remcos | e6f4b1ed945dfe592851779ee00459e49d078983937b72c6cedb4da6d1a42433

Analysis

max time kernel
152s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2024, 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Advice_ Public Bank Berhad.pdf.exe
Size

1.4MB
MD5

89ff8e75427e825570b0b2340dd832cf
SHA1

12903d7c478914c4c38e76b24001145048f20b8e
SHA256

7011d414322a2e8079029fdb2646ce87bea6baaa1dccdb4cc3ac07f968189cbd
SHA512

525e3098b2b6699113feedabe29e9636e71f30e1caef327c576df4853021a431483905bb6b17379cb587d87a79a811f856e25627f50e9ca34de7142603493c96
SSDEEP

24576:KbGQWvRW2299XrxE7Ozo4vq60bhs+VfnO52CF:EGQWsXr+zZzhrVfni

Score

10^/10

remcos zgrat remotehost collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

172.96.14.67:9785

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-6W5HVR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/2172-3-0x0000000005C10000-0x0000000005CE8000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-4-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-5-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-7-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-9-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-17-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-15-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-23-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-25-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-27-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-21-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-19-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-29-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-13-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-33-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-35-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-31-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-11-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-41-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-39-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-37-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-43-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-45-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-47-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-49-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-57-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-55-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-59-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-53-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-67-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-65-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-63-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-61-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1
behavioral2/memory/2172-51-0x0000000005C10000-0x0000000005CE2000-memory.dmp	family_zgrat_v1

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1236-971-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral2/memory/1236-974-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral2/memory/2340-986-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral2/memory/2340-989-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral2/memory/4880-1011-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 6 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4320-969-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/3328-1004-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/4320-1015-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/1792-1026-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/4320-1025-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/3328-1027-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 16 IoCs

resource	yara_rule
behavioral2/memory/4320-969-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/864-970-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1236-971-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/864-972-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1236-974-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/2340-986-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/380-988-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2340-989-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/380-990-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3328-1004-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4880-1011-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/4412-1014-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/4320-1015-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1792-1026-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4320-1025-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3328-1027-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Payment Advice_ Public Bank Berhad.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Payment Advice_ Public Bank Berhad.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Payment Advice_ Public Bank Berhad.pdf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ohmueaslw = "C:\\Users\\Admin\\AppData\\Roaming\\Ohmueaslw.exe"	Payment Advice_ Public Bank Berhad.pdf.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 4280	2172	Payment Advice_ Public Bank Berhad.pdf.exe	96
PID 4280 set thread context of 4320	4280	Payment Advice_ Public Bank Berhad.pdf.exe	102
PID 4280 set thread context of 1236	4280	Payment Advice_ Public Bank Berhad.pdf.exe	104
PID 4280 set thread context of 864	4280	Payment Advice_ Public Bank Berhad.pdf.exe	105
PID 4280 set thread context of 1792	4280	Payment Advice_ Public Bank Berhad.pdf.exe	106
PID 4280 set thread context of 2340	4280	Payment Advice_ Public Bank Berhad.pdf.exe	107
PID 4280 set thread context of 380	4280	Payment Advice_ Public Bank Berhad.pdf.exe	108
PID 4280 set thread context of 3328	4280	Payment Advice_ Public Bank Berhad.pdf.exe	110
PID 4280 set thread context of 4880	4280	Payment Advice_ Public Bank Berhad.pdf.exe	111
PID 4280 set thread context of 4412	4280	Payment Advice_ Public Bank Berhad.pdf.exe	112

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
864	Payment Advice_ Public Bank Berhad.pdf.exe
864	Payment Advice_ Public Bank Berhad.pdf.exe
4320	Payment Advice_ Public Bank Berhad.pdf.exe
4320	Payment Advice_ Public Bank Berhad.pdf.exe
1792	Payment Advice_ Public Bank Berhad.pdf.exe
1792	Payment Advice_ Public Bank Berhad.pdf.exe
380	Payment Advice_ Public Bank Berhad.pdf.exe
380	Payment Advice_ Public Bank Berhad.pdf.exe
3328	Payment Advice_ Public Bank Berhad.pdf.exe
3328	Payment Advice_ Public Bank Berhad.pdf.exe
4412	Payment Advice_ Public Bank Berhad.pdf.exe
4412	Payment Advice_ Public Bank Berhad.pdf.exe
3328	Payment Advice_ Public Bank Berhad.pdf.exe
4320	Payment Advice_ Public Bank Berhad.pdf.exe
3328	Payment Advice_ Public Bank Berhad.pdf.exe
4320	Payment Advice_ Public Bank Berhad.pdf.exe
1792	Payment Advice_ Public Bank Berhad.pdf.exe
1792	Payment Advice_ Public Bank Berhad.pdf.exe

Suspicious behavior: MapViewOfSection 10 IoCs

pid	Process
4280	Payment Advice_ Public Bank Berhad.pdf.exe
4280	Payment Advice_ Public Bank Berhad.pdf.exe
4280	Payment Advice_ Public Bank Berhad.pdf.exe
4280	Payment Advice_ Public Bank Berhad.pdf.exe
4280	Payment Advice_ Public Bank Berhad.pdf.exe
4280	Payment Advice_ Public Bank Berhad.pdf.exe
4280	Payment Advice_ Public Bank Berhad.pdf.exe
4280	Payment Advice_ Public Bank Berhad.pdf.exe
4280	Payment Advice_ Public Bank Berhad.pdf.exe
4280	Payment Advice_ Public Bank Berhad.pdf.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	Payment Advice_ Public Bank Berhad.pdf.exe
Token: SeDebugPrivilege	864	Payment Advice_ Public Bank Berhad.pdf.exe
Token: SeDebugPrivilege	380	Payment Advice_ Public Bank Berhad.pdf.exe
Token: SeDebugPrivilege	4412	Payment Advice_ Public Bank Berhad.pdf.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 4280	2172	Payment Advice_ Public Bank Berhad.pdf.exe	96
PID 2172 wrote to memory of 4280	2172	Payment Advice_ Public Bank Berhad.pdf.exe	96
PID 2172 wrote to memory of 4280	2172	Payment Advice_ Public Bank Berhad.pdf.exe	96
PID 2172 wrote to memory of 4280	2172	Payment Advice_ Public Bank Berhad.pdf.exe	96
PID 2172 wrote to memory of 4280	2172	Payment Advice_ Public Bank Berhad.pdf.exe	96
PID 2172 wrote to memory of 4280	2172	Payment Advice_ Public Bank Berhad.pdf.exe	96
PID 2172 wrote to memory of 4280	2172	Payment Advice_ Public Bank Berhad.pdf.exe	96
PID 2172 wrote to memory of 4280	2172	Payment Advice_ Public Bank Berhad.pdf.exe	96
PID 2172 wrote to memory of 4280	2172	Payment Advice_ Public Bank Berhad.pdf.exe	96
PID 2172 wrote to memory of 4280	2172	Payment Advice_ Public Bank Berhad.pdf.exe	96
PID 2172 wrote to memory of 4280	2172	Payment Advice_ Public Bank Berhad.pdf.exe	96
PID 2172 wrote to memory of 4280	2172	Payment Advice_ Public Bank Berhad.pdf.exe	96
PID 4280 wrote to memory of 4320	4280	Payment Advice_ Public Bank Berhad.pdf.exe	102
PID 4280 wrote to memory of 4320	4280	Payment Advice_ Public Bank Berhad.pdf.exe	102
PID 4280 wrote to memory of 4320	4280	Payment Advice_ Public Bank Berhad.pdf.exe	102
PID 4280 wrote to memory of 4320	4280	Payment Advice_ Public Bank Berhad.pdf.exe	102
PID 4280 wrote to memory of 1236	4280	Payment Advice_ Public Bank Berhad.pdf.exe	104
PID 4280 wrote to memory of 1236	4280	Payment Advice_ Public Bank Berhad.pdf.exe	104
PID 4280 wrote to memory of 1236	4280	Payment Advice_ Public Bank Berhad.pdf.exe	104
PID 4280 wrote to memory of 1236	4280	Payment Advice_ Public Bank Berhad.pdf.exe	104
PID 4280 wrote to memory of 864	4280	Payment Advice_ Public Bank Berhad.pdf.exe	105
PID 4280 wrote to memory of 864	4280	Payment Advice_ Public Bank Berhad.pdf.exe	105
PID 4280 wrote to memory of 864	4280	Payment Advice_ Public Bank Berhad.pdf.exe	105
PID 4280 wrote to memory of 864	4280	Payment Advice_ Public Bank Berhad.pdf.exe	105
PID 4280 wrote to memory of 1792	4280	Payment Advice_ Public Bank Berhad.pdf.exe	106
PID 4280 wrote to memory of 1792	4280	Payment Advice_ Public Bank Berhad.pdf.exe	106
PID 4280 wrote to memory of 1792	4280	Payment Advice_ Public Bank Berhad.pdf.exe	106
PID 4280 wrote to memory of 1792	4280	Payment Advice_ Public Bank Berhad.pdf.exe	106
PID 4280 wrote to memory of 2340	4280	Payment Advice_ Public Bank Berhad.pdf.exe	107
PID 4280 wrote to memory of 2340	4280	Payment Advice_ Public Bank Berhad.pdf.exe	107
PID 4280 wrote to memory of 2340	4280	Payment Advice_ Public Bank Berhad.pdf.exe	107
PID 4280 wrote to memory of 2340	4280	Payment Advice_ Public Bank Berhad.pdf.exe	107
PID 4280 wrote to memory of 380	4280	Payment Advice_ Public Bank Berhad.pdf.exe	108
PID 4280 wrote to memory of 380	4280	Payment Advice_ Public Bank Berhad.pdf.exe	108
PID 4280 wrote to memory of 380	4280	Payment Advice_ Public Bank Berhad.pdf.exe	108
PID 4280 wrote to memory of 380	4280	Payment Advice_ Public Bank Berhad.pdf.exe	108
PID 4280 wrote to memory of 4484	4280	Payment Advice_ Public Bank Berhad.pdf.exe	109
PID 4280 wrote to memory of 4484	4280	Payment Advice_ Public Bank Berhad.pdf.exe	109
PID 4280 wrote to memory of 4484	4280	Payment Advice_ Public Bank Berhad.pdf.exe	109
PID 4280 wrote to memory of 3328	4280	Payment Advice_ Public Bank Berhad.pdf.exe	110
PID 4280 wrote to memory of 3328	4280	Payment Advice_ Public Bank Berhad.pdf.exe	110
PID 4280 wrote to memory of 3328	4280	Payment Advice_ Public Bank Berhad.pdf.exe	110
PID 4280 wrote to memory of 3328	4280	Payment Advice_ Public Bank Berhad.pdf.exe	110
PID 4280 wrote to memory of 4880	4280	Payment Advice_ Public Bank Berhad.pdf.exe	111
PID 4280 wrote to memory of 4880	4280	Payment Advice_ Public Bank Berhad.pdf.exe	111
PID 4280 wrote to memory of 4880	4280	Payment Advice_ Public Bank Berhad.pdf.exe	111
PID 4280 wrote to memory of 4880	4280	Payment Advice_ Public Bank Berhad.pdf.exe	111
PID 4280 wrote to memory of 4412	4280	Payment Advice_ Public Bank Berhad.pdf.exe	112
PID 4280 wrote to memory of 4412	4280	Payment Advice_ Public Bank Berhad.pdf.exe	112
PID 4280 wrote to memory of 4412	4280	Payment Advice_ Public Bank Berhad.pdf.exe	112
PID 4280 wrote to memory of 4412	4280	Payment Advice_ Public Bank Berhad.pdf.exe	112

C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qzvdrtbmkaiiqxcn"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4320
- - C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\btankmmgyiamsdyzjsf"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:1236
- - C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\dvgglefhuqsrdjmdbcsaroz"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:864
- - C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xkcxpdrtimw"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1792
- - C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\iehqqvcmwuoxrrf"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:2340
- - C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\szmiiomokdgcbfbruk"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:380
- - C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\pqnknfstlh"
    3⤵
    PID:4484
- - C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\pqnknfstlh"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3328
- - C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zkbdgxcvhpuna"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:4880
- - C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kmgwhqnovxmscgdq"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pqnknfstlh

Filesize
4KB

MD5
0cb17253d14f1f732dfbc3ef9b580d1e

SHA1
85d726cf68f14dd34090de9f4d160c0387249b68

SHA256
e09a0aed9bbc43da3b7a85d30a9a10b54d11c096aa6cef81c23364bc9c4dfcc9

SHA512
f651e62d58e83f9d5e21f3ac8cc516290bfff66c1981dc14cc3a7a900db70d6e7e15c99bb717a18c036b96a6c2f794c2351df7aa39b69531f2112860a51a86ee

Download Submit
memory/380-990-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/380-988-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/864-970-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/864-972-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1236-974-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1236-971-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1792-1026-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2172-29-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-61-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-23-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-25-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-27-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-21-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-19-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-0-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/2172-13-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-33-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-35-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-31-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-11-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-41-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-39-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-37-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-43-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-45-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-47-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-49-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-57-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-55-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-59-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-53-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-67-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-65-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-63-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-15-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-51-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-936-0x0000000005D20000-0x0000000005D21000-memory.dmp

Filesize
4KB

Download
memory/2172-938-0x0000000005EF0000-0x0000000005F3C000-memory.dmp

Filesize
304KB

Download
memory/2172-937-0x00000000060C0000-0x0000000006130000-memory.dmp

Filesize
448KB

Download
memory/2172-939-0x0000000006790000-0x0000000006D34000-memory.dmp

Filesize
5.6MB

Download
memory/2172-948-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/2172-1-0x0000000000600000-0x0000000000762000-memory.dmp

Filesize
1.4MB

Download
memory/2172-2-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/2172-17-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-9-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-7-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-3-0x0000000005C10000-0x0000000005CE8000-memory.dmp

Filesize
864KB

Download
memory/2172-5-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2172-4-0x0000000005C10000-0x0000000005CE2000-memory.dmp

Filesize
840KB

Download
memory/2340-986-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2340-989-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3328-1027-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3328-1004-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4280-973-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-946-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4280-1034-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4280-1038-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4320-1015-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4320-969-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4320-1025-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4412-1014-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4880-1011-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download