remcos | 0c74cb57c375c6bc50b869c5d502f2922c593cc77ac119181ec680d32d67c49e

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doc_0300304032000.JPG.exe
Size

1.2MB
MD5

e7e4cf0e79b15f20dd87a8b11eeabbc8
SHA1

36612c549b356f26a2e314f9c3a0a643ab1d36eb
SHA256

a6ba56520ba01fe4dd295f81ddbec6d90df6e80ea4a50fd79895a82a0b14b3e9
SHA512

2802049bf02fe966e564524b31f16392e83629c39075bf696dd3862f88447fcd158e1f468b32fd4e1bca6f0df0e15d7708398b7be45c3c03172379db6f264bb3
SSDEEP

24576:j6nVMk+HIj90cstXScO/GBeB0rY9+Q3c7NcJRazowocd5xShmhAJ3/:eVz7tspSv/lOA+Q3c7SL/Qx8Zd

Score

10^/10

remcos aquafina discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

AQUAFINA

december2n.duckdns.org:6241

december2nd.ddns.net:6241

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-5TYRFW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 8 IoCs

pid	Process
2628	nboiwrfl.bmp
2976	RegSvcs.exe
1076	nboiwrfl.bmp
2364	RegSvcs.exe
2004	nboiwrfl.bmp
2824	RegSvcs.exe
1556	nboiwrfl.bmp
688	RegSvcs.exe

Loads dropped DLL 8 IoCs

pid	Process
2144	cmd.exe
2628	nboiwrfl.bmp
2708	cmd.exe
1076	nboiwrfl.bmp
2120	cmd.exe
2004	nboiwrfl.bmp
1360	cmd.exe
1556	nboiwrfl.bmp

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "c:\\cooj\\NBOIWR~1.EXE c:\\cooj\\nxaoo.xl"	nboiwrfl.bmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "c:\\cooj\\NBOIWR~1.EXE c:\\cooj\\nxaoo.xl"	nboiwrfl.bmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "c:\\cooj\\NBOIWR~1.EXE c:\\cooj\\nxaoo.xl"	nboiwrfl.bmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "c:\\cooj\\NBOIWR~1.EXE c:\\cooj\\nxaoo.xl"	nboiwrfl.bmp

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2628 set thread context of 2976	2628	nboiwrfl.bmp	38
PID 1076 set thread context of 2364	1076	nboiwrfl.bmp	56
PID 2004 set thread context of 2824	2004	nboiwrfl.bmp	67
PID 1556 set thread context of 688	1556	nboiwrfl.bmp	77

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nboiwrfl.bmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	doc_0300304032000.JPG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	doc_0300304032000.JPG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	doc_0300304032000.JPG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nboiwrfl.bmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	doc_0300304032000.JPG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nboiwrfl.bmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nboiwrfl.bmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Gathers network information 2 TTPs 8 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2068	ipconfig.exe
2716	ipconfig.exe
2760	ipconfig.exe
864	ipconfig.exe
1260	ipconfig.exe
2796	ipconfig.exe
2620	ipconfig.exe
2672	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
2628	nboiwrfl.bmp
1076	nboiwrfl.bmp
1076	nboiwrfl.bmp
1076	nboiwrfl.bmp
1076	nboiwrfl.bmp
1076	nboiwrfl.bmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2768	2304	doc_0300304032000.JPG.exe	30
PID 2304 wrote to memory of 2768	2304	doc_0300304032000.JPG.exe	30
PID 2304 wrote to memory of 2768	2304	doc_0300304032000.JPG.exe	30
PID 2304 wrote to memory of 2768	2304	doc_0300304032000.JPG.exe	30
PID 2768 wrote to memory of 2756	2768	WScript.exe	32
PID 2768 wrote to memory of 2756	2768	WScript.exe	32
PID 2768 wrote to memory of 2756	2768	WScript.exe	32
PID 2768 wrote to memory of 2756	2768	WScript.exe	32
PID 2768 wrote to memory of 2144	2768	WScript.exe	33
PID 2768 wrote to memory of 2144	2768	WScript.exe	33
PID 2768 wrote to memory of 2144	2768	WScript.exe	33
PID 2768 wrote to memory of 2144	2768	WScript.exe	33
PID 2756 wrote to memory of 2620	2756	cmd.exe	36
PID 2756 wrote to memory of 2620	2756	cmd.exe	36
PID 2756 wrote to memory of 2620	2756	cmd.exe	36
PID 2756 wrote to memory of 2620	2756	cmd.exe	36
PID 2144 wrote to memory of 2628	2144	cmd.exe	37
PID 2144 wrote to memory of 2628	2144	cmd.exe	37
PID 2144 wrote to memory of 2628	2144	cmd.exe	37
PID 2144 wrote to memory of 2628	2144	cmd.exe	37
PID 2628 wrote to memory of 2976	2628	nboiwrfl.bmp	38
PID 2628 wrote to memory of 2976	2628	nboiwrfl.bmp	38
PID 2628 wrote to memory of 2976	2628	nboiwrfl.bmp	38
PID 2628 wrote to memory of 2976	2628	nboiwrfl.bmp	38
PID 2628 wrote to memory of 2976	2628	nboiwrfl.bmp	38
PID 2628 wrote to memory of 2976	2628	nboiwrfl.bmp	38
PID 2628 wrote to memory of 2976	2628	nboiwrfl.bmp	38
PID 2628 wrote to memory of 2976	2628	nboiwrfl.bmp	38
PID 2628 wrote to memory of 2976	2628	nboiwrfl.bmp	38
PID 2768 wrote to memory of 2208	2768	WScript.exe	39
PID 2768 wrote to memory of 2208	2768	WScript.exe	39
PID 2768 wrote to memory of 2208	2768	WScript.exe	39
PID 2768 wrote to memory of 2208	2768	WScript.exe	39
PID 2208 wrote to memory of 2672	2208	cmd.exe	41
PID 2208 wrote to memory of 2672	2208	cmd.exe	41
PID 2208 wrote to memory of 2672	2208	cmd.exe	41
PID 2208 wrote to memory of 2672	2208	cmd.exe	41
PID 2240 wrote to memory of 2896	2240	doc_0300304032000.JPG.exe	46
PID 2240 wrote to memory of 2896	2240	doc_0300304032000.JPG.exe	46
PID 2240 wrote to memory of 2896	2240	doc_0300304032000.JPG.exe	46
PID 2240 wrote to memory of 2896	2240	doc_0300304032000.JPG.exe	46
PID 2888 wrote to memory of 2672	2888	doc_0300304032000.JPG.exe	48
PID 2888 wrote to memory of 2672	2888	doc_0300304032000.JPG.exe	48
PID 2888 wrote to memory of 2672	2888	doc_0300304032000.JPG.exe	48
PID 2888 wrote to memory of 2672	2888	doc_0300304032000.JPG.exe	48
PID 2896 wrote to memory of 1468	2896	WScript.exe	49
PID 2896 wrote to memory of 1468	2896	WScript.exe	49
PID 2896 wrote to memory of 1468	2896	WScript.exe	49
PID 2896 wrote to memory of 1468	2896	WScript.exe	49
PID 2896 wrote to memory of 2708	2896	WScript.exe	51
PID 2896 wrote to memory of 2708	2896	WScript.exe	51
PID 2896 wrote to memory of 2708	2896	WScript.exe	51
PID 2896 wrote to memory of 2708	2896	WScript.exe	51
PID 1468 wrote to memory of 2068	1468	cmd.exe	53
PID 1468 wrote to memory of 2068	1468	cmd.exe	53
PID 1468 wrote to memory of 2068	1468	cmd.exe	53
PID 1468 wrote to memory of 2068	1468	cmd.exe	53
PID 2708 wrote to memory of 1076	2708	cmd.exe	54
PID 2708 wrote to memory of 1076	2708	cmd.exe	54
PID 2708 wrote to memory of 1076	2708	cmd.exe	54
PID 2708 wrote to memory of 1076	2708	cmd.exe	54
PID 1076 wrote to memory of 2364	1076	nboiwrfl.bmp	56
PID 1076 wrote to memory of 2364	1076	nboiwrfl.bmp	56
PID 1076 wrote to memory of 2364	1076	nboiwrfl.bmp	56

C:\Users\Admin\AppData\Local\Temp\doc_0300304032000.JPG.exe
"C:\Users\Admin\AppData\Local\Temp\doc_0300304032000.JPG.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\iril.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /release
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c nboiwrfl.bmp nxaoo.xl
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\nboiwrfl.bmp
      nboiwrfl.bmp nxaoo.xl
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /renew
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:2672

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\doc_0300304032000.JPG.exe
"C:\Users\Admin\AppData\Local\Temp\doc_0300304032000.JPG.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\iril.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /release
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c nboiwrfl.bmp nxaoo.xl
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\nboiwrfl.bmp
      nboiwrfl.bmp nxaoo.xl
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2816
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /renew
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:2716

C:\Users\Admin\AppData\Local\Temp\doc_0300304032000.JPG.exe
"C:\Users\Admin\AppData\Local\Temp\doc_0300304032000.JPG.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX2\iril.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /release
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c nboiwrfl.bmp nxaoo.xl
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\nboiwrfl.bmp
      nboiwrfl.bmp nxaoo.xl
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2004
    - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /renew
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:864

C:\Users\Admin\AppData\Local\Temp\doc_0300304032000.JPG.exe
"C:\Users\Admin\AppData\Local\Temp\doc_0300304032000.JPG.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1716
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX3\iril.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /release
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c nboiwrfl.bmp nxaoo.xl
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1360
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX3\nboiwrfl.bmp
      nboiwrfl.bmp nxaoo.xl
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1556
    - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        5⤵
        Executes dropped EXE
        
        PID:688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2364
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /renew
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\asrpliq.xls

Filesize
552B

MD5
bab84210b56174a3f1cfcb8ab6aa4432

SHA1
6c2e949a5ce878ad3f23790f538c5bcb7fe8ee02

SHA256
854bd78e60f8bd7579bd81667bb267430370dc63dd2d8007b9ae5723e4d1652f

SHA512
5be71272f4af9ee969fafe49856abd6011ce06a142262f46dacb063b3f5f2e9411eb584982a1de848466cd543100551a7a860bc3155a11c1bc8368343e6d77f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bphjeptxx.mp3

Filesize
557B

MD5
02fbdd3ba2b15bf0bed97a9b0467bc71

SHA1
67b4fecdded72bf6e09ecbb23d02ac6e1ecefac2

SHA256
9f597408131990b8ef1e654ff6e2bb92633220d8421cb1ba07a2d333a3139e05

SHA512
27430fcc64f36f60cb7b9ebd1cfae2eed0a6722696fa147037ba1a3147e9a4a4ea0a105e85c001a08d6447723014ca7e5113131a9c0d811a114593d62b4a0c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\brkacwg.docx

Filesize
524B

MD5
01148c0d404adc393280d1e3df931b20

SHA1
f1575762e4a8f249484e9c1e79e2d16769dd0aea

SHA256
b07f68cb16d9347b6f0ef65c8e987eeb155e012510431fe926546bee32462999

SHA512
72b99a74c3a50c9a3a0aa8abed51fdf5c514a8dd1b6a0a3eb531fd809269fbc2770024eb84278b7e0cc1d4238fae35365360e29be979aca9896330563eaa3314

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\eihojl.icm

Filesize
36KB

MD5
8c98fd5c7af28bf4836abcfdb98f6c04

SHA1
97411fcb00575e42a7189c0d655c9dacc2a0107e

SHA256
a426b8d5776d0960f2ad9759c665568d42c048768b241674aaafe2fbee73b291

SHA512
210cde54cdf1c138199b8777cc71913ae366e4103aa9378ab41d01070c5fa87249e147725405f1562997dc94488431061caeab4f10f3779d6d8e437ef83dd3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\eihojl.icm

Filesize
36KB

MD5
9f8aececa46830661ea5edd288be4fa1

SHA1
4b960f2f107add0674fe9764dae6b31173548859

SHA256
e9aeb14a428d61de627a3c4d512e552bc655abf9140b42a8aedcc953b66757bf

SHA512
7d521587039c53cc7f0682fa225b52ca1d4a392301726b8b2f281c2d0b2e2de5bb0a4a7b0c6d15b1c470644e6a6d6c709be7b83cee9e0104aca26e6accca0fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gfom.dll

Filesize
574B

MD5
875c7626a326b1d40900f4673766b3cb

SHA1
c3e4f0445e02bf843b5fcf59aa102b15c07116ee

SHA256
f24a223d2747910690768238e8f924af48f99d250a804a32a3f7c4e5e8687ea0

SHA512
b3603b94595850ee76b3fc2efca612db67ee103889208c682c9e755c028aa60e7b916950fbec8ba0ae78f4fee351e98eb7d63e284e0059333b4ac34d3d2cc45d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hckntns.bmp

Filesize
616B

MD5
aa2fec6495fa96c7ce38815d42b30cb3

SHA1
5f298087695ed86c691d5223be3e020a5a9f4987

SHA256
bf5635dd55476f18acde23cf4207b84d674c7bb3642e4b88848e393cc8f5442b

SHA512
342021841312c3f290817e2aa8ef7f3fe3dcc5f77b4508d67684dd14a04dc440d54ddb7fd07685af40d3985e4d10714a13a0479dc414bf978e5d607bfd428871

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ijswgr.txt

Filesize
594B

MD5
af7c681fa95ea19cb3f4b50b5f794461

SHA1
a963421520b5e6a3d24b7dbb342862ad475b9438

SHA256
aa06f47b4ed95ec47964f390e72e85b1fffde74a52de1ee4c44a78fbc787768a

SHA512
413429498410ee97c1a9d9c0be95693abe7698cfcf4337de71c57173dfd2c5ad5da75ce2a11329e029b06df3a5c7d5f86299beadd42d2f8658d6667b11cf7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iril.vbe

Filesize
72KB

MD5
1aa28d9168cfac9a29cc94f87f500005

SHA1
c1e6f3dcc5d59772acb8bb8272f2854a726be7aa

SHA256
c2b3f1bc4d1542ce4077c2e85b9c4e36f4ca18842ceff272d5731ac832ac738e

SHA512
9c7be8656080e9a5709e07f0bc21e5d43c017187e2bcc2511f226993ce30943a7102b43846d2f081002fc840d1ce11e3beec6b5aacdfcdb8177e87e758f829d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jrflbrgk.exe

Filesize
539B

MD5
5250d3aa37bb35aa0dcefe1741d0add3

SHA1
c6690a3c2a82dcbd3503f83c450aa5531853e947

SHA256
b07359ef1e44f475052a669a47250795f3dd5132f598757f53b27b9edfbabb64

SHA512
17eb478c086a4865270dd35c702e8849d71579b4a0a74211db790fa5031df9a7a9520b85481ac51265a8a2075cd17119f2eb7fc2ddd5ef104d0b084fcb2833f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jxiopctd.ppt

Filesize
534B

MD5
e952a8f3a080490ae597a561c6e77e82

SHA1
edb740c052dbad441f7096a82f84d8c0574bb547

SHA256
57126479323bf2baf0a675d89062d4398f685cca06c1a8db364de274769d9399

SHA512
e82370c546716c6dfc07a4be442e278a7a9495d27d97cfd7491fdae47c8e953607960700d11b2e4e44a6c9913f4047a1cb0db7e417981dd1eabc6985def728c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\krrlpuvelc.ppt

Filesize
521B

MD5
365f4ff9df61a1c90f76672a8308fedd

SHA1
bab6329431fd7a31935d163ef82d96be4a8d4c30

SHA256
29b0d5701cc6d0bd68799504590652be46f7c42ae5f2da4ef205ca3b4ccc3ae4

SHA512
0597319da8c8a4a06bdd56fa789339e8666b3f8bec72c7eabff5fabccf21549b19c7aa6a60731071021b0a2fa5d45bb89f509dab5edacffb93678873b972b54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lole.mp3

Filesize
666B

MD5
ffddc993d5ece419097ee86d85be6d10

SHA1
fdb97189e4edb5bcd51d6faf33dc8e3e49fe4593

SHA256
c0a58c137e3c79911d4638a2aaddd84cd304935673b56f3e88ac525cde14b597

SHA512
df19c4c8e2c527afdb62ac40e08e18395deb8ae2ce67860f81aa40df75155b95d23b2e3911b1d42e4ddac0115761faa1ea3eb116df0c5f49808818ec3dee98cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lumxlh.jpg

Filesize
565B

MD5
8cf780d183d6f889e89f948a68b091d0

SHA1
6184c60a15750012cefb1ccd7a568634be4c23fe

SHA256
80e4e6bc204de150776dd281048deac73414866dc7ddcf06b33d73f9a92ccd41

SHA512
e09484a5cf3f89e27f24c3bbf68cee4917e9f5f569166ccd4f55f6f37c73bf389a72a39ba9c0602910ca4a149d08a9ea58f730407581dcab4f68c2ddccf6a26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mllpbspwuh.3gp

Filesize
501B

MD5
de9d5027b4db9c6ab0d599fb2464a054

SHA1
34acab9fea50f6578b44c5655225631863e51ca4

SHA256
973f3a4854983ce0d5106153c28ac28b6e35c3a2ddaed0273804ca470d6bf277

SHA512
86508efd82ff29ad56255b9e175b2f92b294ed01649bc54a0ba7032d0c955382c76bca0ecf087ac946c3ac1a4cd228007d435b470d978bb4e6b88d3270ac5f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\nboiwrfl.bmp

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\phvetqso.dat

Filesize
608B

MD5
7d1ddad1b1e8d5aaac23b500fa3822b4

SHA1
4a902621fde5e5cbb5518af86d13c15428f2689c

SHA256
f47407d1f1663f30b1d29687993a43c9c3282e6bc5948117af1597341e1b1558

SHA512
193c8c6742b892fef091a311d7566b5ebc2e7621423416f140324cced6b1d0dacc002059fd4dcea6421239c5c9ea24968c06fbecf401bf790bbc7aaf5f2383e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qcfdfhil.ppt

Filesize
690B

MD5
c886a35e1a16068868f307f3326ca74d

SHA1
7e558f32cf873ee61d3771f206a513ae7611ab3d

SHA256
7b344bd6a71cae61b00a812e1cd40f3e92b8e9f3f7e809f1c0d0bf44fea5783f

SHA512
2c6da0ec61e655170e91a8d253ce444d47f05fe1365d9efd871554e869a822e990b6ecc4fd0fbca270a6112394cda93d586bcd36a20c9d4c35e9ff91e91c75a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rseq.icm

Filesize
572B

MD5
70f38996d77c6207fae580ed65968ade

SHA1
a47c66d625bcd9044fa2cbc4bebe4546f4e9dd73

SHA256
ee9e4ae97648fa520fc7d76bc319b123de81f1c4f91c487dac6812a01ed3ea66

SHA512
45f808d9e57c564c986d04a1fa7d80d5de7f332ed01d1233184e6e45be92bffdd13a7b24afd025362ec638927f6f7e89f09912a51c6ca50de9423c4b3c6fc710

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rtlrhqqjui.exe

Filesize
644B

MD5
02a75e3900d19866d60f567f658af339

SHA1
e1146e50dfd0c91fe9d3681eb21f01f54ae30adf

SHA256
b13d84ccffced4d226adbd5b460a33efe4883da6019773ee0c8d26fedb121cc3

SHA512
cb1ea4dde0c02d1b2260d6f1b43884b4134878b254ddc0bfab26580ff921c5c6f23ea6e450a5e2945b7b54ea119ecd7bd1db5fb51f053c4234319d1764fc6ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tjvpsq.dat

Filesize
542B

MD5
9477108be7e8d47da2fff8aa8eae3e88

SHA1
fab230e4940953d3afb3bb693e9ddebbeb27d6d7

SHA256
5cfda41920e88b0204fa333889e0facc637bed480825e4a00297c809687455b5

SHA512
e4905b801c34404a6e38a499e11d65288a382483ee312207f5280181e5ba633dde6cccf0a8e1f9fc6344eaed2418f0016b17304a6a462f217c05293051343b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ugkfobbc.mp2

Filesize
540B

MD5
1c2968cb319df2bb46ae286eef72a8d2

SHA1
0fbc2bd7be685a2ebfdbf1d377a4205fcbbc93ba

SHA256
670b1c86f52079acefa5130aa263b993b71ebc9d18518344c9a85b8505768788

SHA512
6c2031ef5939cf5d103b909230c2469e15df8f92d803b4888ba96ca0e8ec3ba85149b3c5c46d4ed6b6bd2d6fe9f1b107311b29854e91c0673e153efbb7b31a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\uvswbok.mp3

Filesize
548B

MD5
a85db88013079615facb8817a4593959

SHA1
0a58c7d0445bc8ac94ddb62d4a0c67efd4e9041a

SHA256
a51c53cd2644b7556f5a77bce39cccb33b82c64ce5976a49e2053e06146a7e77

SHA512
9dcd136a61e0eb9718803ff1144f51af4b4e50f901a7b9799311ca617b5a095ad4b3a694a88278b7dbbeef5ecfaebf733690808623d6510f447ccc43078c6e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vlduqvd.mp3

Filesize
583B

MD5
953d7d44932752a2ef598e52ed9977c9

SHA1
0ab60dc4c2accdd931683e90e9d41fce3bb8564b

SHA256
0105542f1c237d9a8efa6cd0c7cfd93ab77503a1ce59863d054a3e7b02df7752

SHA512
6f07b2ed3dbe8c9f2f5a292cbca559e8e8c6e14da26ad689ae89740666f1f7400c09ac822dbca79ae5585e273c799a96e0588db1e6d3604bba3b894ea36ede55

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wcns.xls

Filesize
615B

MD5
e6c413b05af4a897c2ba33f04364d773

SHA1
4593e72aff6f5a75369ee0023803d32223f57f66

SHA256
aa462d1c7a0850e42d784f6c78490af7d1645dd270ccc42fdbdfec50b34fb960

SHA512
21a0dd2da89a3e39ee5f35cd1ed9c805e81c91610d0fcdca766738b7a296c79d843bf02b20d470df3ac6342cd3d7af39dce305e49ac6bc9b942ea9832fb4d38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xaqbvlq.msc

Filesize
560B

MD5
4ba5c84447aebb31b22e8a96d2744a35

SHA1
d8cc92d4977bc1bffb023bcd7e0227061e14cf40

SHA256
9c3553caa8eb85b49ee504bdc249e0237662e93080c5fd09b896399cb1df0fea

SHA512
749e6c746b9de6ebed27556ef9d157e2d43dbf411ba6389a5dc0e82d6d00ad16a6f89ce33848be1165ea612c2e35af9814d5f817ad2f63e25f84811056583c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xdsqkk.xsa

Filesize
883KB

MD5
cd69ddd0b78fafcac6cd74a7dd9acdd2

SHA1
643b7b5e6fceea077ff4064ddc769fc5b92e2a79

SHA256
194620122b41ed3a5228b708431b983a4e00a488dc104bc43358c8bb07bfd9b1

SHA512
a3ba92472df212daeb40d4bcb0d03f081c24e8e8a368fa0ebbcb9a944a89819642d409570d42ceb9ae92bcf02b1ba142a262accbb5577ff8408fcb9a8076ad13

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/2976-160-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2976-161-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-164-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-158-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-163-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-165-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-166-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-167-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-169-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-170-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-171-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-172-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-174-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-176-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-178-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-180-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-182-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-184-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-185-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-186-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-187-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-188-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-190-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-192-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-194-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-196-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-198-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-200-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-202-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-204-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-205-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-206-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-207-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-208-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-209-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-210-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-212-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-214-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-215-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-216-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-217-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-218-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-220-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download
memory/2976-222-0x0000000001180000-0x0000000002180000-memory.dmp

Filesize
16.0MB

Download