Analysis
max time kernel: 147s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/03/2025, 20:55
Static task: static1
Behavioral task: behavioral1
  Sample: script.ps1
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: script.ps1
  Resource: win10v2004-20250314-en
General
Target: script.ps1
Size: 3KB
MD5: cb85017cf90bd06129da09acf240719c
SHA1: 0037c13c7d2043a215a3efe4522b6aad1109fffc
SHA256: c0aac89c0d9d92a680006d6c59bcf2b76807ec85e687c98c9b9618bd5d5ae4ad
SHA512: 304b26c649d9da37c00852b6511b3483ca5ed97a37d4ea1f77987da425f7a9e1ea84642cb7c6108e50d96d38994a58e5d982f4cb7b200eb6aa5f435dd2bc13e0
Malware Config
Extracted
remcos
Neleu5143ssach
www.vzprojekti.com:28799
www.porsche-augsbrug.de:28799
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Neleu8263scah-9YRWAH
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Remcos family
Blocklisted process makes network request (10 IoCs)
flow | pid | Process
8 | 1068 | powershell.exe
34 | 5932 | powershell.exe
37 | 5932 | powershell.exe
39 | 5932 | powershell.exe
49 | 5932 | powershell.exe
75 | 5932 | powershell.exe
86 | 5932 | powershell.exe
87 | 5932 | powershell.exe
92 | 5932 | powershell.exe
94 | 5932 | powershell.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mystery = "%Sundhedstjeneste% -windowstyle 1 $Uforligneliges155=(gi 'HKCU:\\Software\\Rnefolk\\').GetValue('Noncooperation');%Sundhedstjeneste% ($Uforligneliges155)" | reg.exe
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
pid | Process
5932 | powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid | Process
5932 | powershell.exe
Command and Scripting Interpreter: PowerShell (3 IoCs)
pid | Process
1068 | powershell.exe
5660 | powershell.exe
5932 | powershell.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid | Process
1068 | powershell.exe
1068 | powershell.exe
5660 | powershell.exe
5660 | powershell.exe
5932 | powershell.exe
5932 | powershell.exe
5932 | powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1068 | powershell.exe
Token: SeDebugPrivilege | 5660 | powershell.exe
Token: SeDebugPrivilege | 5932 | powershell.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 5660 wrote to memory of 5932 | 5660 | powershell.exe | 93
PID 5660 wrote to memory of 5932 | 5660 | powershell.exe | 93
PID 5660 wrote to memory of 5932 | 5660 | powershell.exe | 93
PID 5932 wrote to memory of 1976 | 5932 | powershell.exe | 100
PID 5932 wrote to memory of 1976 | 5932 | powershell.exe | 100
PID 5932 wrote to memory of 1976 | 5932 | powershell.exe | 100
PID 1976 wrote to memory of 388 | 1976 | cmd.exe | 102
PID 1976 wrote to memory of 388 | 1976 | cmd.exe | 102
PID 1976 wrote to memory of 388 | 1976 | cmd.exe | 102
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1068
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1"
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5660
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
    - Blocklisted process makes network request
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 5932
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Mystery" /t REG_EXPAND_SZ /d "%Sundhedstjeneste% -windowstyle 1 $Uforligneliges155=(gi 'HKCU:\Software\Rnefolk\').GetValue('Noncooperation');%Sundhedstjeneste% ($Uforligneliges155)"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1976
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Mystery" /t REG_EXPAND_SZ /d "%Sundhedstjeneste% -windowstyle 1 $Uforligneliges155=(gi 'HKCU:\Software\Rnefolk\').GetValue('Noncooperation');%Sundhedstjeneste% ($Uforligneliges155)"
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        PID: 388
MITRE ATT&CK Enterprise v15
Downloads