remcos | 9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d

General

Target

9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe
Size

321KB
MD5

efd7d49d7985282a6049b308965c1888
SHA1

308ccb6f12c0f3c456c57051f691e929edf13a9e
SHA256

9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d
SHA512

8ca78873323ed7d56b6f610227bb40d30883db1ba3dbee7a322872ab091a21b58dd52e762d00ea3d4eee7416c24400cac07743e21597d61bff5e83c1a7cacc21
SSDEEP

6144:BrJOumSn1I+U5F5WTLErZ0ySwNNZFnKZ8+0nAbSfOL/+H0mjYawdF1Ust:KumSnm+U5F5WTLErZ0PwnySmL/+UmjY4

Score

10^/10

remcos remotehost evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Version

2.4.7 Pro

Botnet

RemoteHost

C2

okkkk1.ddns.net:4444

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
true
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-9WWA88
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Executes dropped EXE 2 IoCs

Processes:

render.exerender.exe

pid process

612 render.exe
1404 render.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
612	render.exe
1404	render.exe

Drops startup file 5 IoCs

Processes:

cmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe\:Zone.Identifier:$DATA	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe:Zone.Identifier	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exerender.exe

pid process

1200 cmd.exe
612 render.exe

pid	process
1200	cmd.exe
612	render.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

render.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\render.exe -boot"	render.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

render.exerender.exe

description	pid	process	target process
PID 612 set thread context of 1404	612	render.exe	render.exe
PID 1404 set thread context of 1860	1404	render.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{19E2A091-7267-11ED-95AE-5A5CFA1077B6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

304 reg.exe

pid	process
304	reg.exe

NTFS ADS 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe:Zone.Identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exerender.exe

description	pid	process
Token: SeDebugPrivilege	564	9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe
Token: SeDebugPrivilege	612	render.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1528 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1528 iexplore.exe
1528 iexplore.exe
1092 IEXPLORE.EXE
1092 IEXPLORE.EXE
1092 IEXPLORE.EXE
1092 IEXPLORE.EXE

pid	process
1528	iexplore.exe

pid	process
1528	iexplore.exe
1528	iexplore.exe
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.execmd.exerender.exerender.execmd.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 564 wrote to memory of 596	564	9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe	cmd.exe
PID 564 wrote to memory of 596	564	9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe	cmd.exe
PID 564 wrote to memory of 596	564	9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe	cmd.exe
PID 564 wrote to memory of 596	564	9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe	cmd.exe
PID 564 wrote to memory of 1684	564	9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe	cmd.exe
PID 564 wrote to memory of 1684	564	9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe	cmd.exe
PID 564 wrote to memory of 1684	564	9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe	cmd.exe
PID 564 wrote to memory of 1684	564	9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe	cmd.exe
PID 564 wrote to memory of 292	564	9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe	cmd.exe
PID 564 wrote to memory of 292	564	9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe	cmd.exe
PID 564 wrote to memory of 292	564	9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe	cmd.exe
PID 564 wrote to memory of 292	564	9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe	cmd.exe
PID 564 wrote to memory of 1200	564	9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe	cmd.exe
PID 564 wrote to memory of 1200	564	9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe	cmd.exe
PID 564 wrote to memory of 1200	564	9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe	cmd.exe
PID 564 wrote to memory of 1200	564	9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe	cmd.exe
PID 1200 wrote to memory of 612	1200	cmd.exe	render.exe
PID 1200 wrote to memory of 612	1200	cmd.exe	render.exe
PID 1200 wrote to memory of 612	1200	cmd.exe	render.exe
PID 1200 wrote to memory of 612	1200	cmd.exe	render.exe
PID 612 wrote to memory of 2012	612	render.exe	cmd.exe
PID 612 wrote to memory of 2012	612	render.exe	cmd.exe
PID 612 wrote to memory of 2012	612	render.exe	cmd.exe
PID 612 wrote to memory of 2012	612	render.exe	cmd.exe
PID 612 wrote to memory of 1816	612	render.exe	cmd.exe
PID 612 wrote to memory of 1816	612	render.exe	cmd.exe
PID 612 wrote to memory of 1816	612	render.exe	cmd.exe
PID 612 wrote to memory of 1816	612	render.exe	cmd.exe
PID 612 wrote to memory of 1404	612	render.exe	render.exe
PID 612 wrote to memory of 1404	612	render.exe	render.exe
PID 612 wrote to memory of 1404	612	render.exe	render.exe
PID 612 wrote to memory of 1404	612	render.exe	render.exe
PID 612 wrote to memory of 1404	612	render.exe	render.exe
PID 612 wrote to memory of 1404	612	render.exe	render.exe
PID 612 wrote to memory of 1404	612	render.exe	render.exe
PID 612 wrote to memory of 1404	612	render.exe	render.exe
PID 612 wrote to memory of 1404	612	render.exe	render.exe
PID 612 wrote to memory of 1404	612	render.exe	render.exe
PID 612 wrote to memory of 1404	612	render.exe	render.exe
PID 1404 wrote to memory of 1868	1404	render.exe	cmd.exe
PID 1404 wrote to memory of 1868	1404	render.exe	cmd.exe
PID 1404 wrote to memory of 1868	1404	render.exe	cmd.exe
PID 1404 wrote to memory of 1868	1404	render.exe	cmd.exe
PID 1404 wrote to memory of 1860	1404	render.exe	iexplore.exe
PID 1404 wrote to memory of 1860	1404	render.exe	iexplore.exe
PID 1404 wrote to memory of 1860	1404	render.exe	iexplore.exe
PID 1404 wrote to memory of 1860	1404	render.exe	iexplore.exe
PID 1404 wrote to memory of 1860	1404	render.exe	iexplore.exe
PID 1404 wrote to memory of 1860	1404	render.exe	iexplore.exe
PID 1404 wrote to memory of 1860	1404	render.exe	iexplore.exe
PID 1404 wrote to memory of 1860	1404	render.exe	iexplore.exe
PID 1404 wrote to memory of 1860	1404	render.exe	iexplore.exe
PID 1868 wrote to memory of 304	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 304	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 304	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 304	1868	cmd.exe	reg.exe
PID 1860 wrote to memory of 1528	1860	iexplore.exe	iexplore.exe
PID 1860 wrote to memory of 1528	1860	iexplore.exe	iexplore.exe
PID 1860 wrote to memory of 1528	1860	iexplore.exe	iexplore.exe
PID 1860 wrote to memory of 1528	1860	iexplore.exe	iexplore.exe
PID 1528 wrote to memory of 1092	1528	iexplore.exe	IEXPLORE.EXE
PID 1528 wrote to memory of 1092	1528	iexplore.exe	IEXPLORE.EXE
PID 1528 wrote to memory of 1092	1528	iexplore.exe	IEXPLORE.EXE
PID 1528 wrote to memory of 1092	1528	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe
"C:\Users\Admin\AppData\Local\Temp\9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe:Zone.Identifier"
2⤵
- NTFS ADS
PID:596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe:Zone.Identifier"
2⤵
- NTFS ADS
PID:1684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe"
2⤵
- Drops startup file
PID:292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe:Zone.Identifier"
4⤵
- Drops startup file
PID:2012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe:Zone.Identifier"
4⤵
- Drops startup file
PID:1816

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
5⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
- UAC bypass
- Modifies registry key
PID:304

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1528

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:275457 /prefetch:2
7⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

4

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe
Filesize
321KB

MD5
efd7d49d7985282a6049b308965c1888

SHA1
308ccb6f12c0f3c456c57051f691e929edf13a9e

SHA256
9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d

SHA512
8ca78873323ed7d56b6f610227bb40d30883db1ba3dbee7a322872ab091a21b58dd52e762d00ea3d4eee7416c24400cac07743e21597d61bff5e83c1a7cacc21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe
Filesize
321KB

MD5
efd7d49d7985282a6049b308965c1888

SHA1
308ccb6f12c0f3c456c57051f691e929edf13a9e

SHA256
9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d

SHA512
8ca78873323ed7d56b6f610227bb40d30883db1ba3dbee7a322872ab091a21b58dd52e762d00ea3d4eee7416c24400cac07743e21597d61bff5e83c1a7cacc21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe
Filesize
321KB

MD5
efd7d49d7985282a6049b308965c1888

SHA1
308ccb6f12c0f3c456c57051f691e929edf13a9e

SHA256
9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d

SHA512
8ca78873323ed7d56b6f610227bb40d30883db1ba3dbee7a322872ab091a21b58dd52e762d00ea3d4eee7416c24400cac07743e21597d61bff5e83c1a7cacc21

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe
Filesize
321KB

MD5
efd7d49d7985282a6049b308965c1888

SHA1
308ccb6f12c0f3c456c57051f691e929edf13a9e

SHA256
9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d

SHA512
8ca78873323ed7d56b6f610227bb40d30883db1ba3dbee7a322872ab091a21b58dd52e762d00ea3d4eee7416c24400cac07743e21597d61bff5e83c1a7cacc21

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe
Filesize
321KB

MD5
efd7d49d7985282a6049b308965c1888

SHA1
308ccb6f12c0f3c456c57051f691e929edf13a9e

SHA256
9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d

SHA512
8ca78873323ed7d56b6f610227bb40d30883db1ba3dbee7a322872ab091a21b58dd52e762d00ea3d4eee7416c24400cac07743e21597d61bff5e83c1a7cacc21

Download Submit
memory/292-61-0x0000000000000000-mapping.dmp

Download
memory/304-90-0x0000000000000000-mapping.dmp

Download
memory/564-58-0x0000000002130000-0x0000000002138000-memory.dmp

Filesize
32KB

Download
memory/564-60-0x0000000002140000-0x000000000214C000-memory.dmp

Filesize
48KB

Download
memory/564-56-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/564-55-0x0000000000360000-0x000000000038A000-memory.dmp

Filesize
168KB

Download
memory/564-54-0x00000000003D0000-0x0000000000426000-memory.dmp

Filesize
344KB

Download
memory/596-57-0x0000000000000000-mapping.dmp

Download
memory/612-65-0x0000000000000000-mapping.dmp

Download
memory/612-67-0x0000000000870000-0x00000000008C6000-memory.dmp

Filesize
344KB

Download
memory/612-71-0x00000000047D0000-0x00000000047DC000-memory.dmp

Filesize
48KB

Download
memory/1200-62-0x0000000000000000-mapping.dmp

Download
memory/1404-78-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1404-87-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1404-74-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1404-76-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1404-89-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1404-79-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1404-80-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1404-82-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1404-83-0x00000000004139C4-mapping.dmp

Download
memory/1404-73-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1684-59-0x0000000000000000-mapping.dmp

Download
memory/1816-70-0x0000000000000000-mapping.dmp

Download
memory/1868-88-0x0000000000000000-mapping.dmp

Download
memory/2012-69-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads