remcos | 8ace9806930d834c52013f9c58246b45a44381be51c1c53c0e2a5da5adc29a05

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-01-2025 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

u.msi
Size

5.7MB
MD5

f16fddbeda16868ac7935725201c6321
SHA1

6775c120e9607753c83a58006cc435149d2dba91
SHA256

8ace9806930d834c52013f9c58246b45a44381be51c1c53c0e2a5da5adc29a05
SHA512

8cff853d33004c0178b433058cdbf3e7c2dc45c9e00e6704839ff811ca0b8ff49561d44e140b4c311b5620e33f0c9be5ee86404dc6d4608eebf55c87d80dbce5
SSDEEP

98304:WRMYywIk8aXRK6SYAEgrrm5OT24gNVOyj7eo76vS6q4we36MxisVYaA7F4t:ycPc86SvbmAMU1S6q49j0sVZA4t

Score

10^/10

remcos enero 20 muchacha discovery persistence privilege_escalation rat

Malware Config

Extracted

Family

remcos

Botnet

ENERO 20 MUCHACHA

restaurantes.pizzafshaioin.info:5508

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
coimostoda
mouse_option
false
mutex
neocivasne-F0VOCL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 596 set thread context of 2184	596	steamerrorreporter.exe	44

Executes dropped EXE 12 IoCs

pid	Process
2808	ISBEW64.exe
2816	ISBEW64.exe
2760	ISBEW64.exe
3068	ISBEW64.exe
2652	ISBEW64.exe
2880	ISBEW64.exe
560	ISBEW64.exe
1496	ISBEW64.exe
3036	ISBEW64.exe
1368	ISBEW64.exe
2936	steamerrorreporter.exe
596	steamerrorreporter.exe

Loads dropped DLL 30 IoCs

pid	Process
1712	MsiExec.exe
1712	MsiExec.exe
1712	MsiExec.exe
1712	MsiExec.exe
1712	MsiExec.exe
1712	MsiExec.exe
1712	MsiExec.exe
1712	MsiExec.exe
1712	MsiExec.exe
1712	MsiExec.exe
1712	MsiExec.exe
1712	MsiExec.exe
1712	MsiExec.exe
1712	MsiExec.exe
1712	MsiExec.exe
2936	steamerrorreporter.exe
2936	steamerrorreporter.exe
2936	steamerrorreporter.exe
596	steamerrorreporter.exe
596	steamerrorreporter.exe
2184	cmd.exe
2184	cmd.exe
2264	toolcli.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe
1000	WerFault.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3004	msiexec.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1000	2264	WerFault.exe	47

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	toolcli.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2936	steamerrorreporter.exe
596	steamerrorreporter.exe
596	steamerrorreporter.exe
2184	cmd.exe
2184	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
596	steamerrorreporter.exe
2184	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3004	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3004	msiexec.exe
Token: SeRestorePrivilege	2308	msiexec.exe
Token: SeTakeOwnershipPrivilege	2308	msiexec.exe
Token: SeSecurityPrivilege	2308	msiexec.exe
Token: SeCreateTokenPrivilege	3004	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3004	msiexec.exe
Token: SeLockMemoryPrivilege	3004	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3004	msiexec.exe
Token: SeMachineAccountPrivilege	3004	msiexec.exe
Token: SeTcbPrivilege	3004	msiexec.exe
Token: SeSecurityPrivilege	3004	msiexec.exe
Token: SeTakeOwnershipPrivilege	3004	msiexec.exe
Token: SeLoadDriverPrivilege	3004	msiexec.exe
Token: SeSystemProfilePrivilege	3004	msiexec.exe
Token: SeSystemtimePrivilege	3004	msiexec.exe
Token: SeProfSingleProcessPrivilege	3004	msiexec.exe
Token: SeIncBasePriorityPrivilege	3004	msiexec.exe
Token: SeCreatePagefilePrivilege	3004	msiexec.exe
Token: SeCreatePermanentPrivilege	3004	msiexec.exe
Token: SeBackupPrivilege	3004	msiexec.exe
Token: SeRestorePrivilege	3004	msiexec.exe
Token: SeShutdownPrivilege	3004	msiexec.exe
Token: SeDebugPrivilege	3004	msiexec.exe
Token: SeAuditPrivilege	3004	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3004	msiexec.exe
Token: SeChangeNotifyPrivilege	3004	msiexec.exe
Token: SeRemoteShutdownPrivilege	3004	msiexec.exe
Token: SeUndockPrivilege	3004	msiexec.exe
Token: SeSyncAgentPrivilege	3004	msiexec.exe
Token: SeEnableDelegationPrivilege	3004	msiexec.exe
Token: SeManageVolumePrivilege	3004	msiexec.exe
Token: SeImpersonatePrivilege	3004	msiexec.exe
Token: SeCreateGlobalPrivilege	3004	msiexec.exe
Token: SeCreateTokenPrivilege	3004	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3004	msiexec.exe
Token: SeLockMemoryPrivilege	3004	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3004	msiexec.exe
Token: SeMachineAccountPrivilege	3004	msiexec.exe
Token: SeTcbPrivilege	3004	msiexec.exe
Token: SeSecurityPrivilege	3004	msiexec.exe
Token: SeTakeOwnershipPrivilege	3004	msiexec.exe
Token: SeLoadDriverPrivilege	3004	msiexec.exe
Token: SeSystemProfilePrivilege	3004	msiexec.exe
Token: SeSystemtimePrivilege	3004	msiexec.exe
Token: SeProfSingleProcessPrivilege	3004	msiexec.exe
Token: SeIncBasePriorityPrivilege	3004	msiexec.exe
Token: SeCreatePagefilePrivilege	3004	msiexec.exe
Token: SeCreatePermanentPrivilege	3004	msiexec.exe
Token: SeBackupPrivilege	3004	msiexec.exe
Token: SeRestorePrivilege	3004	msiexec.exe
Token: SeShutdownPrivilege	3004	msiexec.exe
Token: SeDebugPrivilege	3004	msiexec.exe
Token: SeAuditPrivilege	3004	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3004	msiexec.exe
Token: SeChangeNotifyPrivilege	3004	msiexec.exe
Token: SeRemoteShutdownPrivilege	3004	msiexec.exe
Token: SeUndockPrivilege	3004	msiexec.exe
Token: SeSyncAgentPrivilege	3004	msiexec.exe
Token: SeEnableDelegationPrivilege	3004	msiexec.exe
Token: SeManageVolumePrivilege	3004	msiexec.exe
Token: SeImpersonatePrivilege	3004	msiexec.exe
Token: SeCreateGlobalPrivilege	3004	msiexec.exe
Token: SeCreateTokenPrivilege	3004	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3004	msiexec.exe
3004	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1712	2308	msiexec.exe	31
PID 2308 wrote to memory of 1712	2308	msiexec.exe	31
PID 2308 wrote to memory of 1712	2308	msiexec.exe	31
PID 2308 wrote to memory of 1712	2308	msiexec.exe	31
PID 2308 wrote to memory of 1712	2308	msiexec.exe	31
PID 2308 wrote to memory of 1712	2308	msiexec.exe	31
PID 2308 wrote to memory of 1712	2308	msiexec.exe	31
PID 1712 wrote to memory of 2808	1712	MsiExec.exe	32
PID 1712 wrote to memory of 2808	1712	MsiExec.exe	32
PID 1712 wrote to memory of 2808	1712	MsiExec.exe	32
PID 1712 wrote to memory of 2808	1712	MsiExec.exe	32
PID 1712 wrote to memory of 2816	1712	MsiExec.exe	33
PID 1712 wrote to memory of 2816	1712	MsiExec.exe	33
PID 1712 wrote to memory of 2816	1712	MsiExec.exe	33
PID 1712 wrote to memory of 2816	1712	MsiExec.exe	33
PID 1712 wrote to memory of 2760	1712	MsiExec.exe	34
PID 1712 wrote to memory of 2760	1712	MsiExec.exe	34
PID 1712 wrote to memory of 2760	1712	MsiExec.exe	34
PID 1712 wrote to memory of 2760	1712	MsiExec.exe	34
PID 1712 wrote to memory of 3068	1712	MsiExec.exe	35
PID 1712 wrote to memory of 3068	1712	MsiExec.exe	35
PID 1712 wrote to memory of 3068	1712	MsiExec.exe	35
PID 1712 wrote to memory of 3068	1712	MsiExec.exe	35
PID 1712 wrote to memory of 2652	1712	MsiExec.exe	36
PID 1712 wrote to memory of 2652	1712	MsiExec.exe	36
PID 1712 wrote to memory of 2652	1712	MsiExec.exe	36
PID 1712 wrote to memory of 2652	1712	MsiExec.exe	36
PID 1712 wrote to memory of 2880	1712	MsiExec.exe	37
PID 1712 wrote to memory of 2880	1712	MsiExec.exe	37
PID 1712 wrote to memory of 2880	1712	MsiExec.exe	37
PID 1712 wrote to memory of 2880	1712	MsiExec.exe	37
PID 1712 wrote to memory of 560	1712	MsiExec.exe	38
PID 1712 wrote to memory of 560	1712	MsiExec.exe	38
PID 1712 wrote to memory of 560	1712	MsiExec.exe	38
PID 1712 wrote to memory of 560	1712	MsiExec.exe	38
PID 1712 wrote to memory of 1496	1712	MsiExec.exe	39
PID 1712 wrote to memory of 1496	1712	MsiExec.exe	39
PID 1712 wrote to memory of 1496	1712	MsiExec.exe	39
PID 1712 wrote to memory of 1496	1712	MsiExec.exe	39
PID 1712 wrote to memory of 3036	1712	MsiExec.exe	40
PID 1712 wrote to memory of 3036	1712	MsiExec.exe	40
PID 1712 wrote to memory of 3036	1712	MsiExec.exe	40
PID 1712 wrote to memory of 3036	1712	MsiExec.exe	40
PID 1712 wrote to memory of 1368	1712	MsiExec.exe	41
PID 1712 wrote to memory of 1368	1712	MsiExec.exe	41
PID 1712 wrote to memory of 1368	1712	MsiExec.exe	41
PID 1712 wrote to memory of 1368	1712	MsiExec.exe	41
PID 1712 wrote to memory of 2936	1712	MsiExec.exe	42
PID 1712 wrote to memory of 2936	1712	MsiExec.exe	42
PID 1712 wrote to memory of 2936	1712	MsiExec.exe	42
PID 1712 wrote to memory of 2936	1712	MsiExec.exe	42
PID 2936 wrote to memory of 596	2936	steamerrorreporter.exe	43
PID 2936 wrote to memory of 596	2936	steamerrorreporter.exe	43
PID 2936 wrote to memory of 596	2936	steamerrorreporter.exe	43
PID 2936 wrote to memory of 596	2936	steamerrorreporter.exe	43
PID 596 wrote to memory of 2184	596	steamerrorreporter.exe	44
PID 596 wrote to memory of 2184	596	steamerrorreporter.exe	44
PID 596 wrote to memory of 2184	596	steamerrorreporter.exe	44
PID 596 wrote to memory of 2184	596	steamerrorreporter.exe	44
PID 596 wrote to memory of 2184	596	steamerrorreporter.exe	44
PID 2184 wrote to memory of 2264	2184	cmd.exe	47
PID 2184 wrote to memory of 2264	2184	cmd.exe	47
PID 2184 wrote to memory of 2264	2184	cmd.exe	47
PID 2184 wrote to memory of 2264	2184	cmd.exe	47

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\u.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3004

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F324B61CE71881A033CED946A75EF8D0 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D42D7AE3-DD00-46DE-AFB4-3B98005BA501}
    3⤵
    - Executes dropped EXE
    PID:2808
- - C:\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{16EA0548-9B63-4A41-97DD-5976A4EFEB1C}
    3⤵
    - Executes dropped EXE
    PID:2816
- - C:\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3DA59818-AB55-40B7-BAFD-ABD617283701}
    3⤵
    - Executes dropped EXE
    PID:2760
- - C:\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E197BD57-DA51-4032-BAD7-75E50E1EE12E}
    3⤵
    - Executes dropped EXE
    PID:3068
- - C:\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{16E092C3-5F1E-4697-9465-9D3D2A9AE361}
    3⤵
    - Executes dropped EXE
    PID:2652
- - C:\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{353B576D-6B6A-458A-881B-D4C1D024CD9B}
    3⤵
    - Executes dropped EXE
    PID:2880
- - C:\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7A860B71-08FD-4084-A845-1E9F42469913}
    3⤵
    - Executes dropped EXE
    PID:560
- - C:\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{27DD065A-4EEA-4027-8D9F-B4E8DF6BD268}
    3⤵
    - Executes dropped EXE
    PID:1496
- - C:\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A9797328-9038-475C-BA15-F1EF16D10145}
    3⤵
    - Executes dropped EXE
    PID:3036
- - C:\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8ACEBF9E-669B-4BEC-897A-567057E9BB68}
    3⤵
    - Executes dropped EXE
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\{574A0140-A8A8-4306-B627-22A7C2C73F43}\steamerrorreporter.exe
    C:\Users\Admin\AppData\Local\Temp\{574A0140-A8A8-4306-B627-22A7C2C73F43}\steamerrorreporter.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Users\Admin\AppData\Roaming\checkfirefox\steamerrorreporter.exe
      C:\Users\Admin\AppData\Roaming\checkfirefox\steamerrorreporter.exe
      4⤵
      Suspicious use of SetThreadContext
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2184
      - C:\Users\Admin\AppData\Local\Temp\toolcli.exe
        
        C:\Users\Admin\AppData\Local\Temp\toolcli.exe
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 172
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\74918f5d

Filesize
1.6MB

MD5
d99710aed6d11484ee87e150ae177975

SHA1
6221af5771c02e8d548a56af48646db53f9c6ce1

SHA256
782b0d683812efbe0c14e3c795a83115404ce84ec2ccc07f3ae30f80b6a7842a

SHA512
dddb9174041827030eeb3eeac41dc6b4e36679093adeaff697a39cbe1bcb659524678acc8261910feb16f779e2b342d677a83deb7e8d1941153d347c10574748

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA0B2.tmp

Filesize
171KB

MD5
a0e940a3d3c1523416675125e3b0c07e

SHA1
2e29eeba6da9a4023bc8071158feee3b0277fd1b

SHA256
b8fa7aa425e4084ea3721780a13d11e08b8d53d1c5414b73f22faeca1bfd314f

SHA512
736ea06824388372aeef1938c6b11e66f4595e0b0589d7b4a87ff4abbabe52e82dff64d916293eab47aa869cf372ced2c66755dd8a8471b2ab0d3a37ba91d0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA14F.tmp

Filesize
2.5MB

MD5
d1ce6e4950f990b88117cd4ff1bf08c9

SHA1
0d15ffaea45f3bdd3f380321e679ee6e082cdfd0

SHA256
b7e914b990435e23a68bb741c2ef33c7e37aefd4d4167427641a83f2bbb773ee

SHA512
1a66f061793822bda9052c549aae5879726ee35a7de0943e1752f4801c5d1e47d99b87d2f74a7c818856f2a8e44db0603107d5becf9ae2d8ff776552f5fd77e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISBEW64.exe

Filesize
178KB

MD5
40f3a092744e46f3531a40b917cca81e

SHA1
c73f62a44cb3a75933cecf1be73a48d0d623039b

SHA256
561f14cdece85b38617403e1c525ff0b1b752303797894607a4615d0bd66f97f

SHA512
1589b27db29051c772e5ba56953d9f798efbf74d75e0524fa8569df092d28960972779811a7916198d0707d35b1093d3e0dd7669a8179c412cfa7df7120733b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{574A0140-A8A8-4306-B627-22A7C2C73F43}\roadhouse.zip

Filesize
53KB

MD5
b0390294d22d4775820b22226830ff32

SHA1
36359349e41242960fcc1886963fec7303a046fa

SHA256
fe74fbf9d036721b7b1a7ed2ce14b351cbff58d13b4d1b0ac2a47e9884a4e846

SHA512
da0d08fd4691f1d06ec9e538f14680182a373b1160ae9bf28c22e86c0e472f1647962a5dc036e998c2497e18028ad613f8294845734bec6db900b72b3295a80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{574A0140-A8A8-4306-B627-22A7C2C73F43}\scruple.ics

Filesize
1.1MB

MD5
9a8ca04113c9d851ac054c3454e055cc

SHA1
d3239cb8f59c532189414c425bbb8498b241a91c

SHA256
de0dfe1ffe33c85556900be396bfbd768d312c35ccdd90b875fee310a15cc8e6

SHA512
db6c43d01d55edad0c8a3a27ef2196e95515c744c12af2076bfb260c2c3da4795465ed2574f7b05269ab7f6fe2a35fb843de56cf3a67ba6b06c22012d895c5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{574A0140-A8A8-4306-B627-22A7C2C73F43}\tier0_s.dll

Filesize
330KB

MD5
2ef38c233e7aa6377c668b43d5c2caf9

SHA1
07442db44a4be4e7c8fb639979a4e3579337dc30

SHA256
1d6d62e7087cdbb9bed9898059b27e4f07151b5381404119ad7377cc89be9bbc

SHA512
38f9d132d3b5fa1ad9a450463f4f4809a6488c0435bc70265753412f92f1c3e8405d3a2007e7bb852e2aa3847ebc237e2eb44062c13d810ffaa84afaf2854533

Download Submit
C:\Users\Admin\AppData\Local\Temp\{574A0140-A8A8-4306-B627-22A7C2C73F43}\vstdlib_s.dll

Filesize
530KB

MD5
bf433279dfa1820d93ef9417fceaf306

SHA1
21dfda7d0ce11dba8f786c72d0a4db1dd3a82308

SHA256
3fa60435cba38c85310eeba1032bf1d305aeea2e4cf890c17966366d63d43963

SHA512
dd1823f68a25cb9d25d125267e9ea4fb0803ec0133b5fd183cf0d832ad1dceca53a8a7d4d79b94ce0b67ef3050334373ec80c211fa1ff8888c4a724d64a1b250

Download Submit
\Users\Admin\AppData\Local\Temp\toolcli.exe

Filesize
433KB

MD5
fea067901f48a5f1faf7ca3b373f1a8f

SHA1
e8abe0deb87de9fe3bb3a611234584e9a9b17cce

SHA256
bf24b2f3e3a3c60ed116791b99e5421a4de34ac9c6e2201d34ab487e448ce152

SHA512
07c83a2d3d5dd475bc8aa48eba9b03e8fb742dbbd7bd623ed05dc1086efed7dfd1c1b8f037ee2e81efba1de58ea3243d7c84ac8b484e808cd28765f9c7517023

Download Submit
\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\ISRT.dll

Filesize
426KB

MD5
8af02bf8e358e11caec4f2e7884b43cc

SHA1
16badc6c610eeb08de121ab268093dd36b56bf27

SHA256
58a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e

SHA512
d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd

Download Submit
\Users\Admin\AppData\Local\Temp\{37134155-1944-4667-A9B9-58B9FF39D48B}\_isres_0x0409.dll

Filesize
1.8MB

MD5
7de024bc275f9cdeaf66a865e6fd8e58

SHA1
5086e4a26f9b80699ea8d9f2a33cead28a1819c0

SHA256
bd32468ee7e8885323f22eabbff9763a0f6ffef3cc151e0bd0481df5888f4152

SHA512
191c57e22ea13d13806dd390c4039029d40c7532918618d185d8a627aabc3969c7af2e532e3c933bde8f652b4723d951bf712e9ba0cc0d172dde693012f5ef1a

Download Submit
\Users\Admin\AppData\Local\Temp\{574A0140-A8A8-4306-B627-22A7C2C73F43}\steamerrorreporter.exe

Filesize
560KB

MD5
dc1681b98049f1df46dd10d7f4c26045

SHA1
4c7f5cf7c00b6139979f8aa41f46979666369224

SHA256
594f9853124e0a81deeaaecb8ec3d192169e7393778214ef6d8f6460450ef080

SHA512
c9a2086326acbab8aba801da0d8bd2aa06951ec7fd7f32a3150f9521498c0b6711552695fbf9d0de7668503630c508bcd68e1d715796ef34f9945035da3fe1ed

Download Submit
memory/596-92-0x0000000074570000-0x00000000746E4000-memory.dmp

Filesize
1.5MB

Download
memory/596-93-0x0000000076D60000-0x0000000076F09000-memory.dmp

Filesize
1.7MB

Download
memory/596-94-0x0000000074570000-0x00000000746E4000-memory.dmp

Filesize
1.5MB

Download
memory/1712-40-0x0000000002ED0000-0x0000000003097000-memory.dmp

Filesize
1.8MB

Download
memory/1712-37-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/2184-97-0x0000000076D60000-0x0000000076F09000-memory.dmp

Filesize
1.7MB

Download
memory/2184-98-0x0000000074570000-0x00000000746E4000-memory.dmp

Filesize
1.5MB

Download
memory/2184-106-0x0000000074570000-0x00000000746E4000-memory.dmp

Filesize
1.5MB

Download
memory/2264-114-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2264-115-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2264-117-0x00000000000B0000-0x0000000000131000-memory.dmp

Filesize
516KB

Download
memory/2264-126-0x00000000000B0000-0x0000000000131000-memory.dmp

Filesize
516KB

Download
memory/2936-65-0x0000000076D60000-0x0000000076F09000-memory.dmp

Filesize
1.7MB

Download
memory/2936-64-0x00000000736F0000-0x0000000073864000-memory.dmp

Filesize
1.5MB

Download