7a67aa0f4b0c33b1bd9acf18ea4e96d357e8198c5eaaab2404e9f6802db3fb87

Reason

Machine shutdown

General

Target

173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe
Size

481KB
MD5

f9c6ffd9d3156c7701ddcceb42181ee3
SHA1

210be4e3d3b29cd46b3ace1ce94404451e7fc97c
SHA256

7a67aa0f4b0c33b1bd9acf18ea4e96d357e8198c5eaaab2404e9f6802db3fb87
SHA512

146838fb33b68cb22d77f8c4f91bd47ad1203ba91ff819a6a671a37ef936c7fce445cd82825ac47e601b7a8a1d6fcd045b4b06a2835a8881c7e87307b467a20d
SSDEEP

12288:NuD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDSe+DY:A09AfNIEYsunZvZ19Z9s

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	diskpart.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "234"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2448	shutdown.exe
Token: SeRemoteShutdownPrivilege	2448	shutdown.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2928	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe
3124	LogonUI.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 5012	2928	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	99
PID 2928 wrote to memory of 5012	2928	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	99
PID 2928 wrote to memory of 5012	2928	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	99
PID 5012 wrote to memory of 3000	5012	cmd.exe	101
PID 5012 wrote to memory of 3000	5012	cmd.exe	101
PID 5012 wrote to memory of 3000	5012	cmd.exe	101
PID 2928 wrote to memory of 2056	2928	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	106
PID 2928 wrote to memory of 2056	2928	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	106
PID 2928 wrote to memory of 2056	2928	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	106
PID 2928 wrote to memory of 2604	2928	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	108
PID 2928 wrote to memory of 2604	2928	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	108
PID 2928 wrote to memory of 2604	2928	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	108
PID 2928 wrote to memory of 1524	2928	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	110
PID 2928 wrote to memory of 1524	2928	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	110
PID 2928 wrote to memory of 1524	2928	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	110
PID 2928 wrote to memory of 4944	2928	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	112
PID 2928 wrote to memory of 4944	2928	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	112
PID 2928 wrote to memory of 4944	2928	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	112
PID 2928 wrote to memory of 4756	2928	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	114
PID 2928 wrote to memory of 4756	2928	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	114
PID 2928 wrote to memory of 4756	2928	173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe	114
PID 4756 wrote to memory of 2448	4756	cmd.exe	116
PID 4756 wrote to memory of 2448	4756	cmd.exe	116
PID 4756 wrote to memory of 2448	4756	cmd.exe	116

C:\Users\Admin\AppData\Local\Temp\173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe
"C:\Users\Admin\AppData\Local\Temp\173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SysWOW64\diskpart.exe
    diskpart disk 1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reinicio.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -r -t 8
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2448

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1828

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4640

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38df855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
cbead74366938503b3ff92ad434f6f22

SHA1
ac1771be0747caf67e6a509b0e2c0411caa45b74

SHA256
6159cc890a5749a5672c48fab9f4870dcfdbd507634728c29f5825c6050ddde2

SHA512
589e969df9e0c4623ca9e882021f68d957de85143aebc5b362a83c700de3569c64cc3322f4b518bdfc5855e3630c3745910004a921b2df65da1539f2d6eb82ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
23B

MD5
55356dbca07bafdf1047142bdb6723b2

SHA1
cdabcb68dae1d1ac7dab301a05d6d076d28ccb8c

SHA256
1913270e24d752035390649a518afe87943fa297107d742f2b4a4c443ca35285

SHA512
ba52c20120135634c80c39d63a41cceafcae6d53ef7de889492846f5200338038a93f7c9aeeaae85df1250776e3d7b51384661dbe584613cba69537ebe411473

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
6B

MD5
373d5cc730dd449760c437daf3d5a6d5

SHA1
cb97f9f662d25cf7b5092a30138f7a43fe80e803

SHA256
3aa78388a06d8af18054241b5f1370dab815d6344f6c70de2676b7f876cbabac

SHA512
afb44345f9872f947cd1c73a7a9db728944c4d47b0ca25eeb5e7e4e33a57d8467df762feff88a3902ba36a720aad09d41e33c6088360e0b099b4bf5ba0364fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.bat

Filesize
13B

MD5
40a43584ccccdaf0766634be67aeb09c

SHA1
f1393bf1d6eb71f8703918e19f65dd58c9580550

SHA256
84411e63e39fce42977374dd7dca3ff9a74605a5865f7dbc286bfb929af14759

SHA512
3f89ad072a9df464fec8e220c7d26a2cff8fb08fb9a267588396da7ddc8b6e5c2ddcf9262c0ebb6baa92a6dcf100ec10f3a469af2a1e2d29af9e17c3f50739c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.bat

Filesize
17B

MD5
b65ffd49cc304920a12a088785bab529

SHA1
767647cd1fa4d8b633d00829e1b24dcf181076c2

SHA256
760d044760ec106676f4ac76f8cf50ae7e33fa482fced5c024e4f5598e2d2f09

SHA512
c6800a1da7d3010ca0e3ebf97bb7c03caf343e4d090f38dd35378115fa65da5896d7fda7987c34374dafcf18312f382624cf5a3070ac8e66e8251ea79df4efaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.bat

Filesize
13B

MD5
0b0be53db5b104e82c3bb71bd1cf4cfd

SHA1
4f14040cd261a4730bfd96c4ac95698a5b1cb7fc

SHA256
5474221ce9ad0e471a1b3fd9b806490f47f3a63618fc5641c4217c3094013b84

SHA512
f282f0a15cbbd84395534c13727873505f49313bceab751dbb8fd097e7a04b0e6959edf7d72bb10e765c51d5122f98812902169cb156bc2f682f0a32a95e82a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\reinicio.bat

Filesize
16B

MD5
c0f80d321aa72472fc0154cfd140005c

SHA1
6012d51e6035ef92e9f32179eae815459ee4ff5a

SHA256
76763b5fcc2a8c1ffdd1470aff31e19ebaa82592697a0dda4d92bdd2ecff1146

SHA512
2b7e54034f8e322ee9adaa317adea6a4d7062bf059dc3814f5ff990f43130ee09a178b8d402a4964c27dc1e19c97df0c42f4e9877bb9ad0357986822ad3075ab

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads