remcos | bf7d0c3a7e78753f47c0a03debef9d6ade31c1fdec1b438971aac507e68c3144

Resubmissions

03-10-2024 06:29

241003-g9cysayhpk 10

03-10-2024 06:26

241003-g7l4nssgme 10

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

REGISTRO DEL SIGUIENTE MOVIMIENTO TRANSACCIONAL OCTUBRE 2 DE 2024.msg
Size

124KB
MD5

c04019e5e21fc1cf061de5b0e8caa1c1
SHA1

aa856e33162e2522f82211f9f71c98fe92319412
SHA256

bf7d0c3a7e78753f47c0a03debef9d6ade31c1fdec1b438971aac507e68c3144
SHA512

da3ce691514632a3102603f0803510b12688c0a1644419acc53166c645e81536efa391bb05f8cc75ca9729619ad38f51e6beeeee5cd5a36190813cef62946c38
SSDEEP

1536:C9+FUeAN25Q1yAvfxtMDadI/WQWIW0dDnqvhxoiWGHle1:C9+uTNZtgaSNDngxDFe1

Score

10^/10

remcos xioamort discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

XIOAMORT

vcvfdjvodsuhvf.con-ip.com:1661

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ALVZO2
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\GifCamVideoEditor = "C:\\Users\\Admin\\Music\\GifCamUpdater\\GifCamOculus.exe"	TRANSACCION NO 978654567980987654535768900976543457689.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUTLOOK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRANSACCION NO 978654567980987654535768900976543457689.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRANSACCION NO 978654567980987654535768900976543457689.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d09455785d15db01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90b6a6815d15db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AB9A7D11-8150-11EF-8BBB-46D787DB8171} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb0000000000020000000000106600000001000020000000ecae6d707de3e321db00a187cefaf09c4afef69ba5348b6d9d4dbf533b448290000000000e80000000020000200000006e62b0bee240d6d87ebeba21dae022d6e0c12ab9b4d947e9b85c0436a127adc0900000000d6fad947f848cb555dcd6fc41847945f26d6c5279bbfbb8cdbd44f133d5dea40afa08741efcb0b044c276fd9d3e499819f958d95762f46fc8ae2cf82d4c37bb781a1858583e9b395b74876118e25229ad838683138c3e8dba705ec071d796eee9d6fa9ff6bf95bfa7ef44a9321b003d98759578a0d5cc71b67004094db5d40e51e7b6a3273f3103a3d36b4e970d596a40000000ad02fcc7995758a0f88cada546e86fba8df3403d30ce19062192efc0e7d9f026aaaa2037e4086c84763bbc168226dbca88d5971d287e5581a937b04a6d3caf21	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb0000000000020000000000106600000001000020000000024e23b916bbff252785dc593e18dcc9af788e1de2dd623d9869e3248782fa05000000000e80000000020000200000006c0d760b3070a2fc72d5468326b23363205aa864f0374cc1a59a0092cce56e1e200000006a768759f1a5e9342a1795d3ce8a7adf6a1ab082e2f0b47eed7b20d774bffe59400000004cd95e03dbff97838a86a0a8529f97eecbc95c75db605bd0a101c41b0e4e053d5639b855e06093be61efd06896294a16122ec4ba80b4524defb0dcdc723472ce	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434098763"	iexplore.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2632	OUTLOOK.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1604	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1604	AUDIODG.EXE
Token: 33	1604	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1604	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2632	OUTLOOK.EXE
2384	iexplore.exe
2384	iexplore.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
2632	OUTLOOK.EXE
2632	OUTLOOK.EXE
2632	OUTLOOK.EXE
2632	OUTLOOK.EXE
2632	OUTLOOK.EXE
2632	OUTLOOK.EXE
2632	OUTLOOK.EXE
2632	OUTLOOK.EXE
2632	OUTLOOK.EXE
2632	OUTLOOK.EXE
2632	OUTLOOK.EXE
2632	OUTLOOK.EXE
2632	OUTLOOK.EXE
2632	OUTLOOK.EXE
2632	OUTLOOK.EXE
2632	OUTLOOK.EXE
2632	OUTLOOK.EXE
2632	OUTLOOK.EXE
2632	OUTLOOK.EXE
2632	OUTLOOK.EXE
2632	OUTLOOK.EXE
2384	iexplore.exe
2384	iexplore.exe
1632	IEXPLORE.EXE
1632	IEXPLORE.EXE
2632	OUTLOOK.EXE
1632	IEXPLORE.EXE
1632	IEXPLORE.EXE
3052	TRANSACCION NO 978654567980987654535768900976543457689.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2384	2632	OUTLOOK.EXE	33
PID 2632 wrote to memory of 2384	2632	OUTLOOK.EXE	33
PID 2632 wrote to memory of 2384	2632	OUTLOOK.EXE	33
PID 2632 wrote to memory of 2384	2632	OUTLOOK.EXE	33
PID 2384 wrote to memory of 1632	2384	iexplore.exe	34
PID 2384 wrote to memory of 1632	2384	iexplore.exe	34
PID 2384 wrote to memory of 1632	2384	iexplore.exe	34
PID 2384 wrote to memory of 1632	2384	iexplore.exe	34
PID 596 wrote to memory of 3052	596	TRANSACCION NO 978654567980987654535768900976543457689.exe	39
PID 596 wrote to memory of 3052	596	TRANSACCION NO 978654567980987654535768900976543457689.exe	39
PID 596 wrote to memory of 3052	596	TRANSACCION NO 978654567980987654535768900976543457689.exe	39
PID 596 wrote to memory of 3052	596	TRANSACCION NO 978654567980987654535768900976543457689.exe	39
PID 596 wrote to memory of 3052	596	TRANSACCION NO 978654567980987654535768900976543457689.exe	39
PID 596 wrote to memory of 3052	596	TRANSACCION NO 978654567980987654535768900976543457689.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\REGISTRO DEL SIGUIENTE MOVIMIENTO TRANSACCIONAL OCTUBRE 2 DE 2024.msg"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://docs.google.com/uc?export=download&id=1DAJFVO9Z-gWVd34mBvP8SheThGfjP8eq
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2384 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1632

C:\Users\Admin\AppData\Local\Temp\Temp1_TRANSACCION NO 978654567980987654535768900976543457689.zip\TRANSACCION NO 978654567980987654535768900976543457689.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_TRANSACCION NO 978654567980987654535768900976543457689.zip\TRANSACCION NO 978654567980987654535768900976543457689.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:596
- C:\Users\Admin\AppData\Local\Temp\Temp1_TRANSACCION NO 978654567980987654535768900976543457689.zip\TRANSACCION NO 978654567980987654535768900976543457689.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_TRANSACCION NO 978654567980987654535768900976543457689.zip\TRANSACCION NO 978654567980987654535768900976543457689.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3052

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x58c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
ca538c77cc5987ba5efd79fa9fe755da

SHA1
25c5825121e7943ccbdfdf634187272bd1f8659d

SHA256
c567d7cdf104a178d6f75339c52ffb83f743410080d39f8ccb6db3a5da82fe81

SHA512
bb2caf7d956cb6c9b387820afc02e03e9b3beedb951ae631b2d645e3397bd95360259ff56a9fd73ee4ea358d7f2e02eacfb4f7a791df53371cbab756e242bc54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e21625edaac3d9490236203df0ee6e58

SHA1
6bd43a212a782e520a083203e9d740afdc31236b

SHA256
e6fa6a8b20cf8e769279b39123a938cc7346712d398e99dabb0c6f180f88727e

SHA512
42cbaf786c7bbe00d273ec43cd093b938c2beb24a9e236c959319106dfcab84a20524efc68571729152b510f64965917fd6ce269e415a0c70ae8f4ed4d7f9495

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec7b66677015f01087ef81ba2fb4eafa

SHA1
c2e727a7159b038f674e402f1430e37293092fe2

SHA256
c61883a948adf99ee27973a67a4988720f2eb9b9361b7a5a3960c1a1da9b2913

SHA512
e5cb4dc97fea2427bbbd5463ce28390bc8147eb20dac1a96c3a3f7a71fd8b7f376327b995315afd9aca1b383bf83a9b6836ac7ba3691c27b778fcb178cbbb622

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f32ba92f4ee7e8086537682d5c7e8b1

SHA1
d08e92d3ff0dbc9d303ea03f1a7efcd89a55d535

SHA256
0926f401b94a39660be315d592bfd742f329fd8b9f561afd126ed42a090bf681

SHA512
d2d24ac65194788f368ea72c43f2f4ab987dd28da640b34bf869a8ecd30c1ea6416c575305da1fe62a15a99f55f3cf1625f27f24fa0c9dc6e5335d67ffba7781

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83c93699cf0af31c08511ba80813951a

SHA1
1a424927b978c522f7bbee3b9432e39552bc10f6

SHA256
7d64fc582c2c57144dda497b01ec8af196ac12d8d6b39e08feea88bd57c4ccf3

SHA512
a37c284c250b3c019c062fa14d5c9de480fb028ae873024917adb1c85b3c14025476d46771534c1133b25dd29819986ce2754921f2c86ab3a0fbed2721161961

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55bb4f135a51f21c44f877233937cfab

SHA1
a8acbc526cc12a47bc01b7a7324a77de8485a240

SHA256
090649996d4eeae13d9b4abb47c8b02cb7fc33545cae5f7caf3f493e00e59100

SHA512
afbaab1c90262ad5a45540806dac2facf40cca701cb0c6566eda9ee0c537ad964803cdee5663308f531241fab7bb41f6dd95da7f7a8d6ce9dc8ac5fd3327c791

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e3c0e621be3d5b8a2f0c2162eb60d94

SHA1
affc572b8e992fca6808aec477d8bbf6ca85e7be

SHA256
856743df1632c7dc9f7b9279218cd94466f1105e79d5c77b8fe7ba493111a94c

SHA512
7275dd493556198af3374322f021a4023c8446382a6d3d85b2154201eca22635d0e4e318ee43ee313475fb8bf0314c006cf47fa324b76cfb34ea3a1a2c4f8c2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
611c3b9fb1cf14f9f1f3b2b494e1ce05

SHA1
1e062e1fc519a097233e9185a66a751cd092d4a8

SHA256
eaefad2b7089e5ef4c03dd7f6b1d480c7008183028e4c9f5692b5b337eb674b0

SHA512
f517145ee82343c7b9965fe8c0831d1f9194c5bae8b98cc076861b0982a5b276088113788d5c6a2754aaac6837535b181dafce3dbe5586183423ff66a05f8f5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1415129f9771908bae4b0ef15227a760

SHA1
56b22ffc8bdf08bfa6e49266b1554ed6a813e12f

SHA256
11394a272d0ffebdcde9fb3073262d0d98ab858520ec9cfa96e84d4b1dc68670

SHA512
05916115047c119fb54f08794d7262bd35be88ce4c6b4e6ecde721045a10128905fbf58bc83c4a6fe80e6588e369d644b4a1e50ac2734c9ab67d3c36c8e34067

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07750a1c324225bcc0a9932c73f65b10

SHA1
c0c86dd510e6be38cf605615f1937ddd254aec96

SHA256
8eb18038ca3d1b4d7f1f19b1084b8593e8eb7492aaadd12fc1a2cee23d323ced

SHA512
ca84f288bcf46c357a9cbcfcf2e68e6a1114bbb9c089c8787da54bf1cf9fb84189e0cee718b33d10102dd27b326dadc460e68e411f1e5e5b068ac66c2a8f6c9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
594ab2aa9f909a8fc4f8d7cb04f04b57

SHA1
3dfbad8047af3619aa3f63b13d05ffe9f2c6b062

SHA256
4a90d0603f2d29422684681dae21613f70e9259b7fb10409c268b57361110543

SHA512
7b929424319c15689efd63e789988e99e32022a1aab627669a68a9abf63b1305b0568b03dc46786c6da0a3d65f9ea4de40a989c5afe845225fe7fa467b23453c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c3e50ebd3096905fd8007dc075418cc

SHA1
da63126b3aa6ac3ee1262843b96d46c50259d399

SHA256
329f53f62f5e714e9196d7349b47598b8f0c508195b05c7a9f7cae6ee04628c8

SHA512
c7c834f450e865beb2fdb3a5ac7e91f5da7e0eef334536b123fbfc80b8531d51bf9918238bf89ff4b73dc26ea82176dbc78d1a60a2a0672de06741b726480d83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e58790ee77f3962a1fb76a71e3ca9948

SHA1
00bed8f982b30382efc0c31ffcbc5bb27ae2e064

SHA256
a5405d9aa4207985f6c57349a54088b7fb38b8f361f8e7ede5d416c51d9f375d

SHA512
78d16ea1aa89681c4d71a30f6009e9aaef0f495fcdbed92ff097d77f7f93e0293430d7bab9e92cd584c579dc340dc6056799c8603385a093cce0285b451433b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba326f3eee0f040476b5452ccbd77160

SHA1
496cdb061cf7fda9a85ecdb5b8c7f5cf6fe5800e

SHA256
68a110d0ccb15ebe414cccf9a514bc2cc6b9a65c58a2f0d4b734faae8496c5cc

SHA512
58f3d85f714c02bb068f328ac79b92dc0fb03536c310103bc95798fefca1bfb4390cc728eb04a44303e1a1eec629ab67bceeb3b2a4808828ae7fbb91f9fd4d26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe445a9af3a18c1b1c42df9527c1fed6

SHA1
24617e6c4189db0d1c9c015f950a274e35f3f068

SHA256
b244ccc70052fd9c2457637dcbfccb299b4b7b12bb3a3f960921097cd65fa906

SHA512
3069c1a23e09eab31433ad3ed2dd31052213fdd8d2c56952204b4c12dafcffe74c11fb5d4f27a278226475392a677d29997cec4a555cadeae0f8fa0096a0b775

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6469d86748887705e7bda1a2ca6ef891

SHA1
c66860d5172bda4c68a337eefbde426d39436ceb

SHA256
c9bd89b94299efbedf98e50416c13f8bc837584a52824e4fbb8c320d3f195879

SHA512
c91dc6f0b3f0a157849b4b0176ade3ba9c6c8fca25d3d290243a9696906fe2ee7113d482ce71116365daae77f953a2ee34fcf3873f46820df91498161184e480

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e1ddf1c2f4d2d08aca0374e98c43b58

SHA1
88d9880293bd1904b777b73fa60cbc9bfaa15184

SHA256
ffd1bc5b9e018513c6fb0eff25af3149e8a18004ccfe70a8bdfe020611a60482

SHA512
e6bd93186e39096629d0e49ff59b296ae7bf297a7929eba1888a8d053fe339cc2798b845115ca8e5dc4fdf2e451f1b5624d5c8a458b2d77f71dfa3268ce5d941

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1454903e3f0d4e44d741dbcf4d005c58

SHA1
944c8d2b4bfd00ff8212e2c7ff4d5322aeb75c7e

SHA256
11d62f427d8f7f6bb8ee77ab99a30544adc8b94cee796d78943ccee389d1b6d5

SHA512
29a7ddc6a00744f23e3554a02768831dd2e17d497ba018c6aeadf766559e79edf1521672aabab5d2441c9c59c7dd919c125dda42297866ca31855b4d54109e05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8add6d36f1faeaa8882b74115b43e92d

SHA1
c538e1569da99a3407409cac330c3868b6d5fb8e

SHA256
57d2e5690e6027702633e22f05515e2c228ded0ff53dcc7c21dbfea2b2ed33bc

SHA512
8c456476fe9766ef6cc59e65c8605a10d7ae2714782a86171b6b5365cae57386feed164bfa86eb58649ff89ab3bf8ef5881bcff6ad7481c380322e3003c22684

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
947067306a81dc1166ffa6886b451b00

SHA1
efcdd8e31a8623ebac83381b1d2e08b747514b12

SHA256
cb7970b88088ffc192994c7552c5c2c5d7ee72077718a77f098c922228dfab89

SHA512
ad4e81f06e8214a04ccc6dea92ae0301927b49ca1ec07ce3c5d6871c8133a93583b7dc44c02e7267dade6d1ee24a1d15ec60a2c0e8dde0f34389877daa1f1d1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
aeb4e3a37cbb8710493f4ce4fc991fcf

SHA1
9208fc7446d956154c8385686c8be6b50915d2c8

SHA256
63bc963ac6e5965060d9f9d9f2de3dee33ca1ba392d0123d67585f6faa951008

SHA512
e663c26e1b71cbf0fdb06adeabb8ed9c7c0cc32e083965946d58363d85121a2cc75007421d82709c232d2b6a7a5959cad7a2f5ab2a606f3e444d0966755c398c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ivwlua0\imagestore.dat

Filesize
1KB

MD5
53e81645718ac24530aecdb0395a447d

SHA1
f24c30262e816eeb592ed13b3885a855d089515d

SHA256
d95507325313ac2bd25a843fb76b67fa0a7f0c01e2ad4e53e970b41c74791696

SHA512
08ad679c4b25b6c9607c24cba320119fa30075fe6ebfe7c6cf175f83a431b055e1b94510015415d181425fb035c174d8887a7802e5af74aecb2a469f0015e8ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\TRANSACCION%20NO%20978654567980987654535768900976543457689[1].zip

Filesize
1.2MB

MD5
0428c8236f3a7d4701b8136785cb91fe

SHA1
aa6df8a7de97b8cd3bb43d8e012615de9c3276e4

SHA256
4eee572588a58b07e9f01ec965f3c4f457777c155344b6bb883e364267c08391

SHA512
d5323f1288cebc17c0509bdf69ee220f92fc85176f6693ac24c5da5e12e551254ec96bbbec518ecfd7de966166658bb1c02e1bd4536109a5825c138917807239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\drive_2022q3_32dp[1].png

Filesize
1KB

MD5
c66f20f2e39eb2f6a0a4cdbe0d955e5f

SHA1
575ef086ce461e0ef83662e3acb3c1a789ebb0a8

SHA256
2ab9cd0ffdddf7bf060620ae328fe626bfa2c004739adedb74ec894faf9bee31

SHA512
b9c44a2113fb078d83e968dc0af2e78995bb6dd4ca25abff31e9ab180849c5de3036b69931cca295ac64155d5b168b634e35b7699f3fe65d4a30e9058a2639bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1AE1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1AE4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74980248-0434-4211-8B61-77CB2A773402}.html

Filesize
6KB

MD5
adf3db405fe75820ba7ddc92dc3c54fb

SHA1
af664360e136fd5af829fd7f297eb493a2928d60

SHA256
4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476

SHA512
69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/596-683-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/596-690-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/596-681-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/596-684-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/596-682-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/596-689-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/2632-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2632-161-0x0000000069EF1000-0x0000000069EF2000-memory.dmp

Filesize
4KB

Download
memory/2632-1-0x0000000073E3D000-0x0000000073E48000-memory.dmp

Filesize
44KB

Download
memory/3052-706-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/3052-692-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/3052-685-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/3052-691-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/3052-687-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3052-688-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/3052-695-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/3052-707-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/3052-696-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/3052-703-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/3052-701-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/3052-699-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/3052-698-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads