remcos | bf7d0c3a7e78753f47c0a03debef9d6ade31c1fdec1b438971aac507e68c3144

Resubmissions

03-10-2024 06:29

241003-g9cysayhpk 10

03-10-2024 06:26

241003-g7l4nssgme 10

Analysis

max time kernel
267s
max time network
256s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

REGISTRO DEL SIGUIENTE MOVIMIENTO TRANSACCIONAL OCTUBRE 2 DE 2024.msg
Size

124KB
MD5

c04019e5e21fc1cf061de5b0e8caa1c1
SHA1

aa856e33162e2522f82211f9f71c98fe92319412
SHA256

bf7d0c3a7e78753f47c0a03debef9d6ade31c1fdec1b438971aac507e68c3144
SHA512

da3ce691514632a3102603f0803510b12688c0a1644419acc53166c645e81536efa391bb05f8cc75ca9729619ad38f51e6beeeee5cd5a36190813cef62946c38
SSDEEP

1536:C9+FUeAN25Q1yAvfxtMDadI/WQWIW0dDnqvhxoiWGHle1:C9+uTNZtgaSNDngxDFe1

Score

10^/10

remcos xioamort discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

XIOAMORT

vcvfdjvodsuhvf.con-ip.com:1661

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ALVZO2
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 13 IoCs

pid	Process
876	TRANSACCION NO 978654567980987654535768900976543457689.exe
2816	TRANSACCION NO 978654567980987654535768900976543457689.exe
2636	TRANSACCION NO 978654567980987654535768900976543457689.exe
2472	TRANSACCION NO 978654567980987654535768900976543457689.exe
2884	TRANSACCION NO 978654567980987654535768900976543457689.exe
2888	TRANSACCION NO 978654567980987654535768900976543457689.exe
1968	TRANSACCION NO 978654567980987654535768900976543457689.exe
568	TRANSACCION NO 978654567980987654535768900976543457689.exe
688	TRANSACCION NO 978654567980987654535768900976543457689.exe
1636	TRANSACCION NO 978654567980987654535768900976543457689.exe
1348	TRANSACCION NO 978654567980987654535768900976543457689.exe
1332	TRANSACCION NO 978654567980987654535768900976543457689.exe
1124	TRANSACCION NO 978654567980987654535768900976543457689.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\GifCamVideoEditor = "C:\\Users\\Admin\\Music\\GifCamUpdater\\GifCamOculus.exe"	TRANSACCION NO 978654567980987654535768900976543457689.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\GifCamVideoEditor = "C:\\Users\\Admin\\Music\\GifCamUpdater\\GifCamOculus.exe"	TRANSACCION NO 978654567980987654535768900976543457689.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\GifCamVideoEditor = "C:\\Users\\Admin\\Music\\GifCamUpdater\\GifCamOculus.exe"	TRANSACCION NO 978654567980987654535768900976543457689.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\GifCamVideoEditor = "C:\\Users\\Admin\\Music\\GifCamUpdater\\GifCamOculus.exe"	TRANSACCION NO 978654567980987654535768900976543457689.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\GifCamVideoEditor = "C:\\Users\\Admin\\Music\\GifCamUpdater\\GifCamOculus.exe"	TRANSACCION NO 978654567980987654535768900976543457689.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUTLOOK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRANSACCION NO 978654567980987654535768900976543457689.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRANSACCION NO 978654567980987654535768900976543457689.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRANSACCION NO 978654567980987654535768900976543457689.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRANSACCION NO 978654567980987654535768900976543457689.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRANSACCION NO 978654567980987654535768900976543457689.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRANSACCION NO 978654567980987654535768900976543457689.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRANSACCION NO 978654567980987654535768900976543457689.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TRANSACCION NO 978654567980987654535768900976543457689.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = f07ff3d35d15db01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80b68dcd5d15db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d907000000000200000000001066000000010000200000003d2a12201401c0d0e8c56888179e26ca4d8a0741a6d06919a1037ccdd0ef559a000000000e8000000002000020000000dcef2da766c1ce3289d03efb45fd7dc8255e03e5e3ca9384161dce071ade43d9200000006f19a6aee6f356380ae908d402c5ed93d41fc6586ab0123a0713f9d6dd154ec54000000066d2f630eda163d60113256d062068808ba0beb7df7db2546760f7846285330c38dd4a6679e3c129b221fcc897a78018583e78a987ff7290a82a734898d3ff38	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000ee2ffec375d281ba6113dc29aa5d8f65836e63b363e0bc990446463afd3f2709000000000e8000000002000020000000861118a187660a620b4e50614c477fec23e6fbfa6b1ca0833e0447a32d6f504990000000c2c45ccc6cd77f4da76f4898372ef54f2a30dca469ee3fa547a3e78195584ce8074d8cfd26ef60224912cb26663ae8b3d9529026745b53df8c6eab12ec16bc90abed126ab87f3744365a6a1e0b309a378efa0497d20691db61ea04734bb57775f224d4c354f4d900a7e8efe52f42bbdd1052328783e7ce5b39ec14e4156256a21e190161865da31b3dcaeeb2c0a60c1c40000000f95021da1ad534efc8c01da79651fe24d2641259929fcf3df88c3f9153cad294d4d9f4f91ba67a3b872065921306172659f7af8588c37c7f7ed2e7b759531dc0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434098890"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F7BD16D1-8150-11EF-A914-FA59FB4FA467} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies registry class 35 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe230000100090e24d373f126545916439c4925e467b00000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2788	OUTLOOK.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2816	TRANSACCION NO 978654567980987654535768900976543457689.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2524	7zG.exe
Token: 35	2524	7zG.exe
Token: SeSecurityPrivilege	2524	7zG.exe
Token: SeSecurityPrivilege	2524	7zG.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2788	OUTLOOK.EXE
3000	iexplore.exe
3000	iexplore.exe
2524	7zG.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
3000	iexplore.exe
3000	iexplore.exe
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE
2788	OUTLOOK.EXE
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE
3000	iexplore.exe
2816	TRANSACCION NO 978654567980987654535768900976543457689.exe
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 3000	2788	OUTLOOK.EXE	31
PID 2788 wrote to memory of 3000	2788	OUTLOOK.EXE	31
PID 2788 wrote to memory of 3000	2788	OUTLOOK.EXE	31
PID 2788 wrote to memory of 3000	2788	OUTLOOK.EXE	31
PID 3000 wrote to memory of 1480	3000	iexplore.exe	32
PID 3000 wrote to memory of 1480	3000	iexplore.exe	32
PID 3000 wrote to memory of 1480	3000	iexplore.exe	32
PID 3000 wrote to memory of 1480	3000	iexplore.exe	32
PID 876 wrote to memory of 2816	876	TRANSACCION NO 978654567980987654535768900976543457689.exe	41
PID 876 wrote to memory of 2816	876	TRANSACCION NO 978654567980987654535768900976543457689.exe	41
PID 876 wrote to memory of 2816	876	TRANSACCION NO 978654567980987654535768900976543457689.exe	41
PID 876 wrote to memory of 2816	876	TRANSACCION NO 978654567980987654535768900976543457689.exe	41
PID 876 wrote to memory of 2816	876	TRANSACCION NO 978654567980987654535768900976543457689.exe	41
PID 876 wrote to memory of 2816	876	TRANSACCION NO 978654567980987654535768900976543457689.exe	41
PID 2636 wrote to memory of 2884	2636	TRANSACCION NO 978654567980987654535768900976543457689.exe	45
PID 2636 wrote to memory of 2884	2636	TRANSACCION NO 978654567980987654535768900976543457689.exe	45
PID 2636 wrote to memory of 2884	2636	TRANSACCION NO 978654567980987654535768900976543457689.exe	45
PID 2636 wrote to memory of 2884	2636	TRANSACCION NO 978654567980987654535768900976543457689.exe	45
PID 2636 wrote to memory of 2884	2636	TRANSACCION NO 978654567980987654535768900976543457689.exe	45
PID 2636 wrote to memory of 2884	2636	TRANSACCION NO 978654567980987654535768900976543457689.exe	45
PID 2472 wrote to memory of 2888	2472	TRANSACCION NO 978654567980987654535768900976543457689.exe	46
PID 2472 wrote to memory of 2888	2472	TRANSACCION NO 978654567980987654535768900976543457689.exe	46
PID 2472 wrote to memory of 2888	2472	TRANSACCION NO 978654567980987654535768900976543457689.exe	46
PID 2472 wrote to memory of 2888	2472	TRANSACCION NO 978654567980987654535768900976543457689.exe	46
PID 2472 wrote to memory of 2888	2472	TRANSACCION NO 978654567980987654535768900976543457689.exe	46
PID 2472 wrote to memory of 2888	2472	TRANSACCION NO 978654567980987654535768900976543457689.exe	46
PID 1968 wrote to memory of 1636	1968	TRANSACCION NO 978654567980987654535768900976543457689.exe	50
PID 1968 wrote to memory of 1636	1968	TRANSACCION NO 978654567980987654535768900976543457689.exe	50
PID 1968 wrote to memory of 1636	1968	TRANSACCION NO 978654567980987654535768900976543457689.exe	50
PID 1968 wrote to memory of 1636	1968	TRANSACCION NO 978654567980987654535768900976543457689.exe	50
PID 1968 wrote to memory of 1636	1968	TRANSACCION NO 978654567980987654535768900976543457689.exe	50
PID 1968 wrote to memory of 1636	1968	TRANSACCION NO 978654567980987654535768900976543457689.exe	50
PID 568 wrote to memory of 1348	568	TRANSACCION NO 978654567980987654535768900976543457689.exe	51
PID 568 wrote to memory of 1348	568	TRANSACCION NO 978654567980987654535768900976543457689.exe	51
PID 568 wrote to memory of 1348	568	TRANSACCION NO 978654567980987654535768900976543457689.exe	51
PID 568 wrote to memory of 1348	568	TRANSACCION NO 978654567980987654535768900976543457689.exe	51
PID 568 wrote to memory of 1348	568	TRANSACCION NO 978654567980987654535768900976543457689.exe	51
PID 568 wrote to memory of 1348	568	TRANSACCION NO 978654567980987654535768900976543457689.exe	51
PID 688 wrote to memory of 1332	688	TRANSACCION NO 978654567980987654535768900976543457689.exe	52
PID 688 wrote to memory of 1332	688	TRANSACCION NO 978654567980987654535768900976543457689.exe	52
PID 688 wrote to memory of 1332	688	TRANSACCION NO 978654567980987654535768900976543457689.exe	52
PID 688 wrote to memory of 1332	688	TRANSACCION NO 978654567980987654535768900976543457689.exe	52
PID 688 wrote to memory of 1332	688	TRANSACCION NO 978654567980987654535768900976543457689.exe	52
PID 688 wrote to memory of 1332	688	TRANSACCION NO 978654567980987654535768900976543457689.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\REGISTRO DEL SIGUIENTE MOVIMIENTO TRANSACCIONAL OCTUBRE 2 DE 2024.msg"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://docs.google.com/uc?export=download&id=1DAJFVO9Z-gWVd34mBvP8SheThGfjP8eq
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3000 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1480

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2268

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap27522:170:7zEvent25257
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2524

C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe
"C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:876
- C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe
  "C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2816

C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe
"C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe
  "C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe"
  2⤵
  - Executes dropped EXE
  PID:2884

C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe
"C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe
  "C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe"
  2⤵
  - Executes dropped EXE
  PID:2888

C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe
"C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe
  "C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe"
  2⤵
  - Executes dropped EXE
  PID:1636

C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe
"C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:568
- C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe
  "C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe"
  2⤵
  - Executes dropped EXE
  PID:1348

C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe
"C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:688
- C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe
  "C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe"
  2⤵
  - Executes dropped EXE
  PID:1332

C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe
"C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
132B

MD5
1b4cdd40b5503c934f2d891c1d4d6746

SHA1
26dc7c0ae92aac4a9aa888ceed1c9adba6573e4a

SHA256
cb8c360a53e553bd74804db481fb696ffa4e8c488b473c5f1e4387701d225211

SHA512
d6374d350030383b15a6b9fecc1491207dcae3ef6cc83c32049247caa419734125aab9c10cc2e4cb36f8fb774eb7c6306a1ebd8987c181324d5021d85cb041a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
226c896599d24e5a51789f2d38bbbe27

SHA1
c284acf63fd922b33f92baa21653a481b4795f78

SHA256
206fb7c70ff2848bfdb17c7c9695085512d056fb82ff65ffd7028c2d27c10e94

SHA512
b9345e2f72a495d4a8e018f239792ef66967568573063976c6cfd73b77acc8616813e112c8c89aa92f00d383aa22c1129d1460dea6f0efb52c18c1153c6f268b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e9db1682ebc31c0212905ef9dddbb3e

SHA1
3ac78515adaf4f4c55b8a2a34d79d4a3434a10e7

SHA256
f1c8813647ecbc09f93a194457363dab2f2a72f7c8c31be36dd9bf9c9f589ef0

SHA512
e8555b16e926785803052cdff8999eae0c291a55921829ed9eb01587b69a77390b426dbcf44d354be687573172981b9fa57f95c64d5fdfd9475e354a31304a67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bea272ada609b9b28a384bed5a4b0cd

SHA1
8bf513c795a01365ccfb0f0d61695669682ff671

SHA256
5d655bce2cee26330712d25c87ed4c3772a062faa228844223432bdba3656ca5

SHA512
d3cd5727d396c7f06d9d54aba083170042220f5cfabb2de4ea274e098f51c0878aeda90d4b3e77a61fe8978e4e619c047d2e40968f3a8d8195760882eec8442d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93ab9873cabdc73052d10a724f480adb

SHA1
362378848d3adf4f356ca99e479acef620674763

SHA256
edb8c83255921b4e04a8d77f28e809995eccb63f503137fc62acc9d31c4f1639

SHA512
c108fe33286dbbec6796ee66ec1fdc347c4581632ed8d269b641f549fd14282e0ea8e972d9e37482cac9b3c0cb945c82a55bf9796877f403007253733b7a09ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ae8dbff6608d3351383d661135b8495

SHA1
e6a8cf7d3472a7f1b1131702a64976dcfac9f954

SHA256
3681e6cd3d06a7c9b1b0761782f0a666e290e1a2cf62e645740b5f4185f93d40

SHA512
2d2893bde8a740120cb59cdfb3be75c7ec9a979f9fd46da7a5e804942ceb603d6196d77b8557d1d4c37f9a175fbb32d5b0f46d144d7bf5c2d4c07ce6f3e7f5fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9ff9ec8c9d39bb18d8926e73603b0d2

SHA1
bb182c9566bf1896558a42d25b54b0a587d00b14

SHA256
af73121b9f754fa1aa8a746163fd7f6e02a406cd295268675c548d8bf14588f1

SHA512
f060696f5fd7b4f35b17143b84a7d599258465a9404e6ec85c031b3a40f29e65008b98e001fe0d744b9180cfe097382e5ca745f2d1709ffbee40da1389389b3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
268e5690d1ab0cc7165eab0f8d9cd627

SHA1
c5389163bdaa2a5ce829f0ca49777e1aa24dce54

SHA256
fa987858722d7dcf808d2f5d1d1b91e097649f4adaad3d93e474dd5ae0c67d42

SHA512
9f0c9306f1692fb1dd2a1b7d5eed9643c3487c2d0b33d4f6965f2c08ab58c4d1eb5d6861c7f955ab9d3622180a47d61f3992552e16a2b8e44ff5c02793c472b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73259acde1b36437fc49d56a39886b41

SHA1
e691656c42f02640498059f8bc2620a18e38adfe

SHA256
8fbf6396c1acf619e78cf608808c049809550ea574057d099d644443faac9427

SHA512
66627e42f5e65ae1dde6c33234ba2e726372d2701758fa36640ddf9a9d115229afaf90f0e66104efdba70e0759451c8903614d8e330a3a90dc60bd71a8615dbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
008133f120682afe7065f59cc2744bdf

SHA1
66451917a681a43671e1cc44052e8b7453e76163

SHA256
d63b51c7ca54601f0b682cff8bd7eaf55d6cfc918ce38bdedf2bb1b2111c4b47

SHA512
8a611594d6127f444d53b9c8e53c1310173b4cf6675205d919652370ae8b5986bbc7850ad69015fc7a0c049ce251896d9758c12a9489f128788555d09d1994b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa708987c442952fdc0b23ab4d5a1e3b

SHA1
d3e9d1e5b57aac40bc9d5b47249268be5fb0269b

SHA256
50e7306ebf3d2ab62a14bc83fcbd2c6b2ad14cb1bda50ecdb1059bb9810cd304

SHA512
1acccdbbbebee2033e33419337d3218be53ecb325a408490a192c4f705d79c58d6eb83ebc31e4f248cbbe8c0d8bf7d3be9aa4570c9f8586f41f2b71be0f8eb19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e22c64a46eb86c70fa80123abbbf62b7

SHA1
d40d19d800d437b44672c9441b8ea3782c20ae19

SHA256
f6f3526cc198fa0f43e538b5a9a3c74691f303931db01ec8456f1f9da2c1de79

SHA512
00048098d9c3f5b1aa076dfb7a12f0dc622fb8bc81299074d7c917d3c5f1faa4ec2eceefbe1f73903d4615ecdf8802d90757de0a58b0c30306a2ca99f0a5a101

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9013f942fa9293e1102b59470cc5113

SHA1
849d7e31311bd44f9d5d25b9ceec497285045877

SHA256
301a0fb3aabc93aea15e267da2accba7742b2e431c838f8466517de6af95ea6b

SHA512
afc0d7fd422f40f18d7a3479022b972dd6ba8061eae251145574fb39026ee6803eb4ff0ceb67cc63fb75163f663782c8bea5dc1327cbef7604b941ae97c904c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b35fa486f3eddf8f908abfccb141245

SHA1
a9e940f16964f03688248a54a4936485b2e1cc64

SHA256
a117c2fa167e0685236f18b0e8d21c7506ee4e61acdda8fc2089acd95217e17d

SHA512
0769ad2e93665e573077baadcc1c84521c8099ce0fde616a830058fc65cb41f0bf0213fda1393edca95136c4ed170ff31ddff1ce6aece226cac9e26301ac0d94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3893b34cf0cbfa5d5920dec4a9e73a46

SHA1
bad5f1c9f8f68627251f3ef553287b5151df1e47

SHA256
e420aca63aa3ce7614bdb0feff47ccb478017217251ac4b108b8d7364b2bc900

SHA512
b8ac1179d7cf8fac7abcb3f4c16a42bcfc97b53757f37762dbae7125058980297b5d300219ac0f29d1562707112ddc3e61074e55bbf931662df42c9327b03200

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efa3c898309810ef46ac3e4c92aab526

SHA1
babb11fe598533d98c57da9d861b2543422f644b

SHA256
cb61294dba8b33bf92272c654474ddd3b7d63e9e30244318502241dcfa8ddd27

SHA512
b20e3d1de137d1d1963060cbc72db3d2bc475df968ced4e7552b663c34b082aaf1f9cd3cbd59f642562988ccffae2d99aae4cc08e0898030709d4044520b10c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51df3243ce648053a89e9b21d462047b

SHA1
0dc962cf1e8b1dc0b2004c3040f69b7bca55529d

SHA256
6667c2860dfe1bfdf8744c2b6da6e2e14e7f12fab50158f631d3ba67b937bc23

SHA512
a848206bdd85216abaa0280a715f76014548c9146908256a4e98e5b7ae7a551ae5581c267ca48bfbfb4752441bd63cd3ea30d68a323ad38691a6f15544518ad9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb02b9a72ffb9f036b3fc329b6c8cfaf

SHA1
ceba08f823a0031c6a2aee0f3a8856df08829f9c

SHA256
9f91ac482e5ac40338a270a7c64a50de6beaf6ee2b642b4bc5c0cd49da4d1804

SHA512
f0bf5ac1bedff1460af917bd24aae0d9bf7c2f848ff93f01514e56bfd104aa16df1c0879c90cb994bf884852864f87e287921b5f7edf43f819e84694f6343224

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a33f7cb5fa34249c65087e5772af75e2

SHA1
f5d10ead89b84ed15a361d9b385d08a9a8323098

SHA256
ad6c518104eb9742f53dd2318e06a563beae96e6e05bff2cb0f9cb3aa2e996ba

SHA512
976dc56fda76675065480bc205c671b058a2175a17ea73754a81b5160f5ba27636eec94a71bb0fcedec8fcb040d8cd7fdcb8ffb30b8b7ff5577b665c372825b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1981d64f8e15c568e6bd2d4c647427b9

SHA1
4a4593b98f9b30097ebd34c107b69851beb4a670

SHA256
d082d370f82cc5c1c941da8bed523a4b2ac064d53fc947d5d902f3860c1ccc3f

SHA512
1025b09a192290a41dabb69ec04dfc7c8b71c5184c85e54b0cb8887ee3e4d7f1f400e992bb2267a14b7b6a4ee2501aeb25d3fad2963789ca9dae1133962b6242

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ebb79b97355f84b6d5f734a8e8ced2b0

SHA1
3dbaaba44f01f289f6a133d5b8f80030e9b70317

SHA256
df893caf2326098e4b9911cf0b2a85a725a75d35990d5c405b1a7278fd83832a

SHA512
8930c1852312560de9d44fa62cfda072c526d5564b52a085de26e134d58a305fe53831a00ae29bca07905b7729509fe30c9c9d7b912b59ff10a710478eae7037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
ed2cbed86831b9ff4df85e8b23f2cbd1

SHA1
edee17bc6d8124a8cfd36d1af273e7d9b50290ec

SHA256
5dc39265b379e23caf23ee2f55f569781469ee6498ec4c36ba7912688e079e4d

SHA512
5d4420e18198725a0676978c68329105cd168ea2b9bc53947c0c524e269f100d9859d317a6edef14e353dbd11dbd477dee67360ce14e4821e1fe9c61de1bf2cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9fajjbh\imagestore.dat

Filesize
1KB

MD5
1ac725b254cdf4ead2b937c7cf65b9b0

SHA1
b468d6e655e42d66f5f9c41e1fff14fb4a2af4fb

SHA256
857d1f377a876897b7a687352883b34367c956eedee0c43bd8a42bb5625f0a64

SHA512
2cb82a79da4005d52f251292ff25e5e9765ae8babec780fffc5829a7fea0ea6ff0040527aa18ae89b64ecbad5b57ddd00956d422abbc5eeff0cc0a9bebebcd5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\TRANSACCION%20NO%20978654567980987654535768900976543457689[1].zip

Filesize
1.2MB

MD5
0428c8236f3a7d4701b8136785cb91fe

SHA1
aa6df8a7de97b8cd3bb43d8e012615de9c3276e4

SHA256
4eee572588a58b07e9f01ec965f3c4f457777c155344b6bb883e364267c08391

SHA512
d5323f1288cebc17c0509bdf69ee220f92fc85176f6693ac24c5da5e12e551254ec96bbbec518ecfd7de966166658bb1c02e1bd4536109a5825c138917807239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\drive_2022q3_32dp[1].png

Filesize
1KB

MD5
c66f20f2e39eb2f6a0a4cdbe0d955e5f

SHA1
575ef086ce461e0ef83662e3acb3c1a789ebb0a8

SHA256
2ab9cd0ffdddf7bf060620ae328fe626bfa2c004739adedb74ec894faf9bee31

SHA512
b9c44a2113fb078d83e968dc0af2e78995bb6dd4ca25abff31e9ab180849c5de3036b69931cca295ac64155d5b168b634e35b7699f3fe65d4a30e9058a2639bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF21D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF220.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{DE132B72-4E98-450B-8670-11C56427FA30}.html

Filesize
6KB

MD5
adf3db405fe75820ba7ddc92dc3c54fb

SHA1
af664360e136fd5af829fd7f297eb493a2928d60

SHA256
4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476

SHA512
69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

Download Submit
C:\Users\Admin\Downloads\TRANSACCION NO 978654567980987654535768900976543457689.exe

Filesize
2.4MB

MD5
9e5634a01e241113ddc1a5a03265cd3e

SHA1
17f3cba192f573754797b1fb6f644889f9abaaca

SHA256
a8c0001bf62a178870fe526395703f682143078ad37d9b20e50f230dd9059648

SHA512
3cea7ff14f48832b7ca955a5fa2c61115b1f2a5ec9f8df52e32692b07d9d34453fef29ef1d7c62ec666e0f38a4899a89db4a68f615602d267c0103d42fe52156

Download Submit
memory/876-1241-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/876-1234-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/876-1232-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/876-1240-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/876-1230-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/876-1231-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/876-1233-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/1968-1327-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/1968-1330-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/1968-1331-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/2788-162-0x000000006B4C1000-0x000000006B4C2000-memory.dmp

Filesize
4KB

Download
memory/2788-1-0x0000000073B0D000-0x0000000073B18000-memory.dmp

Filesize
44KB

Download
memory/2788-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2788-124-0x0000000073B0D000-0x0000000073B18000-memory.dmp

Filesize
44KB

Download
memory/2816-1244-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/2816-1313-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/2816-1238-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2816-1252-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/2816-1251-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/2816-1253-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/2816-1236-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/2816-1281-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/2816-1280-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/2816-1239-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/2816-1245-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/2816-1304-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/2816-1312-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/2816-1249-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/2816-1320-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/2816-1321-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/2816-1248-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/2884-1274-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download
memory/2888-1296-0x00000000001C0000-0x0000000000242000-memory.dmp

Filesize
520KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads