Edit tour

Windows Analysis Report
Marys Organizer 2023 Release.zip

Overview

General Information

Sample name:	Marys Organizer 2023 Release.zip
Analysis ID:	1518514
MD5:	e2e67e92cc1d95783a0d5f19edc451d8
SHA1:	c8c5a9002de6c1e69dc700115b21f2f6ee452c3c
SHA256:	68f4332560b060339063e982589becd336a8b1024c6c9bb62207ff2b6b58fb91
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Malicious sample detected (through community Yara rule)

Sigma detected: Remcos

Suricata IDS alerts for network traffic

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Creates autostart registry keys with suspicious names

Creates multiple autostart registry keys

Injects a PE file into a foreign processes

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Suricata IDS alerts with low severity for network traffic

Uses reg.exe to modify the Windows registry

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64_ra

rundll32.exe (PID: 2840 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

OpenWith.exe (PID: 6956 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe (PID: 7036 cmdline: "C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe" MD5: 4864A55CFF27F686023456A22371E790)

MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe (PID: 7136 cmdline: "C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe" MD5: 4864A55CFF27F686023456A22371E790)

build.exe (PID: 3000 cmdline: "C:\Users\user\AppData\Local\Temp\build.exe" MD5: 55FC1A86363D371667FFC9D4DF110A5E)

build.exe (PID: 1264 cmdline: "C:\Users\user\AppData\Local\Temp\build.exe" MD5: 55FC1A86363D371667FFC9D4DF110A5E)

cmd.exe (PID: 6316 cmdline: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 1444 cmdline: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4b8:$a1: Remcos restarted by watchdog! 0x6ca30:$a3: %02i:%02i:%02i:%03i
00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x6650c:$str_a1: C:\Windows\System32\cmd.exe 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6657c:$str_b2: Executing file: 0x675fc:$str_b3: GetDirectListeningPort 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67128:$str_b7: \update.vbs 0x665a4:$str_b9: Downloaded file: 0x66590:$str_b10: Downloading file: 0x66634:$str_b12: Failed to upload file: 0x675c4:$str_b13: StartForward 0x675e4:$str_b14: StopForward 0x67080:$str_b15: fso.DeleteFile " 0x67014:$str_b16: On Error Resume Next 0x670b0:$str_b17: fso.DeleteFolder " 0x66624:$str_b18: Uploaded file: 0x665e4:$str_b19: Unable to delete: 0x67048:$str_b20: while fso.FileExists(" 0x66ac1:$str_c0: [Firefox StoredLogins not found]
00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6638c:$s1: CoGetObject 0x663a0:$s1: CoGetObject 0x663bc:$s1: CoGetObject 0x7035e:$s1: CoGetObject 0x6634c:$s2: Elevation:Administrator!new:
00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b9c6:$a1: Remcos restarted by watchdog! 0x6bf3e:$a3: %02i:%02i:%02i:%03i
00000016.00000002.1866004314.0000000000E7B000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x14b8:$a1: Remcos restarted by watchdog! 0x1a30:$a3: %02i:%02i:%02i:%03i
00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6b3b6:$a1: Remcos restarted by watchdog! 0x6b92e:$a3: %02i:%02i:%02i:%03i
00000012.00000002.2328371032.0000000000D48000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000017.00000002.2328340039.0000000000A08000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 12 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll,EntryPoint, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 1444, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*UpdaterCisco

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f , CommandLine: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6316, ParentProcessName: cmd.exe, ProcessCommandLine: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f , ProcessId: 1444, ProcessName: reg.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit, CommandLine: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe" , ParentImage: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, ParentProcessId: 7036, ParentProcessName: MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, ProcessCommandLine: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit, ProcessId: 6316, ProcessName: cmd.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: CC 4D 9F 5C 9A 24 4A B9 C3 55 EF 3D 15 EE E4 6A DC D6 3E 8F 8A 58 0D 54 E1 D6 15 7F B1 07 E6 E3 A4 24 E3 93 2F 64 14 F9 AB 3B 17 A4 FD 46 7E CA F8 CA 53 E3 15 F2 BC 85 9F AD D7 DE 16 76 C9 AF CF 6C 89 A8 13 25 0C EB C5 68 B6 A8 DC 8F 1F E2 74 99 35 4D 21 FD 68 BD DA 94 49 21 71 F4 B4 3D 9E DE B1 49 18 86 D5 31 9B E6 96 14 70 99 3B 46 2C FB AA CD 7C 6E 0B 5A BE 36 5E 63 31 A7 0D 7B FF 26 AA 07 1A E1 0A 31 ED 3B C3 47 E4 79 1F F2 7D 49 D5 3C 83 C5 2B EB 75 CF 77 EE 66 B0 BC 26 66 B3 11 24 7B FB 06 6E EB 88 0C 75 6C A4 B9 89 8E E5 DE BF 81 0E C0 61 B0 8E 1A 55 1B EC 2C 97 94 1C 8F CC 03 F4 68 39 4B 70 F5 BA E7 19 F5 24 2E 75 , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe, ProcessId: 7136, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-9QRTYQ\exepath

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T19:06:45.365896+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.17	49712	172.111.163.227	9583	TCP
2024-09-25T19:06:47.826978+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.17	49714	172.111.163.227	9583	TCP
2024-09-25T19:07:10.535019+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.17	49715	45.74.48.2	9774	TCP
2024-09-25T19:07:31.539228+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.17	49718	45.74.48.2	9774	TCP
2024-09-25T19:07:32.159137+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.17	49719	45.74.48.2	9774	TCP
2024-09-25T19:07:35.783133+0200	2036594	1	Malware Command and Control Activity Detected	192.168.2.17	49720	45.74.48.2	9774	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-25T19:06:47.366552+0200	2803304	3	Unknown Traffic	192.168.2.17	49713	178.237.33.50	80	TCP
2024-09-25T19:07:13.381327+0200	2803304	3	Unknown Traffic	192.168.2.17	49716	178.237.33.50	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected Remcos RAT

Source: Yara match	File source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2328371032.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2328340039.0000000000A08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:49714 -> 172.111.163.227:9583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:49712 -> 172.111.163.227:9583
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:49715 -> 45.74.48.2:9774
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:49719 -> 45.74.48.2:9774
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:49720 -> 45.74.48.2:9774
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.17:49718 -> 45.74.48.2:9774

Source: global traffic

TCP traffic: 192.168.2.17:49715 -> 45.74.48.2:9774

Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.17:49713 -> 178.237.33.50:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.17:49716 -> 178.237.33.50:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: privmerkt.com
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net
Source: global traffic	DNS traffic detected: DNS query: nwemarkets.com

Source: Yara match	File source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2328371032.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2328340039.0000000000A08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000016.00000002.1866004314.0000000000E7B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f

Source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000016.00000002.1866004314.0000000000E7B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.expl.evad.winZIP@14/3@3/21

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe

File created: C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll

Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2304:120:WilError_03

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe

File created: C:\Users\user\AppData\Local\Temp\build.exe

Source: C:\Windows\System32\OpenWith.exe

File read: C:\Users\desktop.ini

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown	Process created: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe "C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe"
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe "C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe"
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe "C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe"
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"

Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: slc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: tiledatarepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: k7rn7l32.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: ntd3ll.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: k7rn7l32.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ntd3ll.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: windowscodecs.dll

Source: C:\Windows\System32\OpenWith.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: Marys Organizer 2023 Release.zip

Static file information: File size 66873356 > 1048576

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	File created: \my organizer 2023 mortgage interest paymentspdf.exe

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe

File created: C:\Users\user\AppData\Local\Temp\build.exe

Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Windows\SysWOW64\reg.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *UpdaterCisco

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\build.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BluetoothExpress
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *UpdaterCisco

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *UpdaterCisco
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *UpdaterCisco
Source: C:\Users\user\AppData\Local\Temp\build.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BluetoothExpress
Source: C:\Users\user\AppData\Local\Temp\build.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BluetoothExpress

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe

Window / User API: threadDelayed 9840

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe TID: 348	Thread sleep count: 9840 > 30
Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe TID: 348	Thread sleep time: -29520000s >= -30000s

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe

Process created: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe "C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe"

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\build.exe

Memory written: C:\Users\user\AppData\Local\Temp\build.exe base: 800000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f

Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2328371032.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2328340039.0000000000A08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-9QRTYQ
Source: C:\Users\user\AppData\Local\Temp\build.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-WREC50

Yara detected Remcos RAT

Source: Yara match	File source: 00000011.00000002.1620343071.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1621692866.0000000010163000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1864206574.00000000006CF000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2328371032.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2328340039.0000000000A08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	21 Registry Run Keys / Startup Folder	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	21 Registry Run Keys / Startup Folder	1 Modify Registry	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Remote Access Software	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Disable or Modify Tools	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	111 Process Injection	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	2 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Source	Detection	Scanner	Label	Link
http://geoplugin.net/json.gp	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
privmerkt.com	172.111.163.227	true	true	unknown
nwemarkets.com	45.74.48.2	true	true	unknown
geoplugin.net	178.237.33.50	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.111.163.227	privmerkt.com	United States	32489	AMANAHA-NEWCA	true
45.74.48.2	nwemarkets.com	United States	3223	VOXILITYGB	true
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1518514
Start date and time:	2024-09-25 19:04:44 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	Marys Organizer 2023 Release.zip
Detection:	MAL
Classification:	mal100.troj.expl.evad.winZIP@14/3@3/21
Cookbook Comments:	Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.209.189, 2.23.209.156, 2.23.209.130, 2.23.209.135, 2.23.209.187, 2.23.209.150, 2.23.209.154, 2.23.209.185, 2.23.209.140
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Marys Organizer 2023 Release.zip

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\96LGQ1XY\json[1].json

Download File

Process:	C:\Users\user\AppData\Local\Temp\build.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	962
Entropy (8bit):	5.013811273052389
Encrypted:	false
SSDEEP:
MD5:	18BC6D34FABB00C1E30D98E8DAEC814A
SHA1:	D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
SHA-256:	862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
SHA-512:	8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
Malicious:	false
Reputation:	unknown
Preview:	{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GO30WR0E\json[1].json

Download File

Process:	C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	962
Entropy (8bit):	5.013130376969173
Encrypted:	false
SSDEEP:
MD5:	F61E5CC20FBBA892FF93BFBFC9F41061
SHA1:	36CD25DFAD6D9BC98697518D8C2F5B7E12A5864E
SHA-256:	28B330BB74B512AFBD70418465EC04C52450513D3CC8609B08B293DBEC847568
SHA-512:	5B6AD2F42A82AC91491C594714638B1EDCA26D60A9932C96CBA229176E95CA3FD2079B68449F62CBFFFFCA5DA6F4E25B7B49AF8A8696C95A4F11C54BCF451933
Malicious:	false
Reputation:	unknown
Preview:	{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Temp\build.exe

Download File

Process:	C:\Users\user\Desktop\Marys Organizer 2023 Release\MY ORGANIZER 2023 Mortgage Interest PaymentsPDF.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4085760
Entropy (8bit):	6.868424606379789
Encrypted:	false
SSDEEP:
MD5:	55FC1A86363D371667FFC9D4DF110A5E
SHA1:	97AB0AF74FCB6F2254BFBCCE912F1BCCCD58463B
SHA-256:	A3A4B56DAAC71B1CE0B62F548C200323E603555438C7FB1452268BCA37C8E94F
SHA-512:	48BB6583532676A3C53A1E5CFCFA51DFF63A3CD7D4C2EDC9E5C88091AF5670BE488602F0A0D766090CEBD36A14DE44A0F1F63EFE24027AE82FFA871761E04D47
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y......{#1..{#3q..{#2.....+.....+K.....+....C....S..........+......+.....?...W.....+..Rich..................PE..L...}..f..................!.........{.........!...@..........................0?...........@..................................F+.,.....,..z...................p=.X....(.T....................(.....(.(.@.............!.<............................text...o.!.......!................. ..`.rdata..v.....!.......!.............@..@.data...hp...p+......T+.............@....rsrc....z....,..\|...",.............@..@.reloc..X....p=.......<.............@..B................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.9981086398924095
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	Marys Organizer 2023 Release.zip
File size:	66'873'356 bytes
MD5:	e2e67e92cc1d95783a0d5f19edc451d8
SHA1:	c8c5a9002de6c1e69dc700115b21f2f6ee452c3c
SHA256:	68f4332560b060339063e982589becd336a8b1024c6c9bb62207ff2b6b58fb91
SHA512:	50fa3652d60cb8a751f736b157b4530767ae74b31ba51fbfc89bdeb230737b2f39f2afeb4e63c760d7ab7ea829654a1328633c608d2271da205a4361a6b77bce
SSDEEP:	1572864:SaSH6nwAKr99h5U8BhyxoKgO30T21I09OP74sgu/+aOe5ZcMzCH:SaU6fKpb5U8B5rxTE9OP3+Ve5Sd
TLSH:	A9E73301D263EA475885801BB113D9BDB23D37AEDDBE64EFA8862805125E7432B1BFD1
File Content Preview:	PK........;.9Yp.........$.....msimg32.dll..y\|SU.?...PV..........%m.&i.4I.&i.^.Y.......cSH..q..E...G.A..@`(.ZJK.tPqF..RZR....y..=7i.....~...y<........k..n.4oHXHHH8......#.....?...-$.......M.#....z....,\:......a.3...~..%...yr../>;l......a.,....~.z........}f

File Icon


Icon Hash:	1c1c1e4e4ececedc

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Marys Organizer 2023 Release.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\96LGQ1XY\json[1].json

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GO30WR0E\json[1].json

C:\Users\user\AppData\Local\Temp\build.exe

Static File Info

General

File Icon

Windows Analysis Report
Marys Organizer 2023 Release.zip