remcos | a6cc856405546af76f769ae3148e782571675af436ae9701c17d081266d6c835

Resubmissions

02-04-2020 15:00

200402-pmb85r8w5s 10

02-04-2020 14:48

200402-2xn5k91z3n 10

Analysis

max time kernel
151s
max time network
151s
platform
windows7_x64
resource
win7v200217
submitted
02-04-2020 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SBA_DISA.EXE
Size

152KB
MD5

43927d58e211d5a2d2670bf46b1d9884
SHA1

89dba75b13a506ee5042b5636c06555baf85050c
SHA256

a6cc856405546af76f769ae3148e782571675af436ae9701c17d081266d6c835
SHA512

12982c56cf7b9864b60829336b4c33a1caee4061fccf434fa9809f71b3259c3823cb6786656d639bc0fabe0a683793df4a6ba34d9f35b47801688b3f28bb5521

Score

10^/10

remcos persistence rat spyware

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 5 IoCs

Processes:

benzinforh.exedwn.exebenzinforh.exebenzinforh.exebenzinforh.exe

pid process

1888 benzinforh.exe
1468 dwn.exe
996 benzinforh.exe
328 benzinforh.exe
336 benzinforh.exe
Loads dropped DLL 6 IoCs

Processes:

SBA_DISA.EXEbenzinforh.exedwn.exe

pid process

1868 SBA_DISA.EXE
1868 SBA_DISA.EXE
1916 benzinforh.exe
1916 benzinforh.exe
1916 benzinforh.exe
1628 dwn.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1888	benzinforh.exe
1468	dwn.exe
996	benzinforh.exe
328	benzinforh.exe
336	benzinforh.exe

pid	process
1868	SBA_DISA.EXE
1868	SBA_DISA.EXE
1916	benzinforh.exe
1916	benzinforh.exe
1916	benzinforh.exe
1628	dwn.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SBA_DISA.EXEbenzinforh.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	SBA_DISA.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	benzinforh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Gymnasti = "C:\\Users\\Admin\\Sugaryse\\benzinforh.vbs"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Gymnasti = "C:\\Users\\Admin\\Sugaryse\\benzinforh.vbs"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Gymnasti = "C:\\Users\\Admin\\Sugaryse\\benzinforh.vbs"	SBA_DISA.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Gymnasti = "C:\\Users\\Admin\\Sugaryse\\benzinforh.vbs"	benzinforh.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Gymnasti = "C:\\Users\\Admin\\Sugaryse\\benzinforh.vbs"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Gymnasti = "C:\\Users\\Admin\\Sugaryse\\benzinforh.vbs"	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

SBA_DISA.EXESBA_DISA.EXEbenzinforh.exebenzinforh.exedwn.exedwn.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
1840	SBA_DISA.EXE
1868	SBA_DISA.EXE
1888	benzinforh.exe
1916	benzinforh.exe
1916	benzinforh.exe
1468	dwn.exe
1628	dwn.exe
1368	svchost.exe
1800	svchost.exe
1408	svchost.exe
1908	svchost.exe
1924	svchost.exe
1644	svchost.exe
1632	svchost.exe
1020	svchost.exe

Suspicious use of SetThreadContext 15 IoCs

Processes:

SBA_DISA.EXEbenzinforh.exebenzinforh.exedwn.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 1840 set thread context of 1868	1840	SBA_DISA.EXE	SBA_DISA.EXE
PID 1888 set thread context of 1916	1888	benzinforh.exe	benzinforh.exe
PID 1916 set thread context of 1368	1916	benzinforh.exe	svchost.exe
PID 1916 set thread context of 996	1916	benzinforh.exe	benzinforh.exe
PID 1916 set thread context of 328	1916	benzinforh.exe	benzinforh.exe
PID 1916 set thread context of 336	1916	benzinforh.exe	benzinforh.exe
PID 1468 set thread context of 1628	1468	dwn.exe	dwn.exe
PID 1368 set thread context of 1800	1368	svchost.exe	svchost.exe
PID 1916 set thread context of 1408	1916	benzinforh.exe	svchost.exe
PID 1408 set thread context of 1908	1408	svchost.exe	svchost.exe
PID 1916 set thread context of 1924	1916	benzinforh.exe	svchost.exe
PID 1924 set thread context of 1644	1924	svchost.exe	svchost.exe
PID 1916 set thread context of 1632	1916	benzinforh.exe	svchost.exe
PID 1632 set thread context of 1020	1632	svchost.exe	svchost.exe
PID 1916 set thread context of 1192	1916	benzinforh.exe	svchost.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

benzinforh.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 190000000100000010000000a8827a3cbd2d87d783b59b8062c87e9a03000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe1d000000010000001000000073621e116224668780b2d2bee454e52e1400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e2000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e	benzinforh.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 0400000001000000100000009414777e3e5efd8f30bd41b0cfe7d0300f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e0000001400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e1d000000010000001000000073621e116224668780b2d2bee454e52e03000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe190000000100000010000000a8827a3cbd2d87d783b59b8062c87e9a2000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e	benzinforh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE	benzinforh.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 0f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e0000001400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e1d000000010000001000000073621e116224668780b2d2bee454e52e03000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe2000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e	benzinforh.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

benzinforh.exe

pid process

996 benzinforh.exe
996 benzinforh.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

benzinforh.exe

pid process

1916 benzinforh.exe
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

SBA_DISA.EXEbenzinforh.exedwn.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid process

1840 SBA_DISA.EXE
1888 benzinforh.exe
1468 dwn.exe
1368 svchost.exe
1408 svchost.exe
1924 svchost.exe
1632 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

benzinforh.exe

description pid process

Token: SeDebugPrivilege 328 benzinforh.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

SBA_DISA.EXEbenzinforh.exebenzinforh.exesvchost.exedwn.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid process

1840 SBA_DISA.EXE
1888 benzinforh.exe
1916 benzinforh.exe
1368 svchost.exe
1468 dwn.exe
1408 svchost.exe
1924 svchost.exe
1632 svchost.exe
1192 svchost.exe

pid	process
996	benzinforh.exe
996	benzinforh.exe

pid	process
1916	benzinforh.exe

description	pid	process
Token: SeDebugPrivilege	328	benzinforh.exe

Suspicious use of WriteProcessMemory 116 IoCs

Processes:

SBA_DISA.EXESBA_DISA.EXEbenzinforh.exebenzinforh.exedwn.exesvchost.exe

description	pid	process	target process
PID 1840 wrote to memory of 1868	1840	SBA_DISA.EXE	SBA_DISA.EXE
PID 1840 wrote to memory of 1868	1840	SBA_DISA.EXE	SBA_DISA.EXE
PID 1840 wrote to memory of 1868	1840	SBA_DISA.EXE	SBA_DISA.EXE
PID 1840 wrote to memory of 1868	1840	SBA_DISA.EXE	SBA_DISA.EXE
PID 1840 wrote to memory of 1868	1840	SBA_DISA.EXE	SBA_DISA.EXE
PID 1868 wrote to memory of 1888	1868	SBA_DISA.EXE	benzinforh.exe
PID 1868 wrote to memory of 1888	1868	SBA_DISA.EXE	benzinforh.exe
PID 1868 wrote to memory of 1888	1868	SBA_DISA.EXE	benzinforh.exe
PID 1868 wrote to memory of 1888	1868	SBA_DISA.EXE	benzinforh.exe
PID 1888 wrote to memory of 1916	1888	benzinforh.exe	benzinforh.exe
PID 1888 wrote to memory of 1916	1888	benzinforh.exe	benzinforh.exe
PID 1888 wrote to memory of 1916	1888	benzinforh.exe	benzinforh.exe
PID 1888 wrote to memory of 1916	1888	benzinforh.exe	benzinforh.exe
PID 1888 wrote to memory of 1916	1888	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 1368	1916	benzinforh.exe	svchost.exe
PID 1916 wrote to memory of 1368	1916	benzinforh.exe	svchost.exe
PID 1916 wrote to memory of 1368	1916	benzinforh.exe	svchost.exe
PID 1916 wrote to memory of 1368	1916	benzinforh.exe	svchost.exe
PID 1916 wrote to memory of 1368	1916	benzinforh.exe	svchost.exe
PID 1916 wrote to memory of 1368	1916	benzinforh.exe	svchost.exe
PID 1916 wrote to memory of 1368	1916	benzinforh.exe	svchost.exe
PID 1916 wrote to memory of 1368	1916	benzinforh.exe	svchost.exe
PID 1916 wrote to memory of 1368	1916	benzinforh.exe	svchost.exe
PID 1916 wrote to memory of 1468	1916	benzinforh.exe	dwn.exe
PID 1916 wrote to memory of 1468	1916	benzinforh.exe	dwn.exe
PID 1916 wrote to memory of 1468	1916	benzinforh.exe	dwn.exe
PID 1916 wrote to memory of 1468	1916	benzinforh.exe	dwn.exe
PID 1916 wrote to memory of 996	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 996	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 996	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 996	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 996	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 996	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 996	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 996	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 996	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 996	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 328	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 328	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 328	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 328	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 328	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 328	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 328	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 328	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 328	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 336	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 336	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 336	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 336	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 336	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 336	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 336	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 336	1916	benzinforh.exe	benzinforh.exe
PID 1916 wrote to memory of 336	1916	benzinforh.exe	benzinforh.exe
PID 1468 wrote to memory of 1628	1468	dwn.exe	dwn.exe
PID 1468 wrote to memory of 1628	1468	dwn.exe	dwn.exe
PID 1468 wrote to memory of 1628	1468	dwn.exe	dwn.exe
PID 1468 wrote to memory of 1628	1468	dwn.exe	dwn.exe
PID 1468 wrote to memory of 1628	1468	dwn.exe	dwn.exe
PID 1368 wrote to memory of 1800	1368	svchost.exe	svchost.exe
PID 1368 wrote to memory of 1800	1368	svchost.exe	svchost.exe
PID 1368 wrote to memory of 1800	1368	svchost.exe	svchost.exe
PID 1368 wrote to memory of 1800	1368	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\SBA_DISA.EXE
"C:\Users\Admin\AppData\Local\Temp\SBA_DISA.EXE"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1840

C:\Users\Admin\AppData\Local\Temp\SBA_DISA.EXE
"C:\Users\Admin\AppData\Local\Temp\SBA_DISA.EXE"
2⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\Sugaryse\benzinforh.exe
"C:\Users\Admin\Sugaryse\benzinforh.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\Sugaryse\benzinforh.exe
"C:\Users\Admin\Sugaryse\benzinforh.exe"
4⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
5⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1800

C:\Users\Admin\Sugaryse\dwn.exe
"C:\Users\Admin\Sugaryse\dwn.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\Sugaryse\dwn.exe
"C:\Users\Admin\Sugaryse\dwn.exe"
6⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1628

C:\Users\Admin\Sugaryse\benzinforh.exe
C:\Users\Admin\Sugaryse\benzinforh.exe /stext "C:\Users\Admin\AppData\Local\Temp\rarhevkmnacpspijr"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:996

C:\Users\Admin\Sugaryse\benzinforh.exe
C:\Users\Admin\Sugaryse\benzinforh.exe /stext "C:\Users\Admin\AppData\Local\Temp\cuezfnvnbiuccvwnbnfok"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:328

C:\Users\Admin\Sugaryse\benzinforh.exe
C:\Users\Admin\Sugaryse\benzinforh.exe /stext "C:\Users\Admin\AppData\Local\Temp\mxjsggfhoqnhebsrkysqnpvt"
5⤵
- Executes dropped EXE
PID:336

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
5⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1408

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1908

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
5⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1924

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1644

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
5⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1632

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1020

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
5⤵
- Suspicious use of SetWindowsHookEx
PID:1192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
e526980546d6a1a5bd7ab9a0de3efd8d

SHA1
69e4dbdf6a8db0822662d56141f04714da8808ae

SHA256
072e2ca2adc7fd97b1005ccf7ab5e58b6e46095b8227ef09eac897bfc8f1c158

SHA512
25976fcc2d2a9300ba12bb796762ae0650c8f4420c1f402477ed485d234e60d6373c284a6bd9fce4242ebda47be5a9e8fb642a6b3e6d6b265efd48e447d3274a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_0B97942EE72A6E3F514E8E84F294CC72
MD5
9dc91d1ae0ad42bc7ea59d04f5764cde

SHA1
9c8b4cfc2333d7a459571ed90ee63d18a342b09e

SHA256
9d7cc95d37e7f03d74ec159888a058d5a7e8f10c974f167ee2094334671a687d

SHA512
bf849ccda5a8d1266b97eff77a75a9063ae37d1ae6af3141f40a94d1a1d334691aa86cabe909a4bc134ec41fac7bf957cef9a01e86482fb10fb5484b09e7b283

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_BA8650709FF65A42B9202D73C10A8F29
MD5
869c8fb2e075d4fa18e18b14a6105ea5

SHA1
58a73030ac4ec92b6777dc3f2f85af3c96e9fc55

SHA256
d2bfa48276a89799e6f2d529b15cd27318c32431daa2e13cf38528e09b04de2e

SHA512
1552265fdc1b8c125638ae54443e1a20bdd00eb9ca7dce03a6a37a780ae548c747b5ecf1a772ed2db804bd5c1cfe85d3246b85b6daf2279f750072ff0a1cfefd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
MD5
e550da03aee5b546b436cd553d3233b9

SHA1
7d4f842c50f4136f10c6c6a2e891bfc4a182a0ed

SHA256
9abfd4e29b96cca442502b1de6071fe0293455df22b4eff19fa3e6df060947e7

SHA512
e758228aa2b04ec44ded777ae2318ecf6e9278b6b5981d29d10378e0f66885fabccab48ece78fc279755e710fb531575b58a4fe28469d199736eeb24aa62c767

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
eb11664615b4b6bf9ee628ec8e6d08c2

SHA1
e34e1e1bf7310c91a61db9fc48df90b2d3ba8ad8

SHA256
168d935d73b33aa185d102a6c6b9c05c78f0f13713b0531e4008ab903421a17c

SHA512
826d9a562a5f30c97ba19a785d2174b13cab9fda9bdd9d6f909b5da9a1ede7302b34490fb6505aceacda64785e3f148e7a66c91f6c363e0c0de31c60aeb3572c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BE8B021F9E811DFC8C8A28572A17C05A_0B97942EE72A6E3F514E8E84F294CC72
MD5
20ba5e97c3c163a34a909f2af06ad340

SHA1
167a91fa01e7cb6c4673745a12b3fa9585db2fc9

SHA256
5249708b3520b48c5e1b6bd58d110005ee7dead8b65cda93a87a405756d8bcb5

SHA512
c97d34fce29f8df27f3a2c6f0f6021f124a5410554b7efca37bc08dfb0a4587c49b7b64cba03e68c1af2aed36dda6a639204689b2cd1d41a9d05cdfff2704f1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BE8B021F9E811DFC8C8A28572A17C05A_BA8650709FF65A42B9202D73C10A8F29
MD5
189bbe4b2bfcd5c51183de5b96326225

SHA1
2f4b5eb06b002a1ce5bec401a1373f438073b3cb

SHA256
2cd90329949ce84ae4a123b353fae155dcb5cce698d71973e272a450f53ed1fa

SHA512
3f47c5297157ff16b4cb842836f0d5b87e9e94284c64aed6a87d38ad7e2c702e10f7722410a190258cec81539f143951284e4b8e2d8a5011579623466a1b71f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
MD5
3b99a3a6a61e3fe5b906df98cc778715

SHA1
51d45166fdd94e76722380e5b2329d4fe1506e44

SHA256
ea2c602ce0e1d2b4de233df7f65c175543616c1cc009f90c2bd425896b814d42

SHA512
0ac0c3e1e42d7dcc5f46d5513c1857a10a12f71f293273b907b77ecee48a9087fdde347995727bc0c23215c1d97e2930be40c7695678c8d4ed79c514e28eecb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XOZCGR3G.txt
MD5
f85e0fb0fb2c97b7069ea93e8b20fc32

SHA1
f7f69af4183cd83cd038ec950141b1705e375647

SHA256
211c3eff53402f122e41477a48a5baf7745d15ab937bd343a125087fab3bd341

SHA512
a9457bd653bad223ecf2231962f9ad6d34dc0b8fc7aa7c645cb1159e1884988e1ad512f1486fa8e8c3bb754213897bac5cb49dc794a35493ca75dbcd1d77691b

Download Submit
C:\Users\Admin\Sugaryse\benzinforh.exe
MD5
43927d58e211d5a2d2670bf46b1d9884

SHA1
89dba75b13a506ee5042b5636c06555baf85050c

SHA256
a6cc856405546af76f769ae3148e782571675af436ae9701c17d081266d6c835

SHA512
12982c56cf7b9864b60829336b4c33a1caee4061fccf434fa9809f71b3259c3823cb6786656d639bc0fabe0a683793df4a6ba34d9f35b47801688b3f28bb5521

Download Submit
C:\Users\Admin\Sugaryse\benzinforh.exe
MD5
43927d58e211d5a2d2670bf46b1d9884

SHA1
89dba75b13a506ee5042b5636c06555baf85050c

SHA256
a6cc856405546af76f769ae3148e782571675af436ae9701c17d081266d6c835

SHA512
12982c56cf7b9864b60829336b4c33a1caee4061fccf434fa9809f71b3259c3823cb6786656d639bc0fabe0a683793df4a6ba34d9f35b47801688b3f28bb5521

Download Submit
C:\Users\Admin\Sugaryse\benzinforh.exe
MD5
43927d58e211d5a2d2670bf46b1d9884

SHA1
89dba75b13a506ee5042b5636c06555baf85050c

SHA256
a6cc856405546af76f769ae3148e782571675af436ae9701c17d081266d6c835

SHA512
12982c56cf7b9864b60829336b4c33a1caee4061fccf434fa9809f71b3259c3823cb6786656d639bc0fabe0a683793df4a6ba34d9f35b47801688b3f28bb5521

Download Submit
C:\Users\Admin\Sugaryse\benzinforh.exe
MD5
43927d58e211d5a2d2670bf46b1d9884

SHA1
89dba75b13a506ee5042b5636c06555baf85050c

SHA256
a6cc856405546af76f769ae3148e782571675af436ae9701c17d081266d6c835

SHA512
12982c56cf7b9864b60829336b4c33a1caee4061fccf434fa9809f71b3259c3823cb6786656d639bc0fabe0a683793df4a6ba34d9f35b47801688b3f28bb5521

Download Submit
C:\Users\Admin\Sugaryse\benzinforh.exe
MD5
43927d58e211d5a2d2670bf46b1d9884

SHA1
89dba75b13a506ee5042b5636c06555baf85050c

SHA256
a6cc856405546af76f769ae3148e782571675af436ae9701c17d081266d6c835

SHA512
12982c56cf7b9864b60829336b4c33a1caee4061fccf434fa9809f71b3259c3823cb6786656d639bc0fabe0a683793df4a6ba34d9f35b47801688b3f28bb5521

Download Submit
C:\Users\Admin\Sugaryse\benzinforh.exe
MD5
43927d58e211d5a2d2670bf46b1d9884

SHA1
89dba75b13a506ee5042b5636c06555baf85050c

SHA256
a6cc856405546af76f769ae3148e782571675af436ae9701c17d081266d6c835

SHA512
12982c56cf7b9864b60829336b4c33a1caee4061fccf434fa9809f71b3259c3823cb6786656d639bc0fabe0a683793df4a6ba34d9f35b47801688b3f28bb5521

Download Submit
C:\Users\Admin\Sugaryse\benzinforh.vbs
MD5
b2f77fbcd220c98436c0c42b0d0fb01f

SHA1
3f3b0cd67cae27cad373ca5af477e0ab00d11515

SHA256
6457cced6b0101ae70e6c281ee5813578a30486a61433c03df3fac9d2ca681de

SHA512
510a2743bcf216196f19813daaf85257686202a912426f30cad0a3459a75949d810016e25187a07abe345836c6c2eab849d46333e0d948952f3686a8b2d561c0

Download Submit
C:\Users\Admin\Sugaryse\benzinforh.vbs
MD5
b2f77fbcd220c98436c0c42b0d0fb01f

SHA1
3f3b0cd67cae27cad373ca5af477e0ab00d11515

SHA256
6457cced6b0101ae70e6c281ee5813578a30486a61433c03df3fac9d2ca681de

SHA512
510a2743bcf216196f19813daaf85257686202a912426f30cad0a3459a75949d810016e25187a07abe345836c6c2eab849d46333e0d948952f3686a8b2d561c0

Download Submit
C:\Users\Admin\Sugaryse\benzinforh.vbs
MD5
b2f77fbcd220c98436c0c42b0d0fb01f

SHA1
3f3b0cd67cae27cad373ca5af477e0ab00d11515

SHA256
6457cced6b0101ae70e6c281ee5813578a30486a61433c03df3fac9d2ca681de

SHA512
510a2743bcf216196f19813daaf85257686202a912426f30cad0a3459a75949d810016e25187a07abe345836c6c2eab849d46333e0d948952f3686a8b2d561c0

Download Submit
C:\Users\Admin\Sugaryse\benzinforh.vbs
MD5
b2f77fbcd220c98436c0c42b0d0fb01f

SHA1
3f3b0cd67cae27cad373ca5af477e0ab00d11515

SHA256
6457cced6b0101ae70e6c281ee5813578a30486a61433c03df3fac9d2ca681de

SHA512
510a2743bcf216196f19813daaf85257686202a912426f30cad0a3459a75949d810016e25187a07abe345836c6c2eab849d46333e0d948952f3686a8b2d561c0

Download Submit
C:\Users\Admin\Sugaryse\dwn.exe
MD5
daeefcc7e346e447891d46b6611aa5be

SHA1
9dfc5d1e7f5276eb125a2d551ff1738ffd61802d

SHA256
14591bdae3b5e9cf9988efa782bf96425851dad41c83d4644732b73e02d8d3b1

SHA512
5cf5ecd8282d0c3e4b584bb1e695a344180d9c9c05613c1f47b51bfc16fdd15461bfbe28869cd8a1b49ab81a0e142a0dda27d8197fcaad640c9d5f9575788565

Download Submit
C:\Users\Admin\Sugaryse\dwn.exe
MD5
daeefcc7e346e447891d46b6611aa5be

SHA1
9dfc5d1e7f5276eb125a2d551ff1738ffd61802d

SHA256
14591bdae3b5e9cf9988efa782bf96425851dad41c83d4644732b73e02d8d3b1

SHA512
5cf5ecd8282d0c3e4b584bb1e695a344180d9c9c05613c1f47b51bfc16fdd15461bfbe28869cd8a1b49ab81a0e142a0dda27d8197fcaad640c9d5f9575788565

Download Submit
C:\Users\Admin\Sugaryse\dwn.exe
MD5
daeefcc7e346e447891d46b6611aa5be

SHA1
9dfc5d1e7f5276eb125a2d551ff1738ffd61802d

SHA256
14591bdae3b5e9cf9988efa782bf96425851dad41c83d4644732b73e02d8d3b1

SHA512
5cf5ecd8282d0c3e4b584bb1e695a344180d9c9c05613c1f47b51bfc16fdd15461bfbe28869cd8a1b49ab81a0e142a0dda27d8197fcaad640c9d5f9575788565

Download Submit
\Users\Admin\Sugaryse\benzinforh.exe
MD5
43927d58e211d5a2d2670bf46b1d9884

SHA1
89dba75b13a506ee5042b5636c06555baf85050c

SHA256
a6cc856405546af76f769ae3148e782571675af436ae9701c17d081266d6c835

SHA512
12982c56cf7b9864b60829336b4c33a1caee4061fccf434fa9809f71b3259c3823cb6786656d639bc0fabe0a683793df4a6ba34d9f35b47801688b3f28bb5521

Download Submit
\Users\Admin\Sugaryse\benzinforh.exe
MD5
43927d58e211d5a2d2670bf46b1d9884

SHA1
89dba75b13a506ee5042b5636c06555baf85050c

SHA256
a6cc856405546af76f769ae3148e782571675af436ae9701c17d081266d6c835

SHA512
12982c56cf7b9864b60829336b4c33a1caee4061fccf434fa9809f71b3259c3823cb6786656d639bc0fabe0a683793df4a6ba34d9f35b47801688b3f28bb5521

Download Submit
\Users\Admin\Sugaryse\dwn.exe
MD5
daeefcc7e346e447891d46b6611aa5be

SHA1
9dfc5d1e7f5276eb125a2d551ff1738ffd61802d

SHA256
14591bdae3b5e9cf9988efa782bf96425851dad41c83d4644732b73e02d8d3b1

SHA512
5cf5ecd8282d0c3e4b584bb1e695a344180d9c9c05613c1f47b51bfc16fdd15461bfbe28869cd8a1b49ab81a0e142a0dda27d8197fcaad640c9d5f9575788565

Download Submit
\Users\Admin\Sugaryse\dwn.exe
MD5
daeefcc7e346e447891d46b6611aa5be

SHA1
9dfc5d1e7f5276eb125a2d551ff1738ffd61802d

SHA256
14591bdae3b5e9cf9988efa782bf96425851dad41c83d4644732b73e02d8d3b1

SHA512
5cf5ecd8282d0c3e4b584bb1e695a344180d9c9c05613c1f47b51bfc16fdd15461bfbe28869cd8a1b49ab81a0e142a0dda27d8197fcaad640c9d5f9575788565

Download Submit
memory/328-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/328-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/328-28-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/336-23-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/336-25-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/336-27-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/996-18-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/996-21-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1368-10-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1368-9-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download