remcos | 57f458ba299ffb24f922e3ad863f510ccdc1fd0fee44c3ab8b134186d9ddfc01

Analysis

max time kernel
269s
max time network
265s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe
Size

1023.0MB
MD5

91e9ce49b650ce147c174a6e17001c70
SHA1

bc427a785e32378edffcd314179fc08510d8237a
SHA256

4704066f7fdf1f819c4d8a25a07dbf021a5a3e47949edfdacc10fa6d98f23225
SHA512

cfdd721244deba2c449a2af27072e43dd8475c61b1ce2fad02abb83e86c7d9c8a5d1678f2f2ece01a8f7d3d4a84b50e9a89c69417b925f7f4af9d998f7c9e178
SSDEEP

12288:75RVeIv1Jyhik2XF62YPtnsMg9t4q78cjNgT8Yz48h7UJ:9RVeIv1JygrV6XtsRVUS81UJ

Score

10^/10

remcos plata discovery rat

Malware Config

Extracted

Family

remcos

Botnet

PLATA

comercio43.con-ip.com:1835

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
registros.dat
keylog_flag
false
keylog_folder
data34
mouse_option
false
mutex
kiustong-7N6PEP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Capturas de pantalla
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 5 IoCs

pid	Process
2520	AppData.exe
776	AppData.exe
1732	AppData.exe
2948	AppData.exe
1892	AppData.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2864 set thread context of 2748	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	30
PID 2520 set thread context of 1236	2520	AppData.exe	41
PID 776 set thread context of 2440	776	AppData.exe	51
PID 1732 set thread context of 1136	1732	AppData.exe	60
PID 2948 set thread context of 1736	2948	AppData.exe	69
PID 1892 set thread context of 2136	1892	AppData.exe	78

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppData.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppData.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppData.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppData.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppData.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1644	schtasks.exe
2704	schtasks.exe
2792	schtasks.exe
1768	schtasks.exe
2336	schtasks.exe
2204	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2748	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2748	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2748	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	30
PID 2864 wrote to memory of 2748	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	30
PID 2864 wrote to memory of 2748	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	30
PID 2864 wrote to memory of 2748	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	30
PID 2864 wrote to memory of 2748	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	30
PID 2864 wrote to memory of 2748	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	30
PID 2864 wrote to memory of 2748	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	30
PID 2864 wrote to memory of 2748	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	30
PID 2864 wrote to memory of 2748	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	30
PID 2864 wrote to memory of 2748	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	30
PID 2864 wrote to memory of 2748	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	30
PID 2864 wrote to memory of 2748	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	30
PID 2864 wrote to memory of 2748	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	30
PID 2864 wrote to memory of 2748	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	30
PID 2864 wrote to memory of 2748	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	30
PID 2864 wrote to memory of 2748	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	30
PID 2864 wrote to memory of 1332	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	31
PID 2864 wrote to memory of 1332	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	31
PID 2864 wrote to memory of 1332	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	31
PID 2864 wrote to memory of 1332	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	31
PID 2864 wrote to memory of 2632	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	33
PID 2864 wrote to memory of 2632	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	33
PID 2864 wrote to memory of 2632	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	33
PID 2864 wrote to memory of 2632	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	33
PID 2632 wrote to memory of 1768	2632	cmd.exe	35
PID 2632 wrote to memory of 1768	2632	cmd.exe	35
PID 2632 wrote to memory of 1768	2632	cmd.exe	35
PID 2632 wrote to memory of 1768	2632	cmd.exe	35
PID 2864 wrote to memory of 2652	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	36
PID 2864 wrote to memory of 2652	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	36
PID 2864 wrote to memory of 2652	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	36
PID 2864 wrote to memory of 2652	2864	ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe	36
PID 2416 wrote to memory of 2520	2416	taskeng.exe	40
PID 2416 wrote to memory of 2520	2416	taskeng.exe	40
PID 2416 wrote to memory of 2520	2416	taskeng.exe	40
PID 2416 wrote to memory of 2520	2416	taskeng.exe	40
PID 2416 wrote to memory of 2520	2416	taskeng.exe	40
PID 2416 wrote to memory of 2520	2416	taskeng.exe	40
PID 2416 wrote to memory of 2520	2416	taskeng.exe	40
PID 2520 wrote to memory of 1236	2520	AppData.exe	41
PID 2520 wrote to memory of 1236	2520	AppData.exe	41
PID 2520 wrote to memory of 1236	2520	AppData.exe	41
PID 2520 wrote to memory of 1236	2520	AppData.exe	41
PID 2520 wrote to memory of 1236	2520	AppData.exe	41
PID 2520 wrote to memory of 1236	2520	AppData.exe	41
PID 2520 wrote to memory of 1236	2520	AppData.exe	41
PID 2520 wrote to memory of 1236	2520	AppData.exe	41
PID 2520 wrote to memory of 1236	2520	AppData.exe	41
PID 2520 wrote to memory of 1236	2520	AppData.exe	41
PID 2520 wrote to memory of 1236	2520	AppData.exe	41
PID 2520 wrote to memory of 1236	2520	AppData.exe	41
PID 2520 wrote to memory of 1236	2520	AppData.exe	41
PID 2520 wrote to memory of 1236	2520	AppData.exe	41
PID 2520 wrote to memory of 1236	2520	AppData.exe	41
PID 2520 wrote to memory of 1236	2520	AppData.exe	41
PID 2520 wrote to memory of 2820	2520	AppData.exe	42
PID 2520 wrote to memory of 2820	2520	AppData.exe	42
PID 2520 wrote to memory of 2820	2520	AppData.exe	42
PID 2520 wrote to memory of 2820	2520	AppData.exe	42
PID 2520 wrote to memory of 3004	2520	AppData.exe	44
PID 2520 wrote to memory of 3004	2520	AppData.exe	44
PID 2520 wrote to memory of 3004	2520	AppData.exe	44
PID 2520 wrote to memory of 3004	2520	AppData.exe	44
PID 3004 wrote to memory of 2336	3004	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe
"C:\Users\Admin\AppData\Local\Temp\ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2748
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1332
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\ADJUNTO ARCHIVO CON CUENTA DE COBRO POR $2.000.000, FAVOR DESCARGAR PARA SU PAGO OPORTUNO.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2652

C:\Windows\system32\taskeng.exe
taskeng.exe {2A673C2D-744C-4937-BBCD-3B267CF39363} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
  C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1236
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2964
- C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
  C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:776
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2320
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:624
- C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
  C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1732
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2300
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2380
- C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
  C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2948
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
- C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
  C:\Users\Admin\AppData\Roaming\AppData\AppData.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1892
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1672
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\data34\registros.dat

Filesize
230B

MD5
50d3869d09cbfdf6461685aec7d797b0

SHA1
52e07558bbd511f7a62fe9232025505cc1a0af7f

SHA256
146d90c609bf145403f91f7a2abcd79fdc89beb5b0f6e3ac015dd73d7b618ce3

SHA512
553a9fe5dde5ae8ce579d387efb851211f4dde9fa413012e1cf6f13115d7038e1e50adb80c052acc595cf37ac24f0ed2795f75ccef8c0abe034e71f07df8877c

Download Submit
memory/776-91-0x0000000000ED0000-0x0000000000FB6000-memory.dmp

Filesize
920KB

Download
memory/1236-71-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/1236-65-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/1236-70-0x0000000000090000-0x0000000000112000-memory.dmp

Filesize
520KB

Download
memory/1732-130-0x0000000001300000-0x00000000013E6000-memory.dmp

Filesize
920KB

Download
memory/1892-208-0x00000000000E0000-0x00000000001C6000-memory.dmp

Filesize
920KB

Download
memory/2520-41-0x0000000000B50000-0x0000000000C36000-memory.dmp

Filesize
920KB

Download
memory/2748-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-10-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-8-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-7-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-5-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-3-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2748-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-75-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-85-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2748-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2864-0-0x000000007424E000-0x000000007424F000-memory.dmp

Filesize
4KB

Download
memory/2864-38-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/2864-2-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/2864-1-0x0000000001210000-0x00000000012F6000-memory.dmp

Filesize
920KB

Download
memory/2948-169-0x0000000001300000-0x00000000013E6000-memory.dmp

Filesize
920KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads