remcos | 8ace9806930d834c52013f9c58246b45a44381be51c1c53c0e2a5da5adc29a05

Resubmissions

27-01-2025 17:18

250127-vvcw5azlbp 10

27-01-2025 16:17

250127-trs89swrcs 10

Analysis

max time kernel
148s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-01-2025 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

u.msi
Size

5.7MB
MD5

f16fddbeda16868ac7935725201c6321
SHA1

6775c120e9607753c83a58006cc435149d2dba91
SHA256

8ace9806930d834c52013f9c58246b45a44381be51c1c53c0e2a5da5adc29a05
SHA512

8cff853d33004c0178b433058cdbf3e7c2dc45c9e00e6704839ff811ca0b8ff49561d44e140b4c311b5620e33f0c9be5ee86404dc6d4608eebf55c87d80dbce5
SSDEEP

98304:WRMYywIk8aXRK6SYAEgrrm5OT24gNVOyj7eo76vS6q4we36MxisVYaA7F4t:ycPc86SvbmAMU1S6q49j0sVZA4t

Score

10^/10

remcos enero 20 muchacha discovery persistence privilege_escalation rat

Malware Config

Extracted

Family

remcos

Botnet

ENERO 20 MUCHACHA

restaurantes.pizzafshaioin.info:5508

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
coimostoda
mouse_option
false
mutex
neocivasne-F0VOCL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1472 set thread context of 2636	1472	steamerrorreporter.exe	44

Executes dropped EXE 12 IoCs

pid	Process
2824	ISBEW64.exe
2732	ISBEW64.exe
2244	ISBEW64.exe
2792	ISBEW64.exe
2652	ISBEW64.exe
2656	ISBEW64.exe
1264	ISBEW64.exe
1100	ISBEW64.exe
2924	ISBEW64.exe
752	ISBEW64.exe
2908	steamerrorreporter.exe
1472	steamerrorreporter.exe

Loads dropped DLL 23 IoCs

pid	Process
2328	MsiExec.exe
2328	MsiExec.exe
2328	MsiExec.exe
2328	MsiExec.exe
2328	MsiExec.exe
2328	MsiExec.exe
2328	MsiExec.exe
2328	MsiExec.exe
2328	MsiExec.exe
2328	MsiExec.exe
2328	MsiExec.exe
2328	MsiExec.exe
2328	MsiExec.exe
2328	MsiExec.exe
2328	MsiExec.exe
2908	steamerrorreporter.exe
2908	steamerrorreporter.exe
2908	steamerrorreporter.exe
1472	steamerrorreporter.exe
1472	steamerrorreporter.exe
2636	cmd.exe
2636	cmd.exe
2988	toolcli.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2492	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	toolcli.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2908	steamerrorreporter.exe
1472	steamerrorreporter.exe
1472	steamerrorreporter.exe
2636	cmd.exe
2636	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2988	toolcli.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1472	steamerrorreporter.exe
2636	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2492	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2492	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeSecurityPrivilege	2460	msiexec.exe
Token: SeCreateTokenPrivilege	2492	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2492	msiexec.exe
Token: SeLockMemoryPrivilege	2492	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2492	msiexec.exe
Token: SeMachineAccountPrivilege	2492	msiexec.exe
Token: SeTcbPrivilege	2492	msiexec.exe
Token: SeSecurityPrivilege	2492	msiexec.exe
Token: SeTakeOwnershipPrivilege	2492	msiexec.exe
Token: SeLoadDriverPrivilege	2492	msiexec.exe
Token: SeSystemProfilePrivilege	2492	msiexec.exe
Token: SeSystemtimePrivilege	2492	msiexec.exe
Token: SeProfSingleProcessPrivilege	2492	msiexec.exe
Token: SeIncBasePriorityPrivilege	2492	msiexec.exe
Token: SeCreatePagefilePrivilege	2492	msiexec.exe
Token: SeCreatePermanentPrivilege	2492	msiexec.exe
Token: SeBackupPrivilege	2492	msiexec.exe
Token: SeRestorePrivilege	2492	msiexec.exe
Token: SeShutdownPrivilege	2492	msiexec.exe
Token: SeDebugPrivilege	2492	msiexec.exe
Token: SeAuditPrivilege	2492	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2492	msiexec.exe
Token: SeChangeNotifyPrivilege	2492	msiexec.exe
Token: SeRemoteShutdownPrivilege	2492	msiexec.exe
Token: SeUndockPrivilege	2492	msiexec.exe
Token: SeSyncAgentPrivilege	2492	msiexec.exe
Token: SeEnableDelegationPrivilege	2492	msiexec.exe
Token: SeManageVolumePrivilege	2492	msiexec.exe
Token: SeImpersonatePrivilege	2492	msiexec.exe
Token: SeCreateGlobalPrivilege	2492	msiexec.exe
Token: SeCreateTokenPrivilege	2492	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2492	msiexec.exe
Token: SeLockMemoryPrivilege	2492	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2492	msiexec.exe
Token: SeMachineAccountPrivilege	2492	msiexec.exe
Token: SeTcbPrivilege	2492	msiexec.exe
Token: SeSecurityPrivilege	2492	msiexec.exe
Token: SeTakeOwnershipPrivilege	2492	msiexec.exe
Token: SeLoadDriverPrivilege	2492	msiexec.exe
Token: SeSystemProfilePrivilege	2492	msiexec.exe
Token: SeSystemtimePrivilege	2492	msiexec.exe
Token: SeProfSingleProcessPrivilege	2492	msiexec.exe
Token: SeIncBasePriorityPrivilege	2492	msiexec.exe
Token: SeCreatePagefilePrivilege	2492	msiexec.exe
Token: SeCreatePermanentPrivilege	2492	msiexec.exe
Token: SeBackupPrivilege	2492	msiexec.exe
Token: SeRestorePrivilege	2492	msiexec.exe
Token: SeShutdownPrivilege	2492	msiexec.exe
Token: SeDebugPrivilege	2492	msiexec.exe
Token: SeAuditPrivilege	2492	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2492	msiexec.exe
Token: SeChangeNotifyPrivilege	2492	msiexec.exe
Token: SeRemoteShutdownPrivilege	2492	msiexec.exe
Token: SeUndockPrivilege	2492	msiexec.exe
Token: SeSyncAgentPrivilege	2492	msiexec.exe
Token: SeEnableDelegationPrivilege	2492	msiexec.exe
Token: SeManageVolumePrivilege	2492	msiexec.exe
Token: SeImpersonatePrivilege	2492	msiexec.exe
Token: SeCreateGlobalPrivilege	2492	msiexec.exe
Token: SeCreateTokenPrivilege	2492	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2492	msiexec.exe
2492	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2988	toolcli.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2328	2460	msiexec.exe	31
PID 2460 wrote to memory of 2328	2460	msiexec.exe	31
PID 2460 wrote to memory of 2328	2460	msiexec.exe	31
PID 2460 wrote to memory of 2328	2460	msiexec.exe	31
PID 2460 wrote to memory of 2328	2460	msiexec.exe	31
PID 2460 wrote to memory of 2328	2460	msiexec.exe	31
PID 2460 wrote to memory of 2328	2460	msiexec.exe	31
PID 2328 wrote to memory of 2824	2328	MsiExec.exe	32
PID 2328 wrote to memory of 2824	2328	MsiExec.exe	32
PID 2328 wrote to memory of 2824	2328	MsiExec.exe	32
PID 2328 wrote to memory of 2824	2328	MsiExec.exe	32
PID 2328 wrote to memory of 2732	2328	MsiExec.exe	33
PID 2328 wrote to memory of 2732	2328	MsiExec.exe	33
PID 2328 wrote to memory of 2732	2328	MsiExec.exe	33
PID 2328 wrote to memory of 2732	2328	MsiExec.exe	33
PID 2328 wrote to memory of 2244	2328	MsiExec.exe	34
PID 2328 wrote to memory of 2244	2328	MsiExec.exe	34
PID 2328 wrote to memory of 2244	2328	MsiExec.exe	34
PID 2328 wrote to memory of 2244	2328	MsiExec.exe	34
PID 2328 wrote to memory of 2792	2328	MsiExec.exe	35
PID 2328 wrote to memory of 2792	2328	MsiExec.exe	35
PID 2328 wrote to memory of 2792	2328	MsiExec.exe	35
PID 2328 wrote to memory of 2792	2328	MsiExec.exe	35
PID 2328 wrote to memory of 2652	2328	MsiExec.exe	36
PID 2328 wrote to memory of 2652	2328	MsiExec.exe	36
PID 2328 wrote to memory of 2652	2328	MsiExec.exe	36
PID 2328 wrote to memory of 2652	2328	MsiExec.exe	36
PID 2328 wrote to memory of 2656	2328	MsiExec.exe	37
PID 2328 wrote to memory of 2656	2328	MsiExec.exe	37
PID 2328 wrote to memory of 2656	2328	MsiExec.exe	37
PID 2328 wrote to memory of 2656	2328	MsiExec.exe	37
PID 2328 wrote to memory of 1264	2328	MsiExec.exe	38
PID 2328 wrote to memory of 1264	2328	MsiExec.exe	38
PID 2328 wrote to memory of 1264	2328	MsiExec.exe	38
PID 2328 wrote to memory of 1264	2328	MsiExec.exe	38
PID 2328 wrote to memory of 1100	2328	MsiExec.exe	39
PID 2328 wrote to memory of 1100	2328	MsiExec.exe	39
PID 2328 wrote to memory of 1100	2328	MsiExec.exe	39
PID 2328 wrote to memory of 1100	2328	MsiExec.exe	39
PID 2328 wrote to memory of 2924	2328	MsiExec.exe	40
PID 2328 wrote to memory of 2924	2328	MsiExec.exe	40
PID 2328 wrote to memory of 2924	2328	MsiExec.exe	40
PID 2328 wrote to memory of 2924	2328	MsiExec.exe	40
PID 2328 wrote to memory of 752	2328	MsiExec.exe	41
PID 2328 wrote to memory of 752	2328	MsiExec.exe	41
PID 2328 wrote to memory of 752	2328	MsiExec.exe	41
PID 2328 wrote to memory of 752	2328	MsiExec.exe	41
PID 2328 wrote to memory of 2908	2328	MsiExec.exe	42
PID 2328 wrote to memory of 2908	2328	MsiExec.exe	42
PID 2328 wrote to memory of 2908	2328	MsiExec.exe	42
PID 2328 wrote to memory of 2908	2328	MsiExec.exe	42
PID 2908 wrote to memory of 1472	2908	steamerrorreporter.exe	43
PID 2908 wrote to memory of 1472	2908	steamerrorreporter.exe	43
PID 2908 wrote to memory of 1472	2908	steamerrorreporter.exe	43
PID 2908 wrote to memory of 1472	2908	steamerrorreporter.exe	43
PID 1472 wrote to memory of 2636	1472	steamerrorreporter.exe	44
PID 1472 wrote to memory of 2636	1472	steamerrorreporter.exe	44
PID 1472 wrote to memory of 2636	1472	steamerrorreporter.exe	44
PID 1472 wrote to memory of 2636	1472	steamerrorreporter.exe	44
PID 1472 wrote to memory of 2636	1472	steamerrorreporter.exe	44
PID 2636 wrote to memory of 2988	2636	cmd.exe	47
PID 2636 wrote to memory of 2988	2636	cmd.exe	47
PID 2636 wrote to memory of 2988	2636	cmd.exe	47
PID 2636 wrote to memory of 2988	2636	cmd.exe	47

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\u.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2492

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 858EAD243C38A5CFD08181A471E9D096 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{395F4675-84F6-4F7B-89C7-E2C83C44A719}
    3⤵
    - Executes dropped EXE
    PID:2824
- - C:\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5E514375-149C-4330-ABC9-C1A8827B21D6}
    3⤵
    - Executes dropped EXE
    PID:2732
- - C:\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3AB26B34-1513-4698-A376-7A3FAA4290B2}
    3⤵
    - Executes dropped EXE
    PID:2244
- - C:\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B7E35381-C3E0-4B99-A5F4-0E1C64DD403F}
    3⤵
    - Executes dropped EXE
    PID:2792
- - C:\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{08ACA68A-74DE-4346-A0A0-6FAE3381ABD9}
    3⤵
    - Executes dropped EXE
    PID:2652
- - C:\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ED4198E8-FC81-4390-B1E6-BC354A4D7FAE}
    3⤵
    - Executes dropped EXE
    PID:2656
- - C:\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{93D1986B-2D5D-4166-9639-5F19A82BC2DC}
    3⤵
    - Executes dropped EXE
    PID:1264
- - C:\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3B92BB31-A2BA-412D-AE94-D8AE4A9B8868}
    3⤵
    - Executes dropped EXE
    PID:1100
- - C:\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3111EE5D-E142-49E8-BB71-F7A43E3E02F0}
    3⤵
    - Executes dropped EXE
    PID:2924
- - C:\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E32FD3BE-8E3D-402D-9B25-A294DB7FB48D}
    3⤵
    - Executes dropped EXE
    PID:752
- - C:\Users\Admin\AppData\Local\Temp\{574A0140-A8A8-4306-B627-22A7C2C73F43}\steamerrorreporter.exe
    C:\Users\Admin\AppData\Local\Temp\{574A0140-A8A8-4306-B627-22A7C2C73F43}\steamerrorreporter.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Users\Admin\AppData\Roaming\checkfirefox\steamerrorreporter.exe
      C:\Users\Admin\AppData\Roaming\checkfirefox\steamerrorreporter.exe
      4⤵
      Suspicious use of SetThreadContext
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Users\Admin\AppData\Local\Temp\toolcli.exe
        
        C:\Users\Admin\AppData\Local\Temp\toolcli.exe
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\coimostoda\logs.dat

Filesize
144B

MD5
5e6b8e11947860a87477152036c7505c

SHA1
48b40ca63154259924fe9673008e8569b1e487e3

SHA256
91c923aab1339c29fe146fc19a123cf5a54bee8ee1e5a7cc4194b7e24665c29e

SHA512
ffafd6e7a787dfae396fc095c13bad57aa7cd3ee5f899962cf7f74563a52347a8fd2af1c941e9678e296b5996ce07b3adcbb99933bab134b6de2ce937eeef8a6

Download Submit
C:\ProgramData\coimostoda\logs.dat

Filesize
230B

MD5
8699372644c7ef3767e6386a7f4ce686

SHA1
b2dc70a995996d992b273ebbd3f21a00c620bf33

SHA256
515b4e2d6cb297f32ebb24f8f15a32f9386b66d45158e8e36348f362a09c5c98

SHA512
45b6c0d502e0cc4e570d4e9a90604710ac33fef57b06a23c931e20048153df38d41ac6c528995f5d71487957d134a21a639249d1e896071e7b2638e8addf081e

Download Submit
C:\Users\Admin\AppData\Local\Temp\695e0e49

Filesize
1.6MB

MD5
ec8d5eaf89973947f138c046a2982f8e

SHA1
0566a0d3f01a656c9c1b082be602940824e36903

SHA256
cabc46c21ef4f1396997b3ceb3f983148f8bb8dcf895e8ad23bbf172c457d9fc

SHA512
a2a3f46da359ef9cf9a04e4059f4bc034d311731f2f49d1ae0e0a5f96d6b11e66ec194f9f769a55cce7e99f2f0b386e609f861624ec880a5a029789124364029

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9AB9.tmp

Filesize
171KB

MD5
a0e940a3d3c1523416675125e3b0c07e

SHA1
2e29eeba6da9a4023bc8071158feee3b0277fd1b

SHA256
b8fa7aa425e4084ea3721780a13d11e08b8d53d1c5414b73f22faeca1bfd314f

SHA512
736ea06824388372aeef1938c6b11e66f4595e0b0589d7b4a87ff4abbabe52e82dff64d916293eab47aa869cf372ced2c66755dd8a8471b2ab0d3a37ba91d0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9B66.tmp

Filesize
2.5MB

MD5
d1ce6e4950f990b88117cd4ff1bf08c9

SHA1
0d15ffaea45f3bdd3f380321e679ee6e082cdfd0

SHA256
b7e914b990435e23a68bb741c2ef33c7e37aefd4d4167427641a83f2bbb773ee

SHA512
1a66f061793822bda9052c549aae5879726ee35a7de0943e1752f4801c5d1e47d99b87d2f74a7c818856f2a8e44db0603107d5becf9ae2d8ff776552f5fd77e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{574A0140-A8A8-4306-B627-22A7C2C73F43}\roadhouse.zip

Filesize
53KB

MD5
b0390294d22d4775820b22226830ff32

SHA1
36359349e41242960fcc1886963fec7303a046fa

SHA256
fe74fbf9d036721b7b1a7ed2ce14b351cbff58d13b4d1b0ac2a47e9884a4e846

SHA512
da0d08fd4691f1d06ec9e538f14680182a373b1160ae9bf28c22e86c0e472f1647962a5dc036e998c2497e18028ad613f8294845734bec6db900b72b3295a80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{574A0140-A8A8-4306-B627-22A7C2C73F43}\scruple.ics

Filesize
1.1MB

MD5
9a8ca04113c9d851ac054c3454e055cc

SHA1
d3239cb8f59c532189414c425bbb8498b241a91c

SHA256
de0dfe1ffe33c85556900be396bfbd768d312c35ccdd90b875fee310a15cc8e6

SHA512
db6c43d01d55edad0c8a3a27ef2196e95515c744c12af2076bfb260c2c3da4795465ed2574f7b05269ab7f6fe2a35fb843de56cf3a67ba6b06c22012d895c5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{574A0140-A8A8-4306-B627-22A7C2C73F43}\vstdlib_s.dll

Filesize
530KB

MD5
bf433279dfa1820d93ef9417fceaf306

SHA1
21dfda7d0ce11dba8f786c72d0a4db1dd3a82308

SHA256
3fa60435cba38c85310eeba1032bf1d305aeea2e4cf890c17966366d63d43963

SHA512
dd1823f68a25cb9d25d125267e9ea4fb0803ec0133b5fd183cf0d832ad1dceca53a8a7d4d79b94ce0b67ef3050334373ec80c211fa1ff8888c4a724d64a1b250

Download Submit
\Users\Admin\AppData\Local\Temp\toolcli.exe

Filesize
433KB

MD5
fea067901f48a5f1faf7ca3b373f1a8f

SHA1
e8abe0deb87de9fe3bb3a611234584e9a9b17cce

SHA256
bf24b2f3e3a3c60ed116791b99e5421a4de34ac9c6e2201d34ab487e448ce152

SHA512
07c83a2d3d5dd475bc8aa48eba9b03e8fb742dbbd7bd623ed05dc1086efed7dfd1c1b8f037ee2e81efba1de58ea3243d7c84ac8b484e808cd28765f9c7517023

Download Submit
\Users\Admin\AppData\Local\Temp\{574A0140-A8A8-4306-B627-22A7C2C73F43}\steamerrorreporter.exe

Filesize
560KB

MD5
dc1681b98049f1df46dd10d7f4c26045

SHA1
4c7f5cf7c00b6139979f8aa41f46979666369224

SHA256
594f9853124e0a81deeaaecb8ec3d192169e7393778214ef6d8f6460450ef080

SHA512
c9a2086326acbab8aba801da0d8bd2aa06951ec7fd7f32a3150f9521498c0b6711552695fbf9d0de7668503630c508bcd68e1d715796ef34f9945035da3fe1ed

Download Submit
\Users\Admin\AppData\Local\Temp\{574A0140-A8A8-4306-B627-22A7C2C73F43}\tier0_s.dll

Filesize
330KB

MD5
2ef38c233e7aa6377c668b43d5c2caf9

SHA1
07442db44a4be4e7c8fb639979a4e3579337dc30

SHA256
1d6d62e7087cdbb9bed9898059b27e4f07151b5381404119ad7377cc89be9bbc

SHA512
38f9d132d3b5fa1ad9a450463f4f4809a6488c0435bc70265753412f92f1c3e8405d3a2007e7bb852e2aa3847ebc237e2eb44062c13d810ffaa84afaf2854533

Download Submit
\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISBEW64.exe

Filesize
178KB

MD5
40f3a092744e46f3531a40b917cca81e

SHA1
c73f62a44cb3a75933cecf1be73a48d0d623039b

SHA256
561f14cdece85b38617403e1c525ff0b1b752303797894607a4615d0bd66f97f

SHA512
1589b27db29051c772e5ba56953d9f798efbf74d75e0524fa8569df092d28960972779811a7916198d0707d35b1093d3e0dd7669a8179c412cfa7df7120733b2

Download Submit
\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\ISRT.dll

Filesize
426KB

MD5
8af02bf8e358e11caec4f2e7884b43cc

SHA1
16badc6c610eeb08de121ab268093dd36b56bf27

SHA256
58a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e

SHA512
d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd

Download Submit
\Users\Admin\AppData\Local\Temp\{ED0B4CD9-2082-4C69-9A8E-8950BD3F2811}\_isres_0x0409.dll

Filesize
1.8MB

MD5
7de024bc275f9cdeaf66a865e6fd8e58

SHA1
5086e4a26f9b80699ea8d9f2a33cead28a1819c0

SHA256
bd32468ee7e8885323f22eabbff9763a0f6ffef3cc151e0bd0481df5888f4152

SHA512
191c57e22ea13d13806dd390c4039029d40c7532918618d185d8a627aabc3969c7af2e532e3c933bde8f652b4723d951bf712e9ba0cc0d172dde693012f5ef1a

Download Submit
memory/1472-94-0x0000000073CA0000-0x0000000073E14000-memory.dmp

Filesize
1.5MB

Download
memory/1472-93-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/1472-82-0x0000000073CA0000-0x0000000073E14000-memory.dmp

Filesize
1.5MB

Download
memory/2328-37-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/2328-40-0x0000000002ED0000-0x0000000003097000-memory.dmp

Filesize
1.8MB

Download
memory/2636-97-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/2636-98-0x0000000073CA0000-0x0000000073E14000-memory.dmp

Filesize
1.5MB

Download
memory/2636-106-0x0000000073CA0000-0x0000000073E14000-memory.dmp

Filesize
1.5MB

Download
memory/2908-65-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/2908-64-0x0000000073C10000-0x0000000073D84000-memory.dmp

Filesize
1.5MB

Download
memory/2988-118-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2988-117-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/2988-121-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2988-124-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2988-114-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2988-127-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2988-132-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2988-115-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2988-138-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2988-141-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2988-147-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download