remcos | fa46624d2dd01d99a0a1801e67a9e7688d477c1b8e12ca8b50c271a8f226271b

Analysis

max time kernel
131s
max time network
136s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-03-2023 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fffa5b3e6850c4b61005f41003623395.exe
Size

775KB
MD5

fffa5b3e6850c4b61005f41003623395
SHA1

88f8e7c796b1bdd7f81a277ea68e3f931e41b829
SHA256

fa46624d2dd01d99a0a1801e67a9e7688d477c1b8e12ca8b50c271a8f226271b
SHA512

91328d23c27dc7a7efdbfde53b8cb2ce072cae355047218887a41dad912a13c53babb1acbacb233d8f7e8d68f4708f959b5f7042c513baa6b982b5c597b20cf7
SSDEEP

24576:JuOZ6wGkB+e9uf80lzUOjj/46TLLR2fUHO:iSOjDzLL4fUHO

Score

10^/10

remcos update evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Update

ytuna1709.duckdns.org:3035

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Windows Start-Up Audio.exe
copy_folder
Microsoft Start-Up Media
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Windows Display
keylog_path
%WinDir%
mouse_option
false
mutex
Windows Audio
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
Microsoft Sound Endpoint
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
Username;password;proforma;invoice;notepad

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 2 IoCs

Processes:

Windows Start-Up Audio.exeWindows Start-Up Audio.exe

pid process

900 Windows Start-Up Audio.exe
1196 Windows Start-Up Audio.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1668 cmd.exe
1668 cmd.exe

pid	process
900	Windows Start-Up Audio.exe
1196	Windows Start-Up Audio.exe

pid	process
1668	cmd.exe
1668	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fffa5b3e6850c4b61005f41003623395.exeWindows Start-Up Audio.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\	fffa5b3e6850c4b61005f41003623395.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Sound Endpoint = "\"C:\\Windows\\Microsoft Start-Up Media\\Windows Start-Up Audio.exe\""	fffa5b3e6850c4b61005f41003623395.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Windows Start-Up Audio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Sound Endpoint = "\"C:\\Windows\\Microsoft Start-Up Media\\Windows Start-Up Audio.exe\""	Windows Start-Up Audio.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

fffa5b3e6850c4b61005f41003623395.exeWindows Start-Up Audio.exeWindows Start-Up Audio.exe

description	pid	process	target process
PID 1284 set thread context of 576	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 900 set thread context of 1196	900	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 1196 set thread context of 1584	1196	Windows Start-Up Audio.exe	iexplore.exe

Drops file in Windows directory 3 IoCs

Processes:

fffa5b3e6850c4b61005f41003623395.exe

description	ioc	process
File created	C:\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe	fffa5b3e6850c4b61005f41003623395.exe
File opened for modification	C:\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe	fffa5b3e6850c4b61005f41003623395.exe
File opened for modification	C:\Windows\Microsoft Start-Up Media	fffa5b3e6850c4b61005f41003623395.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 207a13b96b52d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007837404bb2ac374381d657b4bfd4f9e200000000020000000000106600000001000020000000dcff1fd2e3d7df8110b9c5803dd68d5f5da83292bcdb5f5718d8dc567a962f43000000000e8000000002000020000000a90f6bbb8d874a8e963833abdf7710b41f9771a24fcc8ebf58f02f748560b14f90000000b9b9565febdef21b1001b31c8649c694bcf0343f225cd2569308691e56f5730011f92a33829a037b0c92e51de4733c8aca3e9a2f31b0a938dc4eeb8494e98028d09a35555a0ba7c07bd533b379226ebba451d622f7cca4290755d2e3db4db91506949b21fcdab63e5088089b10b56c059b0dc84ac1f325ba2c74d13015c18a74c85574c107bfc408f6cdc688cf68a57e4000000093752471dc8d041db16616e636e7f44e9bd4d01924a1aea51fd92fcaef8619cb46983d2d5b0ea1d055607784cbb85bce2e43ea2570126f0d99c84b13e4e0bac1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DEE3FCC1-BE5E-11ED-AC6A-6E0AA2656971} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007837404bb2ac374381d657b4bfd4f9e200000000020000000000106600000001000020000000a2bf6f002bcc5baa866e3581d33fbff199a155e7965151b4a45fd23f5dca85ae000000000e800000000200002000000094c2ce256407ade454405f1249968cb00a9978d9a3f6e0a4b78267e8f1ce72bc20000000643d0672dded0e9f8bae24b02a79ef9e77fef59e3c01707d0096541af7210e5e40000000e32227c1eba97887157f4a23549dd1131d9fd69b4046cfd175bacd026323e67ec27ce4dd9ce6dbab25a10cd5f23b3be4de4a2b5b00d8789e2d0427a5b94dee20	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1832 reg.exe
1404 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1568 PING.EXE

pid	process
1832	reg.exe
1404	reg.exe

pid	process
1568	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

fffa5b3e6850c4b61005f41003623395.exe

pid	process
1284	fffa5b3e6850c4b61005f41003623395.exe
1284	fffa5b3e6850c4b61005f41003623395.exe
1284	fffa5b3e6850c4b61005f41003623395.exe
1284	fffa5b3e6850c4b61005f41003623395.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fffa5b3e6850c4b61005f41003623395.exe

description pid process

Token: SeDebugPrivilege 1284 fffa5b3e6850c4b61005f41003623395.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1268 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1268 iexplore.exe
1268 iexplore.exe
1608 IEXPLORE.EXE
1608 IEXPLORE.EXE
1608 IEXPLORE.EXE
1608 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	1284	fffa5b3e6850c4b61005f41003623395.exe

pid	process
1268	iexplore.exe

pid	process
1268	iexplore.exe
1268	iexplore.exe
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fffa5b3e6850c4b61005f41003623395.exefffa5b3e6850c4b61005f41003623395.execmd.execmd.exeWindows Start-Up Audio.exeWindows Start-Up Audio.exe

description	pid	process	target process
PID 1284 wrote to memory of 2004	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 2004	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 2004	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 2004	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 692	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 692	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 692	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 692	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 580	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 580	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 580	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 580	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 468	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 468	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 468	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 468	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 576	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 576	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 576	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 576	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 576	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 576	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 576	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 576	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 576	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 1284 wrote to memory of 576	1284	fffa5b3e6850c4b61005f41003623395.exe	fffa5b3e6850c4b61005f41003623395.exe
PID 576 wrote to memory of 520	576	fffa5b3e6850c4b61005f41003623395.exe	cmd.exe
PID 576 wrote to memory of 520	576	fffa5b3e6850c4b61005f41003623395.exe	cmd.exe
PID 576 wrote to memory of 520	576	fffa5b3e6850c4b61005f41003623395.exe	cmd.exe
PID 576 wrote to memory of 520	576	fffa5b3e6850c4b61005f41003623395.exe	cmd.exe
PID 520 wrote to memory of 1832	520	cmd.exe	reg.exe
PID 520 wrote to memory of 1832	520	cmd.exe	reg.exe
PID 520 wrote to memory of 1832	520	cmd.exe	reg.exe
PID 520 wrote to memory of 1832	520	cmd.exe	reg.exe
PID 576 wrote to memory of 1668	576	fffa5b3e6850c4b61005f41003623395.exe	cmd.exe
PID 576 wrote to memory of 1668	576	fffa5b3e6850c4b61005f41003623395.exe	cmd.exe
PID 576 wrote to memory of 1668	576	fffa5b3e6850c4b61005f41003623395.exe	cmd.exe
PID 576 wrote to memory of 1668	576	fffa5b3e6850c4b61005f41003623395.exe	cmd.exe
PID 576 wrote to memory of 1668	576	fffa5b3e6850c4b61005f41003623395.exe	cmd.exe
PID 576 wrote to memory of 1668	576	fffa5b3e6850c4b61005f41003623395.exe	cmd.exe
PID 576 wrote to memory of 1668	576	fffa5b3e6850c4b61005f41003623395.exe	cmd.exe
PID 1668 wrote to memory of 1568	1668	cmd.exe	PING.EXE
PID 1668 wrote to memory of 1568	1668	cmd.exe	PING.EXE
PID 1668 wrote to memory of 1568	1668	cmd.exe	PING.EXE
PID 1668 wrote to memory of 1568	1668	cmd.exe	PING.EXE
PID 1668 wrote to memory of 900	1668	cmd.exe	Windows Start-Up Audio.exe
PID 1668 wrote to memory of 900	1668	cmd.exe	Windows Start-Up Audio.exe
PID 1668 wrote to memory of 900	1668	cmd.exe	Windows Start-Up Audio.exe
PID 1668 wrote to memory of 900	1668	cmd.exe	Windows Start-Up Audio.exe
PID 900 wrote to memory of 1196	900	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 900 wrote to memory of 1196	900	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 900 wrote to memory of 1196	900	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 900 wrote to memory of 1196	900	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 900 wrote to memory of 1196	900	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 900 wrote to memory of 1196	900	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 900 wrote to memory of 1196	900	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 900 wrote to memory of 1196	900	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 900 wrote to memory of 1196	900	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 900 wrote to memory of 1196	900	Windows Start-Up Audio.exe	Windows Start-Up Audio.exe
PID 1196 wrote to memory of 2008	1196	Windows Start-Up Audio.exe	cmd.exe
PID 1196 wrote to memory of 2008	1196	Windows Start-Up Audio.exe	cmd.exe
PID 1196 wrote to memory of 2008	1196	Windows Start-Up Audio.exe	cmd.exe
PID 1196 wrote to memory of 2008	1196	Windows Start-Up Audio.exe	cmd.exe
PID 1196 wrote to memory of 1584	1196	Windows Start-Up Audio.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fffa5b3e6850c4b61005f41003623395.exe
"C:\Users\Admin\AppData\Local\Temp\fffa5b3e6850c4b61005f41003623395.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\fffa5b3e6850c4b61005f41003623395.exe
"C:\Users\Admin\AppData\Local\Temp\fffa5b3e6850c4b61005f41003623395.exe"
2⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\fffa5b3e6850c4b61005f41003623395.exe
"C:\Users\Admin\AppData\Local\Temp\fffa5b3e6850c4b61005f41003623395.exe"
2⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\fffa5b3e6850c4b61005f41003623395.exe
"C:\Users\Admin\AppData\Local\Temp\fffa5b3e6850c4b61005f41003623395.exe"
2⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\fffa5b3e6850c4b61005f41003623395.exe
"C:\Users\Admin\AppData\Local\Temp\fffa5b3e6850c4b61005f41003623395.exe"
2⤵
PID:468

C:\Users\Admin\AppData\Local\Temp\fffa5b3e6850c4b61005f41003623395.exe
"C:\Users\Admin\AppData\Local\Temp\fffa5b3e6850c4b61005f41003623395.exe"
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- UAC bypass
- Modifies registry key
PID:1832

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:1568

C:\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe
"C:\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe
"C:\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
7⤵
- UAC bypass
- Modifies registry key
PID:1404

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
6⤵
PID:1584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
7⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1268

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1268 CREDAT:275457 /prefetch:2
8⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
29d60f71190410c6ab44a394c105e10b

SHA1
8f406910f7ee52b37739203f9eda125bd5fd0dba

SHA256
16cf29cb4a6320ec113664189bf4c634aa013ed58d95925b0ec5ee20a576e19b

SHA512
4ae901af92eff9da3659703585cfe5f8ab70576515877677432bc99206894a3c98041fa207ea36bb713d199ccd58cab2b58c5b29dc3ba3d25cc108891bd15822

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
336cdca34580f9497a17e7c964f3c7d2

SHA1
e7df8b9e9be1334a30cbf7dc763575d89cb3aa94

SHA256
419ab0892d2526a4ec5b9d9d49308fd771d221b0c1bded17bc22710f7f2fec89

SHA512
bec256c7e5b2943b69c6b97734fcc39f73ed2be6777a47effc76ca76d2f89e635601897ffcf1e2fdc8ebc3b2478c048dbe53b6ae7a3ed8fc15d4d756840e87db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
13872cb9e7c90734cbb950f7c76be06d

SHA1
93fbbaa8f67b8b01cee5bcfc06bcb28fd88487bb

SHA256
775197af92127b81ec0151235b9d8aa0bc1da94c08addb1282a7ab62c51ffb93

SHA512
67c40928b9aad93e898bd35994b3c6dfb31a27ab68cbd26cd6e2e8517bd8139096c68d63f9805a578913b1a104587127ba455bebad0df04297f4f7e9061c1c92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
20f66fc5a5f24843004609525d7f4013

SHA1
6241b09c2f3436ff7cb5ec503d01776def3fe464

SHA256
9215d52134ba440aac0952d05d386e82d25196c2f55edc65ab2f118da7e304fe

SHA512
652196493be5eb1bac080272243bd01f551a72f9d878cf7f17cbe6aee79ba9595a7cfde307096c1fa13784e29fe416d52f4104c6bbffce7fbd838112387027ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
01f0bae74fb4cb206c9321d0c7cfb04f

SHA1
cdb08e160e03f06759c2e9447ad44674317bc472

SHA256
68905b56893ac35fea575dcca473fc5476072a63ea90e78888c149d39f00d4f1

SHA512
6ceb053e52a0b2a2b40f8c5f6c0c85e80040e3e87655c920e39f870edf0c2ad08ca8fb6620fc63d51eb0f775c100e4fcaf6174349e1d77b435885f24e1a6376f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
00949986fd82326564cfb3f5c2dacc3f

SHA1
407fd2d3bf779748f86d3fcc2345100ca7c6f579

SHA256
c78945845a83d1837a5042825c5bc6e993ced9fcea8fce14c9daeb90d5e0d421

SHA512
a0b3483a702947938f23d1c94460d4396e81d159a42a490699fa1a2395556fec18d4f505af80ea2a04eb0ff16a1b409566596055e988ec375915fef01ae2b9f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ead64623b4d4bfa7ebb79a822dfaef9c

SHA1
31c2f1b8ed61489a3ef350a8779b88c450b5fefd

SHA256
d7100aeecbecdcefdd3eb953a27735c097cf770377463cc6ea1674af215ae08b

SHA512
25146efebdf051127f29ef18478318de3abd520d83264fd290892e9e2f0db37224fa0fe46ebc2609e8dae4ef72f93f97bc89a143d843f5405496a406a2b44d5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c49ac5cd80c94c63c0dff0ebb23b311f

SHA1
baaba2145ea928eb6c6588237fe3760b395d293f

SHA256
ab516c43747d523aadae7c4fa161d4af350726980d6829999742fcbe170101fe

SHA512
f5404ea834d3e36ba682b3bd19e6158651d0556e8495600cf013f53ca45825d65859562876f543d5bd47161f392ffdbb084732315a97c6bb203d7e3dbb5e8583

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5c48240d0490038405510e8615ad3aeb

SHA1
3d127c4ccbcf9dc73908d25f99c3658f4076fdce

SHA256
be891489eecf5a23aae2d4b73132ae83cc72dad8bfe626ee4256b25aac970d57

SHA512
791c67e61a807ff185b8454aada8ea001921504e3243929d045559084c425784f36fb3b001f2d6529b1fe75562560ae8f69439ab59a3bdc5a7b1a549fea60929

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
731965cffee33d7b4f7dd4b99203861e

SHA1
4a18ca8f1cd58984a98c203cd9c0eabb803b477e

SHA256
904f964191d88c770bae029dde72b1c85b2c9c95868d2a23475ab354a64cd591

SHA512
ab01ba8bc8f98f85f63a4819cc312696d20de177958716b7ad4ca5391833659e7bd34fceddb7f17a349c3fc19b22ed8b95a24f0c6a05f520fd7bda5f12a394e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA7E6.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAD6A.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize
113B

MD5
21a89f377d5ca02b88a7a634ea4cfdd6

SHA1
b99266d236a7fdd6bdd47551dc3b9148e2802c12

SHA256
c6c7ea0fe3766e0ab22bc0b66467cd1685f58207c13c8f231e85646661666051

SHA512
de71b19a079f7f57537fe53ede5b4113de7e5fe6315b83933ad145b19de9a2eec893ca0bd18989a929c74d17631d3bb9fe44d71940743a4438de700c848ccfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize
113B

MD5
21a89f377d5ca02b88a7a634ea4cfdd6

SHA1
b99266d236a7fdd6bdd47551dc3b9148e2802c12

SHA256
c6c7ea0fe3766e0ab22bc0b66467cd1685f58207c13c8f231e85646661666051

SHA512
de71b19a079f7f57537fe53ede5b4113de7e5fe6315b83933ad145b19de9a2eec893ca0bd18989a929c74d17631d3bb9fe44d71940743a4438de700c848ccfc2

Download Submit
C:\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe
Filesize
775KB

MD5
fffa5b3e6850c4b61005f41003623395

SHA1
88f8e7c796b1bdd7f81a277ea68e3f931e41b829

SHA256
fa46624d2dd01d99a0a1801e67a9e7688d477c1b8e12ca8b50c271a8f226271b

SHA512
91328d23c27dc7a7efdbfde53b8cb2ce072cae355047218887a41dad912a13c53babb1acbacb233d8f7e8d68f4708f959b5f7042c513baa6b982b5c597b20cf7

Download Submit
C:\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe
Filesize
775KB

MD5
fffa5b3e6850c4b61005f41003623395

SHA1
88f8e7c796b1bdd7f81a277ea68e3f931e41b829

SHA256
fa46624d2dd01d99a0a1801e67a9e7688d477c1b8e12ca8b50c271a8f226271b

SHA512
91328d23c27dc7a7efdbfde53b8cb2ce072cae355047218887a41dad912a13c53babb1acbacb233d8f7e8d68f4708f959b5f7042c513baa6b982b5c597b20cf7

Download Submit
C:\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe
Filesize
775KB

MD5
fffa5b3e6850c4b61005f41003623395

SHA1
88f8e7c796b1bdd7f81a277ea68e3f931e41b829

SHA256
fa46624d2dd01d99a0a1801e67a9e7688d477c1b8e12ca8b50c271a8f226271b

SHA512
91328d23c27dc7a7efdbfde53b8cb2ce072cae355047218887a41dad912a13c53babb1acbacb233d8f7e8d68f4708f959b5f7042c513baa6b982b5c597b20cf7

Download Submit
\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe
Filesize
775KB

MD5
fffa5b3e6850c4b61005f41003623395

SHA1
88f8e7c796b1bdd7f81a277ea68e3f931e41b829

SHA256
fa46624d2dd01d99a0a1801e67a9e7688d477c1b8e12ca8b50c271a8f226271b

SHA512
91328d23c27dc7a7efdbfde53b8cb2ce072cae355047218887a41dad912a13c53babb1acbacb233d8f7e8d68f4708f959b5f7042c513baa6b982b5c597b20cf7

Download Submit
\Windows\Microsoft Start-Up Media\Windows Start-Up Audio.exe
Filesize
775KB

MD5
fffa5b3e6850c4b61005f41003623395

SHA1
88f8e7c796b1bdd7f81a277ea68e3f931e41b829

SHA256
fa46624d2dd01d99a0a1801e67a9e7688d477c1b8e12ca8b50c271a8f226271b

SHA512
91328d23c27dc7a7efdbfde53b8cb2ce072cae355047218887a41dad912a13c53babb1acbacb233d8f7e8d68f4708f959b5f7042c513baa6b982b5c597b20cf7

Download Submit
memory/576-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/576-81-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/576-73-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/576-69-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/576-67-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/576-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/576-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/576-64-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/576-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/576-62-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/900-89-0x0000000004D40000-0x0000000004D80000-memory.dmp

Filesize
256KB

Download
memory/900-88-0x0000000004D40000-0x0000000004D80000-memory.dmp

Filesize
256KB

Download
memory/900-87-0x0000000000990000-0x0000000000A58000-memory.dmp

Filesize
800KB

Download
memory/1196-110-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1196-99-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1196-95-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1268-113-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

Filesize
64KB

Download
memory/1284-54-0x0000000000130000-0x00000000001F8000-memory.dmp

Filesize
800KB

Download
memory/1284-55-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/1284-56-0x0000000000290000-0x00000000002A4000-memory.dmp

Filesize
80KB

Download
memory/1284-57-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/1284-58-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/1284-59-0x0000000005640000-0x00000000056D6000-memory.dmp

Filesize
600KB

Download
memory/1284-60-0x0000000000610000-0x0000000000630000-memory.dmp

Filesize
128KB

Download
memory/1584-100-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1584-108-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1584-106-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1584-111-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1584-104-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1584-112-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1584-102-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1584-109-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1608-114-0x0000000003050000-0x0000000003052000-memory.dmp

Filesize
8KB

Download