remcos | 7255c52bd792b4078fb2bc5924259cc3becada28ea69afb76f26a7b2eb2f28cd

Analysis

max time kernel
149s
max time network
101s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02-02-2023 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.3MB
MD5

90eb893c66efe4e796330b770c4d8d93
SHA1

8922081a55722db249b05f132e1040d3c50d1354
SHA256

7255c52bd792b4078fb2bc5924259cc3becada28ea69afb76f26a7b2eb2f28cd
SHA512

0cda9bb881c11c8ba3e606c2598e85d217411db3dfdf35b37225bc3db5683c1805743d364a07b92ceded0877efc2ef5aa4d4ef35aeb6711b17af397bac08e1e6
SSDEEP

24576:9TbBv5rUeTwPmcZScRR2O0nCmLNLIgiB5TGrC003Svlxi6K7nY:XBvws551xLIhzH3Svfi6KE

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

185.246.220.63:3689

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7SGYUR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Drops startup file 1 IoCs

Processes:

ONENOTE.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk	ONENOTE.EXE

Executes dropped EXE 1 IoCs

Processes:

budqfkigs.exe

pid process

824 budqfkigs.exe
Loads dropped DLL 1 IoCs

Processes:

wscript.exe

pid process

568 wscript.exe

pid	process
824	budqfkigs.exe

pid	process
568	wscript.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

budqfkigs.exeRegSvcs.exe

description	pid	process	target process
PID 824 set thread context of 1704	824	budqfkigs.exe	RegSvcs.exe
PID 1704 set thread context of 1104	1704	RegSvcs.exe	iexplore.exe

Drops file in Program Files directory 5 IoCs

Processes:

ONENOTE.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE	ONENOTE.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE	ONENOTE.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE	ONENOTE.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE	ONENOTE.EXE
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE	ONENOTE.EXE

Drops file in Windows directory 1 IoCs

Processes:

ONENOTE.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log ONENOTE.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	ONENOTE.EXE

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeONENOTE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af00000000020000000000106600000001000020000000b92f08b2f90e83f76fc9a2dc1913c63da94592bdf450cd9853af4f03af080d38000000000e800000000200002000000009c492e074857e991f781bfda932013c292c74c832fc1839e96fa383a05a0bf490000000715d3c1aa24e9fccdc54c59eee63d9531042826d783ac64af993eea983eea1263d88dfa741ea7924ec089fcc208c042b9e7dada251ae9b328043a33de512a7a80cee693f225f3e28575a258dcf0e018d39495f3b13ac95792db03f5cd9109088d46095ebf6dc4cf9d187ca28154d668ef9926f2e8cc4dc0377a53f6d8ccaefc70d32a8478fb4c20408a382471cd3e07f40000000a5625e28b990efde6bb93171bfa64c0671f7a5e1811c6013adafbb2781da01fe2a31ea447c394b9862f0e1f505601fea4f71252fd2448a594c902089539fbfe1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	ONENOTE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	ONENOTE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	ONENOTE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	ONENOTE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	ONENOTE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	ONENOTE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "382125874"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt	ONENOTE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	ONENOTE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7013ec7a3037d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	ONENOTE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af00000000020000000000106600000001000020000000a231901acf83ab3c9bf3cdf3661cd111bcea9609a72b877e16526edec3ecdceb000000000e8000000002000020000000e09ba7dee023813a68f7a8d543e600ae74e80c8418fd41cff488fb3371c6bbd620000000c9fb750c1fda4abc3f2cebb0b3e30340fe218b68da594f743b1e1e1e0ce8880c40000000a94fad9465613b7a3138f9830111eb1ffd455b853a80e1cd3b84266ab5a6b356e618bdb1d0b52de0de698a8c017268063edf8279303701ca9136046627c0ad89	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A442CED1-A323-11ED-874D-7AEFAD47A2D2} = "0"	iexplore.exe

Modifies registry class 6 IoCs

Processes:

ONENOTE.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0EA692EE-BB50-4E3C-AEF0-356D91732725}\1.0\ = "Microsoft OneNote 14.0 Object Library"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0EA692EE-BB50-4E3C-AEF0-356D91732725}\1.0\0\win32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONENOTE.EXE\\3"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E2E1511D-502D-4BD0-8B3A-8A89A05CDCAE}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2E1511D-502D-4BD0-8B3A-8A89A05CDCAE}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F2A7EE29-8BF6-4A6D-83F1-098E366C709C}\1.0\ = "Microsoft OneNote 12.0 Object Library"	ONENOTE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F2A7EE29-8BF6-4A6D-83F1-098E366C709C}\1.0\0\win32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONENOTE.EXE\\2"	ONENOTE.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

ONENOTE.EXE

pid process

900 ONENOTE.EXE
900 ONENOTE.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

RegSvcs.exe

pid process

1704 RegSvcs.exe

pid	process
1704	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ONENOTEM.EXEONENOTE.EXE

description	pid	process
Token: 33	1620	ONENOTEM.EXE
Token: SeIncBasePriorityPrivilege	1620	ONENOTEM.EXE
Token: 33	900	ONENOTE.EXE
Token: SeIncBasePriorityPrivilege	900	ONENOTE.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

ONENOTEM.EXEiexplore.exe

pid process

1620 ONENOTEM.EXE
832 iexplore.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

ONENOTEM.EXE

pid process

1620 ONENOTEM.EXE

pid	process
1620	ONENOTEM.EXE
832	iexplore.exe

pid	process
1620	ONENOTEM.EXE

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

ONENOTE.EXEiexplore.exeIEXPLORE.EXE

pid	process
900	ONENOTE.EXE
900	ONENOTE.EXE
900	ONENOTE.EXE
900	ONENOTE.EXE
900	ONENOTE.EXE
900	ONENOTE.EXE
900	ONENOTE.EXE
900	ONENOTE.EXE
900	ONENOTE.EXE
900	ONENOTE.EXE
900	ONENOTE.EXE
832	iexplore.exe
832	iexplore.exe
316	IEXPLORE.EXE
316	IEXPLORE.EXE
316	IEXPLORE.EXE
316	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

tmp.exewscript.exeONENOTE.EXEbudqfkigs.exeRegSvcs.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 1248 wrote to memory of 900	1248	tmp.exe	ONENOTE.EXE
PID 1248 wrote to memory of 900	1248	tmp.exe	ONENOTE.EXE
PID 1248 wrote to memory of 900	1248	tmp.exe	ONENOTE.EXE
PID 1248 wrote to memory of 900	1248	tmp.exe	ONENOTE.EXE
PID 1248 wrote to memory of 568	1248	tmp.exe	wscript.exe
PID 1248 wrote to memory of 568	1248	tmp.exe	wscript.exe
PID 1248 wrote to memory of 568	1248	tmp.exe	wscript.exe
PID 1248 wrote to memory of 568	1248	tmp.exe	wscript.exe
PID 568 wrote to memory of 824	568	wscript.exe	budqfkigs.exe
PID 568 wrote to memory of 824	568	wscript.exe	budqfkigs.exe
PID 568 wrote to memory of 824	568	wscript.exe	budqfkigs.exe
PID 568 wrote to memory of 824	568	wscript.exe	budqfkigs.exe
PID 900 wrote to memory of 1620	900	ONENOTE.EXE	ONENOTEM.EXE
PID 900 wrote to memory of 1620	900	ONENOTE.EXE	ONENOTEM.EXE
PID 900 wrote to memory of 1620	900	ONENOTE.EXE	ONENOTEM.EXE
PID 900 wrote to memory of 1620	900	ONENOTE.EXE	ONENOTEM.EXE
PID 824 wrote to memory of 1704	824	budqfkigs.exe	RegSvcs.exe
PID 824 wrote to memory of 1704	824	budqfkigs.exe	RegSvcs.exe
PID 824 wrote to memory of 1704	824	budqfkigs.exe	RegSvcs.exe
PID 824 wrote to memory of 1704	824	budqfkigs.exe	RegSvcs.exe
PID 824 wrote to memory of 1704	824	budqfkigs.exe	RegSvcs.exe
PID 824 wrote to memory of 1704	824	budqfkigs.exe	RegSvcs.exe
PID 824 wrote to memory of 1704	824	budqfkigs.exe	RegSvcs.exe
PID 824 wrote to memory of 1704	824	budqfkigs.exe	RegSvcs.exe
PID 824 wrote to memory of 1704	824	budqfkigs.exe	RegSvcs.exe
PID 1704 wrote to memory of 1104	1704	RegSvcs.exe	iexplore.exe
PID 1704 wrote to memory of 1104	1704	RegSvcs.exe	iexplore.exe
PID 1704 wrote to memory of 1104	1704	RegSvcs.exe	iexplore.exe
PID 1704 wrote to memory of 1104	1704	RegSvcs.exe	iexplore.exe
PID 1704 wrote to memory of 1104	1704	RegSvcs.exe	iexplore.exe
PID 1104 wrote to memory of 832	1104	iexplore.exe	iexplore.exe
PID 1104 wrote to memory of 832	1104	iexplore.exe	iexplore.exe
PID 1104 wrote to memory of 832	1104	iexplore.exe	iexplore.exe
PID 1104 wrote to memory of 832	1104	iexplore.exe	iexplore.exe
PID 832 wrote to memory of 316	832	iexplore.exe	IEXPLORE.EXE
PID 832 wrote to memory of 316	832	iexplore.exe	IEXPLORE.EXE
PID 832 wrote to memory of 316	832	iexplore.exe	IEXPLORE.EXE
PID 832 wrote to memory of 316	832	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1248

C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE" "C:\Users\Admin\AppData\Local\temp\Folder5_51\doc13496420221216084118.one"
2⤵
- Drops startup file
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:900

C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
/tsr
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1620

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" hije-videm.jpg.vbe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\Folder5_51\budqfkigs.exe
"C:\Users\Admin\AppData\Local\Temp\Folder5_51\budqfkigs.exe" bmbkimik.icm
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1704

\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:832 CREDAT:275457 /prefetch:2
7⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
03171ff1326f9efd6ebafd3b747d1e25

SHA1
cbfbe885b90f0bf7d490cd9fdebb1d8f9e120d49

SHA256
5f91468064da63016fb3e3f46eb1500b7035e1dd0da7771e2d75dda6ce97dacc

SHA512
ccd92809fe77f0f19895851204eb0b92f454b82e890a5de716e89941a14354f8bdd714f9d528827a1f0c7e1d02d522393553139f3be5e4f941c9777ccd9d1df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOLDER~1\XTOQLX~1.LKG
Filesize
868KB

MD5
35bc444640fc20fdc0684e881138893a

SHA1
68d4849f4ce3eb8f3f65a4e153ed8857e7e0df86

SHA256
34e8c732c5234e879eac49f04157b3481ca78a254a1684e5dbff03d50335e400

SHA512
0d1d31fed1c984a7296c64f07da6289af5c97a4c4c160b1d5e3ca2485fa0fe38f1a4df3a93cf91333eba9ffcaec2c07b92bd8332cf18f2f3b40a7b9b53900bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOLDER~1\tbgi.xml
Filesize
35KB

MD5
cc7e2e9d417bdaee212f6e989d1d172a

SHA1
a4e153ca711e875c1fa77eee6d4343018ad7ae52

SHA256
27efbbb8e5c10158fed09405ac7d4216f64dd8070e81e247a222f8581d47c791

SHA512
73361d1dfc4b2c8b781e21b6b5563e60c126c0ab27cfef5b4fa6dda431870cb07cbb131d21b45a453fae4e030c6b824a88ecc95b52cb66c102fb0c00304840e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder5_51\bmbkimik.icm
Filesize
122.5MB

MD5
02c4d23c2333210fab8f0cbe3387c4d8

SHA1
77a51294f080dda7cb8c0fe48e31d1cbc5390fa2

SHA256
91e6df1f33831c38ad032c39b95dfbf07694cd1960e0aeb6737b4fff909965b7

SHA512
064a3e23935164f2bb49c5b2eb8501588838a2be0725760b28d0c96e3f955866a0631b49006aa466650195de4cf4b285ca415133d054e96f4539a551e821fb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder5_51\budqfkigs.exe
Filesize
1.3MB

MD5
af42c158ed705fb237cd7b7d9cbe11c6

SHA1
76be2a5f19857b4f5df22791c6f0921a1693477c

SHA256
0c31954b57eee24a82d2eabbf865aac29e96c455e70f923a821712a3f9107753

SHA512
9bc60f17a66a45470347ef219927c8973aed25e0d3f7cd3657743c9faa5961bd8ed818bf7c97d0c73b02e7bb5461eadd8a7bb1266ec5c28e3c36fc30a39e9686

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder5_51\budqfkigs.exe
Filesize
1.3MB

MD5
af42c158ed705fb237cd7b7d9cbe11c6

SHA1
76be2a5f19857b4f5df22791c6f0921a1693477c

SHA256
0c31954b57eee24a82d2eabbf865aac29e96c455e70f923a821712a3f9107753

SHA512
9bc60f17a66a45470347ef219927c8973aed25e0d3f7cd3657743c9faa5961bd8ed818bf7c97d0c73b02e7bb5461eadd8a7bb1266ec5c28e3c36fc30a39e9686

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder5_51\doc13496420221216084118.one
Filesize
125KB

MD5
87cb81babc0fffdf8e78f61f474cb7c1

SHA1
38d26c532637f6a8688ecc1fa981188e59b04222

SHA256
41bc4cc472e0cb141c9eec4f6921bd0e02fadf1d05ee01e02b41fee28442533f

SHA512
2e4f475ae5e8696bdf97a3e4a162b695c1dfa39dc10b6c7518f4e645a2a959a7eb3bd629523b66afa4553a0e33e63f6aa59cf55f43e070e77a3bc936b8b8ddf7

Download Submit
C:\Users\Admin\AppData\Local\temp\Folder5_51\hije-videm.jpg.vbe
Filesize
59KB

MD5
ea8b8ddf5aa440aa2739570924081c61

SHA1
80960cd9e27208747ad8fbe285cfd744d252827a

SHA256
2762e6ca8be6c23699a1d2555239f618075e326df1a1efa4b327085295c947f4

SHA512
57a0ee5eed53475b7934c49547ee4377148836ea3c6a444449006fe8dfb11f1162a407ed73b2df6a006311d3b1fbfe97b8ba25f2c67f61ffd3d74e86f05e8b77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EU9WB2NQ.txt
Filesize
608B

MD5
5122a2dad4d8c4800a220630f03315a5

SHA1
46553560cdb64df2a82940f9f03cc6249dc99de9

SHA256
e7171d7a2971237eec032a867ab9741980d02a0415221da7f7c606faf17e6fea

SHA512
3e51911852351e9d9bcc27ac9edfdef95813953eae78a98a83d1cff12fbdcd5a2e2e1a2f6a6cac7ca8b90db5827f431cedf465cd87b4eab12d360c732b087856

Download Submit
\Users\Admin\AppData\Local\Temp\Folder5_51\budqfkigs.exe
Filesize
1.3MB

MD5
af42c158ed705fb237cd7b7d9cbe11c6

SHA1
76be2a5f19857b4f5df22791c6f0921a1693477c

SHA256
0c31954b57eee24a82d2eabbf865aac29e96c455e70f923a821712a3f9107753

SHA512
9bc60f17a66a45470347ef219927c8973aed25e0d3f7cd3657743c9faa5961bd8ed818bf7c97d0c73b02e7bb5461eadd8a7bb1266ec5c28e3c36fc30a39e9686

Download Submit
memory/568-57-0x0000000000000000-mapping.dmp

Download
memory/824-64-0x0000000000000000-mapping.dmp

Download
memory/900-56-0x0000000070A51000-0x0000000070A53000-memory.dmp

Filesize
8KB

Download
memory/900-73-0x0000000071A3D000-0x0000000071A48000-memory.dmp

Filesize
44KB

Download
memory/900-55-0x0000000000000000-mapping.dmp

Download
memory/900-60-0x0000000071A3D000-0x0000000071A48000-memory.dmp

Filesize
44KB

Download
memory/1104-81-0x00000000000C8356-mapping.dmp

Download
memory/1248-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1620-70-0x0000000000000000-mapping.dmp

Download
memory/1704-74-0x0000000000380000-0x0000000000A2C000-memory.dmp

Filesize
6.7MB

Download
memory/1704-76-0x0000000000380000-0x0000000000A2C000-memory.dmp

Filesize
6.7MB

Download
memory/1704-77-0x00000000003B2E48-mapping.dmp

Download
memory/1704-80-0x0000000000380000-0x0000000000A2C000-memory.dmp

Filesize
6.7MB

Download
memory/1704-82-0x0000000000380000-0x0000000000A2C000-memory.dmp

Filesize
6.7MB

Download