7a67aa0f4b0c33b1bd9acf18ea4e96d357e8198c5eaaab2404e9f6802db3fb87

Analysis

max time kernel
93s
max time network
93s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 22:45

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe
Size

481KB
MD5

f9c6ffd9d3156c7701ddcceb42181ee3
SHA1

210be4e3d3b29cd46b3ace1ce94404451e7fc97c
SHA256

7a67aa0f4b0c33b1bd9acf18ea4e96d357e8198c5eaaab2404e9f6802db3fb87
SHA512

146838fb33b68cb22d77f8c4f91bd47ad1203ba91ff819a6a671a37ef936c7fce445cd82825ac47e601b7a8a1d6fcd045b4b06a2835a8881c7e87307b467a20d
SSDEEP

12288:NuD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDSe+DY:A09AfNIEYsunZvZ19Z9s

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2992	shutdown.exe
Token: SeRemoteShutdownPrivilege	2992	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 600	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	30
PID 2380 wrote to memory of 600	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	30
PID 2380 wrote to memory of 600	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	30
PID 2380 wrote to memory of 600	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	30
PID 600 wrote to memory of 1044	600	cmd.exe	32
PID 600 wrote to memory of 1044	600	cmd.exe	32
PID 600 wrote to memory of 1044	600	cmd.exe	32
PID 600 wrote to memory of 1044	600	cmd.exe	32
PID 2380 wrote to memory of 2868	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	35
PID 2380 wrote to memory of 2868	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	35
PID 2380 wrote to memory of 2868	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	35
PID 2380 wrote to memory of 2868	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	35
PID 2380 wrote to memory of 2988	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	37
PID 2380 wrote to memory of 2988	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	37
PID 2380 wrote to memory of 2988	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	37
PID 2380 wrote to memory of 2988	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	37
PID 2380 wrote to memory of 1152	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	39
PID 2380 wrote to memory of 1152	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	39
PID 2380 wrote to memory of 1152	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	39
PID 2380 wrote to memory of 1152	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	39
PID 2380 wrote to memory of 2252	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	41
PID 2380 wrote to memory of 2252	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	41
PID 2380 wrote to memory of 2252	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	41
PID 2380 wrote to memory of 2252	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	41
PID 2380 wrote to memory of 904	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	43
PID 2380 wrote to memory of 904	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	43
PID 2380 wrote to memory of 904	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	43
PID 2380 wrote to memory of 904	2380	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	43
PID 904 wrote to memory of 2992	904	cmd.exe	45
PID 904 wrote to memory of 2992	904	cmd.exe	45
PID 904 wrote to memory of 2992	904	cmd.exe	45
PID 904 wrote to memory of 2992	904	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe
"C:\Users\Admin\AppData\Local\Temp\173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:600
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart disk 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\2.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\3.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\4.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2252
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\reinicio.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -r -t 8
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2992

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2432

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1076

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2452

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
94afb607764352b6de78da9a46edb7b3

SHA1
6e8e0683fb80005b04c39c59d647ae7b221d4d48

SHA256
96c3e72be3d0591f7ced41981dd494e3488acc89af5346341487089a38cdd93f

SHA512
b7de6af93d0f38f195f6d96c2622b2c4f2b01aa6c4aafc97937a1fb7a1c29e7c82384a6c8e2799d03a40f1feea04219575f1af59a4eff22c7156a188f73f01de

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
23B

MD5
55356dbca07bafdf1047142bdb6723b2

SHA1
cdabcb68dae1d1ac7dab301a05d6d076d28ccb8c

SHA256
1913270e24d752035390649a518afe87943fa297107d742f2b4a4c443ca35285

SHA512
ba52c20120135634c80c39d63a41cceafcae6d53ef7de889492846f5200338038a93f7c9aeeaae85df1250776e3d7b51384661dbe584613cba69537ebe411473

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
6B

MD5
373d5cc730dd449760c437daf3d5a6d5

SHA1
cb97f9f662d25cf7b5092a30138f7a43fe80e803

SHA256
3aa78388a06d8af18054241b5f1370dab815d6344f6c70de2676b7f876cbabac

SHA512
afb44345f9872f947cd1c73a7a9db728944c4d47b0ca25eeb5e7e4e33a57d8467df762feff88a3902ba36a720aad09d41e33c6088360e0b099b4bf5ba0364fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.bat

Filesize
13B

MD5
40a43584ccccdaf0766634be67aeb09c

SHA1
f1393bf1d6eb71f8703918e19f65dd58c9580550

SHA256
84411e63e39fce42977374dd7dca3ff9a74605a5865f7dbc286bfb929af14759

SHA512
3f89ad072a9df464fec8e220c7d26a2cff8fb08fb9a267588396da7ddc8b6e5c2ddcf9262c0ebb6baa92a6dcf100ec10f3a469af2a1e2d29af9e17c3f50739c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.bat

Filesize
17B

MD5
b65ffd49cc304920a12a088785bab529

SHA1
767647cd1fa4d8b633d00829e1b24dcf181076c2

SHA256
760d044760ec106676f4ac76f8cf50ae7e33fa482fced5c024e4f5598e2d2f09

SHA512
c6800a1da7d3010ca0e3ebf97bb7c03caf343e4d090f38dd35378115fa65da5896d7fda7987c34374dafcf18312f382624cf5a3070ac8e66e8251ea79df4efaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.bat

Filesize
13B

MD5
0b0be53db5b104e82c3bb71bd1cf4cfd

SHA1
4f14040cd261a4730bfd96c4ac95698a5b1cb7fc

SHA256
5474221ce9ad0e471a1b3fd9b806490f47f3a63618fc5641c4217c3094013b84

SHA512
f282f0a15cbbd84395534c13727873505f49313bceab751dbb8fd097e7a04b0e6959edf7d72bb10e765c51d5122f98812902169cb156bc2f682f0a32a95e82a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\reinicio.bat

Filesize
16B

MD5
c0f80d321aa72472fc0154cfd140005c

SHA1
6012d51e6035ef92e9f32179eae815459ee4ff5a

SHA256
76763b5fcc2a8c1ffdd1470aff31e19ebaa82592697a0dda4d92bdd2ecff1146

SHA512
2b7e54034f8e322ee9adaa317adea6a4d7062bf059dc3814f5ff990f43130ee09a178b8d402a4964c27dc1e19c97df0c42f4e9877bb9ad0357986822ad3075ab

Download Submit