remcos | 7394a60726a1e8b2a0d54afaa74cbade2846696214ceaf8417171c3ba611f14a

Analysis

max time kernel
147s
max time network
124s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02/03/2023, 11:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PO Match2023.xls
Size

1.4MB
MD5

92c740dbfda6abf84475076d68864f2c
SHA1

6bdbf063daf6b58958a7888aefe73229ce7cfae7
SHA256

7394a60726a1e8b2a0d54afaa74cbade2846696214ceaf8417171c3ba611f14a
SHA512

80f65bc03e1a410729ad5f32607551d73d599eca2941e0461efa3812ca5d248b72564b863fa4245f81c63c3f66f882395e8b53f3972483abd2a15270c51fae6c
SSDEEP

24576:lLKgWQmmav30xOnBZWQmmav30xfJsWQmmav30x8BhlWQmmav30xs69WvEONLyP4r:lLK1QmmQ30smQmmQ30NJBQmmQ30WnkQa

Score

10^/10

remcos remotehost collection rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

185.222.58.53:2049

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-SVY7ZY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1612-162-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/1612-166-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/1612-174-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1972-157-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1972-167-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1972-172-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

resource	yara_rule
behavioral1/memory/1612-162-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/1972-157-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/908-164-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/908-165-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1612-166-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/1972-167-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1972-172-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1612-174-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1480	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
1940	vbc.exe
1812	vbc.exe
1700	vbc.exe
1972	vbc.exe
1612	vbc.exe
908	vbc.exe

Loads dropped DLL 1 IoCs

pid	Process
1480	EQNEDT32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1940 set thread context of 1812	1940	vbc.exe	37
PID 1812 set thread context of 1972	1812	vbc.exe	40
PID 1812 set thread context of 1612	1812	vbc.exe	41
PID 1812 set thread context of 908	1812	vbc.exe	42

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1524	schtasks.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1480	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
924	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1940	vbc.exe
1940	vbc.exe
1940	vbc.exe
1940	vbc.exe
1940	vbc.exe
1940	vbc.exe
1940	vbc.exe
1940	vbc.exe
1940	vbc.exe
1940	vbc.exe
1940	vbc.exe
1940	vbc.exe
1940	vbc.exe
1940	vbc.exe
1940	vbc.exe
1940	vbc.exe
1940	vbc.exe
1940	vbc.exe
560	powershell.exe
1972	vbc.exe
1972	vbc.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1812	vbc.exe
1812	vbc.exe
1812	vbc.exe
1812	vbc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	vbc.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	908	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1812	vbc.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1812	vbc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
924	EXCEL.EXE
924	EXCEL.EXE
924	EXCEL.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1940	1480	EQNEDT32.EXE	31
PID 1480 wrote to memory of 1940	1480	EQNEDT32.EXE	31
PID 1480 wrote to memory of 1940	1480	EQNEDT32.EXE	31
PID 1480 wrote to memory of 1940	1480	EQNEDT32.EXE	31
PID 1940 wrote to memory of 560	1940	vbc.exe	33
PID 1940 wrote to memory of 560	1940	vbc.exe	33
PID 1940 wrote to memory of 560	1940	vbc.exe	33
PID 1940 wrote to memory of 560	1940	vbc.exe	33
PID 1940 wrote to memory of 1524	1940	vbc.exe	34
PID 1940 wrote to memory of 1524	1940	vbc.exe	34
PID 1940 wrote to memory of 1524	1940	vbc.exe	34
PID 1940 wrote to memory of 1524	1940	vbc.exe	34
PID 1940 wrote to memory of 1812	1940	vbc.exe	37
PID 1940 wrote to memory of 1812	1940	vbc.exe	37
PID 1940 wrote to memory of 1812	1940	vbc.exe	37
PID 1940 wrote to memory of 1812	1940	vbc.exe	37
PID 1940 wrote to memory of 1812	1940	vbc.exe	37
PID 1940 wrote to memory of 1812	1940	vbc.exe	37
PID 1940 wrote to memory of 1812	1940	vbc.exe	37
PID 1940 wrote to memory of 1812	1940	vbc.exe	37
PID 1940 wrote to memory of 1812	1940	vbc.exe	37
PID 1940 wrote to memory of 1812	1940	vbc.exe	37
PID 1940 wrote to memory of 1812	1940	vbc.exe	37
PID 1940 wrote to memory of 1812	1940	vbc.exe	37
PID 1940 wrote to memory of 1812	1940	vbc.exe	37
PID 1812 wrote to memory of 1700	1812	vbc.exe	39
PID 1812 wrote to memory of 1700	1812	vbc.exe	39
PID 1812 wrote to memory of 1700	1812	vbc.exe	39
PID 1812 wrote to memory of 1700	1812	vbc.exe	39
PID 1812 wrote to memory of 1972	1812	vbc.exe	40
PID 1812 wrote to memory of 1972	1812	vbc.exe	40
PID 1812 wrote to memory of 1972	1812	vbc.exe	40
PID 1812 wrote to memory of 1972	1812	vbc.exe	40
PID 1812 wrote to memory of 1972	1812	vbc.exe	40
PID 1812 wrote to memory of 1612	1812	vbc.exe	41
PID 1812 wrote to memory of 1612	1812	vbc.exe	41
PID 1812 wrote to memory of 1612	1812	vbc.exe	41
PID 1812 wrote to memory of 1612	1812	vbc.exe	41
PID 1812 wrote to memory of 1612	1812	vbc.exe	41
PID 1812 wrote to memory of 908	1812	vbc.exe	42
PID 1812 wrote to memory of 908	1812	vbc.exe	42
PID 1812 wrote to memory of 908	1812	vbc.exe	42
PID 1812 wrote to memory of 908	1812	vbc.exe	42
PID 1812 wrote to memory of 908	1812	vbc.exe	42

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\PO Match2023.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:924

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Public\vbc.exe
  "C:\Users\Public\vbc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zrVRjShi.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zrVRjShi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp903F.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1524
- - C:\Users\Public\vbc.exe
    "C:\Users\Public\vbc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Users\Public\vbc.exe
      C:\Users\Public\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\aoyxysj"
      4⤵
      Executes dropped EXE
      PID:1700
  - - C:\Users\Public\vbc.exe
      C:\Users\Public\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\aoyxysj"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1972
  - - C:\Users\Public\vbc.exe
      C:\Users\Public\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\ljdizkupuec"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      PID:1612
  - - C:\Users\Public\vbc.exe
      C:\Users\Public\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\vlqaacfrqmuxal"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\70B54DEC.emf

Filesize
577KB

MD5
ae689aefea9e9889be7e07e89b50606c

SHA1
441a5710e58d4dbe4436c989d5f5acbf9f6c0314

SHA256
ec7a39ccc0cb412c651986e3adc67cbf786cb7f74985abc203dffad63e02a262

SHA512
486d01e30c8897f216d3200932c52fad3f1da8f8181dba768addc6da416e44c8101dd1e42127a73dc108fa1e4deaa9a9f55a5582d4cfce90f44cb72bf25d8e4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9874A5AE.emf

Filesize
34KB

MD5
98d49b996eb4d333cff85c9b1f2da071

SHA1
6ec5cb8928132d12f9fabef8a54167541540eb94

SHA256
8f6c0f23c8396223bdd5cb4ca02140e8f2f5a9b1c31160e83d8274a63eef797f

SHA512
fbd5f8e9d1944afddbb56bb32c0b37980957803ad15957569a2fbc4e07118804e1f61919c0f11b19d86d70dde63453223bc88dbbffdc31183f4e7708f9559559

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoyxysj

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp903F.tmp

Filesize
1KB

MD5
71778edab89c3a57a526da505dc6b3d6

SHA1
5e1b47ed92f8313b33db0f1e56f2bfbf22480845

SHA256
5e50f10400494079cfa102c98460fe23d52356edef563f31e996b4067bbc26e8

SHA512
efc61c17507e32efcd98c1176710de5391abdd8a65c716bc1959e751dc61c4574ca4c71c4a7b22e22dbdc7d32071d61cbec0a8910d128a61f7e0dab59939cc64

Download Submit
C:\Users\Public\vbc.exe

Filesize
1.2MB

MD5
b3be6cc0ebfb0f69b35de6eadbcf6e6f

SHA1
a63698d5132272a1dee1366b054f4c43569192f2

SHA256
02ced6da9cf24901681948deae308d36975cb623dcc6735f2142f4252bc7e197

SHA512
6f845f15ff132e9f314bc268403e5ddf2d198348c2c7b19f9ce60e29738cba61bc0ee24ba74509cf6f8f605f92b2db1d2da8bca7e77924ceeab8b37025a17b4b

Download Submit
C:\Users\Public\vbc.exe

Filesize
1.2MB

MD5
b3be6cc0ebfb0f69b35de6eadbcf6e6f

SHA1
a63698d5132272a1dee1366b054f4c43569192f2

SHA256
02ced6da9cf24901681948deae308d36975cb623dcc6735f2142f4252bc7e197

SHA512
6f845f15ff132e9f314bc268403e5ddf2d198348c2c7b19f9ce60e29738cba61bc0ee24ba74509cf6f8f605f92b2db1d2da8bca7e77924ceeab8b37025a17b4b

Download Submit
C:\Users\Public\vbc.exe

Filesize
1.2MB

MD5
b3be6cc0ebfb0f69b35de6eadbcf6e6f

SHA1
a63698d5132272a1dee1366b054f4c43569192f2

SHA256
02ced6da9cf24901681948deae308d36975cb623dcc6735f2142f4252bc7e197

SHA512
6f845f15ff132e9f314bc268403e5ddf2d198348c2c7b19f9ce60e29738cba61bc0ee24ba74509cf6f8f605f92b2db1d2da8bca7e77924ceeab8b37025a17b4b

Download Submit
C:\Users\Public\vbc.exe

Filesize
1.2MB

MD5
b3be6cc0ebfb0f69b35de6eadbcf6e6f

SHA1
a63698d5132272a1dee1366b054f4c43569192f2

SHA256
02ced6da9cf24901681948deae308d36975cb623dcc6735f2142f4252bc7e197

SHA512
6f845f15ff132e9f314bc268403e5ddf2d198348c2c7b19f9ce60e29738cba61bc0ee24ba74509cf6f8f605f92b2db1d2da8bca7e77924ceeab8b37025a17b4b

Download Submit
C:\Users\Public\vbc.exe

Filesize
1.2MB

MD5
b3be6cc0ebfb0f69b35de6eadbcf6e6f

SHA1
a63698d5132272a1dee1366b054f4c43569192f2

SHA256
02ced6da9cf24901681948deae308d36975cb623dcc6735f2142f4252bc7e197

SHA512
6f845f15ff132e9f314bc268403e5ddf2d198348c2c7b19f9ce60e29738cba61bc0ee24ba74509cf6f8f605f92b2db1d2da8bca7e77924ceeab8b37025a17b4b

Download Submit
C:\Users\Public\vbc.exe

Filesize
1.2MB

MD5
b3be6cc0ebfb0f69b35de6eadbcf6e6f

SHA1
a63698d5132272a1dee1366b054f4c43569192f2

SHA256
02ced6da9cf24901681948deae308d36975cb623dcc6735f2142f4252bc7e197

SHA512
6f845f15ff132e9f314bc268403e5ddf2d198348c2c7b19f9ce60e29738cba61bc0ee24ba74509cf6f8f605f92b2db1d2da8bca7e77924ceeab8b37025a17b4b

Download Submit
C:\Users\Public\vbc.exe

Filesize
1.2MB

MD5
b3be6cc0ebfb0f69b35de6eadbcf6e6f

SHA1
a63698d5132272a1dee1366b054f4c43569192f2

SHA256
02ced6da9cf24901681948deae308d36975cb623dcc6735f2142f4252bc7e197

SHA512
6f845f15ff132e9f314bc268403e5ddf2d198348c2c7b19f9ce60e29738cba61bc0ee24ba74509cf6f8f605f92b2db1d2da8bca7e77924ceeab8b37025a17b4b

Download Submit
C:\Users\Public\vbc.exe

Filesize
1.2MB

MD5
b3be6cc0ebfb0f69b35de6eadbcf6e6f

SHA1
a63698d5132272a1dee1366b054f4c43569192f2

SHA256
02ced6da9cf24901681948deae308d36975cb623dcc6735f2142f4252bc7e197

SHA512
6f845f15ff132e9f314bc268403e5ddf2d198348c2c7b19f9ce60e29738cba61bc0ee24ba74509cf6f8f605f92b2db1d2da8bca7e77924ceeab8b37025a17b4b

Download Submit
\Users\Public\vbc.exe

Filesize
1.2MB

MD5
b3be6cc0ebfb0f69b35de6eadbcf6e6f

SHA1
a63698d5132272a1dee1366b054f4c43569192f2

SHA256
02ced6da9cf24901681948deae308d36975cb623dcc6735f2142f4252bc7e197

SHA512
6f845f15ff132e9f314bc268403e5ddf2d198348c2c7b19f9ce60e29738cba61bc0ee24ba74509cf6f8f605f92b2db1d2da8bca7e77924ceeab8b37025a17b4b

Download Submit
memory/560-100-0x0000000002910000-0x0000000002950000-memory.dmp

Filesize
256KB

Download
memory/560-117-0x0000000002910000-0x0000000002950000-memory.dmp

Filesize
256KB

Download
memory/908-163-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/908-156-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/908-164-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/908-165-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/924-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/924-124-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1612-152-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1612-160-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1612-162-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1612-166-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1612-174-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1812-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-94-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-106-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-107-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-108-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-109-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-111-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-110-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-112-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-113-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-115-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-116-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-104-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-118-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-101-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-99-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1812-97-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-98-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-96-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-183-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-182-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-105-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-93-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-92-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-91-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-181-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-180-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1812-179-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1812-178-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1812-175-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1940-89-0x0000000004BE0000-0x0000000004BE6000-memory.dmp

Filesize
24KB

Download
memory/1940-77-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/1940-76-0x00000000006D0000-0x00000000006EA000-memory.dmp

Filesize
104KB

Download
memory/1940-75-0x0000000000260000-0x00000000003A6000-memory.dmp

Filesize
1.3MB

Download
memory/1940-80-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/1940-81-0x0000000005030000-0x0000000005122000-memory.dmp

Filesize
968KB

Download
memory/1940-79-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/1940-90-0x0000000005460000-0x00000000054E0000-memory.dmp

Filesize
512KB

Download
memory/1972-167-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1972-172-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1972-157-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1972-153-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1972-148-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download