Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20250113-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 17/01/2025, 18:55
Static task: static1
Behavioral task: behavioral1
Sample: formulario_agendamiento_citas.msi
Resource: win10ltsc2021-20250113-en
General
Target: formulario_agendamiento_citas.msi
Size: 5.1MB
MD5: b0b0ce5887fe4e050976eb7b6dcca652
SHA1: f1b214aa8d48ed152dfe93e897b871751363f0c2
SHA256: 8e6981d8311dae27119abc5f7a20989372cae47881f7c746c880decef4dfc3b3
SHA512: 611344cc69e0560684cf65f94f243a7402c769e8668a15c9a3eda12ca61839c765612bc10ba812e11163fd6de4fdb0b105210d8065d241f40b4a732268007c40
SSDEEP: 98304:6ZR9azHni3R3ousBqztSdq0doM+a76WmUydgul2bajywVmBTfnCAwvnZJ:6ZnaiG3Bq5UPRrul4imRnClv
Malware Config
Extracted
family: remcos
botnet: NOVIEMBRE 13 MUCHACHA
c2: imaxatmonk.imaxatmonk.com:2204
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: Acobatlg.exe
copy_folder: edqelofh
delete_file: false
hide_file: true
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: vlitanhs
mouse_option: false
mutex: necoclior-AOS1YP
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
- Remcos family
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 3736 set thread context of 4984 | 3736 | Mp3tag.exe | 93
- Drops file in Windows directory (8 IoCs)
  description | ioc | Process
  File created | C:\Windows\Installer\e578a9e.msi | msiexec.exe
  File created | C:\Windows\Installer\e578a9c.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e578a9c.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{A2D5B6FB-42D3-467E-8F1A-4F9320A68712} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI8B58.tmp | msiexec.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  3924 | Mp3tag.exe
  3736 | Mp3tag.exe
- Loads dropped DLL (5 IoCs)
  pid | Process
  3924 | Mp3tag.exe
  3924 | Mp3tag.exe
  3736 | Mp3tag.exe
  3736 | Mp3tag.exe
  3404 | LmaSystemv5.exe
- Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  pid | Process
  2688 | msiexec.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LmaSystemv5.exe
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value elided) | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid | Process
  2424 | msiexec.exe
  2424 | msiexec.exe
  3924 | Mp3tag.exe
  3736 | Mp3tag.exe
  3736 | Mp3tag.exe
  4984 | cmd.exe
  4984 | cmd.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid | Process
  3736 | Mp3tag.exe
  4984 | cmd.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 2688 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2688 | msiexec.exe
  Token: SeSecurityPrivilege | 2424 | msiexec.exe
  Token: SeCreateTokenPrivilege | 2688 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 2688 | msiexec.exe
  Token: SeLockMemoryPrivilege | 2688 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2688 | msiexec.exe
  Token: SeMachineAccountPrivilege | 2688 | msiexec.exe
  Token: SeTcbPrivilege | 2688 | msiexec.exe
  Token: SeSecurityPrivilege | 2688 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2688 | msiexec.exe
  Token: SeLoadDriverPrivilege | 2688 | msiexec.exe
  Token: SeSystemProfilePrivilege | 2688 | msiexec.exe
  Token: SeSystemtimePrivilege | 2688 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 2688 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 2688 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 2688 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 2688 | msiexec.exe
  Token: SeBackupPrivilege | 2688 | msiexec.exe
  Token: SeRestorePrivilege | 2688 | msiexec.exe
  Token: SeShutdownPrivilege | 2688 | msiexec.exe
  Token: SeDebugPrivilege | 2688 | msiexec.exe
  Token: SeAuditPrivilege | 2688 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 2688 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 2688 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 2688 | msiexec.exe
  Token: SeUndockPrivilege | 2688 | msiexec.exe
  Token: SeSyncAgentPrivilege | 2688 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 2688 | msiexec.exe
  Token: SeManageVolumePrivilege | 2688 | msiexec.exe
  Token: SeImpersonatePrivilege | 2688 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 2688 | msiexec.exe
  Token: SeBackupPrivilege | 3860 | vssvc.exe
  Token: SeRestorePrivilege | 3860 | vssvc.exe
  Token: SeAuditPrivilege | 3860 | vssvc.exe
  Token: SeBackupPrivilege | 2424 | msiexec.exe
  Token: SeRestorePrivilege | 2424 | msiexec.exe
  Token: SeRestorePrivilege | 2424 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2424 | msiexec.exe
  Token: SeRestorePrivilege | 2424 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2424 | msiexec.exe
  Token: SeRestorePrivilege | 2424 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2424 | msiexec.exe
  Token: SeRestorePrivilege | 2424 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2424 | msiexec.exe
  Token: SeRestorePrivilege | 2424 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2424 | msiexec.exe
  Token: SeRestorePrivilege | 2424 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2424 | msiexec.exe
  Token: SeRestorePrivilege | 2424 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2424 | msiexec.exe
  Token: SeRestorePrivilege | 2424 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2424 | msiexec.exe
  Token: SeRestorePrivilege | 2424 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2424 | msiexec.exe
  Token: SeRestorePrivilege | 2424 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2424 | msiexec.exe
  Token: SeRestorePrivilege | 2424 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2424 | msiexec.exe
  Token: SeRestorePrivilege | 2424 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2424 | msiexec.exe
  Token: SeRestorePrivilege | 2424 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2424 | msiexec.exe
  Token: SeRestorePrivilege | 2424 | msiexec.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  2688 | msiexec.exe
  2688 | msiexec.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  3404 | LmaSystemv5.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 2424 wrote to memory of 2244 | 2424 | msiexec.exe | 89
  PID 2424 wrote to memory of 2244 | 2424 | msiexec.exe | 89
  PID 2424 wrote to memory of 3924 | 2424 | msiexec.exe | 91
  PID 2424 wrote to memory of 3924 | 2424 | msiexec.exe | 91
  PID 3924 wrote to memory of 3736 | 3924 | Mp3tag.exe | 92
  PID 3924 wrote to memory of 3736 | 3924 | Mp3tag.exe | 92
  PID 3736 wrote to memory of 4984 | 3736 | Mp3tag.exe | 93
  PID 3736 wrote to memory of 4984 | 3736 | Mp3tag.exe | 93
  PID 3736 wrote to memory of 4984 | 3736 | Mp3tag.exe | 93
  PID 3736 wrote to memory of 4984 | 3736 | Mp3tag.exe | 93
  PID 4984 wrote to memory of 3404 | 4984 | cmd.exe | 97
  PID 4984 wrote to memory of 3404 | 4984 | cmd.exe | 97
  PID 4984 wrote to memory of 3404 | 4984 | cmd.exe | 97
  PID 4984 wrote to memory of 3404 | 4984 | cmd.exe | 97
  PID 4984 wrote to memory of 3404 | 4984 | cmd.exe | 97
  PID 4984 wrote to memory of 3404 | 4984 | cmd.exe | 97
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\formulario_agendamiento_citas.msi
  PID: 2688
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2424
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4
    PID: 2244
  - C:\Users\Admin\AppData\Local\Temp\Kerb\Mp3tag.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Kerb\Mp3tag.exe"
    PID: 3924
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Authload_2\Mp3tag.exe
      Command line: C:\Users\Admin\AppData\Roaming\Authload_2\Mp3tag.exe
      PID: 3736
      - Suspicious use of SetThreadContext
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\SysWOW64\cmd.exe
        PID: 4984
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\LmaSystemv5.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\LmaSystemv5.exe
          PID: 3404
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3860
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Downloads