remcos | 5001f73bf27e0507fe9a7dac37293f3ba4959fb147a00829163ff219256da294

Resubmissions

03/09/2024, 07:58

240903-jt29vasfle 10

03/09/2024, 07:55

240903-jsfdpa1flm 5

03/09/2024, 05:48

240903-ghfklazejh 5

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NOTA CREDITO FACTURA FECG-36060.msg
Size

77KB
MD5

b197979f2689f810030171a5721dfd2f
SHA1

f2c11d73ed520e25738582f29362b6ebf77a2c1d
SHA256

5001f73bf27e0507fe9a7dac37293f3ba4959fb147a00829163ff219256da294
SHA512

e799518669e2c6ca1306a59053559e64f64eeb7781bd207c6be7c5da7385eefe7fddb4f4bab6e379e12d4b5ee66e41ee6c083034be8fd732cc66a7d26b97df1e
SSDEEP

1536:2HRfzfgBjIL2lWBzEkKW4XvSmURjrIb2kWXDi1k:uRLmK2cokEXvSmIa29i1

Score

10^/10

remcos enfocadoe discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

ENFOCADOE

agosto21.con-ip.com:7775

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7BZCZN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 4 IoCs

pid	Process
2656	0001222365589556623514578484512245784452.exe
688	0001222365589556623514578484512245784452.exe
2764	0001222365589556623514578484512245784452.exe
408	0001222365589556623514578484512245784452.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Webex = "C:\\Users\\Admin\\Pictures\\Webex\\WebexMeetingClient.exe"	0001222365589556623514578484512245784452.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Webex = "C:\\Users\\Admin\\Pictures\\Webex\\WebexMeetingClient.exe"	0001222365589556623514578484512245784452.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0001222365589556623514578484512245784452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0001222365589556623514578484512245784452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0001222365589556623514578484512245784452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUTLOOK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 4013c328d7fdda01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000e0d7ac3a29378d8229444c142a159236639c3844ac8f3886961b4c2faf3873ff000000000e800000000200002000000031167c0f667b5818875072c5bd0180aa7559e45e635ab85eeb3d8fcec84bebf12000000017af3fb496fa7857a4d2cdceac01b3abf1157188674d5e9f1f5dab4d8dbd4fd740000000bb89ea41a27ef65f6eb566ebaf9d96a939a54f51608f733b278f8905213d288f0dc4f0f38ab0e5a435079955432d03b75f24d5ce95148d6e00fb914775e1c592	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000e3587616685316311303aadcb7a18e193ad30c6ff2509ef634fe803cbee50980000000000e80000000020000200000003339cb6cea5adad1387f4471908ac437a77bd46ba93e6143204e406cf42d0c1a900000009644f0f29fd6974db866e3624c021b28697fcbb28f5e38403dd90830b85d378e775344799fc9be980994555d24abb22a89162fd7349708d392ef74ff4b02c0c016afbcc877dc2358938d5ffca080e7ea89584b74b63a3678071a019076ac56f22110e5c1ed596ab6898c784231daaed66e0d07d8da135d8d0e8a187673ca9df58815de3ddca10025c167a62502f6f8124000000045434c547ae3aca0258630eae6435c78fc4a67a6b2b3387d0ec6f1bc1b78ee3c5ca87bbc1ee21cefdfde0eeb705371067b828ac52e9b7353d84140716798f9a8	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431512207"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{60BC7341-69CA-11EF-969B-D60C98DC526F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40239037d7fdda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2420	OUTLOOK.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2988	7zG.exe
Token: 35	2988	7zG.exe
Token: SeSecurityPrivilege	2988	7zG.exe
Token: SeSecurityPrivilege	2988	7zG.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2420	OUTLOOK.EXE
448	iexplore.exe
448	iexplore.exe
2988	7zG.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
2420	OUTLOOK.EXE
2420	OUTLOOK.EXE
2420	OUTLOOK.EXE
2420	OUTLOOK.EXE
2420	OUTLOOK.EXE
2420	OUTLOOK.EXE
2420	OUTLOOK.EXE
2420	OUTLOOK.EXE
2420	OUTLOOK.EXE
2420	OUTLOOK.EXE
2420	OUTLOOK.EXE
2420	OUTLOOK.EXE
2420	OUTLOOK.EXE
2420	OUTLOOK.EXE
2420	OUTLOOK.EXE
2420	OUTLOOK.EXE
2420	OUTLOOK.EXE
2420	OUTLOOK.EXE
2420	OUTLOOK.EXE
2420	OUTLOOK.EXE
2420	OUTLOOK.EXE
448	iexplore.exe
448	iexplore.exe
1516	IEXPLORE.EXE
1516	IEXPLORE.EXE
2420	OUTLOOK.EXE
1516	IEXPLORE.EXE
1516	IEXPLORE.EXE
688	0001222365589556623514578484512245784452.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 448	2420	OUTLOOK.EXE	31
PID 2420 wrote to memory of 448	2420	OUTLOOK.EXE	31
PID 2420 wrote to memory of 448	2420	OUTLOOK.EXE	31
PID 2420 wrote to memory of 448	2420	OUTLOOK.EXE	31
PID 448 wrote to memory of 1516	448	iexplore.exe	32
PID 448 wrote to memory of 1516	448	iexplore.exe	32
PID 448 wrote to memory of 1516	448	iexplore.exe	32
PID 448 wrote to memory of 1516	448	iexplore.exe	32
PID 2656 wrote to memory of 688	2656	0001222365589556623514578484512245784452.exe	40
PID 2656 wrote to memory of 688	2656	0001222365589556623514578484512245784452.exe	40
PID 2656 wrote to memory of 688	2656	0001222365589556623514578484512245784452.exe	40
PID 2656 wrote to memory of 688	2656	0001222365589556623514578484512245784452.exe	40
PID 2656 wrote to memory of 688	2656	0001222365589556623514578484512245784452.exe	40
PID 2656 wrote to memory of 688	2656	0001222365589556623514578484512245784452.exe	40
PID 2764 wrote to memory of 408	2764	0001222365589556623514578484512245784452.exe	42
PID 2764 wrote to memory of 408	2764	0001222365589556623514578484512245784452.exe	42
PID 2764 wrote to memory of 408	2764	0001222365589556623514578484512245784452.exe	42
PID 2764 wrote to memory of 408	2764	0001222365589556623514578484512245784452.exe	42
PID 2764 wrote to memory of 408	2764	0001222365589556623514578484512245784452.exe	42
PID 2764 wrote to memory of 408	2764	0001222365589556623514578484512245784452.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\NOTA CREDITO FACTURA FECG-36060.msg"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.google.com%2Fuc%3Fexport%3Ddownload%26id%3D1SDKzVX8CnQi3u88rp8cCi-GoR6rjct2w&data=05%7C02%7Cramon.ramirez%40adres.gov.co%7Cc5f30a40488c4f2b6e8208dcc1f2dcfc%7C806240d03ba34102984c4f5d6f1b3bc4%7C0%7C0%7C638598496087858129%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C40000%7C%7C%7C&sdata=S%2BZM4EyJUMcD52JnUnJ66drDwJqC2SkCPROXf7hkrDA%3D&reserved=0
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:448 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1516

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2248

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap9464:148:7zEvent25746
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2988

C:\Users\Admin\Downloads\0001222365589556623514578484512245784452.exe
"C:\Users\Admin\Downloads\0001222365589556623514578484512245784452.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\Downloads\0001222365589556623514578484512245784452.exe
  "C:\Users\Admin\Downloads\0001222365589556623514578484512245784452.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:688

C:\Users\Admin\Downloads\0001222365589556623514578484512245784452.exe
"C:\Users\Admin\Downloads\0001222365589556623514578484512245784452.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\Downloads\0001222365589556623514578484512245784452.exe
  "C:\Users\Admin\Downloads\0001222365589556623514578484512245784452.exe"
  2⤵
  - Executes dropped EXE
  PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ace72ad392e828052a73e476637b1788

SHA1
78b6b282685f23c1ebed82bc4d1b9b0252dd5a5f

SHA256
df6d590558910f9345f71a22e65b288e8a29461eca7e3d98e63bfc750b720f81

SHA512
60660fca7ef5ca22eb06b0192984d58b2c89891dffb1555190a0b75935104cb0f2f9a7f10f39fd91a31a2b222702403fc51bb775f9c2ed21931c0a277257a695

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8089075fd511fa8d58d0059a257ee7d

SHA1
907d80e5e6e23349b6fc0722a89235f1604bc97d

SHA256
c8dd88abd7f43d23725dfa2509469ee0cf24e63c7d9b9bca22c416f49424fafd

SHA512
9421610a5a9849c69ac106061fb8160cba6ec1c627c44fa8ee7b4487c812022197a7b9ec74dddd37f8fd69a9587f09f5c26885ceb01c42b3e15a8ec28ebc75db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29b99e7b20eb25a551c6bba1b2146f42

SHA1
147d2bd1ae48d25451433f15c1596a10497d5805

SHA256
15a6669d2c288485b496cfad74ef1f753e1e24d2c69a38d37d0aadae3c123f2d

SHA512
a02d40a8e52f7d526076a4240e0dd8ad890f165985da5d66ad895f0cfa0b58814622a50b3a9cc1a4f96d513e7c34b7990daa7d4ed3a4505a9b43a6bc0b6c579e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7c9a8dfae5ce67714b3bea589422aa3

SHA1
01817ac1a6cf78c8467179167dd94418ed87d3d0

SHA256
5af1a60b9112482fac10569e08ebaeb258fea5ecc68c06a5fa1f2e220bebff7c

SHA512
439a007797cd90cfb9443cae22240c5ad54eeb2f5f7c891bed9443b9781da7f6388f97b0aa603c830d56c4fa44552d30acb5c59f586d7cbc8976faad93f38d50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5c1065d10893a22d7dbc179eb3a7dcd

SHA1
a5fbb74e801f784e1442bb73b1eca980c4652a22

SHA256
b1b13a3143b6d24f2b6ed5acd83986b4d9673588aa83343ffe961498589ba0e4

SHA512
5ed0cb8ebbe6c9ae14d214118e70356af5688b37c16e7e82a59a6f7389725256f576f4c32537de961391aad285f66ae77c876ae919c0338f2e2b31ecf99c5df8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f0731bee2dd04a8b94244602775838d

SHA1
03c6f27b680b06524de9909bd75d749c1b29716a

SHA256
82ef57e0f6ee94ad21f626baad2e0f60633fcf2c8663afcab77f9bab253ccc1a

SHA512
8261f67042bbd5a08a1db1a1dbd70b5ed7ada46e93f58e95ef6617a3ee5757b0c787e7b2841b0556113a50220d2bb41737b5cfa0df3ba5404982fd284f6c6972

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f607a8e5795a4b8ed61018e3a12db380

SHA1
43eed415c450f79ff223c25a47bf7144ba6c0c28

SHA256
9aecbe2a893421a9226778048f3ee12659a35039d9fbf5f7378013e193ccfa06

SHA512
b00ce00c5ba229b236c0b03a26c8b492ae8836fb5c3ceede5c482956bb3a1f0004433eabbe72f520b8d083c295d23d5a10c6bb8b2ce8b15dd8a1889bbc794c7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99159694eadacc0e415828915fc8319e

SHA1
4902ca5e81b4d5bee8660f84273d9be542e1df63

SHA256
9169941444d7e18e2032d442126c1892f42ed6a830d3d44acf51174a503178f5

SHA512
54b3cab20d2d30f1e208f4bb2ce9e7bc22a79273b42d7a318fa131c83cc19371c87389551f384e29376119f8d087b7e65b3d545fdd597a99d45a4d5ccdd139bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
902a1a8a47f15277b3aa8c8a1189ba74

SHA1
50e838684bcff125565c2d1f9c846fb0101bff53

SHA256
3cce61d2b3edc325f7a24d1d9c923360b42c653b81cef560a116347ee9a73490

SHA512
b1c94bf501461c30a8cb38e36d64e54c22a3997f32cf3f6fbb06071e070219af3bb941b8f21fe04896dd57a97fcdcc99638066c4c983fc1fbf3cfaa509be50ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a379ef54c45c32ba71ab11ac01b8b734

SHA1
f59bad6a4bcf6aa09aa5556cdf8969e283077f45

SHA256
d52536e230a56cc953e44632c76adb0af418e23a7509f0b9306b43e6a83f7947

SHA512
f368e9c417be83b83276d59facb1737c3dfea92f525cc7b6a430af49c3c2b5153acfe184d354be776cf3f14eb05d4ea513638101f59c62f86b9232500e1f9e3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ced3c4d8a5334ee880face1ebcd862cf

SHA1
9d8bfdb4f4320bb5e2da2f1777e2068fa9bcd0df

SHA256
9c230e74311a1cdc2f23f7aa5bb1ae6b8081c490ec9dc3928bb32858bdd3c11f

SHA512
f47c6491d3efd8863650a9e5754767c83550679b34b114b9b6c92532e7c5b3298f1bbfe6166cdb53ccf71f29e3f149060774d11f27bbd69da2d52339c8eb0218

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5baafdfe3dc9f1fefaecdf50090988b9

SHA1
cb1e4bcbccc969a0c023810ae7c6092b416b6a62

SHA256
5659dc083c743c07d3a9ec5db81d33a5086e8b2c32d162ff89066ad98155d30d

SHA512
ca1858e9744d326cfca70109d2c6d8244ff790555488bc63a58b13d8f6328650e6ce2d9e04719d331133ffda5f9ea6af389b2cb4b6b0223cef44b9dcf305496c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
071ef9d9e56bd14b3abae0e76baf3f5c

SHA1
f50e416ae965a2afbfd31fb00cb1aa9dd46cf035

SHA256
ae9383f4be42c95b3df679ca21e05fe294417c4e4cae700068abc34988d539a3

SHA512
79f9ba3a7bcc24cbca724564b7b97c5cd62be89b0d283ed74bd0ba72be676970d3b50ace8e5fd1132390149078eb49a5ac159aacbef5c8fb1b82d2d07fc427be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6666eed3b817c908c7b09d6bf86f7d58

SHA1
9c0ef04c3c86c830a09059a0c8f5730268a45921

SHA256
52ac0cfd11b50610783a369bbc6669a6472607b20750de9711416e47eb341851

SHA512
65963729d602268d2f7ac7c8ccf162ff05f200b490e5126202f61025fadd9e70188d5b02d3b71f8f26596bf1ef032f400c029ec21ef9866259a978a899d631d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e690e97a306290a57a1bfc2e20b207a8

SHA1
2f8dd0720dfbddd954864ed0d67be50c80f52325

SHA256
cceb26441f7d92a28b1719b76200a12349248c452b82cb59266aedfb5d50cd63

SHA512
4706b8401ba793e4fbea9966f811053b1479016703dc773cd19923ca10146981ab320df7a82e938b5472a0cd49a651df5bc72e0365e8bcf1950f245a7833a12c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b4686ae0c84d47c68f2d86b7e704d3b

SHA1
b50ace2ea9a2835f84dbc40dffc65614ef396bf9

SHA256
21880f6323af6a450dd481e26031850eaa1659a049eeb7ebc17642ac6cb536fe

SHA512
f078394820589c955d2ab9ffc604fa18366997e2f7f2908ac9f0cf8b6ba2c97b218d7a75511bc7efc962e4d503b954205835448b3253472b8dde0212ffe2f348

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36cd7925c0be5cdfe369a30ae7bdf013

SHA1
4fae52e8da2dc3084ce976357d3b0bd7f3fc6a21

SHA256
4ff999bd579c79a9fd9e710f3c158df84fbd16834643133da41c62124ab44faf

SHA512
5b95dd8bb0f1dd72c0f1c2fcd326277b362a35581dc531ce96e909d339f0e94b192e3db8be535e7aee60cfa951f012764c50cab7e7479d028377c814b3a439bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31ad256a9ee33fbbe6d3ee2b6068f9b2

SHA1
afe85a730dd209aede8dbc5d968886b37a92cfd1

SHA256
59c4320af46f699d5cd3e447837db1cb4b86d640d5e8bbe8cb5aeb447e847dce

SHA512
debc12725ebf909dfdabc2a0c145627400c702b1a9ab14cd93bea1f1e60975ff40cc4a1335bcecace92e9279e889c20e9aeb5dae529e66761c68d254dc47e67b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
663c761ff9e7c08a2d61e28ca8fe5fbf

SHA1
e3faca9be0bd1cdb522e6bbea7633e758ee3a5c7

SHA256
bbc6756e2c785ef2c42ef083dcbf8ed2f50bb4a45decf215495671f044725397

SHA512
3e29ea01a8c4835d207cc356664a1960f0a5bbea5438f4fd0b09c629fe6453e2b2844e4c4131c271c81d15202753f1def71017e89b528b014b83a7f4eab45ab8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03b7ea82afc759695cd142f3028ca175

SHA1
89a4d881664ebe1674ee4f3f09188b7fb6c20d65

SHA256
acd6f3fe0906f6a55eec06275d3b106825a0524ba9a540f2d15f292d084166e1

SHA512
add8cd55ef0fdcc302ecf310a97837aa6c476436b1700df9dfefcad997596529d00fd68c684882e6af19d012fcb980446227ca7451bcfe7ad943abd99b462f7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
d827307da3d7fe11ba4e8e605df91711

SHA1
87d39608c0aa05f7dd511f83e552eab83585fc70

SHA256
d4aab9540851a55a8dd9339f3a56aab1cf7c1c0ae6a5eb764b83eeb29d8437a9

SHA512
bd9ab0dc3cb2862704821f6e98da45393c43e2c9cbc37f710eeb795518b2de4a22a5f3a34df3b3c894eb370987857977cf24ce834d5cd7196de43f5030e2d29a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
b00db8682de9d603daa000a8ff42a27b

SHA1
6c3d5aa292583e65dba985482c103c2828346cf6

SHA256
2c2a2da03d5ec6cad9f8e810341a97f3e5e31aa707ba861b490ad6e81abf8464

SHA512
8d0eebb294312b413238792ee55db53998934c38b3eda93e6cb58b0353cf86cc41d6fa731ff47e3b236f0b82ae7c3b6889c2e7a77a0ff695c6f0c5f148b4fa95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\guoemn1\imagestore.dat

Filesize
1KB

MD5
0d100cbc02b26afd2bec81f0b44aeb73

SHA1
61572af8ad244a4d09fc3e95deb7fe7cf69f7f0a

SHA256
274321da7126b5bfd46539c24d9daec818715dc5f89f0971757b3cf0dc018ef3

SHA512
61cb6b89eb6d8c80187ee45493e7c61627fb7278614aa3f92ba6ad5966c0578884091cedaaff16cac97c5d3d2fb1f260b76eab16b36edda401ecc987f793c283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\0001222365589556623514578484512245784452.tar[1].gz

Filesize
1.4MB

MD5
faef59f8573d911c67eccf47edbab74c

SHA1
eb2cccd011a79aedee57d442e616f502b16b42df

SHA256
cc954e90f5da21ad92ddea419a2a2520ebee6bc02275588b529e6a426e573428

SHA512
4c573cca69f9431fc49160099178f1cbbab4d27d8641d7b47e2e462f0283c177c5b10360620b747b92e4f3d2f642c5c2cbd059bc5186dea62ebf52584490c2f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\drive_2022q3_32dp[1].png

Filesize
1KB

MD5
c66f20f2e39eb2f6a0a4cdbe0d955e5f

SHA1
575ef086ce461e0ef83662e3acb3c1a789ebb0a8

SHA256
2ab9cd0ffdddf7bf060620ae328fe626bfa2c004739adedb74ec894faf9bee31

SHA512
b9c44a2113fb078d83e968dc0af2e78995bb6dd4ca25abff31e9ab180849c5de3036b69931cca295ac64155d5b168b634e35b7699f3fe65d4a30e9058a2639bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6C1E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6C2F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F4C7B51B-4461-4E97-8E75-B27BBB8C6920}.html

Filesize
6KB

MD5
adf3db405fe75820ba7ddc92dc3c54fb

SHA1
af664360e136fd5af829fd7f297eb493a2928d60

SHA256
4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476

SHA512
69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

Download Submit
C:\Users\Admin\Downloads\0001222365589556623514578484512245784452.exe

Filesize
3.6MB

MD5
88b93c9f46399e63c0c713211077d4cd

SHA1
b30086dba9cc981226a3e36d593e5bf69a0954b9

SHA256
0fe731eac32f92d3da0c90f990e37205a99e374f715902a469524205092bf951

SHA512
f5ce76651ccd514b60402937853a569762e799c41d814898b0ffe50efb86ba81fe75a79069d984b9b8fd469363aa5523be03227ea211efbbc57cbd5ffbe93cbf

Download Submit
memory/408-1163-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1138-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1149-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1180-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1181-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1179-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1134-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1186-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1130-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1128-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1135-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1129-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/688-1139-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1141-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1142-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1143-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1144-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1146-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1147-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1148-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1178-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1150-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1153-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1185-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1184-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1176-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1164-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1166-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1167-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1168-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1169-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1172-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1173-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1174-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/688-1175-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/2420-1-0x0000000073DDD000-0x0000000073DE8000-memory.dmp

Filesize
44KB

Download
memory/2420-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2420-162-0x0000000069C11000-0x0000000069C12000-memory.dmp

Filesize
4KB

Download
memory/2420-124-0x0000000073DDD000-0x0000000073DE8000-memory.dmp

Filesize
44KB

Download
memory/2656-1125-0x0000000000400000-0x00000000007B3000-memory.dmp

Filesize
3.7MB

Download
memory/2656-1131-0x0000000000400000-0x00000000007B3000-memory.dmp

Filesize
3.7MB

Download
memory/2764-1159-0x0000000000400000-0x00000000007B3000-memory.dmp

Filesize
3.7MB

Download
memory/2764-1154-0x0000000000400000-0x00000000007B3000-memory.dmp

Filesize
3.7MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads