Overview

overview

10

Static

static

1

formulario...s2.msi

windows7-x64

6

formulario...s2.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    599s
  • max time network
    604s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    26-08-2024 21:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    formulario_agendamiento_citas2.msi

  • Size

    9.4MB

  • MD5

    494b601e0b3932fab0ef22ed91c77278

  • SHA1

    754241d8fe6c8fffffb99bf5250258a56d52d4b3

  • SHA256

    b4fcc0bb3fc8beba9218d058298ca32302b89f31252f04cca4f640841866db62

  • SHA512

    d269ccbe8a4e08f731d7ce880d7917f7f829e9668a14a8009f83a690fcc9894e60903d44c9a4710c5655e1fb281d541293f9d6ed6d1fb8df9ccdbd6992289305

  • SSDEEP

    98304:6RrYyhm/Ngv88ZSN3YX/6GdBuj+EgKj3k0mNkgb3S6B4wa36YxA+7p0Zgci:mu/Nn8oCza+EDk0m+4S6B4Vvy+FTci

Score
10/10
remcosmarzo 18 muchachadiscoverypersistenceprivilege_escalationrat

Malware Config

Extracted

Family

remcos

Botnet

MARZO 18 MUCHACHA

C2

imaxatmonk.imaxatmonk.com:2204

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    Acobatlg.exe

  • copy_folder

    edqelofh

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    colrahfc

  • mouse_option

    false

  • mutex

    imaxmontsk-FYKXFK

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\formulario_agendamiento_citas2.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2216
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding BB2C9828913A4522F93ECD852646F3A2 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3088
      • C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{85B24105-8A70-4C94-BFAB-4A8A68FD3824}
        3⤵
        • Executes dropped EXE
        PID:4944
      • C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FDB5DC34-29D0-4A2E-9B86-94D535CC1666}
        3⤵
        • Executes dropped EXE
        PID:4812
      • C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ABA64380-D107-4D87-B1BC-BB697A02B3A7}
        3⤵
        • Executes dropped EXE
        PID:4800
      • C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7FC5297A-AAA3-4441-B877-B0D54E3085DC}
        3⤵
        • Executes dropped EXE
        PID:3388
      • C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{137347A0-DFCF-4187-997B-0F8DFDF2FF57}
        3⤵
        • Executes dropped EXE
        PID:4980
      • C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F049B1A2-467A-4205-B883-8D54DEBCA8B8}
        3⤵
        • Executes dropped EXE
        PID:4356
      • C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4E5E44E1-3F06-41CD-890A-682CB41B1779}
        3⤵
        • Executes dropped EXE
        PID:964
      • C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F1FF5E1F-4CE6-4BEB-9962-4268545F399A}
        3⤵
        • Executes dropped EXE
        PID:1016
      • C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5A73C058-8AAD-4D47-966E-EBDE90CA2EB8}
        3⤵
        • Executes dropped EXE
        PID:4204
      • C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{91093238-C981-417B-AFF9-B2D9E84949B6}
        3⤵
        • Executes dropped EXE
        PID:4256
      • C:\Users\Admin\AppData\Local\Temp\{165DF2EE-BABA-407A-A8BB-A3AEB7C99D8B}\identity_helper.exe
        C:\Users\Admin\AppData\Local\Temp\{165DF2EE-BABA-407A-A8BB-A3AEB7C99D8B}\identity_helper.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:512
        • C:\Users\Admin\AppData\Roaming\mispace\identity_helper.exe
          "C:\Users\Admin\AppData\Roaming\mispace\identity_helper.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1012
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\SysWOW64\cmd.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:4908
            • C:\Users\Admin\AppData\Local\Temp\Fastsecure.exe
              C:\Users\Admin\AppData\Local\Temp\Fastsecure.exe
              6⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3552

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\colrahfc\logs.dat
    Filesize

    144B

    MD5

    ff721473eb063ec1026b1d7d7ae0bc3e

    SHA1

    be13c54a92ba86d36abf065f3dc54ee50658b10c

    SHA256

    a6d92adb0b8352b3bb604f09df12bfac1abc59f79b24d4a840301cfc8d9cf75f

    SHA512

    f3b8b6241a42a3b9e1d7d11491c4e57e12a0b06bd528e987ea079769fbf02b04ccd6772362caa8670fa17b3c582249561f36a1171feeab86deeeb87c2af8ae52

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\629fb823
    Filesize

    1.6MB

    MD5

    943a220582d9963dec1cec93b6dbb848

    SHA1

    d1767be863add2206c2889ae2edcb557dafd7874

    SHA256

    564f956b773a5f7597ff2bde0a1d6cde90a7782eed1fdc75ba213d2b4e79d8bc

    SHA512

    749b0d7cac32c94bd994709e8761298a4a0dd059c210e263d18d342abcde7ed3651987cd97b3cd0de781c01e6133e2f10b2b9c7703a1021ce595264ca256cab8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Fastsecure.exe
    Filesize

    433KB

    MD5

    fea067901f48a5f1faf7ca3b373f1a8f

    SHA1

    e8abe0deb87de9fe3bb3a611234584e9a9b17cce

    SHA256

    bf24b2f3e3a3c60ed116791b99e5421a4de34ac9c6e2201d34ab487e448ce152

    SHA512

    07c83a2d3d5dd475bc8aa48eba9b03e8fb742dbbd7bd623ed05dc1086efed7dfd1c1b8f037ee2e81efba1de58ea3243d7c84ac8b484e808cd28765f9c7517023

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSIBAC4.tmp
    Filesize

    171KB

    MD5

    a0e940a3d3c1523416675125e3b0c07e

    SHA1

    2e29eeba6da9a4023bc8071158feee3b0277fd1b

    SHA256

    b8fa7aa425e4084ea3721780a13d11e08b8d53d1c5414b73f22faeca1bfd314f

    SHA512

    736ea06824388372aeef1938c6b11e66f4595e0b0589d7b4a87ff4abbabe52e82dff64d916293eab47aa869cf372ced2c66755dd8a8471b2ab0d3a37ba91d0b2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSIBD36.tmp
    Filesize

    2.5MB

    MD5

    e1613420d7c082b88787119696b22fc8

    SHA1

    563bd96ea5e7b8d93de7ebb1c0116acbee828edc

    SHA256

    fa69d5b759aec7a65f1712aab68b952de7f28a696012add5ee9543e8e6a599a3

    SHA512

    d33b2891aef5337e67e567f92e13cade1dd8082f0e818d81855651c664e975fd81780131aefa29f26e731ff401afa8453a3c0ffebe046367259c130770690a0b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{165DF2EE-BABA-407A-A8BB-A3AEB7C99D8B}\cantina.psd
    Filesize

    68KB

    MD5

    056aa508c0af9080d4e83fff612f943f

    SHA1

    315cb3b8a32fa36523e13440b51793d8871028bb

    SHA256

    a7bd0e5cfc443047fee2c4db5c9a88aecf762a785209028506b4f3c849405cd4

    SHA512

    04c30d14e6a3755ad143bf53b1782eb4d7db4a4e69f82bcae14a2c68388c19e947cbe350a1b9b61cd97cc2408412f07eab0091eeeb244e6c5ccbc37b3ba6dff0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{165DF2EE-BABA-407A-A8BB-A3AEB7C99D8B}\identity_helper.exe
    Filesize

    1.1MB

    MD5

    f975a2d83d63a473fa2fc5206b66bb79

    SHA1

    e49d21f112ab27ae0953aff30ae122440cf164b9

    SHA256

    6a2d3876003f6c68f824df4f0033564d8c230716908ba2e6c06ea1dd6d5f98e8

    SHA512

    4af4ce56bf131432d488ed112f8858c1e1392d013c6ac0603f2fd70ed513091e35854c0f678efeab7fa9a551517c6b9698f40a92729112de4b852fa3c0c69d64

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{165DF2EE-BABA-407A-A8BB-A3AEB7C99D8B}\msedge_elf.dll
    Filesize

    3.9MB

    MD5

    3bcf8f178ba2ed8b376523d2c9f26ba7

    SHA1

    284f73850315b7533977a41afbfc7a5b85f20338

    SHA256

    4138d7cb4613fdddc1d7b1687f7d37190ee1e1d6bbf700abee11bd791486b937

    SHA512

    33cf9623bf98be3b83be770202bb40dc805bf2610dffe42a624fbe9f7ac647e9058a4376a02917fd430bd5f54fd453ae9347abab99a9fa4430a769419f73f5b2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{165DF2EE-BABA-407A-A8BB-A3AEB7C99D8B}\tubenose.svg
    Filesize

    1.1MB

    MD5

    64d5db6fb99adf0c9e802e40b4904484

    SHA1

    8075a1007ec99c4a540b0f517edec9550d6ef842

    SHA256

    d7a7b517da9f55d3f62c23037033ac82af1382ae18865322e4ac8650ca56af73

    SHA512

    01a0184bc4511894fe5654a71e4399fe52341b1388343af465e20f8fc13758706a41f17797f3fb9d3098c84a9f97559cfeb158f294ca1af620ad5df1ab6d8295

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISBEW64.exe
    Filesize

    178KB

    MD5

    40f3a092744e46f3531a40b917cca81e

    SHA1

    c73f62a44cb3a75933cecf1be73a48d0d623039b

    SHA256

    561f14cdece85b38617403e1c525ff0b1b752303797894607a4615d0bd66f97f

    SHA512

    1589b27db29051c772e5ba56953d9f798efbf74d75e0524fa8569df092d28960972779811a7916198d0707d35b1093d3e0dd7669a8179c412cfa7df7120733b2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\ISRT.dll
    Filesize

    426KB

    MD5

    8af02bf8e358e11caec4f2e7884b43cc

    SHA1

    16badc6c610eeb08de121ab268093dd36b56bf27

    SHA256

    58a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e

    SHA512

    d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{195BFEA8-B531-462D-AEAD-B0C9E3BBAF8E}\_isres_0x0409.dll
    Filesize

    1.8MB

    MD5

    7de024bc275f9cdeaf66a865e6fd8e58

    SHA1

    5086e4a26f9b80699ea8d9f2a33cead28a1819c0

    SHA256

    bd32468ee7e8885323f22eabbff9763a0f6ffef3cc151e0bd0481df5888f4152

    SHA512

    191c57e22ea13d13806dd390c4039029d40c7532918618d185d8a627aabc3969c7af2e532e3c933bde8f652b4723d951bf712e9ba0cc0d172dde693012f5ef1a

    Download Submit

  • memory/512-54-0x00007FFE47260000-0x00007FFE473D2000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1012-76-0x00007FFE47260000-0x00007FFE473D2000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1012-77-0x00007FFE47260000-0x00007FFE473D2000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3088-32-0x0000000010000000-0x0000000010114000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3088-37-0x0000000003200000-0x00000000033C7000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3552-106-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-169-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-91-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-94-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-97-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-256-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-103-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-250-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-109-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-112-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-118-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-127-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-133-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-136-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-148-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-154-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-157-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-90-0x00007FFE663B0000-0x00007FFE665A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3552-181-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-187-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-190-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-196-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-199-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-202-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-217-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-223-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-225-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-228-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-231-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-234-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/3552-244-0x0000000000400000-0x0000000000483000-memory.dmp

    Filesize

    524KB

    Download

  • memory/4908-80-0x00007FFE663B0000-0x00007FFE665A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4908-83-0x0000000074DD0000-0x0000000074F4B000-memory.dmp

    Filesize

    1.5MB

    Download