Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25-11-2024 02:59
Static task
static1
Behavioral task
behavioral1
Sample
cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe
Resource
win10v2004-20241007-en
General
-
Target
cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe
-
Size
1.2MB
-
MD5
552044ce92b78bf4b68d242c2c380afe
-
SHA1
2ef4efa20f4fd0d05d8f49ccb22c9afeada93a62
-
SHA256
cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3
-
SHA512
4dc5ef0fb4b80a81015f4507422a67309074ea01787c9ed0d18c850a1d98ea1e3a444993a1d08428331e2ff044390c873d20c31ffbae049e325a82b64d5a3967
-
SSDEEP
24576:6YdgfvzmIzxWOwxzCJYC3PPoKb0Eci5ihjJVxw9bYOd+8:qzmmWXRCaePPjb0Eci5ih7xw9bYI
Malware Config
Extracted
remcos
RemoteHost
212.162.149.226:9285
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
AppUpdate
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-VCJ8ZS
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
AppUpdate
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 1772 powershell.exe 2912 powershell.exe 2712 powershell.exe 2768 powershell.exe -
Executes dropped EXE 2 IoCs
Processes:
remcos.exeremcos.exepid process 1700 remcos.exe 664 remcos.exe -
Loads dropped DLL 1 IoCs
Processes:
cmd.exepid process 1148 cmd.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exeremcos.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\"" cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\"" cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\"" remcos.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AppUpdate = "\"C:\\ProgramData\\AppUpdate\\remcos.exe\"" remcos.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exeremcos.exedescription pid process target process PID 2368 set thread context of 2880 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe PID 1700 set thread context of 664 1700 remcos.exe remcos.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exepowershell.exeschtasks.exepowershell.exeremcos.exepowershell.exeschtasks.exepowershell.execac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exeWScript.execmd.exeremcos.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language remcos.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 2828 schtasks.exe 2360 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exepowershell.exepowershell.exeremcos.exepowershell.exepowershell.exepid process 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe 2712 powershell.exe 2768 powershell.exe 1700 remcos.exe 1700 remcos.exe 1700 remcos.exe 1772 powershell.exe 2912 powershell.exe 1700 remcos.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exepowershell.exepowershell.exeremcos.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe Token: SeDebugPrivilege 2712 powershell.exe Token: SeDebugPrivilege 2768 powershell.exe Token: SeDebugPrivilege 1700 remcos.exe Token: SeDebugPrivilege 1772 powershell.exe Token: SeDebugPrivilege 2912 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.execac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exeWScript.execmd.exeremcos.exedescription pid process target process PID 2368 wrote to memory of 2712 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe powershell.exe PID 2368 wrote to memory of 2712 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe powershell.exe PID 2368 wrote to memory of 2712 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe powershell.exe PID 2368 wrote to memory of 2712 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe powershell.exe PID 2368 wrote to memory of 2768 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe powershell.exe PID 2368 wrote to memory of 2768 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe powershell.exe PID 2368 wrote to memory of 2768 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe powershell.exe PID 2368 wrote to memory of 2768 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe powershell.exe PID 2368 wrote to memory of 2828 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe schtasks.exe PID 2368 wrote to memory of 2828 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe schtasks.exe PID 2368 wrote to memory of 2828 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe schtasks.exe PID 2368 wrote to memory of 2828 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe schtasks.exe PID 2368 wrote to memory of 2656 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe PID 2368 wrote to memory of 2656 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe PID 2368 wrote to memory of 2656 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe PID 2368 wrote to memory of 2656 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe PID 2368 wrote to memory of 2880 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe PID 2368 wrote to memory of 2880 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe PID 2368 wrote to memory of 2880 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe PID 2368 wrote to memory of 2880 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe PID 2368 wrote to memory of 2880 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe PID 2368 wrote to memory of 2880 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe PID 2368 wrote to memory of 2880 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe PID 2368 wrote to memory of 2880 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe PID 2368 wrote to memory of 2880 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe PID 2368 wrote to memory of 2880 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe PID 2368 wrote to memory of 2880 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe PID 2368 wrote to memory of 2880 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe PID 2368 wrote to memory of 2880 2368 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe PID 2880 wrote to memory of 2264 2880 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe WScript.exe PID 2880 wrote to memory of 2264 2880 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe WScript.exe PID 2880 wrote to memory of 2264 2880 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe WScript.exe PID 2880 wrote to memory of 2264 2880 cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe WScript.exe PID 2264 wrote to memory of 1148 2264 WScript.exe cmd.exe PID 2264 wrote to memory of 1148 2264 WScript.exe cmd.exe PID 2264 wrote to memory of 1148 2264 WScript.exe cmd.exe PID 2264 wrote to memory of 1148 2264 WScript.exe cmd.exe PID 1148 wrote to memory of 1700 1148 cmd.exe remcos.exe PID 1148 wrote to memory of 1700 1148 cmd.exe remcos.exe PID 1148 wrote to memory of 1700 1148 cmd.exe remcos.exe PID 1148 wrote to memory of 1700 1148 cmd.exe remcos.exe PID 1700 wrote to memory of 1772 1700 remcos.exe powershell.exe PID 1700 wrote to memory of 1772 1700 remcos.exe powershell.exe PID 1700 wrote to memory of 1772 1700 remcos.exe powershell.exe PID 1700 wrote to memory of 1772 1700 remcos.exe powershell.exe PID 1700 wrote to memory of 2912 1700 remcos.exe powershell.exe PID 1700 wrote to memory of 2912 1700 remcos.exe powershell.exe PID 1700 wrote to memory of 2912 1700 remcos.exe powershell.exe PID 1700 wrote to memory of 2912 1700 remcos.exe powershell.exe PID 1700 wrote to memory of 2360 1700 remcos.exe schtasks.exe PID 1700 wrote to memory of 2360 1700 remcos.exe schtasks.exe PID 1700 wrote to memory of 2360 1700 remcos.exe schtasks.exe PID 1700 wrote to memory of 2360 1700 remcos.exe schtasks.exe PID 1700 wrote to memory of 664 1700 remcos.exe remcos.exe PID 1700 wrote to memory of 664 1700 remcos.exe remcos.exe PID 1700 wrote to memory of 664 1700 remcos.exe remcos.exe PID 1700 wrote to memory of 664 1700 remcos.exe remcos.exe PID 1700 wrote to memory of 664 1700 remcos.exe remcos.exe PID 1700 wrote to memory of 664 1700 remcos.exe remcos.exe PID 1700 wrote to memory of 664 1700 remcos.exe remcos.exe PID 1700 wrote to memory of 664 1700 remcos.exe remcos.exe PID 1700 wrote to memory of 664 1700 remcos.exe remcos.exe PID 1700 wrote to memory of 664 1700 remcos.exe remcos.exe PID 1700 wrote to memory of 664 1700 remcos.exe remcos.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe"C:\Users\Admin\AppData\Local\Temp\cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uCItbEGgKu.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uCItbEGgKu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1D9E.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2828
-
-
C:\Users\Admin\AppData\Local\Temp\cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe"C:\Users\Admin\AppData\Local\Temp\cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe"2⤵PID:2656
-
-
C:\Users\Admin\AppData\Local\Temp\cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe"C:\Users\Admin\AppData\Local\Temp\cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3.exe"2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\AppUpdate\remcos.exe"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\ProgramData\AppUpdate\remcos.exeC:\ProgramData\AppUpdate\remcos.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\AppUpdate\remcos.exe"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uCItbEGgKu.exe"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uCItbEGgKu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp86DC.tmp"6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2360
-
-
C:\ProgramData\AppUpdate\remcos.exe"C:\ProgramData\AppUpdate\remcos.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:664
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD5552044ce92b78bf4b68d242c2c380afe
SHA12ef4efa20f4fd0d05d8f49ccb22c9afeada93a62
SHA256cac29565b48f92e8c7a43b7dcca13294bae02890c26df75ae5e5ee31a464e4f3
SHA5124dc5ef0fb4b80a81015f4507422a67309074ea01787c9ed0d18c850a1d98ea1e3a444993a1d08428331e2ff044390c873d20c31ffbae049e325a82b64d5a3967
-
Filesize
392B
MD5046708368578d720d91fb9ceecec742e
SHA11dc732f67f48a1d5694f4cf14a8d279dbd1d6ee6
SHA25604f4edc28e97a16f93cf7acac864aba17cc467282550ae61baac719262be6f5e
SHA5129106f645ee74c9e061fcb396a00d706512d41054a356125f26a10d42390d8f0d3ea3dd785393bf5de358b62464ec3c0f7d2e27411e87bb408581f820c427e7f0
-
Filesize
1KB
MD5c7efb1ec7d931b19bd57c265f3c3cb4e
SHA183e90e4593fa5ff744b28435def9a998ed63336f
SHA2561c5a3cdd171902141ce19baa95e30453ea61d597e0bfd25fd4a9824caf0c3935
SHA5125f281aba6f4512b65e5e161a2858725fe52a50cd1d68a382b5d357a9aab1e8fb2122b4a34931a1e4fb07ffcaac67c59a686ef5d06d99cb2fc9618306396bea5c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD515166c9df02ce56789895942e2057f65
SHA151e2f7712a11c7e1b6c90bc1801a66536375be50
SHA256e2ad17f119b32ce962080ae918fccf85747e9006bde3263e1a0ca500829c714b
SHA512589620a59693403be35e926889dadfb85baacae206003e7bbfa8a07cf426d3456e480c62ee8e75412b9f7d79a31496364343041293669d161dc900513cd900b6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD5579a1498371eb411f89824fa6523aa94
SHA139094c3d9fff8ed3af890f550fb9904ad7590b46
SHA256cb5077615a1e3d574e19c9258829f502d4afb0f439280c0e14c48666572f4d6b
SHA512d83c40c8f77ef43329b6488d1ac80305fa56aef2d08b27a8b1d115a89290045552a5bcf9eeda9ac65340fb7276dd7cb1757eba21b6a2fd255f2f08860d29f294
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e