
Windows Analysis Report
ISehgzqm2V.zip

Overview

General Information

Sample name: ISehgzqm2V.zip (renamed because original name is a hash value)
Original sample name: Shared Folders 2023-Documents-185d3ad07050c2100c225b5d2de56c05.zip
Analysis ID: 1514098
MD5: 185d3ad07050c2100c225b5d2de56c05
SHA1: 5adc8c81f93de473591b8cc028334896c2e22f16
SHA256: c12289182c24af57db335a63c77db2fec8f80b128724fa4fdfdaf6798280b324

Detection

Remcos
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Creates autostart registry keys with suspicious names
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Suricata IDS alerts with low severity for network traffic
Uses reg.exe to modify the Windows registry
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64_ra
  • rundll32.exe (PID: 6264 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • -1-Shared 2023-Documents pdf.exe (PID: 5408 cmdline: "C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe" MD5: 4864A55CFF27F686023456A22371E790)
    • -1-Shared 2023-Documents pdf.exe (PID: 5744 cmdline: "C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe" MD5: 4864A55CFF27F686023456A22371E790)
      • WerFault.exe (PID: 72 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 1596 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • cmd.exe (PID: 3908 cmdline: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 2460 cmdline: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Yara matches (Source | Rule | Description | Author | Strings)
Source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp
    Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
    Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
    Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
    Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown | Strings:
        • 0x6c4b8:$a1: Remcos restarted by watchdog!
        • 0x6ca30:$a3: %02i:%02i:%02i:%03i
    Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown | Strings:
        • 0x6650c:$str_a1: C:\Windows\System32\cmd.exe
        • 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
        • 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
        • 0x6657c:$str_b2: Executing file:
        • 0x675fc:$str_b3: GetDirectListeningPort
        • 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
        • 0x67128:$str_b7: \update.vbs
        • 0x665a4:$str_b9: Downloaded file:
        • 0x66590:$str_b10: Downloading file:
        • 0x66634:$str_b12: Failed to upload file:
        • 0x675c4:$str_b13: StartForward
        • 0x675e4:$str_b14: StopForward
        • 0x67080:$str_b15: fso.DeleteFile "
        • 0x67014:$str_b16: On Error Resume Next
        • 0x670b0:$str_b17: fso.DeleteFolder "
        • 0x66624:$str_b18: Uploaded file:
        • 0x665e4:$str_b19: Unable to delete:
        • 0x67048:$str_b20: while fso.FileExists("
        • 0x66ac1:$str_c0: [Firefox StoredLogins not found]

        System Summary

        Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll,EntryPoint, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 2460, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*UpdaterCisco
        Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f , CommandLine: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3908, ParentProcessName: cmd.exe, ProcessCommandLine: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f , ProcessId: 2460, ProcessName: reg.exe
        Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit, CommandLine: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe" , ParentImage: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe, ParentProcessId: 5408, ParentProcessName: -1-Shared 2023-Documents pdf.exe, ProcessCommandLine: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit, ProcessId: 3908, ProcessName: cmd.exe

        Stealing of Sensitive Information

        Source: Registry Key set | Author: Joe Security | Data: Details: …, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe, ProcessId: 5744, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-ZM1M40\exepath
        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2024-09-19T20:49:23.982332+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49710 | 193.142.146.203 | 2405 | TCP
        2024-09-19T20:49:35.676247+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49713 | 193.142.146.203 | 2405 | TCP
        2024-09-19T20:49:35.852245+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49714 | 193.142.146.203 | 2405 | TCP
        2024-09-19T20:49:39.210351+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49715 | 193.142.146.203 | 2405 | TCP
        2024-09-19T20:49:48.256276+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49716 | 193.142.146.203 | 2405 | TCP

        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2024-09-19T20:49:25.241123+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.16 | 49711 | 178.237.33.50 | 80 | TCP

        AV Detection

        Source: Yara match | File source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000009.00000002.1633806501.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.2380117770.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

        Exploits

        Source: Yara match | File source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000009.00000002.1633806501.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY

        Networking

        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:49710 -> 193.142.146.203:2405
        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:49716 -> 193.142.146.203:2405
        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:49715 -> 193.142.146.203:2405
        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:49713 -> 193.142.146.203:2405
        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:49714 -> 193.142.146.203:2405
        Source: global traffic | TCP traffic: 192.168.2.16:49710 -> 193.142.146.203:2405
        Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
        Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.16:49711 -> 178.237.33.50:80
        Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
        Source: Yara match | File source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000009.00000002.1633806501.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY

        E-Banking Fraud

        Source: Yara match | File source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000009.00000002.1633806501.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.2380117770.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

        System Summary

        Source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
        Source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: 00000009.00000002.1633806501.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 1596
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
        Source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
        Source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: 00000009.00000002.1633806501.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
        Source: classification engine | Classification label: mal92.troj.expl.winZIP@10/5@1/20
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | File created: C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4244:120:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5744
        Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\462b7dd3-6cc8-4096-8d08-3b3b7e15e800
        Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        Source: unknown | Process created: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe "C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe"
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process created: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe "C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe"
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: wininet.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: msimg32.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: oledlg.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: k7rn7l32.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: ntd3ll.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: winmm.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: rstrtmgr.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: ncrypt.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: ntasn1.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: winnsi.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: rasadhlp.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: fwpuclnt.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Section loaded: windowscodecs.dll
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
        Source: ISehgzqm2V.zip | Static file information: File size 67258370 > 1048576

        Boot Survival

        Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *UpdaterCisco
        Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exeWindow / User API: threadDelayed 9788
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe TID: 816Thread sleep time: -186000s >= -30000s
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe TID: 816Thread sleep time: -29364000s >= -30000s
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exeProcess queried: DebugPort
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exeProcess queried: DebugPort
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exeProcess created: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe "C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe"
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information

        Source: Yara matchFile source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000002.1633806501.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000A.00000002.2380117770.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

        Remote Access Functionality

        Source: C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-ZM1M40
        Source: Yara matchFile source: 00000009.00000002.1632250783.00000000027D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000002.1633806501.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000A.00000002.2380117770.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
        |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
        | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 11 Registry Run Keys / Startup Folder | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
        | Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 11 Registry Run Keys / Startup Folder | 1 Modify Registry | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Remote Access Software | Exfiltration Over Bluetooth | Network Denial of Service |
        | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Disable or Modify Tools | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
        | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Virtualization/Sandbox Evasion | NTDS | 2 System Information Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
        | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | 2 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
        | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Rundll32 | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
        | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |

        No Antivirus matches
        | Source | Detection | Scanner | Label | Link |
        |---|---|---|---|---|
        | http://geoplugin.net/json.gp | 0% | URL Reputation | safe | |

        | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
        |---|---|---|---|---|---|
        | geoplugin.net | 178.237.33.50 | true | false | | unknown |

        | Name | Malicious | Antivirus Detection | Reputation |
        |---|---|---|---|
        | http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown |
        | IP | Domain | Country | ASN | ASN Name | Malicious |
        |---|---|---|---|---|---|
        | 193.142.146.203 | unknown | Netherlands | 208046 | HOSTSLICK-GERMANYNL | true |
        | 178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false |
        | 52.182.143.212 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1514098
          Start date and time:2024-09-19 20:48:14 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:defaultwindowsinteractivecookbook.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of new started processes analysed:20
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • EGA enabled
          Analysis Mode:stream
          Analysis stop reason:Timeout
          Sample name:ISehgzqm2V.zip
          renamed because original name is a hash value
          Original Sample Name:Shared Folders 2023-Documents-185d3ad07050c2100c225b5d2de56c05.zip
          Detection:MAL
          Classification:mal92.troj.expl.winZIP@10/5@1/20
          Cookbook Comments:
          • Found application associated with file extension: .zip
          • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 52.182.143.212
          • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
          • Not all processes were analyzed, report is missing behavior information
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • VT rate limit hit for: ISehgzqm2V.zip
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):65536
          Entropy (8bit):1.0446724045290923
          Encrypted:false
          SSDEEP:
          MD5:E601BBA7E9BD472ED5559667DB9DD987
          SHA1:A77680BC55A21CD39901004252C6FE1EF3512F44
          SHA-256:5AC5125CE6962D5C355B6EDCBF73E420B1B1CC88F2E11F4D282CF5499E0156B1
          SHA-512:9CA3DDFC61DC24C26652F6BAC4F614B1B2F04536B8B56B9316E7717148F6D9A73F445173ACE73D7BD67D7D277065A45D8657A6F849B9330EFEB35772EDA5BA0F
          Malicious:false
          Reputation:unknown
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:Mini DuMP crash report, 14 streams, Thu Sep 19 18:50:39 2024, 0x1205a4 type
          Category:dropped
          Size (bytes):118778
          Entropy (8bit):2.014059744178575
          Encrypted:false
          SSDEEP:
          MD5:2AB46126E6FB73115DAFDE5FB6BCE6B9
          SHA1:588C44CD4FDF3106629A9CC3BC7F438D369D9914
          SHA-256:0D666475904BC9B8074D567451C984B04F9FE8A26BDF950C1B85E41E292D782E
          SHA-512:0CD109292E59616E49953FE8D12B4C5E8EDD1E11599B93A0542094814780DDA8670C3A0D6F29B0E78EEDB77C8C925E989F35981747F97EB0A68866F7A07EA95C
          Malicious:false
          Reputation:unknown
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):6436
          Entropy (8bit):3.730302164129926
          Encrypted:false
          SSDEEP:
          MD5:6351BF217BC4ADAD043CDD7718F92D1C
          SHA1:70B5A4DB05957F3491DCEFE60FC205DEE48F66DF
          SHA-256:B1F3399BC7C601D477E988C5BDFC387879A20C2FE02C8C36315BC3D92F5431A5
          SHA-512:804B19CF5718C147B8CDEBA0BEDC623AA1305565D52EE19056EA49A1B756CAA3E4B20BDD0E5AD34357A3830ACCCE4D2970EA17020C330EDBCCF50EB17243D41C
          Malicious:false
          Reputation:unknown
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):4773
          Entropy (8bit):4.501882621419847
          Encrypted:false
          SSDEEP:
          MD5:DED00AFDD8289F9EADF05D9F64ABBC8A
          SHA1:69E8610F1DC35B2E9739034E1148388CDC085D47
          SHA-256:CB67D99EB4FCFE14574344CD52A8C8E54A71B32670235BB53FE573ECA2319DFC
          SHA-512:55584D5193C6F8DA9A4DF5D8C02CEF8D7A280012277F341706BAE840006DEADE4AD7A2C85F8DEE18F4A381F6B0D4C62C85344A2EC88CFD3F2268A579CBAFFB49
          Malicious:false
          Reputation:unknown
          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="507473" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
          Process:C:\Users\user\Desktop\ISehgzqm2V\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe
          File Type:JSON data
          Category:dropped
          Size (bytes):962
          Entropy (8bit):5.013811273052389
          Encrypted:false
          SSDEEP:
          MD5:18BC6D34FABB00C1E30D98E8DAEC814A
          SHA1:D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
          SHA-256:862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
          SHA-512:8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
          Malicious:false
          Reputation:unknown
          Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
          File type:Zip archive data, at least v2.0 to extract, compression method=store
          Entropy (8bit):7.997794270983537
          TrID:
          • ZIP compressed archive (8000/1) 99.91%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
          File name:ISehgzqm2V.zip
          File size:67'258'370 bytes
          MD5:185d3ad07050c2100c225b5d2de56c05
          SHA1:5adc8c81f93de473591b8cc028334896c2e22f16
          SHA256:c12289182c24af57db335a63c77db2fec8f80b128724fa4fdfdaf6798280b324
          SHA512:44c65a32236cf1f9534ebba4077c7aecec017244716736b0e33c487d9ffdbd85a93b76a35b20053ca16e765876d5ad0b9febd0a6f047bcd17f9f393cbd40e447
          SSDEEP:1572864:I/8Ep7PnCeq2FMPjeyJ445zHx6lfCdiGbHQuWCagVjhrdi6TiH:I7ZPvnM7elgzHclfUbzva2FrM2iH
          TLSH:83E733A15C2DF4241E0EE599A76E701CBDAB25B1D26F7E452DC9C403A40CEAF2874BCD
          Icon Hash:1c1c1e4e4ececedc