remcos | 7d714cbb29c50203b38dc40fb727d9e6a071f53062f506631717ce9a2f44bb33

Analysis

max time kernel
134s
max time network
133s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO (1).eml
Size

19KB
MD5

0e204a7f452ac12937c29c1ba8ff7e73
SHA1

70a7fffb6318bbae045f6194f20b4c9580394597
SHA256

7d714cbb29c50203b38dc40fb727d9e6a071f53062f506631717ce9a2f44bb33
SHA512

ed17da3e20ca15af013f68b6b16a577df6a2927776fcc7c04fb6dadfa703c681a3fe1444be99d47014e536603f2024b6355f315b5c1561b46030ef9963f80de8
SSDEEP

384:sUKh9yr4zgvrGlgPUGM2tTNLIMqIAnCZGwPF83uwcckhSCZt/I5K+g9wt:0ciEn9Nrqx2VF8+LJv/3/W

Score

10^/10

remcos golgolgol discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

GOLGOLGOL

dfgdfghghfhfh.con-ip.com:1668

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-1GL4HH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ComfortDesignerEditor = "C:\\Users\\Admin\\Music\\ComfortDesignerUpdater\\ComfortVideo.exe"	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUTLOOK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 707532f0781adb01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{287F2591-866C-11EF-9B6B-D681211CE335} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb9000000000200000000001066000000010000200000001481b86883ce3452f0c0f3cb9cd753ac058cb7f136480cb31a22656d4bb308b2000000000e80000000020000200000000d7a414e7a358bff5817810c72a1cfee8d8ffdfc6ce6642c31895e854e10b82990000000cb035258fa02eccdb04757a51c1954f6eff69836d2edb5c1fc07b502e2f2a5de539b746b0776de82367835128b94e3b2844abcfaad51d6442db4b1fa1d213f13561746db80f3e64743abca0bdc7c8fc7f181f66894fbb41a0bbe80d9b1c55e30679b1a9bd22882edae2b96ca5c4c17904b41c0436cd9c0fb430c12e6adc78f0687a8b12c4beb2c0dd1c594b9a9acba2940000000cd4ae5cafd418203eea66b4f3fe0b33d40dafd4c68e2f0fed35bb55deeed07dafa93486c80fb4d45ecbdf6148e22e223705b2cf4445d0e1143e2654373c7d998	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434660323"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e08f93ff781adb01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb9000000000200000000001066000000010000200000007aa49e5129e441809fc6fec2400bbaad9e9f821213b5d73f837f97b5efd754b3000000000e800000000200002000000037406133c3361f650fb50aed3238df0710205991ecd7a772f70d1aed79fc6111200000005b8152cf6629f47dab2def34bec0ae4b86af523c9c24053f5e250387b560631b40000000704bced6463b2810e7cb6259535e2eaf43bb9acd48617ef5e40f7fc3c4ce946b15631a6fc5ba73135443620547d27a07e46a931f94acfa8e9fbb73f2ef4c662d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063071-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303F-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E1-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F8-0000-0000-C000-000000000046}\ = "_OlkPageControl"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FB-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EF-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067355-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F7-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067353-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304C-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307C-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D3-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DD-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F7-0000-0000-C000-000000000046}\ = "OlkInfoBarEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063007-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D8-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308D-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F8-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F8-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067355-0000-0000-C000-000000000046}\ = "_OlkSenderPhoto"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063007-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D8-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063002-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063046-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302F-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063022-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063026-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067366-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DF-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063048-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063070-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063059-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F0-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EE-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D1-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302F-0000-0000-C000-000000000046}\ = "_SharingItem"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063036-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063041-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D2-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063089-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C8-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063062-0000-0000-C000-000000000046}\ = "_MeetingItem"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F9-0000-0000-C000-000000000046}\ = "OlkPageControlEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063021-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063107-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063070-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F1-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FA-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063045-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063006-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E3-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
588	OUTLOOK.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1124	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
588	OUTLOOK.EXE
2212	iexplore.exe
2212	iexplore.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
588	OUTLOOK.EXE
588	OUTLOOK.EXE
588	OUTLOOK.EXE
588	OUTLOOK.EXE
588	OUTLOOK.EXE
588	OUTLOOK.EXE
588	OUTLOOK.EXE
588	OUTLOOK.EXE
588	OUTLOOK.EXE
588	OUTLOOK.EXE
588	OUTLOOK.EXE
588	OUTLOOK.EXE
588	OUTLOOK.EXE
588	OUTLOOK.EXE
588	OUTLOOK.EXE
588	OUTLOOK.EXE
588	OUTLOOK.EXE
588	OUTLOOK.EXE
588	OUTLOOK.EXE
588	OUTLOOK.EXE
588	OUTLOOK.EXE
2212	iexplore.exe
2212	iexplore.exe
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
588	OUTLOOK.EXE
1124	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 588 wrote to memory of 2212	588	OUTLOOK.EXE	30
PID 588 wrote to memory of 2212	588	OUTLOOK.EXE	30
PID 588 wrote to memory of 2212	588	OUTLOOK.EXE	30
PID 588 wrote to memory of 2212	588	OUTLOOK.EXE	30
PID 2212 wrote to memory of 2424	2212	iexplore.exe	31
PID 2212 wrote to memory of 2424	2212	iexplore.exe	31
PID 2212 wrote to memory of 2424	2212	iexplore.exe	31
PID 2212 wrote to memory of 2424	2212	iexplore.exe	31
PID 2372 wrote to memory of 1124	2372	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe	35
PID 2372 wrote to memory of 1124	2372	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe	35
PID 2372 wrote to memory of 1124	2372	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe	35
PID 2372 wrote to memory of 1124	2372	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe	35
PID 2372 wrote to memory of 1124	2372	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe	35
PID 2372 wrote to memory of 1124	2372	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe	35
PID 2372 wrote to memory of 1124	2372	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe	35
PID 2372 wrote to memory of 1124	2372	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe	35
PID 2372 wrote to memory of 1124	2372	MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO (1).eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:588
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.google.com%2Fuc%3Fexport%3Ddownload%26id%3D1A1l09E8MW6NO4r4eL_Nz423Pv14S6Wbp&data=05%7C02%7Czaydawilchez%40reincorporacion.gov.co%7C02779a08b2464c5da2f308dce87ac0dd%7Cf98cdc17be3b46eabd8e04ae5bf545a8%7C0%7C0%7C638640861475391590%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C40000%7C%7C%7C&sdata=4mdAWhVRdN7Ak6lvEXmHuS44W%2FvqDuUdv%2BtbW3ljHqQ%3D&reserved=0
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2424

C:\Users\Admin\AppData\Local\Temp\Temp1_MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.zip\MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.zip\MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\Temp1_MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.zip\MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.zip\MOVIMIENTO BANCARIO EN LINEA - PAGO REALIZADO.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
212B

MD5
e101c0279ca386e69385c07acc6b6b81

SHA1
3c7b34773ec39ff02d2d3545845831c47f0c67ef

SHA256
ba10ad118e09831f01dbc561023fb9b6c002c20ab8120f46a1e8d7dfbf207a93

SHA512
1e889f9b6475f774ec3f55f981a3172ee4bcfa926287ab8fc020c29b1542c91c54402eec926c7b1c468bc3f202f122d1609a22440c7a7efaa2197b40eed0701a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
d3426c3b710d6404971d7787911b14bb

SHA1
0ea73664e1db511e752d51e8614498f89c64796c

SHA256
53ce2df4d8d2c7a002bff9d252a487900f95971f8e1ea7f87aaa100a044cc6e9

SHA512
5e1124a479cfc10f4139ce1c5b9318956163ddbb933c793fae969988fc4153ced2c7d9d5139af758005c3cbd5c40ecd946874cf2be5c4cc68549b916b932f32f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e4159e4889c5f43261392e101556e78

SHA1
1484d899c188f0f8c3510a25004a33f88cacbbc6

SHA256
21ec94fec3548d87308f6c85dc6816988e969b81ab370a1a71df33004e10c3f7

SHA512
29f3d0c5afa9305b929cc2e7e2b3f37a22ee42888b2b8921f781a876e01f6088a898b938150b3c836118653d6375106776813d0f9f9b1dd06f5e8e77f50a8e71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36f63b0b9deb8dec46dc893390de785e

SHA1
547bcdbc904bd69ab0959b99656ad8f4f21ca365

SHA256
ce82434dc15a9a396bbe2f518726298ada85d03a34b7c82f60e05bfbe6dc1e11

SHA512
9945bcaf00d393a78b227ca1d5ce677ab77a7e2595ad4001b1b39339c66379046d73b3396efccc9c468f8f0e19a4cb71ba50501fe526b2b132b01c5a3e03e5a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afb7f2803f8b40428768bc653076de14

SHA1
4a1a0336a31725ffbcbb10c371ac64d943a98c33

SHA256
c2fe86168b5050b01ae64f614e997d1fd512c32ecc44cb03c09917c8d591015b

SHA512
a436cc82946a86932712d561729778d41f586e93c1ef1047bf44b2e0e04ae1dc6dddd25b4d362400f22eb7957886fb23ba7c6156cecf93a0ce95885c46152c6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84b0af407f403b884748c32881727ced

SHA1
a8dbbcce30721a938120e1156f3fad7ed423a509

SHA256
c44cc8bf827a06404cc81b9eaf965a85a6b53d47a9b880fe3e634e5392067639

SHA512
deaf4be9bb6fa557a000bbf25805dc3c55c4849b051dafa2e8e7c831a98a851d25ae9ad2f73fc8fdd8d1de942fe185b5beb652c5a10ca5209b13bc14e17b2002

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bae5836b95389bbba051ceb85642c080

SHA1
d7ca210f16a6f0256c507204d80b4fa1aacf4e23

SHA256
2bba32b50bf772ce5d85a5fbde887e27b64c0fd01716aee75ca76cf5c6ee9a4f

SHA512
5c2ff29a37140ffd09dae8b75f0950eed75c98264b37b8b3cc0c676dbf8233545b7bf525ae4d906e89f2d85a35e5bb5f64af317f6a29203f82f6aa4d4105ac18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73575e8bd334f420cb97bcd50e68959a

SHA1
9d1e32e88d171019cc489cabb28359af25ceb977

SHA256
cc2c770646c16f929bee939053a792b5c7055e86b8bfc56aeda6de654f16ea3b

SHA512
e2561fe538423236f1c9d32c31ae4acbac258b474f64ac0cfedd1227bda6d487041de75e38f8e1c831fcd51d0e6233068b0986ed0cae7c75af8bbb1a1a6a8a52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0891dce5e9b0d74184beffabf8d2b414

SHA1
dfef41261130801ceac5e4eeae6762304760e817

SHA256
3f592e96a08e03ae325e69b545440766f9df9bfe1b22a43807da9c63705973ee

SHA512
56aed06174dcde1039a9c7a73c642dba2e73917ab00e59ba2e3463f0dfa81ba8b572bf0261c02e8f967d6599a9902058db24812d887015b53bd256c6a0310947

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb859a8a73c7f6c32fa9df6912fd0228

SHA1
592db65bbae2ce0d8d8699d8ce2c94dea8889b02

SHA256
531f197c4ddf819569cce0ff15f639fccca7bb4b29b1eb8610b3d33e57d521fc

SHA512
b66d2b0b5f79f6071118d7dee3bc53fb75332c71fa17bc0786cd92747ff3376440e2ecd8bf63f295cf6be99cbe9f679fbaa8a43c893db13999bf7b3cf60b2af8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
548f1c395790977648b8b31e3ba850ea

SHA1
12d429d1ff8936cf91f10c31935ad3b56fe72276

SHA256
5923c27c3f673612f7fce2810e151cbfbc3e9b44664f7dab3f5bade2f74abe05

SHA512
74bdbbdc16210982ab4f6783463dc254c0becdc1a0da58d2ff9989932c34563d788d1cad272d841bfcca7cd2d97952b24c7be88215522501c7b6ba0abb9f45f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4369b7a0ef80e2ed12bc502675107eb

SHA1
9f86aa48793b27e42c11f3eb5f6cae986f1f4882

SHA256
73b63975a86aae7d201068f0b0292352a15d56af24bd6b9b05e9214f6da0fe4c

SHA512
e0bc52cab701b1070c9e2c82545e55974b564c6786fa4643b954cb75ef1844a0eebfb7c2fdf9ec68b19cb10e192d14f1c97968c3bfb708ec6636fca323ddce61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11cb0404614d4a1939311de6598817d9

SHA1
dd43c6a0e240fa35e0413842cca7485c1e3d9b18

SHA256
00d644045c999d542868c011a41eaa395beef30869e429fefbfbc896fc33759e

SHA512
97e7aca87ccda82a64b86af0876829869f7e364ae64973930fe4812051cdf9be523ba373ea51ebd654725b7c521eba6e3e18702fc41d94d8f0a177c0c8160be4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b805dbcee29ee7c9ae27490093ba2cf

SHA1
4d35637d86bb45ac5b566d59581090d7ddbd0483

SHA256
68b0528f337a13bbfd1751884e7731f8dc89c84e65abcc4e26ba0c4a9613b7fc

SHA512
4215eafa253cf132ff3daa3da3df39d689ffd106df0fb1b96e32c4e9854f406df6a172f68c596e4cb7052f21f1d19246282817096e25d444e62b9d9f027f878d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbd4037405b54afd2b6757acbd30daac

SHA1
c6c1c2325d7fba79af4282edca0387ced67b0ddb

SHA256
51d61eecfc9e2a954d03bb7da093e3cb37b15b0bf6f9d8085773b586f5ea8b9d

SHA512
80c418c455bf5276fbe4641edbf3caec99dcb60c0e62ceb512b5ca65a45869460064b13efd2025a7e4606c7e9b99d174516ae1e8693a1dd38ca05c9b0adc9c0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb0863622f84d963238dfe92dda5d39e

SHA1
703cbfb84acb87ecd12e6d8401f980d1ef09469a

SHA256
198cba6bc80bf83f9ce70b72cea776889b9b2731c81f12ce83dfceadf040a7f6

SHA512
59eecdb59e8dc2b07eb0f28acd5a38104fbe893ca5857c26615bcedf0af5ee4af466cb3854c2e1569e9c37b50b8812998618f0a8467073bfad6db7d2cd0591a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9752d17f4ba007bd65c96a142293e6c2

SHA1
7ece58bd719505de1ce5714f5be115ab1244d0d2

SHA256
1e97917115765c580b5ffab3214963888f5c3cd0a074bf098b178b082e8948de

SHA512
6b576a2d4127057a578c8ecdefd11f0db3ff06e0e1eeeda8b1e083ae2a30e8bf9c68c0e35b3d8dd59f1b7707095b218606f5880353639641635c8c4f76d2a7e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00824cd6a28c3eb267902560a0bbf9ad

SHA1
197268c8bb645d24a4d1b04f63c8d83d81731359

SHA256
bf6e68f589c3bfb168920fb67c69dfdbb9c42798e55a18db7fbb19f2f77dff10

SHA512
5964a3ebc767d1e57c391a31a9bcdd83f8f9b268b41841f409c3053009dacf8c09e9bd3f773b7eeaa40c6c8315f538232a68634ee71affab5d3f86f921daa031

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c46c48732d6c5c003f46294625a6caa

SHA1
bdc92f14c366551b1dd9533a30d23533da8295a0

SHA256
45ed39f9fa94f09a79ff317d2aef1ed93221f4a4e54b0bb0b48feb8ba75eed20

SHA512
69a2d256e89bf9872a1f7bef01192f3b085fb8d38d5099985cbd68855bd651040ae8a2dd3a5932ad8545c2dcb8ae792627f549aa307fd91fb844b46177ff5663

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e32e3336153598566045374e56e7c35

SHA1
982a0b545b4188114cee273d9724e33b55d7c1bb

SHA256
5a45b5af1735d1d717016d71a168169564dd8706e3e64c93b2014a83b2cea084

SHA512
5bee1e3a30fe1bcbf9724b03fbd0a5dfd3ce5fecd5923eb5fac0871aba4252a34d39e8b4751e608c98c64cb154e386f53d0472c9634c383322ac4e9f21fdaa44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f40b79e2f20cc2f855528aac2e32af1a

SHA1
62ff5113be167425f08ac16b2ad391d19d2a6bb1

SHA256
bf23ea3dbfedea415066cd00bdf1579d7dd061775146102440f67ca68d5d49c5

SHA512
22bc6410d2576eef137a2c52a11a88d4e2c91a05318c9c45331d287a32df34523294e80c0b6a3a1f3426ba52b789a126e3cb99fed3a80867a47703378155fed3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f84c4541e663c5a48650bf20643e800

SHA1
fc8c986362faa0d190a02eb7b635246bc11f7d53

SHA256
946e66d1e04ffbff72c71e4490642c3fa66285d21748766fa9aaf58315343d17

SHA512
3377bf184f3e826e45dd92e13e1085951ce00c1555555f252f8b8006d79df5e6c5a74d3c89d6c94f57d2221318be29221d463f82d29c499e7c96e9896d1b1774

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20931b41dbe582e4834a19d03a948c15

SHA1
d2b0e00b4e71cfe51dfcb40b4cb00464564f58ed

SHA256
7e5f6dc41593f04a1f38ae61bdf8d391b0ee57b2c799c74868583a3fcbf30ef0

SHA512
accacfa776d2db9622f3794318471305c6bcaec51e2c373eb8401b7a56a4e8e5309f6ade49f9d82a5b09fab9cea4b8511d098fd24d26772311cb2ee1f572e6ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63d6ee8800ae16f12adde4f68ec2a481

SHA1
5442effc33259a57c035466ba37ada396dd668e1

SHA256
03e14f7ae8dbf83eff02e2eed9da3e661b9a44b279be6a1053513b54f3b51777

SHA512
f61ab8520afa8fed1225f885be1abf066dcaf5c3dea9737d89f9c5dae674785a8d152f309759793b843dd741b640d6037dc241df06942a5b2da69142f58893ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb23aa22a8f82f7930d2afd45664c71b

SHA1
800276e3df7ac294e6fd32d96519a3ac6c735059

SHA256
a7d48a689dae4b5747eb07f5e53a3171aa7e84ebcce204ea8b645d379a43a69f

SHA512
f2e75ad11b7160e8bab63818dc29d491e9c4f8a01aeecdb54fdf0bfefb30abeca75be36c263c4ec04a88e4628229768b8790981d0f37c27a0b313ff4af7614ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
cee1dd9ba257cbfc0b2fd5fda4c65812

SHA1
6e005ae96cbde5e1488ab3ab500a42874095937a

SHA256
6f55098c661867b374666f792deea00e93aa0b798db30c85cd7fcee43eda4d30

SHA512
9e8854c655a98c38e64a5fb755c4defa7fa0fb8283521ef46924af56fb4f3b6e34d87172165f5d5fcbf06da914c2536549bb213bf37e71acdc2d19cc71cd043b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
4b2ddd62ce20871a720ef46b6c82ab38

SHA1
27175c902276dfb0871ca401ad508b2e434ec282

SHA256
3037e19680fb47c153800935fba11c004fcdd85a49b7b36a060a6cf41b7cc6fd

SHA512
90b961ea7ef6a4b4bbcf73997953232e7c79c6ef068711a24dfe6b88a663cfdc9d5b17648907f4d6eb8bee5b1088239426f3568db1d69f14e9bcb86ca3f4d330

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\pzrzu69\imagestore.dat

Filesize
1KB

MD5
0d8359a3aeb0cc4102215cdb95e6f045

SHA1
6be68688c61a176529ee0a418e1cc1ad7ef9bec9

SHA256
5f2e480596f6d971320a274956e2fdf382c445b7b509626169de93544120ef80

SHA512
366528b0052247672cb78c24cab218a4dcc1ff3a4cbdcd728f4b17f30a18e16d52d685e210766515772bb5a1d1f7b218a63bafd53ddc23e02c3528e82bef4883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40WV1DY9\MOVIMIENTO%20BANCARIO%20EN%20LINEA%20-%20PAGO%20REALIZADO[1].zip

Filesize
1.5MB

MD5
0856fc28b22b1f0755792502e74c67b4

SHA1
2697ef9ebc1ae31b442fe9c11e09793123ee2027

SHA256
ef6c8eeaa4afdc194d6fc7ca64e94f4bf3cee9f4348167e98fa02f3dbd997280

SHA512
e7e1b29afe67083d85c3abe04cf17163fe9a507fbf93e68900fd30de962dc91626d2ae998950a78823631311260e410b078cfad4d631608b8a4a40378dcaeb53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40WV1DY9\drive_2022q3_32dp[1].png

Filesize
1KB

MD5
c66f20f2e39eb2f6a0a4cdbe0d955e5f

SHA1
575ef086ce461e0ef83662e3acb3c1a789ebb0a8

SHA256
2ab9cd0ffdddf7bf060620ae328fe626bfa2c004739adedb74ec894faf9bee31

SHA512
b9c44a2113fb078d83e968dc0af2e78995bb6dd4ca25abff31e9ab180849c5de3036b69931cca295ac64155d5b168b634e35b7699f3fe65d4a30e9058a2639bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA5B2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA5B5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6FD68D00-1BD5-42BD-A378-CE79A9D47D2E}.html

Filesize
6KB

MD5
adf3db405fe75820ba7ddc92dc3c54fb

SHA1
af664360e136fd5af829fd7f297eb493a2928d60

SHA256
4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476

SHA512
69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

Download Submit
memory/588-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/588-1-0x00000000739DD000-0x00000000739E8000-memory.dmp

Filesize
44KB

Download
memory/588-124-0x00000000739DD000-0x00000000739E8000-memory.dmp

Filesize
44KB

Download
memory/588-164-0x0000000069621000-0x0000000069622000-memory.dmp

Filesize
4KB

Download
memory/1124-696-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/1124-706-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/1124-1279-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/1124-702-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/1124-701-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/1124-692-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1124-717-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/1124-693-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/1124-704-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/1124-1278-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/1124-1270-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/1124-705-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/1124-718-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/1124-697-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/1124-690-0x00000000001D0000-0x0000000000252000-memory.dmp

Filesize
520KB

Download
memory/2372-687-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/2372-689-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/2372-686-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/2372-688-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/2372-694-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/2372-695-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download
memory/2372-685-0x0000000000400000-0x0000000000745000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads