remcos | 79b485007f44b4d768cfa76af093ba16751d986fbd4053b8328a7dd119198e96

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7v200217
submitted
02-04-2020 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

blank.ps1
Size

26B
MD5

ef623f762ecb5a3d8f2a21b6f36fe827
SHA1

422c8588283d250dc49141a18f9c9079fa62ecf0
SHA256

95a0316c3a89e5fb1824447591dfa1c9fa08ea2a06567fb63e923d73838a0596
SHA512

b11b6510c73f126d4dcb10281111eeb0ab328a713fa5c183230f679cfbeaf41af27b658b734c3334a9cef94667d8d478d41ce54112483a99f332f2f85286b1db

Score

10^/10

remcos persistence rat spyware

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 5 IoCs

Processes:

benzinforh.exebenzinforh.exedwn.exebenzinforh.exebenzinforh.exe

pid process

1588 benzinforh.exe
1920 benzinforh.exe
1940 dwn.exe
2012 benzinforh.exe
1984 benzinforh.exe
Loads dropped DLL 6 IoCs

Processes:

SBA_DISA.EXEbenzinforh.exedwn.exe

pid process

240 SBA_DISA.EXE
240 SBA_DISA.EXE
576 benzinforh.exe
576 benzinforh.exe
576 benzinforh.exe
1884 dwn.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1588	benzinforh.exe
1920	benzinforh.exe
1940	dwn.exe
2012	benzinforh.exe
1984	benzinforh.exe

pid	process
240	SBA_DISA.EXE
240	SBA_DISA.EXE
576	benzinforh.exe
576	benzinforh.exe
576	benzinforh.exe
1884	dwn.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SBA_DISA.EXEbenzinforh.exesvchost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Gymnasti = "C:\\Users\\Admin\\Sugaryse\\benzinforh.vbs"	SBA_DISA.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	benzinforh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Gymnasti = "C:\\Users\\Admin\\Sugaryse\\benzinforh.vbs"	benzinforh.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Gymnasti = "C:\\Users\\Admin\\Sugaryse\\benzinforh.vbs"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Gymnasti = "C:\\Users\\Admin\\Sugaryse\\benzinforh.vbs"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	SBA_DISA.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

Processes:

SBA_DISA.EXESBA_DISA.EXEbenzinforh.exebenzinforh.exedwn.exedwn.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
108	SBA_DISA.EXE
240	SBA_DISA.EXE
1588	benzinforh.exe
576	benzinforh.exe
576	benzinforh.exe
1940	dwn.exe
1884	dwn.exe
1864	svchost.exe
1744	svchost.exe
1240	svchost.exe
1492	svchost.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

SBA_DISA.EXEbenzinforh.exebenzinforh.exedwn.exesvchost.exesvchost.exe

description	pid	process	target process
PID 108 set thread context of 240	108	SBA_DISA.EXE	SBA_DISA.EXE
PID 1588 set thread context of 576	1588	benzinforh.exe	benzinforh.exe
PID 576 set thread context of 1864	576	benzinforh.exe	svchost.exe
PID 576 set thread context of 1920	576	benzinforh.exe	benzinforh.exe
PID 576 set thread context of 2012	576	benzinforh.exe	benzinforh.exe
PID 576 set thread context of 1984	576	benzinforh.exe	benzinforh.exe
PID 1940 set thread context of 1884	1940	dwn.exe	dwn.exe
PID 1864 set thread context of 1744	1864	svchost.exe	svchost.exe
PID 576 set thread context of 1240	576	benzinforh.exe	svchost.exe
PID 1240 set thread context of 1492	1240	svchost.exe	svchost.exe
PID 576 set thread context of 1608	576	benzinforh.exe	svchost.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

benzinforh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE	benzinforh.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 0f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e0000001400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e1d000000010000001000000073621e116224668780b2d2bee454e52e03000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe2000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e	benzinforh.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 190000000100000010000000a8827a3cbd2d87d783b59b8062c87e9a03000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe1d000000010000001000000073621e116224668780b2d2bee454e52e1400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e2000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e	benzinforh.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 0400000001000000100000009414777e3e5efd8f30bd41b0cfe7d0300f0000000100000014000000bf4d2c390bbf0aa3a2b7ea2dc751011bf5fd422e090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e0000001400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e1d000000010000001000000073621e116224668780b2d2bee454e52e03000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe190000000100000010000000a8827a3cbd2d87d783b59b8062c87e9a2000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e	benzinforh.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exebenzinforh.exe

pid process

1852 powershell.exe
1920 benzinforh.exe
1920 benzinforh.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

benzinforh.exe

pid process

576 benzinforh.exe
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

SBA_DISA.EXEbenzinforh.exedwn.exesvchost.exesvchost.exe

pid process

108 SBA_DISA.EXE
1588 benzinforh.exe
1940 dwn.exe
1864 svchost.exe
1240 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exebenzinforh.exe

description pid process

Token: SeDebugPrivilege 1852 powershell.exe
Token: SeDebugPrivilege 2012 benzinforh.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

SBA_DISA.EXEbenzinforh.exebenzinforh.exesvchost.exedwn.exesvchost.exesvchost.exe

pid process

108 SBA_DISA.EXE
1588 benzinforh.exe
576 benzinforh.exe
1864 svchost.exe
1940 dwn.exe
1240 svchost.exe
1608 svchost.exe

pid	process
1852	powershell.exe
1920	benzinforh.exe
1920	benzinforh.exe

pid	process
576	benzinforh.exe

description	pid	process
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	2012	benzinforh.exe

Suspicious use of WriteProcessMemory 88 IoCs

Processes:

SBA_DISA.EXESBA_DISA.EXEbenzinforh.exebenzinforh.exedwn.exesvchost.exe

description	pid	process	target process
PID 108 wrote to memory of 240	108	SBA_DISA.EXE	SBA_DISA.EXE
PID 108 wrote to memory of 240	108	SBA_DISA.EXE	SBA_DISA.EXE
PID 108 wrote to memory of 240	108	SBA_DISA.EXE	SBA_DISA.EXE
PID 108 wrote to memory of 240	108	SBA_DISA.EXE	SBA_DISA.EXE
PID 108 wrote to memory of 240	108	SBA_DISA.EXE	SBA_DISA.EXE
PID 240 wrote to memory of 1588	240	SBA_DISA.EXE	benzinforh.exe
PID 240 wrote to memory of 1588	240	SBA_DISA.EXE	benzinforh.exe
PID 240 wrote to memory of 1588	240	SBA_DISA.EXE	benzinforh.exe
PID 240 wrote to memory of 1588	240	SBA_DISA.EXE	benzinforh.exe
PID 1588 wrote to memory of 576	1588	benzinforh.exe	benzinforh.exe
PID 1588 wrote to memory of 576	1588	benzinforh.exe	benzinforh.exe
PID 1588 wrote to memory of 576	1588	benzinforh.exe	benzinforh.exe
PID 1588 wrote to memory of 576	1588	benzinforh.exe	benzinforh.exe
PID 1588 wrote to memory of 576	1588	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 1864	576	benzinforh.exe	svchost.exe
PID 576 wrote to memory of 1864	576	benzinforh.exe	svchost.exe
PID 576 wrote to memory of 1864	576	benzinforh.exe	svchost.exe
PID 576 wrote to memory of 1864	576	benzinforh.exe	svchost.exe
PID 576 wrote to memory of 1864	576	benzinforh.exe	svchost.exe
PID 576 wrote to memory of 1864	576	benzinforh.exe	svchost.exe
PID 576 wrote to memory of 1864	576	benzinforh.exe	svchost.exe
PID 576 wrote to memory of 1864	576	benzinforh.exe	svchost.exe
PID 576 wrote to memory of 1864	576	benzinforh.exe	svchost.exe
PID 576 wrote to memory of 1920	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 1920	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 1920	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 1920	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 1920	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 1920	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 1920	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 1920	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 1920	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 1920	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 1940	576	benzinforh.exe	dwn.exe
PID 576 wrote to memory of 1940	576	benzinforh.exe	dwn.exe
PID 576 wrote to memory of 1940	576	benzinforh.exe	dwn.exe
PID 576 wrote to memory of 1940	576	benzinforh.exe	dwn.exe
PID 576 wrote to memory of 2012	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 2012	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 2012	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 2012	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 2012	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 2012	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 2012	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 2012	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 2012	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 1984	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 1984	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 1984	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 1984	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 1984	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 1984	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 1984	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 1984	576	benzinforh.exe	benzinforh.exe
PID 576 wrote to memory of 1984	576	benzinforh.exe	benzinforh.exe
PID 1940 wrote to memory of 1884	1940	dwn.exe	dwn.exe
PID 1940 wrote to memory of 1884	1940	dwn.exe	dwn.exe
PID 1940 wrote to memory of 1884	1940	dwn.exe	dwn.exe
PID 1940 wrote to memory of 1884	1940	dwn.exe	dwn.exe
PID 1940 wrote to memory of 1884	1940	dwn.exe	dwn.exe
PID 1864 wrote to memory of 1744	1864	svchost.exe	svchost.exe
PID 1864 wrote to memory of 1744	1864	svchost.exe	svchost.exe
PID 1864 wrote to memory of 1744	1864	svchost.exe	svchost.exe
PID 1864 wrote to memory of 1744	1864	svchost.exe	svchost.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\blank.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\SBA_DISA.EXE
"C:\Users\Admin\AppData\Local\Temp\SBA_DISA.EXE"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:108

C:\Users\Admin\AppData\Local\Temp\SBA_DISA.EXE
"C:\Users\Admin\AppData\Local\Temp\SBA_DISA.EXE"
2⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:240

C:\Users\Admin\Sugaryse\benzinforh.exe
"C:\Users\Admin\Sugaryse\benzinforh.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\Sugaryse\benzinforh.exe
"C:\Users\Admin\Sugaryse\benzinforh.exe"
4⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
5⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1744

C:\Users\Admin\Sugaryse\benzinforh.exe
C:\Users\Admin\Sugaryse\benzinforh.exe /stext "C:\Users\Admin\AppData\Local\Temp\kofnrywjqymjqrtnoasjqaswm"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1920

C:\Users\Admin\Sugaryse\dwn.exe
"C:\Users\Admin\Sugaryse\dwn.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\Sugaryse\dwn.exe
"C:\Users\Admin\Sugaryse\dwn.exe"
6⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1884

C:\Users\Admin\Sugaryse\benzinforh.exe
C:\Users\Admin\Sugaryse\benzinforh.exe /stext "C:\Users\Admin\AppData\Local\Temp\mqkyrqhdegenaxhzflnkbnnfvdkm"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Users\Admin\Sugaryse\benzinforh.exe
C:\Users\Admin\Sugaryse\benzinforh.exe /stext "C:\Users\Admin\AppData\Local\Temp\xkxqsjsesowsdlvdowaeeshwwkcvsaa"
5⤵
- Executes dropped EXE
PID:1984

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
5⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1240

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
6⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1492

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
5⤵
- Suspicious use of SetWindowsHookEx
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
e526980546d6a1a5bd7ab9a0de3efd8d

SHA1
69e4dbdf6a8db0822662d56141f04714da8808ae

SHA256
072e2ca2adc7fd97b1005ccf7ab5e58b6e46095b8227ef09eac897bfc8f1c158

SHA512
25976fcc2d2a9300ba12bb796762ae0650c8f4420c1f402477ed485d234e60d6373c284a6bd9fce4242ebda47be5a9e8fb642a6b3e6d6b265efd48e447d3274a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_0B97942EE72A6E3F514E8E84F294CC72
MD5
9dc91d1ae0ad42bc7ea59d04f5764cde

SHA1
9c8b4cfc2333d7a459571ed90ee63d18a342b09e

SHA256
9d7cc95d37e7f03d74ec159888a058d5a7e8f10c974f167ee2094334671a687d

SHA512
bf849ccda5a8d1266b97eff77a75a9063ae37d1ae6af3141f40a94d1a1d334691aa86cabe909a4bc134ec41fac7bf957cef9a01e86482fb10fb5484b09e7b283

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_BA8650709FF65A42B9202D73C10A8F29
MD5
869c8fb2e075d4fa18e18b14a6105ea5

SHA1
58a73030ac4ec92b6777dc3f2f85af3c96e9fc55

SHA256
d2bfa48276a89799e6f2d529b15cd27318c32431daa2e13cf38528e09b04de2e

SHA512
1552265fdc1b8c125638ae54443e1a20bdd00eb9ca7dce03a6a37a780ae548c747b5ecf1a772ed2db804bd5c1cfe85d3246b85b6daf2279f750072ff0a1cfefd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
MD5
e550da03aee5b546b436cd553d3233b9

SHA1
7d4f842c50f4136f10c6c6a2e891bfc4a182a0ed

SHA256
9abfd4e29b96cca442502b1de6071fe0293455df22b4eff19fa3e6df060947e7

SHA512
e758228aa2b04ec44ded777ae2318ecf6e9278b6b5981d29d10378e0f66885fabccab48ece78fc279755e710fb531575b58a4fe28469d199736eeb24aa62c767

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
a9efcff7920927c70aa39a6c0f30b05a

SHA1
dac761b047ca2c09d3ba3bdb5648b2d4fa4a665c

SHA256
b44409f1f52b9540808ff556a0a3b4b6234b0629612855c4d8dc334869e37830

SHA512
a5a8a1f41fb8be3fa4ab88c273e2af74a5dd191982836dc841d07d335df631df037f89a5e91e91492b793af1432879eb2e69250931da4a032ab2692efed68b55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BE8B021F9E811DFC8C8A28572A17C05A_0B97942EE72A6E3F514E8E84F294CC72
MD5
691118ee793ac4265a9c56fd7091033d

SHA1
184afb2705a553b48abce045d6a1198850971a93

SHA256
7799697ae5d872d73465022532ffdba936c2bd764e559e1dda141ae5c212ece4

SHA512
12c5268c76ce0ffc5419c0a4d4e1e7a312444e40c8978c4856002c02a97074737ee1c163c5ab6d862fdaebf7d227e08b288228fd123810dec8380c6cd7bf0b4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BE8B021F9E811DFC8C8A28572A17C05A_BA8650709FF65A42B9202D73C10A8F29
MD5
8a69d18da2679af95298537f7d15392c

SHA1
4f9ab6418f19ee716d187a942022ec6ebb83b578

SHA256
49250d674c0b5c0be1162544b637bda8f8258ffc9a846ffd1e8f8f9ce3e60d87

SHA512
2126ec793469f8ce42590d3c9dff6a209b2f19707440c6695d3f12d0166e180cf68aa6a800d4f69f8c111c60c15093f1a4a3d56bd6eaf8ebac5ca80d62a289cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
MD5
6b3f79214be4a27ca3234a4f3833ad54

SHA1
ca5e8d6c2c1b272f6dd1e4d81a814b7ba7876858

SHA256
675e4b3f0b1d385984b4afe9aadd646fa0641ea37e636c3e803be752a632903b

SHA512
61bd5f67987aca2f4374436a8706dc5a4c4366cd73d53413e371a42c95a1a45790d9bc1a797da3156fa09c41eb41dda19efdb5169975e1ecb7d5ee283f918d55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SGM5U203.txt
MD5
b55da42c82c0dd09c01f9c273273ae0d

SHA1
16fdbd085eb621007ddecd1280267b617e1a733a

SHA256
94493e081abaa861562f0ed80c6f3f56cb57b7ef60d4cb8fe548ac30dbcbcb43

SHA512
82ac47b2eeb20bcec12e38d04bceda981e3c6161d17151a54a76030678930ec70b22760c30eae69267dcfdcaab453428afa0ea65f1b89d6a8cfa0f084796e140

Download Submit
C:\Users\Admin\Sugaryse\benzinforh.exe
MD5
43927d58e211d5a2d2670bf46b1d9884

SHA1
89dba75b13a506ee5042b5636c06555baf85050c

SHA256
a6cc856405546af76f769ae3148e782571675af436ae9701c17d081266d6c835

SHA512
12982c56cf7b9864b60829336b4c33a1caee4061fccf434fa9809f71b3259c3823cb6786656d639bc0fabe0a683793df4a6ba34d9f35b47801688b3f28bb5521

Download Submit
C:\Users\Admin\Sugaryse\benzinforh.exe
MD5
43927d58e211d5a2d2670bf46b1d9884

SHA1
89dba75b13a506ee5042b5636c06555baf85050c

SHA256
a6cc856405546af76f769ae3148e782571675af436ae9701c17d081266d6c835

SHA512
12982c56cf7b9864b60829336b4c33a1caee4061fccf434fa9809f71b3259c3823cb6786656d639bc0fabe0a683793df4a6ba34d9f35b47801688b3f28bb5521

Download Submit
C:\Users\Admin\Sugaryse\benzinforh.exe
MD5
43927d58e211d5a2d2670bf46b1d9884

SHA1
89dba75b13a506ee5042b5636c06555baf85050c

SHA256
a6cc856405546af76f769ae3148e782571675af436ae9701c17d081266d6c835

SHA512
12982c56cf7b9864b60829336b4c33a1caee4061fccf434fa9809f71b3259c3823cb6786656d639bc0fabe0a683793df4a6ba34d9f35b47801688b3f28bb5521

Download Submit
C:\Users\Admin\Sugaryse\benzinforh.exe
MD5
43927d58e211d5a2d2670bf46b1d9884

SHA1
89dba75b13a506ee5042b5636c06555baf85050c

SHA256
a6cc856405546af76f769ae3148e782571675af436ae9701c17d081266d6c835

SHA512
12982c56cf7b9864b60829336b4c33a1caee4061fccf434fa9809f71b3259c3823cb6786656d639bc0fabe0a683793df4a6ba34d9f35b47801688b3f28bb5521

Download Submit
C:\Users\Admin\Sugaryse\benzinforh.exe
MD5
43927d58e211d5a2d2670bf46b1d9884

SHA1
89dba75b13a506ee5042b5636c06555baf85050c

SHA256
a6cc856405546af76f769ae3148e782571675af436ae9701c17d081266d6c835

SHA512
12982c56cf7b9864b60829336b4c33a1caee4061fccf434fa9809f71b3259c3823cb6786656d639bc0fabe0a683793df4a6ba34d9f35b47801688b3f28bb5521

Download Submit
C:\Users\Admin\Sugaryse\benzinforh.exe
MD5
43927d58e211d5a2d2670bf46b1d9884

SHA1
89dba75b13a506ee5042b5636c06555baf85050c

SHA256
a6cc856405546af76f769ae3148e782571675af436ae9701c17d081266d6c835

SHA512
12982c56cf7b9864b60829336b4c33a1caee4061fccf434fa9809f71b3259c3823cb6786656d639bc0fabe0a683793df4a6ba34d9f35b47801688b3f28bb5521

Download Submit
C:\Users\Admin\Sugaryse\benzinforh.vbs
MD5
b2f77fbcd220c98436c0c42b0d0fb01f

SHA1
3f3b0cd67cae27cad373ca5af477e0ab00d11515

SHA256
6457cced6b0101ae70e6c281ee5813578a30486a61433c03df3fac9d2ca681de

SHA512
510a2743bcf216196f19813daaf85257686202a912426f30cad0a3459a75949d810016e25187a07abe345836c6c2eab849d46333e0d948952f3686a8b2d561c0

Download Submit
C:\Users\Admin\Sugaryse\benzinforh.vbs
MD5
b2f77fbcd220c98436c0c42b0d0fb01f

SHA1
3f3b0cd67cae27cad373ca5af477e0ab00d11515

SHA256
6457cced6b0101ae70e6c281ee5813578a30486a61433c03df3fac9d2ca681de

SHA512
510a2743bcf216196f19813daaf85257686202a912426f30cad0a3459a75949d810016e25187a07abe345836c6c2eab849d46333e0d948952f3686a8b2d561c0

Download Submit
C:\Users\Admin\Sugaryse\dwn.exe
MD5
daeefcc7e346e447891d46b6611aa5be

SHA1
9dfc5d1e7f5276eb125a2d551ff1738ffd61802d

SHA256
14591bdae3b5e9cf9988efa782bf96425851dad41c83d4644732b73e02d8d3b1

SHA512
5cf5ecd8282d0c3e4b584bb1e695a344180d9c9c05613c1f47b51bfc16fdd15461bfbe28869cd8a1b49ab81a0e142a0dda27d8197fcaad640c9d5f9575788565

Download Submit
C:\Users\Admin\Sugaryse\dwn.exe
MD5
daeefcc7e346e447891d46b6611aa5be

SHA1
9dfc5d1e7f5276eb125a2d551ff1738ffd61802d

SHA256
14591bdae3b5e9cf9988efa782bf96425851dad41c83d4644732b73e02d8d3b1

SHA512
5cf5ecd8282d0c3e4b584bb1e695a344180d9c9c05613c1f47b51bfc16fdd15461bfbe28869cd8a1b49ab81a0e142a0dda27d8197fcaad640c9d5f9575788565

Download Submit
C:\Users\Admin\Sugaryse\dwn.exe
MD5
daeefcc7e346e447891d46b6611aa5be

SHA1
9dfc5d1e7f5276eb125a2d551ff1738ffd61802d

SHA256
14591bdae3b5e9cf9988efa782bf96425851dad41c83d4644732b73e02d8d3b1

SHA512
5cf5ecd8282d0c3e4b584bb1e695a344180d9c9c05613c1f47b51bfc16fdd15461bfbe28869cd8a1b49ab81a0e142a0dda27d8197fcaad640c9d5f9575788565

Download Submit
\Users\Admin\Sugaryse\benzinforh.exe
MD5
43927d58e211d5a2d2670bf46b1d9884

SHA1
89dba75b13a506ee5042b5636c06555baf85050c

SHA256
a6cc856405546af76f769ae3148e782571675af436ae9701c17d081266d6c835

SHA512
12982c56cf7b9864b60829336b4c33a1caee4061fccf434fa9809f71b3259c3823cb6786656d639bc0fabe0a683793df4a6ba34d9f35b47801688b3f28bb5521

Download Submit
\Users\Admin\Sugaryse\benzinforh.exe
MD5
43927d58e211d5a2d2670bf46b1d9884

SHA1
89dba75b13a506ee5042b5636c06555baf85050c

SHA256
a6cc856405546af76f769ae3148e782571675af436ae9701c17d081266d6c835

SHA512
12982c56cf7b9864b60829336b4c33a1caee4061fccf434fa9809f71b3259c3823cb6786656d639bc0fabe0a683793df4a6ba34d9f35b47801688b3f28bb5521

Download Submit
\Users\Admin\Sugaryse\dwn.exe
MD5
daeefcc7e346e447891d46b6611aa5be

SHA1
9dfc5d1e7f5276eb125a2d551ff1738ffd61802d

SHA256
14591bdae3b5e9cf9988efa782bf96425851dad41c83d4644732b73e02d8d3b1

SHA512
5cf5ecd8282d0c3e4b584bb1e695a344180d9c9c05613c1f47b51bfc16fdd15461bfbe28869cd8a1b49ab81a0e142a0dda27d8197fcaad640c9d5f9575788565

Download Submit
\Users\Admin\Sugaryse\dwn.exe
MD5
daeefcc7e346e447891d46b6611aa5be

SHA1
9dfc5d1e7f5276eb125a2d551ff1738ffd61802d

SHA256
14591bdae3b5e9cf9988efa782bf96425851dad41c83d4644732b73e02d8d3b1

SHA512
5cf5ecd8282d0c3e4b584bb1e695a344180d9c9c05613c1f47b51bfc16fdd15461bfbe28869cd8a1b49ab81a0e142a0dda27d8197fcaad640c9d5f9575788565

Download Submit
memory/1864-10-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1864-9-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1920-23-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1920-13-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1984-27-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1984-26-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1984-21-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2012-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2012-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2012-18-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download