Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
13/02/2024, 02:42
Static task
static1
Behavioral task
behavioral1
Sample
3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
Resource
win7-20231129-en
General
-
Target
3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
-
Size
1.0MB
-
MD5
e5d2981fd9c531b3cfb780cf781bac91
-
SHA1
aaf7084c369138eb5588051eda8aec9aa3c4ac26
-
SHA256
3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b
-
SHA512
ec10e5de423564c17caac9e3c8a4ab2d1ed51882c9cfe145374d69e9f18382d7bd23d370f0389fb56c3b77073da11351978e803dc53c7135e618bbf0507be539
-
SSDEEP
24576:Aazz87bccsW43UyDBU7RCFYK9i3iOpOnC+yqiQDi/DtS:AOz8732BdUCYK9i3X6CPqinDo
Malware Config
Extracted
remcos
P2-bin
84.38.132.126:61445
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-ANE1CN
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 27 IoCs
resource yara_rule behavioral1/memory/2512-30-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-34-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-37-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-39-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-41-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-45-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-47-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-48-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-51-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-52-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-53-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-57-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-56-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-58-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-59-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-60-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-61-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-63-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-64-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-72-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-102-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-105-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-106-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-107-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-115-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-116-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2512-123-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM -
Detects executables built or packed with MPress PE compressor 18 IoCs
resource yara_rule behavioral1/memory/1068-71-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/1068-74-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/1068-67-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/644-75-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/644-77-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/644-80-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2960-82-0x0000000000400000-0x0000000000424000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2960-84-0x0000000000400000-0x0000000000424000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2960-85-0x0000000000400000-0x0000000000424000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2960-86-0x0000000000400000-0x0000000000424000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2960-87-0x0000000000400000-0x0000000000424000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/1068-92-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/644-95-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2512-96-0x0000000010000000-0x0000000010019000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2512-100-0x0000000010000000-0x0000000010019000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2512-99-0x0000000010000000-0x0000000010019000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2512-101-0x0000000010000000-0x0000000010019000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2512-111-0x0000000010000000-0x0000000010019000-memory.dmp INDICATOR_EXE_Packed_MPress -
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
resource yara_rule behavioral1/memory/644-80-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store behavioral1/memory/644-95-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store -
Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
resource yara_rule behavioral1/memory/644-80-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients behavioral1/memory/644-95-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients -
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/644-80-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView behavioral1/memory/644-95-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/1068-74-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral1/memory/1068-92-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Nirsoft 6 IoCs
resource yara_rule behavioral1/memory/1068-74-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/644-80-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft behavioral1/memory/2960-86-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/2960-87-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/1068-92-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/644-95-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2548 set thread context of 2512 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 34 PID 2512 set thread context of 1068 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 36 PID 2512 set thread context of 644 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 38 PID 2512 set thread context of 2960 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 42 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2892 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2824 powershell.exe 2672 powershell.exe 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 1068 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 1068 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe -
Suspicious behavior: MapViewOfSection 8 IoCs
pid Process 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe Token: SeDebugPrivilege 2824 powershell.exe Token: SeDebugPrivilege 2672 powershell.exe Token: SeDebugPrivilege 2960 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe -
Suspicious use of WriteProcessMemory 60 IoCs
description pid Process procid_target PID 2548 wrote to memory of 2824 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 28 PID 2548 wrote to memory of 2824 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 28 PID 2548 wrote to memory of 2824 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 28 PID 2548 wrote to memory of 2824 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 28 PID 2548 wrote to memory of 2672 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 30 PID 2548 wrote to memory of 2672 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 30 PID 2548 wrote to memory of 2672 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 30 PID 2548 wrote to memory of 2672 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 30 PID 2548 wrote to memory of 2892 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 32 PID 2548 wrote to memory of 2892 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 32 PID 2548 wrote to memory of 2892 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 32 PID 2548 wrote to memory of 2892 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 32 PID 2548 wrote to memory of 2512 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 34 PID 2548 wrote to memory of 2512 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 34 PID 2548 wrote to memory of 2512 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 34 PID 2548 wrote to memory of 2512 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 34 PID 2548 wrote to memory of 2512 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 34 PID 2548 wrote to memory of 2512 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 34 PID 2548 wrote to memory of 2512 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 34 PID 2548 wrote to memory of 2512 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 34 PID 2548 wrote to memory of 2512 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 34 PID 2548 wrote to memory of 2512 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 34 PID 2548 wrote to memory of 2512 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 34 PID 2548 wrote to memory of 2512 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 34 PID 2548 wrote to memory of 2512 2548 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 34 PID 2512 wrote to memory of 1068 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 36 PID 2512 wrote to memory of 1068 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 36 PID 2512 wrote to memory of 1068 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 36 PID 2512 wrote to memory of 1068 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 36 PID 2512 wrote to memory of 1068 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 36 PID 2512 wrote to memory of 1440 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 37 PID 2512 wrote to memory of 1440 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 37 PID 2512 wrote to memory of 1440 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 37 PID 2512 wrote to memory of 1440 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 37 PID 2512 wrote to memory of 1472 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 39 PID 2512 wrote to memory of 1472 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 39 PID 2512 wrote to memory of 1472 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 39 PID 2512 wrote to memory of 1472 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 39 PID 2512 wrote to memory of 644 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 38 PID 2512 wrote to memory of 644 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 38 PID 2512 wrote to memory of 644 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 38 PID 2512 wrote to memory of 644 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 38 PID 2512 wrote to memory of 644 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 38 PID 2512 wrote to memory of 2040 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 41 PID 2512 wrote to memory of 2040 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 41 PID 2512 wrote to memory of 2040 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 41 PID 2512 wrote to memory of 2040 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 41 PID 2512 wrote to memory of 1620 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 40 PID 2512 wrote to memory of 1620 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 40 PID 2512 wrote to memory of 1620 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 40 PID 2512 wrote to memory of 1620 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 40 PID 2512 wrote to memory of 1232 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 43 PID 2512 wrote to memory of 1232 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 43 PID 2512 wrote to memory of 1232 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 43 PID 2512 wrote to memory of 1232 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 43 PID 2512 wrote to memory of 2960 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 42 PID 2512 wrote to memory of 2960 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 42 PID 2512 wrote to memory of 2960 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 42 PID 2512 wrote to memory of 2960 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 42 PID 2512 wrote to memory of 2960 2512 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bZurkfs.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZurkfs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp407A.tmp"2⤵
- Creates scheduled task(s)
PID:2892
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exeC:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\mwxejytkeimflbas"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1068
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exeC:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\wzcwkiddsrekohowqmg"3⤵PID:1440
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exeC:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\wzcwkiddsrekohowqmg"3⤵
- Accesses Microsoft Outlook accounts
PID:644
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exeC:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\wzcwkiddsrekohowqmg"3⤵PID:1472
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exeC:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\ytphkbofgzwxynkazxtlel"3⤵PID:1620
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exeC:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\ytphkbofgzwxynkazxtlel"3⤵PID:2040
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exeC:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\ytphkbofgzwxynkazxtlel"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2960
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exeC:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\ytphkbofgzwxynkazxtlel"3⤵PID:1232
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD501858ef3d89414fe18ee21beabc2e5eb
SHA1cb7513d082cbbb4bfba82007d60f662223f17a32
SHA256a41db451968a627681c1153696b72e8eb9116b0b6f207ee5434b1d638c74f265
SHA5128453dd6b4be559b203d8d9e8c3030ef457589a76eeef08a59b466e4f9eaab19fbf3a877789f3d42b4efb155a64d97ccef5a99d398895eb23871a28f4f05c999d
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
1KB
MD5a74c62fd136aca222a10d7ceb0778550
SHA18cc9227127366cf2133ed32f1e4547ca7f99b36b
SHA256d956d502f4de4501d919a3bb0df2369425389d4bf39b3fb36db001936144d6dc
SHA51218e8c0ff6ae2ea1865f4ba9344e2ef5a3bc00fdac20c70fa06e0033b3506a4b095205f4595ccc80d4b3df5fef5c5ca5c327df0ad6640e82e7dbe5287228c4e8a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4W44A8D75E2213A4MZT4.temp
Filesize7KB
MD58d65f902bdfa36bd969d763af66d8840
SHA1a3ab43f6ec982272220695700d25297d76316adb
SHA2567892eae1d19e2fb4641ae6e0bae6b5e28010fee6db0888bc808c970aebda8b24
SHA51281b503a502d2a67a5f04354009b0a956f4dce3da4729df1a3a962e9e078e96f1ee4c49f86d205a8991dcbf471112c87c6a77cdf8c1a1d3f485b37c7ab50fa028