remcos | d1499d4246784bf70a4e177d93ab955c51e66729cdc86f75fbc274ab4c2031c5

Analysis

max time kernel
81s
max time network
73s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.eml
Size

19KB
MD5

fb4077a5d8bc6e5074b4c22634011bc7
SHA1

701132530e7f055ae66709da8db08b22ad20ca47
SHA256

d1499d4246784bf70a4e177d93ab955c51e66729cdc86f75fbc274ab4c2031c5
SHA512

50f2a50c970dad206c80eb0bb961e08c6eb0d57cef4b52c590241a539299c37da6286ad02984534ce91b7d948701c1007ac805bcef0f9fc32b0f1bc36242d562
SSDEEP

384:wDGlJmz8iO9ikY4tTNLIMqIAnCZGwPF83uwcckhSCZt/I5K+g9wt:OQJJt9T9Nrqx2VF8+LJv/3/W

Score

10^/10

remcos golgolgol discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

GOLGOLGOL

dfgdfghghfhfh.con-ip.com:1668

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-1GL4HH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ComfortDesignerEditor = "C:\\Users\\Admin\\Music\\ComfortDesignerUpdater\\ComfortVideo.exe"	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUTLOOK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d0a3b963721adb01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000003a55adff0f1c2ca11712fe80f3f82f5ba242494410c19bd02cb37912e00e8392000000000e800000000200002000000041f1517d086e2383b64d820e5028f4da16334cab8c11af41d550b6e18c24dcee900000004047c42ba3fa4ea473a3a8a18ee55bccfee1b7623d727c75d9567e318517240dee95bf01fef023c4ac78795313c9958c5b22212844430f855ffa8fdc10acfd057bfb051695fe518fe4a0ea8966dce8f1f5ec674754a3156ef34c9a897c138d687d59968c8dd2a0962c634dbf6f427d01c5ec87d80b68d62522a36cc15414a50d94291de012a737d2b217d3488ab841a24000000021eb422419ee83aa3a5d7325c4656b1a8942afc1c6fe568885f78582d66b02dc2356e08dee59604087740629e62c7f1f7f637a462c2f6a55a4252aa99f0de7b1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10e75972721adb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000723ded50b43c768c64c8a73bb3cb66dd50bc6f01a758368a40e6508590a9c4af000000000e8000000002000020000000e1eb89122f7b8ff545f7515a5870862bf3d576f591617a861b62e45b457da7d8200000006bb517b3e7817d6444c2b0fcfdf5d4d5ee7b78f531353954866c4ddf3f3904bf400000001dd7cb32b6f099e104cab0aa825d7389f477203431b2f633cb169deb9dc07664d0e5a659551fdd18bf5e8f6302bab5b8ab00d38ba34a05f813d161aec5e995b2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9B7EA591-8665-11EF-8587-EAF82BEC9AF0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300A-0000-0000-C000-000000000046}\ = "_Explorers"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304A-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302D-0000-0000-C000-000000000046}\ = "_PropertyAccessor"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D4-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C8-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063072-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FB-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EF-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063003-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308D-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063080-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EA-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C9-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50BB9B50-811D-11CE-B565-00AA00608FAA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063006-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E6-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DF-0000-0000-C000-000000000046}\ = "_SenderInAddressListRuleCondition"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304C-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E0-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A7-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063075-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309E-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EE-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F9-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FA-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300D-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F0-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063002-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DB-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063035-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063062-0000-0000-C000-000000000046}\ = "_MeetingItem"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B2-0000-0000-C000-000000000046}\ = "ReminderCollectionEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F3-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063026-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}\ = "_Stores"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063096-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FE-0000-0000-C000-000000000046}\ = "_MobileItem"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E5-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FD-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303B-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063078-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308D-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307C-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302C-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309B-0000-0000-C000-000000000046}\ = "_OrderField"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DC-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F4-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F3-0000-0000-C000-000000000046}\ = "NavigationPaneEvents_12"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063023-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E4-0000-0000-C000-000000000046}\ = "OlkListBoxEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EC-0000-0000-C000-000000000046}\ = "OlkContactPhotoEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063021-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D7-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DE-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308A-0000-0000-C000-000000000046}\ = "Links"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A7-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307D-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F6-0000-0000-C000-000000000046}\ = "_OlkInfoBar"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2276	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2276	OUTLOOK.EXE
1600	iexplore.exe
1600	iexplore.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
2276	OUTLOOK.EXE
2276	OUTLOOK.EXE
2276	OUTLOOK.EXE
2276	OUTLOOK.EXE
2276	OUTLOOK.EXE
2276	OUTLOOK.EXE
2276	OUTLOOK.EXE
2276	OUTLOOK.EXE
2276	OUTLOOK.EXE
2276	OUTLOOK.EXE
2276	OUTLOOK.EXE
2276	OUTLOOK.EXE
2276	OUTLOOK.EXE
2276	OUTLOOK.EXE
2276	OUTLOOK.EXE
2276	OUTLOOK.EXE
2276	OUTLOOK.EXE
2276	OUTLOOK.EXE
2276	OUTLOOK.EXE
2276	OUTLOOK.EXE
2276	OUTLOOK.EXE
1600	iexplore.exe
1600	iexplore.exe
980	IEXPLORE.EXE
980	IEXPLORE.EXE
2276	OUTLOOK.EXE
2904	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1600	2276	OUTLOOK.EXE	32
PID 2276 wrote to memory of 1600	2276	OUTLOOK.EXE	32
PID 2276 wrote to memory of 1600	2276	OUTLOOK.EXE	32
PID 2276 wrote to memory of 1600	2276	OUTLOOK.EXE	32
PID 1600 wrote to memory of 980	1600	iexplore.exe	33
PID 1600 wrote to memory of 980	1600	iexplore.exe	33
PID 1600 wrote to memory of 980	1600	iexplore.exe	33
PID 1600 wrote to memory of 980	1600	iexplore.exe	33
PID 2112 wrote to memory of 2904	2112	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe	37
PID 2112 wrote to memory of 2904	2112	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe	37
PID 2112 wrote to memory of 2904	2112	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe	37
PID 2112 wrote to memory of 2904	2112	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe	37
PID 2112 wrote to memory of 2904	2112	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe	37
PID 2112 wrote to memory of 2904	2112	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe	37
PID 2112 wrote to memory of 2904	2112	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe	37
PID 2112 wrote to memory of 2904	2112	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe	37
PID 2112 wrote to memory of 2904	2112	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.google.com%2Fuc%3Fexport%3Ddownload%26id%3D1A1l09E8MW6NO4r4eL_Nz423Pv14S6Wbp&data=05%7C02%7Cdeyaniraolivera%40reincorporacion.gov.co%7C02779a08b2464c5da2f308dce87ac0dd%7Cf98cdc17be3b46eabd8e04ae5bf545a8%7C0%7C0%7C638640861475197263%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C40000%7C%7C%7C&sdata=X9eq%2FSXlIa2QfjZvo%2F0pAoAIizxTNeXNZ6KWthd77G8%3D&reserved=0
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:980

C:\Users\Admin\AppData\Local\Temp\Temp1_MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.zip\MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.zip\MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\Temp1_MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.zip\MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.zip\MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4060e2a195c75239b2631d2182732718

SHA1
491dafe263383a4c9961f3461df4e801d23c6b21

SHA256
05792a59c82ce2f565e28454c5b350da6064b48d844e3fab1512426870c26878

SHA512
2bfffaf8eb3dd5ea9527ab338b66e6e0848504edbee9433296395e9744b709c1618c515b8e6f5ff542ae94af065c5dd50e1d3551177733e1b6611049dc535935

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd9e957238bbdfe56de7cb439f4f1d24

SHA1
7375d70f4d381fb0d25b853a80a6e1368ed258a9

SHA256
8fe551e19ff3b774a5c6180ba551fb36ca3176756bfffedeb07d88907aafd700

SHA512
a044cb650024d14f109f4d68fa308f258b884cbc9c5629c013308e7466c022499c3f64b93a0cf20c3821db02f8de599f57577a95844b652404f87a726bf6937c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
698c07381630408c2a350eac10a4174c

SHA1
4e839fe7300c142dc7a3bff6b16e3a569b34f3fd

SHA256
9fffeecc2c25c16cfbfe74aa597e53b65a4d6329879a0584fff548c1d7c49b26

SHA512
3a3d99ac5de70aae4c01926238bbc055c9ed1c122249019b28cf88da936fb3d0c130943e74a2bc16f885d603d67ad4cbe4ef88b0fd55296f1f5ed60116fcab37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4311317d5b971411b14dfceaa6bdc7aa

SHA1
cf944397fb56b305ab753745d505b05c46a80514

SHA256
f37ebfaec396ce5f28f60019f87578e5a751fccfc6e12ff18451f69bbb7559b4

SHA512
5cc9c66185760086ed4b2c82e9817df6c9fc0c1afa5165d1b13d2ec4415d1cb74115b48eea8f765df51564b4407f2d9ff31dd77e6b1a03958a93bdf662cd688d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0aafd710be5f68aa30f729f8407f04e6

SHA1
b248a23d5562ca36952232998eccc4b9ba095254

SHA256
927a6e50ecf39847a1b9aa161b07a4c1a7b9c0388fd0f661cb46c483f579a917

SHA512
9b769ff328b1316c7068363998cf8f829ebff3b4613ec21aeea8ff9acb241e97b7aac5c6e3fb95a2a33fbe7a63c1b095040643801858efc91dbc11c3c5465950

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff2aba51fcded96a706b87195203a05a

SHA1
c47f93a849772d089c210542895482dcc65d3601

SHA256
204f0185c0eee2daae0a4cef107ae7ae9184c19b2cc1eb7e9734d806aec19014

SHA512
fd9236d22d3803ac0c9a38e9385311f17ffcd8ad2bf75d02c6ef4472979a79ea9749bc8ff84dd96d842ed5cff594e059586c4de06880f6cf8619f626cb86d19c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9eeeeb9062bed6fbff950eed48bcc322

SHA1
66cd487397a4c06af3db861ccdb69c70e8149168

SHA256
1ca11f1e5e69ac9a0a372a0e38e1da6c976df2ecd21443ccc5514a46ece4a4f2

SHA512
05a882480689b622266066812f18e606a5506bd0d444e8a1c213951cc269d8298ffd9e00eba51f74094cdbe0138510d312ca0699361f1a05cf30522817285aa2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc1f95e064f548866dd4c92ea4cdb949

SHA1
c49544c3235d61d27c44be2ef5e6a064abc3300f

SHA256
233493f063ac49bad058d0492e57851d16f7ea4cdb3bdab84e7824e8d15bb52d

SHA512
c4f14b6895a51b3d145b5c6d7830219ea8c88c19e40aa79b39e4d50efd915f73432bc7a189a848868bfbc342742a0a14f46dd9adb4b308d87f74db6da1b559c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\guoemn1\imagestore.dat

Filesize
1KB

MD5
2b49bbc9fb7d17d2f9888ba9eabfd9f6

SHA1
512d73d9cf9a1617d1dcc6912688bb635de54d3c

SHA256
77515c37b48a934e446bc9aff2b5ad270d56f38731af4c0a146a6f28f4c5b7b4

SHA512
e0f4a1a965bfc1cc53364d3513ad9209a38b2af4c1d46a4211af3c3e2fdb78dd75d4e7616938724c299d64b3bfc0f793989e892accf0feb2a24406d6bf2482c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\MOVIMIENTO%20BANCARIO%20EN%20LINEA%20-%20PAGO%20REALIZADO[1].zip

Filesize
1.5MB

MD5
0856fc28b22b1f0755792502e74c67b4

SHA1
2697ef9ebc1ae31b442fe9c11e09793123ee2027

SHA256
ef6c8eeaa4afdc194d6fc7ca64e94f4bf3cee9f4348167e98fa02f3dbd997280

SHA512
e7e1b29afe67083d85c3abe04cf17163fe9a507fbf93e68900fd30de962dc91626d2ae998950a78823631311260e410b078cfad4d631608b8a4a40378dcaeb53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\drive_2022q3_32dp[1].png

Filesize
1KB

MD5
c66f20f2e39eb2f6a0a4cdbe0d955e5f

SHA1
575ef086ce461e0ef83662e3acb3c1a789ebb0a8

SHA256
2ab9cd0ffdddf7bf060620ae328fe626bfa2c004739adedb74ec894faf9bee31

SHA512
b9c44a2113fb078d83e968dc0af2e78995bb6dd4ca25abff31e9ab180849c5de3036b69931cca295ac64155d5b168b634e35b7699f3fe65d4a30e9058a2639bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4AD9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4ADA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{DCF02A39-B21F-44E1-B493-9722331CD98E}.html

Filesize
6KB

MD5
adf3db405fe75820ba7ddc92dc3c54fb

SHA1
af664360e136fd5af829fd7f297eb493a2928d60

SHA256
4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476

SHA512
69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2112-700-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/2112-699-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/2112-690-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/2112-691-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/2112-692-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/2112-694-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/2112-693-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/2276-1-0x000000007355D000-0x0000000073568000-memory.dmp

Filesize
44KB

Download
memory/2276-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2276-164-0x000000006AA61000-0x000000006AA62000-memory.dmp

Filesize
4KB

Download
memory/2276-124-0x000000007355D000-0x0000000073568000-memory.dmp

Filesize
44KB

Download
memory/2904-698-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2904-697-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2904-695-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2904-701-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2904-702-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2904-705-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2904-706-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2904-707-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2904-708-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2904-709-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads