remcos | 77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d

General

Target

77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
Size

119KB
MD5

a257f126fda7ec1745bbbdb0ecb97dce
SHA1

354cda5f58ff5828c9ce38b95f3c6d4aa6f59f6e
SHA256

77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d
SHA512

36ed37c96165672c49aa1b5d83988eda5063372bbbb1bf6f4c21868b80cd062895c94e9653ca2de30bbd2c55696ca12bfa744f1aacd500bdc9665c1d7827c5f2

Score

10^/10

remcos lockdown open evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Lockdown Open

C2

ascoitaliasa.duckdns.org:4046

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Windows logoff sound.exe
copy_folder
Microsoft Media
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Windows Audio
keylog_path
%AppData%
mouse_option
false
mutex
Window Audio
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
Window sound
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
Password;Username;proformer;invoice;notepad

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 2 IoCs

Processes:

Windows logoff sound.exeWindows logoff sound.exe

pid process

1716 Windows logoff sound.exe
616 Windows logoff sound.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

560 cmd.exe

pid	process
1716	Windows logoff sound.exe
616	Windows logoff sound.exe

pid	process
560	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exeWindows logoff sound.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Window sound = "\"C:\\Windows\\Microsoft Media\\Windows logoff sound.exe\""	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Windows logoff sound.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Window sound = "\"C:\\Windows\\Microsoft Media\\Windows logoff sound.exe\""	Windows logoff sound.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exeWindows logoff sound.exeWindows logoff sound.exe

description	pid	process	target process
PID 1972 set thread context of 1516	1972	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
PID 1716 set thread context of 616	1716	Windows logoff sound.exe	Windows logoff sound.exe
PID 616 set thread context of 1720	616	Windows logoff sound.exe	iexplore.exe

Drops file in Windows directory 3 IoCs

Processes:

77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe

description	ioc	process
File created	C:\Windows\Microsoft Media\Windows logoff sound.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
File opened for modification	C:\Windows\Microsoft Media\Windows logoff sound.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
File opened for modification	C:\Windows\Microsoft Media	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3FAFD061-D89B-11EC-B7F1-DEAEF166B17F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c00000000020000000000106600000001000020000000617c161b1bd85d15c69dc70982a362c06aeb199c499754bb3f90ceb8d469494e000000000e8000000002000020000000d0a2a227420670a12e31b3dcdc1016697888369826157fb11788720827deb141900000009f49afad9dbafc1a1ce6c66b3a62453efa26c7c1d89e3d3caf57c15988f60f5192d616ac33928323d199530eab72c5fce15fbc9d48dfa8dc46cd7e026fb71ec7001ec88c6f46f3a46bb9459407f4e7a966314316e4573474eeca7b81fd1686abf7fc8ea680f44bcdd33f3667372e295672a2903cd1b65a08fd9e8102387c0db655696e145ff0378593330575d2b8ba8c400000004201ca87a50f05ecdd70d7c6d4594745f8ac1f34a7e394908d2595a3beeb17d37cdc961b4d08e8335bda4918506f6c5e2afa69683b3e316d1665775016287d6c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10994621a86cd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c00000000020000000000106600000001000020000000eb0202c5ea2405425f584b6bb0ac40dbf151b54faab1a3d8e45236a39df3e2a0000000000e8000000002000020000000c12374fd49dd6fb0367fc8c7709492aeda01966750b205fdc2ba17137b52d10520000000ad8f3516583193822cdaf29c453bcce61e216fe675b6b629a5aa675c6d702836400000007f4a2a46aa3161c1b32d4ccbd43a1eaf81b43d0ab3a9cbb569a7c0f80eb6ef2fdd4d24216a0522116d855aa17115f1611419fde9de87c1f43f3a8f7c8a9f074d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1152 reg.exe
1532 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1896 PING.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

432 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

432 iexplore.exe
432 iexplore.exe
1584 IEXPLORE.EXE
1584 IEXPLORE.EXE
1584 IEXPLORE.EXE
1584 IEXPLORE.EXE

pid	process
1152	reg.exe
1532	reg.exe

pid	process
1896	PING.EXE

pid	process
432	iexplore.exe

pid	process
432	iexplore.exe
432	iexplore.exe
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.execmd.execmd.exeWindows logoff sound.exeWindows logoff sound.execmd.exeiexplore.exe

description	pid	process	target process
PID 1972 wrote to memory of 1516	1972	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
PID 1972 wrote to memory of 1516	1972	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
PID 1972 wrote to memory of 1516	1972	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
PID 1972 wrote to memory of 1516	1972	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
PID 1972 wrote to memory of 1516	1972	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
PID 1972 wrote to memory of 1516	1972	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
PID 1972 wrote to memory of 1516	1972	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
PID 1972 wrote to memory of 1516	1972	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
PID 1972 wrote to memory of 1516	1972	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
PID 1972 wrote to memory of 1516	1972	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
PID 1516 wrote to memory of 1768	1516	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	cmd.exe
PID 1516 wrote to memory of 1768	1516	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	cmd.exe
PID 1516 wrote to memory of 1768	1516	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	cmd.exe
PID 1516 wrote to memory of 1768	1516	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	cmd.exe
PID 1768 wrote to memory of 1152	1768	cmd.exe	reg.exe
PID 1768 wrote to memory of 1152	1768	cmd.exe	reg.exe
PID 1768 wrote to memory of 1152	1768	cmd.exe	reg.exe
PID 1768 wrote to memory of 1152	1768	cmd.exe	reg.exe
PID 1516 wrote to memory of 560	1516	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	cmd.exe
PID 1516 wrote to memory of 560	1516	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	cmd.exe
PID 1516 wrote to memory of 560	1516	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	cmd.exe
PID 1516 wrote to memory of 560	1516	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	cmd.exe
PID 1516 wrote to memory of 560	1516	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	cmd.exe
PID 1516 wrote to memory of 560	1516	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	cmd.exe
PID 1516 wrote to memory of 560	1516	77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe	cmd.exe
PID 560 wrote to memory of 1896	560	cmd.exe	PING.EXE
PID 560 wrote to memory of 1896	560	cmd.exe	PING.EXE
PID 560 wrote to memory of 1896	560	cmd.exe	PING.EXE
PID 560 wrote to memory of 1896	560	cmd.exe	PING.EXE
PID 560 wrote to memory of 1716	560	cmd.exe	Windows logoff sound.exe
PID 560 wrote to memory of 1716	560	cmd.exe	Windows logoff sound.exe
PID 560 wrote to memory of 1716	560	cmd.exe	Windows logoff sound.exe
PID 560 wrote to memory of 1716	560	cmd.exe	Windows logoff sound.exe
PID 1716 wrote to memory of 616	1716	Windows logoff sound.exe	Windows logoff sound.exe
PID 1716 wrote to memory of 616	1716	Windows logoff sound.exe	Windows logoff sound.exe
PID 1716 wrote to memory of 616	1716	Windows logoff sound.exe	Windows logoff sound.exe
PID 1716 wrote to memory of 616	1716	Windows logoff sound.exe	Windows logoff sound.exe
PID 1716 wrote to memory of 616	1716	Windows logoff sound.exe	Windows logoff sound.exe
PID 1716 wrote to memory of 616	1716	Windows logoff sound.exe	Windows logoff sound.exe
PID 1716 wrote to memory of 616	1716	Windows logoff sound.exe	Windows logoff sound.exe
PID 1716 wrote to memory of 616	1716	Windows logoff sound.exe	Windows logoff sound.exe
PID 1716 wrote to memory of 616	1716	Windows logoff sound.exe	Windows logoff sound.exe
PID 1716 wrote to memory of 616	1716	Windows logoff sound.exe	Windows logoff sound.exe
PID 616 wrote to memory of 1752	616	Windows logoff sound.exe	cmd.exe
PID 616 wrote to memory of 1752	616	Windows logoff sound.exe	cmd.exe
PID 616 wrote to memory of 1752	616	Windows logoff sound.exe	cmd.exe
PID 616 wrote to memory of 1752	616	Windows logoff sound.exe	cmd.exe
PID 1752 wrote to memory of 1532	1752	cmd.exe	reg.exe
PID 1752 wrote to memory of 1532	1752	cmd.exe	reg.exe
PID 1752 wrote to memory of 1532	1752	cmd.exe	reg.exe
PID 1752 wrote to memory of 1532	1752	cmd.exe	reg.exe
PID 616 wrote to memory of 1720	616	Windows logoff sound.exe	iexplore.exe
PID 616 wrote to memory of 1720	616	Windows logoff sound.exe	iexplore.exe
PID 616 wrote to memory of 1720	616	Windows logoff sound.exe	iexplore.exe
PID 616 wrote to memory of 1720	616	Windows logoff sound.exe	iexplore.exe
PID 616 wrote to memory of 1720	616	Windows logoff sound.exe	iexplore.exe
PID 616 wrote to memory of 1720	616	Windows logoff sound.exe	iexplore.exe
PID 616 wrote to memory of 1720	616	Windows logoff sound.exe	iexplore.exe
PID 616 wrote to memory of 1720	616	Windows logoff sound.exe	iexplore.exe
PID 616 wrote to memory of 1720	616	Windows logoff sound.exe	iexplore.exe
PID 1720 wrote to memory of 432	1720	iexplore.exe	iexplore.exe
PID 1720 wrote to memory of 432	1720	iexplore.exe	iexplore.exe
PID 1720 wrote to memory of 432	1720	iexplore.exe	iexplore.exe
PID 1720 wrote to memory of 432	1720	iexplore.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
"C:\Users\Admin\AppData\Local\Temp\77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d.exe
"{path}"
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- Modifies registry key
PID:1152

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:1896

C:\Windows\Microsoft Media\Windows logoff sound.exe
"C:\Windows\Microsoft Media\Windows logoff sound.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\Microsoft Media\Windows logoff sound.exe
"{path}"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
7⤵
- Modifies registry key
PID:1532

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
7⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:432

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:432 CREDAT:275457 /prefetch:2
8⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1b4wh1e\imagestore.dat

Filesize
21KB

MD5
4ca02529103eb488098394aa260ae82a

SHA1
6c0132734397e534aa7487e4d370762b38cd8942

SHA256
ec9edc65f2e37204400cf90c4739f9b938fff7e461e9b2222063350b2d576ec1

SHA512
20958c2e37f4f9385fbe36ffeb8c97dd4857d6f839620bf34de061b8c6d8cd0e60993ffd5a0a6dc71bb66917003b65c27c277efe4f57dee17ed7150fd02f200e

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
102B

MD5
d65c998bd7769229c5cd6c8a1ae4b639

SHA1
59afa2c156d6d670d8e87d61756b814d3bc19bb3

SHA256
bac6c33f44976bb615821bb75ab53cbb8c34d53a00246f68f62b255ef0ba1d7f

SHA512
a56827185f39b896555ddd52391235b9a93e79c269674bf1db729abe728e452ecee1a42749352e12c7261eb114bb66add062cb41f367d5e971ea406bfc831895

Download Submit
C:\Windows\Microsoft Media\Windows logoff sound.exe

Filesize
119KB

MD5
a257f126fda7ec1745bbbdb0ecb97dce

SHA1
354cda5f58ff5828c9ce38b95f3c6d4aa6f59f6e

SHA256
77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d

SHA512
36ed37c96165672c49aa1b5d83988eda5063372bbbb1bf6f4c21868b80cd062895c94e9653ca2de30bbd2c55696ca12bfa744f1aacd500bdc9665c1d7827c5f2

Download Submit
C:\Windows\Microsoft Media\Windows logoff sound.exe

Filesize
119KB

MD5
a257f126fda7ec1745bbbdb0ecb97dce

SHA1
354cda5f58ff5828c9ce38b95f3c6d4aa6f59f6e

SHA256
77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d

SHA512
36ed37c96165672c49aa1b5d83988eda5063372bbbb1bf6f4c21868b80cd062895c94e9653ca2de30bbd2c55696ca12bfa744f1aacd500bdc9665c1d7827c5f2

Download Submit
C:\Windows\Microsoft Media\Windows logoff sound.exe

Filesize
119KB

MD5
a257f126fda7ec1745bbbdb0ecb97dce

SHA1
354cda5f58ff5828c9ce38b95f3c6d4aa6f59f6e

SHA256
77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d

SHA512
36ed37c96165672c49aa1b5d83988eda5063372bbbb1bf6f4c21868b80cd062895c94e9653ca2de30bbd2c55696ca12bfa744f1aacd500bdc9665c1d7827c5f2

Download Submit
\Windows\Microsoft Media\Windows logoff sound.exe

Filesize
119KB

MD5
a257f126fda7ec1745bbbdb0ecb97dce

SHA1
354cda5f58ff5828c9ce38b95f3c6d4aa6f59f6e

SHA256
77ac51b18cd4a709780da4ca82a3f3a82d18600b9cbb9933f0dcf8dbe117872d

SHA512
36ed37c96165672c49aa1b5d83988eda5063372bbbb1bf6f4c21868b80cd062895c94e9653ca2de30bbd2c55696ca12bfa744f1aacd500bdc9665c1d7827c5f2

Download Submit
memory/560-71-0x0000000000000000-mapping.dmp

Download
memory/616-88-0x000000000040FD88-mapping.dmp

Download
memory/616-95-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/616-92-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1152-70-0x0000000000000000-mapping.dmp

Download
memory/1516-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1516-56-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1516-64-0x000000000040FD88-mapping.dmp

Download
memory/1516-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1516-67-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1516-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1516-59-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1516-57-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1516-69-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1532-94-0x0000000000000000-mapping.dmp

Download
memory/1716-79-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/1716-76-0x0000000000000000-mapping.dmp

Download
memory/1752-93-0x0000000000000000-mapping.dmp

Download
memory/1768-68-0x0000000000000000-mapping.dmp

Download
memory/1896-73-0x0000000000000000-mapping.dmp

Download
memory/1972-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1972-55-0x0000000074D60000-0x000000007530B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads