Analysis Overview
SHA256
f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2
Threat Level: Known bad
The file f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Suspicious use of NtCreateUserProcessOtherParentProcess
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Drops startup file
Enumerates processes with tasklist
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-26 07:13
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-26 07:13
Reported
2024-07-26 07:15
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Remcos
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4284 created 3460 | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | C:\Windows\Explorer.EXE |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe
"C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Spending Spending.bat & Spending.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 4684
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Nextel + Foot + Carroll + Deviant + Cemetery 4684\Travelling.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Wiki + Pharmacies + Quilt + Either 4684\E
C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif
4684\Travelling.pif 4684\E
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url" & echo URL="C:\Users\Admin\AppData\Local\MindFlow Innovations Co\MindSync.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url" & exit
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | VROesbkaGG.VROesbkaGG | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| UA | 31.43.185.8:2202 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| UA | 31.43.185.8:2202 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Spending
| MD5 | 5a1321d892070c60f726edc3e3692ab7 |
| SHA1 | ecdda384d7aa6e3e0c289fdf44652de169aefde6 |
| SHA256 | ca250bb73ec2afb3e14d2f9bf363623cfa528c8c195be5014e578b2b55c20713 |
| SHA512 | 2986f8ef18d920d31fdd9851302b0e7fea995abe3f00ccc23dcbb0619645537a9b5aad6720991ea68f037085a70f4caca9b4a7777130753a875fb8f2659e982b |
C:\Users\Admin\AppData\Local\Temp\Nextel
| MD5 | fdbd6f9f8d264754709a9a392e5166c2 |
| SHA1 | a6026b0a6e26427676a7eba319a0fad436fb5a46 |
| SHA256 | 9ca8693b734561301b95c2a285578b3559ede64a0fc10fdf85a9ff7ef440e840 |
| SHA512 | 5c78a6f1ce8526f649e15354973e5f32f2bfa83fd195d934efb403c3c474c3a876b0d732dc0c519c98ab45e2bc25a89c91465b5a99a90ea0cc834c2bde665c83 |
C:\Users\Admin\AppData\Local\Temp\Carroll
| MD5 | cdf5ce2b2740794fb5638a60c97d6ca7 |
| SHA1 | 68e967c2267b4631fa8f068bdce84db1f02fe0ed |
| SHA256 | f050298d5a56ae17bececcb622d8115f5f74de3c0c2a261ced812a6b5538d23d |
| SHA512 | 3a41ea23b3cc21fe1811ad728addbedf0354052ef134698807c0936113a8c5a403f2220bb76519b5159c4cb90029b49320c71b0f71b89534df0250b9fd3c1d51 |
C:\Users\Admin\AppData\Local\Temp\Foot
| MD5 | 7735d4e2e9fd3e829340f06b7a47e0fc |
| SHA1 | ade0d827c011e03cd3d3a6b4cd544fc4227c5122 |
| SHA256 | bc463e36242a65e435fb9894b2803a645df73b7c3e9257065abb5879fcaf204a |
| SHA512 | 1dce04c21d60bc459949d8de9bdbb16a75d57f44d92cdef53e00d5c5daa5fc322d3c230b4a99b39e3c044559a90361a6782b7805062ff5feb630c8acc43daed5 |
C:\Users\Admin\AppData\Local\Temp\Deviant
| MD5 | 497d3bd5165a8545a5b4dcf3a842f721 |
| SHA1 | 41e3dc37a0eb4b0fdd17bc4aa21503022744de08 |
| SHA256 | 3eb173ae116ea9ae4e6041a352c444ad663a1564767f80061fd50a29c7b7ca85 |
| SHA512 | 93d8787c5770a93386b4ca12544bf7b5bdbbbf9c1b94f8ba78fa5ec52aa9b53efb1fda4676d2372867cc5f0b78a07bc679dd994a16399b7824dde706de139e48 |
C:\Users\Admin\AppData\Local\Temp\Cemetery
| MD5 | 47f942807f5dec3c5107788292d0fecd |
| SHA1 | 21da1ca4ac2a0dc11c4d30c70f1d7d41025c5116 |
| SHA256 | 423618830ed07bd79ec3a92b102c504f69942819d126e7538980fcfdd21e254b |
| SHA512 | 8622ac215805cfa7766bf0d0e5f25e0b5ebdf1085c34232b2eeb2b4063a4a5abbf7697ce97a26d5a0f4a2abff18c84282fd92ba637dec3911689518d758784de |
C:\Users\Admin\AppData\Local\Temp\Wiki
| MD5 | 9a2a73b89ef29c867db353c905ba26b2 |
| SHA1 | 202e2c7d9c9b87957ed0e0a6b6398b9356846ae0 |
| SHA256 | 210c3ce2c7ec2616a45d6ac957325e34d58e01ab16a717cdced47d563d8fba5a |
| SHA512 | 29b98bf683710dec760cb945c2322e95afec0d230d15eff251e241837922ca9eb88517d524a9336e7d951cacf4147faff4564981e549fec047b6dd73e909fed7 |
C:\Users\Admin\AppData\Local\Temp\Pharmacies
| MD5 | 1bc99d6790ad7980b06e0155053fa85d |
| SHA1 | 080584bee5fe0fbe1c0e12ec667dfbd4d11ae11d |
| SHA256 | 2f6fc0b13b490c15737b3b284e3275e6762f83e997369cade8478351adf3003d |
| SHA512 | 38a13f718f9b048da052cd46344c16ca0c24b4b62f4218c6f18d3abcd3120460c129b5bd1ad4ff77e0b6876cc983cb9a6a67a3bc44c822c4c5734718aabf8f80 |
C:\Users\Admin\AppData\Local\Temp\Either
| MD5 | 3ce1f10bafb24d85a3b76ea4d5aa70db |
| SHA1 | 37e31294b91bf67cdce1e1d58342f7f97f284e6a |
| SHA256 | c2bd0e0bfd089366a5cd49db1a7f4c9c4b2c6b3c92924319de3a18c7b75a0b32 |
| SHA512 | 2c0ca237084b3b5e7015a77d7cb3c874e19086ae464ae49a751e4da1c124a243baf6b0d73aee7bfc1f17862fc2f24a9f85f45cac402befd0c7e42a7d68e78f7c |
C:\Users\Admin\AppData\Local\Temp\Quilt
| MD5 | 55a984e33e1bc5af3daa8243b4fcdf41 |
| SHA1 | a32a48801302c293749a478cbdddde2de3fb56e2 |
| SHA256 | 566df799d543d8a004f050cf673f29d0bc47c70d328b207bc526c335379565d6 |
| SHA512 | f6970220400611bd4b58fc13147fe2f7552b96bf48bf2589b37e5fb41bc988f095431ffb35b6c2943ed5a7405a2ca427f2ee5e26795ea3a1071b32c9fb347c7f |
C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif
| MD5 | 848164d084384c49937f99d5b894253e |
| SHA1 | 3055ef803eeec4f175ebf120f94125717ee12444 |
| SHA256 | f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3 |
| SHA512 | aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a |
C:\Users\Admin\AppData\Local\Temp\4684\E
| MD5 | 58cb40a5a8e893df0b75dbf70ed10162 |
| SHA1 | 9bc860f702f5b8f6dc2eb437e23ed41362cfceb1 |
| SHA256 | 4a93e17001bc7b6329e51c9d87661a55194983eb7fd4e856695b39a9dfab2a43 |
| SHA512 | 3031ee0b19aec56b04e9cfbcf0d4f267f87cdd4ca167b7871607fa58aaa3d68c7dc09a89ffed4c82e982ff3e5b05e1b45e9221fb613eebd9cfcc8e807d6e8fc7 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-26 07:13
Reported
2024-07-26 07:15
Platform
win7-20240705-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Remcos
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1480 created 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | C:\Windows\Explorer.EXE |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe
"C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Spending Spending.bat & Spending.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 4681
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Nextel + Foot + Carroll + Deviant + Cemetery 4681\Travelling.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Wiki + Pharmacies + Quilt + Either 4681\E
C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif
4681\Travelling.pif 4681\E
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url" & echo URL="C:\Users\Admin\AppData\Local\MindFlow Innovations Co\MindSync.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url" & exit
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | VROesbkaGG.VROesbkaGG | udp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
| UA | 31.43.185.8:2202 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Spending
| MD5 | 5a1321d892070c60f726edc3e3692ab7 |
| SHA1 | ecdda384d7aa6e3e0c289fdf44652de169aefde6 |
| SHA256 | ca250bb73ec2afb3e14d2f9bf363623cfa528c8c195be5014e578b2b55c20713 |
| SHA512 | 2986f8ef18d920d31fdd9851302b0e7fea995abe3f00ccc23dcbb0619645537a9b5aad6720991ea68f037085a70f4caca9b4a7777130753a875fb8f2659e982b |
C:\Users\Admin\AppData\Local\Temp\Nextel
| MD5 | fdbd6f9f8d264754709a9a392e5166c2 |
| SHA1 | a6026b0a6e26427676a7eba319a0fad436fb5a46 |
| SHA256 | 9ca8693b734561301b95c2a285578b3559ede64a0fc10fdf85a9ff7ef440e840 |
| SHA512 | 5c78a6f1ce8526f649e15354973e5f32f2bfa83fd195d934efb403c3c474c3a876b0d732dc0c519c98ab45e2bc25a89c91465b5a99a90ea0cc834c2bde665c83 |
C:\Users\Admin\AppData\Local\Temp\Foot
| MD5 | 7735d4e2e9fd3e829340f06b7a47e0fc |
| SHA1 | ade0d827c011e03cd3d3a6b4cd544fc4227c5122 |
| SHA256 | bc463e36242a65e435fb9894b2803a645df73b7c3e9257065abb5879fcaf204a |
| SHA512 | 1dce04c21d60bc459949d8de9bdbb16a75d57f44d92cdef53e00d5c5daa5fc322d3c230b4a99b39e3c044559a90361a6782b7805062ff5feb630c8acc43daed5 |
C:\Users\Admin\AppData\Local\Temp\Carroll
| MD5 | cdf5ce2b2740794fb5638a60c97d6ca7 |
| SHA1 | 68e967c2267b4631fa8f068bdce84db1f02fe0ed |
| SHA256 | f050298d5a56ae17bececcb622d8115f5f74de3c0c2a261ced812a6b5538d23d |
| SHA512 | 3a41ea23b3cc21fe1811ad728addbedf0354052ef134698807c0936113a8c5a403f2220bb76519b5159c4cb90029b49320c71b0f71b89534df0250b9fd3c1d51 |
C:\Users\Admin\AppData\Local\Temp\Deviant
| MD5 | 497d3bd5165a8545a5b4dcf3a842f721 |
| SHA1 | 41e3dc37a0eb4b0fdd17bc4aa21503022744de08 |
| SHA256 | 3eb173ae116ea9ae4e6041a352c444ad663a1564767f80061fd50a29c7b7ca85 |
| SHA512 | 93d8787c5770a93386b4ca12544bf7b5bdbbbf9c1b94f8ba78fa5ec52aa9b53efb1fda4676d2372867cc5f0b78a07bc679dd994a16399b7824dde706de139e48 |
C:\Users\Admin\AppData\Local\Temp\Cemetery
| MD5 | 47f942807f5dec3c5107788292d0fecd |
| SHA1 | 21da1ca4ac2a0dc11c4d30c70f1d7d41025c5116 |
| SHA256 | 423618830ed07bd79ec3a92b102c504f69942819d126e7538980fcfdd21e254b |
| SHA512 | 8622ac215805cfa7766bf0d0e5f25e0b5ebdf1085c34232b2eeb2b4063a4a5abbf7697ce97a26d5a0f4a2abff18c84282fd92ba637dec3911689518d758784de |
C:\Users\Admin\AppData\Local\Temp\Wiki
| MD5 | 9a2a73b89ef29c867db353c905ba26b2 |
| SHA1 | 202e2c7d9c9b87957ed0e0a6b6398b9356846ae0 |
| SHA256 | 210c3ce2c7ec2616a45d6ac957325e34d58e01ab16a717cdced47d563d8fba5a |
| SHA512 | 29b98bf683710dec760cb945c2322e95afec0d230d15eff251e241837922ca9eb88517d524a9336e7d951cacf4147faff4564981e549fec047b6dd73e909fed7 |
C:\Users\Admin\AppData\Local\Temp\Pharmacies
| MD5 | 1bc99d6790ad7980b06e0155053fa85d |
| SHA1 | 080584bee5fe0fbe1c0e12ec667dfbd4d11ae11d |
| SHA256 | 2f6fc0b13b490c15737b3b284e3275e6762f83e997369cade8478351adf3003d |
| SHA512 | 38a13f718f9b048da052cd46344c16ca0c24b4b62f4218c6f18d3abcd3120460c129b5bd1ad4ff77e0b6876cc983cb9a6a67a3bc44c822c4c5734718aabf8f80 |
C:\Users\Admin\AppData\Local\Temp\Quilt
| MD5 | 55a984e33e1bc5af3daa8243b4fcdf41 |
| SHA1 | a32a48801302c293749a478cbdddde2de3fb56e2 |
| SHA256 | 566df799d543d8a004f050cf673f29d0bc47c70d328b207bc526c335379565d6 |
| SHA512 | f6970220400611bd4b58fc13147fe2f7552b96bf48bf2589b37e5fb41bc988f095431ffb35b6c2943ed5a7405a2ca427f2ee5e26795ea3a1071b32c9fb347c7f |
C:\Users\Admin\AppData\Local\Temp\Either
| MD5 | 3ce1f10bafb24d85a3b76ea4d5aa70db |
| SHA1 | 37e31294b91bf67cdce1e1d58342f7f97f284e6a |
| SHA256 | c2bd0e0bfd089366a5cd49db1a7f4c9c4b2c6b3c92924319de3a18c7b75a0b32 |
| SHA512 | 2c0ca237084b3b5e7015a77d7cb3c874e19086ae464ae49a751e4da1c124a243baf6b0d73aee7bfc1f17862fc2f24a9f85f45cac402befd0c7e42a7d68e78f7c |
C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif
| MD5 | 848164d084384c49937f99d5b894253e |
| SHA1 | 3055ef803eeec4f175ebf120f94125717ee12444 |
| SHA256 | f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3 |
| SHA512 | aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a |
C:\Users\Admin\AppData\Local\Temp\4681\E
| MD5 | 58cb40a5a8e893df0b75dbf70ed10162 |
| SHA1 | 9bc860f702f5b8f6dc2eb437e23ed41362cfceb1 |
| SHA256 | 4a93e17001bc7b6329e51c9d87661a55194983eb7fd4e856695b39a9dfab2a43 |
| SHA512 | 3031ee0b19aec56b04e9cfbcf0d4f267f87cdd4ca167b7871607fa58aaa3d68c7dc09a89ffed4c82e982ff3e5b05e1b45e9221fb613eebd9cfcc8e807d6e8fc7 |