Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
13/02/2024, 02:26
Static task
static1
Behavioral task
behavioral1
Sample
3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
Resource
win7-20231129-en
General
-
Target
3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
-
Size
1.0MB
-
MD5
e5d2981fd9c531b3cfb780cf781bac91
-
SHA1
aaf7084c369138eb5588051eda8aec9aa3c4ac26
-
SHA256
3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b
-
SHA512
ec10e5de423564c17caac9e3c8a4ab2d1ed51882c9cfe145374d69e9f18382d7bd23d370f0389fb56c3b77073da11351978e803dc53c7135e618bbf0507be539
-
SSDEEP
24576:Aazz87bccsW43UyDBU7RCFYK9i3iOpOnC+yqiQDi/DtS:AOz8732BdUCYK9i3X6CPqinDo
Malware Config
Extracted
remcos
P2-bin
84.38.132.126:61445
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-ANE1CN
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 33 IoCs
resource yara_rule behavioral1/memory/2496-27-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-29-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-31-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-35-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-33-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-38-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-40-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-42-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-43-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-46-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-47-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-45-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-50-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-51-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-52-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-54-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-53-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-55-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-57-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-58-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-59-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-60-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-61-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-99-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-101-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-106-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-107-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-114-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-115-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-122-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-123-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-130-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/2496-131-0x0000000000400000-0x0000000000482000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM -
Detects executables built or packed with MPress PE compressor 18 IoCs
resource yara_rule behavioral1/memory/1764-68-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/1764-64-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/1764-71-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2560-70-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2560-75-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2560-78-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/1648-76-0x0000000000400000-0x0000000000424000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/1648-80-0x0000000000400000-0x0000000000424000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/1648-82-0x0000000000400000-0x0000000000424000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/1648-81-0x0000000000400000-0x0000000000424000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/1648-84-0x0000000000400000-0x0000000000424000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/1764-89-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2560-91-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2496-98-0x0000000010000000-0x0000000010019000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2496-97-0x0000000010000000-0x0000000010019000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2496-96-0x0000000010000000-0x0000000010019000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2496-93-0x0000000010000000-0x0000000010019000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2496-105-0x0000000010000000-0x0000000010019000-memory.dmp INDICATOR_EXE_Packed_MPress -
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
resource yara_rule behavioral1/memory/2560-78-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store behavioral1/memory/2560-91-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store -
Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
resource yara_rule behavioral1/memory/2560-78-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients behavioral1/memory/2560-91-0x0000000000400000-0x0000000000457000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients -
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/2560-78-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView behavioral1/memory/2560-91-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/1764-71-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral1/memory/1764-89-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Nirsoft 7 IoCs
resource yara_rule behavioral1/memory/1764-71-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/2560-78-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft behavioral1/memory/1648-82-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/1648-81-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/1648-84-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/1764-89-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/2560-91-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2240 set thread context of 2496 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 35 PID 2496 set thread context of 1764 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 44 PID 2496 set thread context of 2560 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 45 PID 2496 set thread context of 1648 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 46 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2668 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2180 powershell.exe 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2656 powershell.exe 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 1764 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 1764 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe -
Suspicious behavior: MapViewOfSection 8 IoCs
pid Process 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe Token: SeDebugPrivilege 2180 powershell.exe Token: SeDebugPrivilege 2656 powershell.exe Token: SeDebugPrivilege 1648 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2240 wrote to memory of 2180 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 28 PID 2240 wrote to memory of 2180 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 28 PID 2240 wrote to memory of 2180 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 28 PID 2240 wrote to memory of 2180 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 28 PID 2240 wrote to memory of 2656 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 30 PID 2240 wrote to memory of 2656 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 30 PID 2240 wrote to memory of 2656 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 30 PID 2240 wrote to memory of 2656 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 30 PID 2240 wrote to memory of 2668 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 32 PID 2240 wrote to memory of 2668 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 32 PID 2240 wrote to memory of 2668 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 32 PID 2240 wrote to memory of 2668 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 32 PID 2240 wrote to memory of 2464 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 34 PID 2240 wrote to memory of 2464 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 34 PID 2240 wrote to memory of 2464 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 34 PID 2240 wrote to memory of 2464 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 34 PID 2240 wrote to memory of 2476 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 36 PID 2240 wrote to memory of 2476 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 36 PID 2240 wrote to memory of 2476 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 36 PID 2240 wrote to memory of 2476 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 36 PID 2240 wrote to memory of 2496 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 35 PID 2240 wrote to memory of 2496 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 35 PID 2240 wrote to memory of 2496 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 35 PID 2240 wrote to memory of 2496 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 35 PID 2240 wrote to memory of 2496 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 35 PID 2240 wrote to memory of 2496 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 35 PID 2240 wrote to memory of 2496 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 35 PID 2240 wrote to memory of 2496 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 35 PID 2240 wrote to memory of 2496 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 35 PID 2240 wrote to memory of 2496 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 35 PID 2240 wrote to memory of 2496 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 35 PID 2240 wrote to memory of 2496 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 35 PID 2240 wrote to memory of 2496 2240 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 35 PID 2496 wrote to memory of 1868 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 39 PID 2496 wrote to memory of 1868 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 39 PID 2496 wrote to memory of 1868 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 39 PID 2496 wrote to memory of 1868 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 39 PID 2496 wrote to memory of 1864 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 40 PID 2496 wrote to memory of 1864 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 40 PID 2496 wrote to memory of 1864 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 40 PID 2496 wrote to memory of 1864 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 40 PID 2496 wrote to memory of 1132 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 41 PID 2496 wrote to memory of 1132 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 41 PID 2496 wrote to memory of 1132 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 41 PID 2496 wrote to memory of 1132 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 41 PID 2496 wrote to memory of 1160 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 42 PID 2496 wrote to memory of 1160 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 42 PID 2496 wrote to memory of 1160 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 42 PID 2496 wrote to memory of 1160 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 42 PID 2496 wrote to memory of 2092 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 43 PID 2496 wrote to memory of 2092 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 43 PID 2496 wrote to memory of 2092 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 43 PID 2496 wrote to memory of 2092 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 43 PID 2496 wrote to memory of 1764 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 44 PID 2496 wrote to memory of 1764 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 44 PID 2496 wrote to memory of 1764 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 44 PID 2496 wrote to memory of 1764 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 44 PID 2496 wrote to memory of 1764 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 44 PID 2496 wrote to memory of 2560 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 45 PID 2496 wrote to memory of 2560 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 45 PID 2496 wrote to memory of 2560 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 45 PID 2496 wrote to memory of 2560 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 45 PID 2496 wrote to memory of 2560 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 45 PID 2496 wrote to memory of 1648 2496 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bZurkfs.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZurkfs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp47CA.tmp"2⤵
- Creates scheduled task(s)
PID:2668
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"2⤵PID:2464
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exeC:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\uonsfkxblizczfwptro"3⤵PID:1868
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exeC:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\uonsfkxblizczfwptro"3⤵PID:1864
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exeC:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\uonsfkxblizczfwptro"3⤵PID:1132
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exeC:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\uonsfkxblizczfwptro"3⤵PID:1160
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exeC:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\uonsfkxblizczfwptro"3⤵PID:2092
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exeC:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\uonsfkxblizczfwptro"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1764
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exeC:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\fitkfdiuzqrhbtttdcjyiwb"3⤵
- Accesses Microsoft Outlook accounts
PID:2560
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exeC:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\pkyvgvbwvyjmmzhxumvatjnxxv"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1648
-
-
-
C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"2⤵PID:2476
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5b877dff7423b560ebe11ec005f17067f
SHA1a79ec23ea843d94573f1056d5011c906fc7f6f39
SHA256bd27c5d9ae0bfcefc51dacc7b0712f1de411f5ef2cf011aab45f582dc79af4d6
SHA512afcbea5d2fa486354122a56196c52e2aadfae8646aed66643d0e0d7f3048b3db589ab8b2ef593ab135656e41fa752c76bad69334dac8a5fa22ae544630e2b61a
-
Filesize
1KB
MD58b7293738d19fa19094355c3a393e57d
SHA17d2fdba1e83a774fe5b88cfc879e571addeaa14e
SHA256a79bae861944da9f2d4cfd0560d9021b6b77919dc42b4cc7eff3c046e1fa46c3
SHA5125c83bb1b13907abbd128c0df33b6b89a728eb51116f73dc1348fe44d5957ba04f2d6c8050ef151248abbf650a77c5437f831324ed0596b49f7b6baf867d9d5fa
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UBWENRJFHOYR0N90WTB4.temp
Filesize7KB
MD5b019ac366ee89f33f203e6af94e9d477
SHA1d297eace390ab51073b4bb959fb33fe33a6ce747
SHA256fbcd3f71db474935df97700e441ab403b7436ea3c302b8430aaa111054aa0983
SHA5124d90b034ef74043a99816a6d4c73bf2fe7915bfe0854d0e8353f6386bd5730820d936a91820fdc816c72eb9e9fbbbaf2e8fbc3038e55b6b6b751975c00557c20