Malware analysis REQUISICIÓN FISCAL 989232T - REVISAR JULIO 26 DE 2024.msg Malicious activity

Add for printing

File name:	REQUISICIÓN FISCAL 989232T - REVISAR JULIO 26 DE 2024.msg
Full analysis:	https://app.any.run/tasks/1d7e06b0-ca30-4f32-8036-5c6648f6f96d
Verdict:	Malicious activity
Threats:	A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis. Remcos ist eine Malware vom Typ RAT, mit der Angreifer aus der Ferne Aktionen auf infizierten Computern durchführen können. Diese Malware ist extrem aktiv und wird fast jeden Monat mit Updates auf den neuesten Stand gebracht. Malware Trends Tracker >>>
Analysis date:	July 29, 2024, 15:19:52
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	dkim-fail rat remcos remote keylogger evasion
Indicators:
MIME:	application/vnd.ms-outlook
File info:	CDFV2 Microsoft Outlook Message
MD5:	1839A71F14F79A7AB8AC366703A0DF18
SHA1:	E562854E3BEA7B7584C7E9DE4CB18750CF05DA44
SHA256:	7EC1A5D81277A5890C330EAFC460A188482E034D8EB0D6A1421728A3D0B608F6
SSDEEP:	1536:/RrYeCa8Nva5I1WBisxrkEjjTuUGuW+W/IUmawWrWnWipGLCLt+p74mWQqzR:/REeE8rVjfuU5VWqpRZO7RO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 7724)
- REMCOS has been detected
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 1292)
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 1292)
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 1292)
- REMCOS has been detected (SURICATA)
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 1292)
- REMCOS has been detected (YARA)
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 1292)
SUSPICIOUS
- Application launched itself
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 7724)
- Contacting a server suspected of hosting an CnC
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 1292)
- Connects to unusual port
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 1292)
- Writes files like Keylogger logs
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 1292)
- There is functionality for taking screenshot (YARA)
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 1292)
- Reads security settings of Internet Explorer
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 1292)
- Checks for external IP
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 1292)
INFO
- Email verification fail (SPF, DKIM or DMARC)
  - OUTLOOK.EXE (PID: 3400)
- Reads Microsoft Office registry keys
  - msedge.exe (PID: 6440)
- The process uses the downloaded file
  - msedge.exe (PID: 1428)
  - WinRAR.exe (PID: 7964)
- Checks proxy server information
  - slui.exe (PID: 2996)
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 1292)
- Checks supported languages
  - identity_helper.exe (PID: 8036)
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 7724)
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 1292)
- Reads the software policy settings
  - slui.exe (PID: 2996)
- Manual execution by a user
  - WinRAR.exe (PID: 7964)
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 7724)
- Reads Environment values
  - identity_helper.exe (PID: 8036)
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 1292)
- Reads the computer name
  - identity_helper.exe (PID: 8036)
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 1292)
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 7964)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 7964)
- Application launched itself
  - msedge.exe (PID: 6440)
- Creates files in the program directory
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 1292)
- Reads the machine GUID from the registry
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 1292)
- Creates files or folders in the user directory
  - REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe (PID: 1292)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Remcos

(PID) Process(1292) REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe

C2 (1)muchodinerohoy.con-ip.com:1667

BotnetAMORE

Options

Connect_interval1

Install_flagFalse

Install_HKCU\RunTrue

Install_HKLM\RunTrue

Install_HKLM\Explorer\Run1

Install_HKLM\Winlogon\Shell100000

Setup_path%LOCALAPPDATA%

Copy_fileremcos.exe

Startup_valueFalse

Hide_fileFalse

Mutex_nameRmc-T2SV5Q

Keylog_flag1

Keylog_path%LOCALAPPDATA%

Keylog_filelogs.dat

Keylog_cryptFalse

Hide_keylogFalse

Screenshot_flagFalse

Screenshot_time5

Take_ScreenshotFalse

Screenshot_path%APPDATA%

Screenshot_fileScreenshots

Screenshot_cryptFalse

Mouse_optionFalse

Delete_fileFalse

Audio_record_time5

Audio_path%ProgramFiles%

Audio_dirMicRecords

Connect_delay0

Copy_dirRemcos

Keylog_dirremcos

No Malware configuration.

Add for printing

TRiD

.msg	\|	Outlook Message (58.9)
.oft	\|	Outlook Form Template (34.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

203

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

308

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6836 --field-trial-handle=2396,i,2255538671368032551,14320355673322874386,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

308

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=8112 --field-trial-handle=2396,i,2255538671368032551,14320355673322874386,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1292

"C:\Users\admin\Downloads\REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe"

C:\Users\admin\Downloads\REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe

REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe

User:

admin

Company:

TrueCrypt Foundation

Integrity Level:

MEDIUM

Description:

TrueCrypt

Version:

7.1a

Modules

Images
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\shcore.dll
c:\windows\syswow64\psapi.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\cryptsp.dll

Remcos

(PID) Process(1292) REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe

C2 (1)muchodinerohoy.con-ip.com:1667

BotnetAMORE

Options

Connect_interval1

Install_flagFalse

Install_HKCU\RunTrue

Install_HKLM\RunTrue

Install_HKLM\Explorer\Run1

Install_HKLM\Winlogon\Shell100000

Setup_path%LOCALAPPDATA%

Copy_fileremcos.exe

Startup_valueFalse

Hide_fileFalse

Mutex_nameRmc-T2SV5Q

Keylog_flag1

Keylog_path%LOCALAPPDATA%

Keylog_filelogs.dat

Keylog_cryptFalse

Hide_keylogFalse

Screenshot_flagFalse

Screenshot_time5

Take_ScreenshotFalse

Screenshot_path%APPDATA%

Screenshot_fileScreenshots

Screenshot_cryptFalse

Mouse_optionFalse

Delete_fileFalse

Audio_record_time5

Audio_path%ProgramFiles%

Audio_dirMicRecords

Connect_delay0

Copy_dirRemcos

Keylog_dirremcos

1428

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5860 --field-trial-handle=2396,i,2255538671368032551,14320355673322874386,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1720

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7560 --field-trial-handle=2396,i,2255538671368032551,14320355673322874386,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1764

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7516 --field-trial-handle=2396,i,2255538671368032551,14320355673322874386,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1768

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=8328 --field-trial-handle=2396,i,2255538671368032551,14320355673322874386,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

2152

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7976 --field-trial-handle=2396,i,2255538671368032551,14320355673322874386,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2284

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2996

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Add for printing

Total events

34 867

Read events

34 227

Write events

556

Delete events

Modification events


(PID) Process:	(3400) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	6
Value: 01941A000000001000B24E9A3E06000000000000000600000000000000
(PID) Process:	(3400) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\3400
Operation:	write	Name:	0
Value: 0B0E10473CE47C9DA496459A670B867213EAB7230046998385DAACB9B8ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511C81AD2120B6F00750074006C006F006F006B002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:	(3400) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:	delete value	Name:	BootCommand
Value:
(PID) Process:	(3400) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:	delete value	Name:	BootFailureCount
Value:
(PID) Process:	(3400) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3400) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	write	Name:	CantBootResolution
Value: BootSuccess
(PID) Process:	(3400) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	write	Name:	ProfileBeingOpened
Value: Outlook
(PID) Process:	(3400) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	write	Name:	SessionId
Value: C3D8E96E-C1AF-4750-8D52-F4E28119C131
(PID) Process:	(3400) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:	write	Name:	BootDiagnosticsLogFile
Value: C:\Users\admin\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16026_20146-20240718T1116060318-1644.etl
(PID) Process:	(3400) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:	delete value	Name:	ProfileBeingOpened
Value:

Add for printing

Executable files

Suspicious files

409

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3400	OUTLOOK.EXE	C:\Users\admin\Documents\Outlook Files\Outlook1.pst		—
		MD5:—	SHA256:—
6440	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1c3a80.TMP		—
		MD5:—	SHA256:—
6440	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1c3a90.TMP		—
		MD5:—	SHA256:—
6440	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1c3a90.TMP		—
		MD5:—	SHA256:—
6440	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
6440	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1c3a90.TMP		—
		MD5:—	SHA256:—
6440	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
6440	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
6440	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF1c3ace.TMP		—
		MD5:—	SHA256:—
3400	OUTLOOK.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm		pgc
		MD5:E8E1D4985C21856C17A53F54B1E36C97	SHA256:3105484306ACE3E31A9C6EEA6F1168ECCD35D9C2744E67E9732D312BE0B7D2FE

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

216

DNS requests

135

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5368	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
4424	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
3400	OUTLOOK.EXE	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
3676	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
7216	msedge.exe	GET	200	85.115.52.220:80	http://www.mailcontrol.com/http-resources/notification-pages/notification.css	unknown	—	—	whitelisted
7216	msedge.exe	GET	200	85.115.52.220:80	http://www.mailcontrol.com/http-resources/bootstrap/css/bootstrap-responsive.css	unknown	—	—	whitelisted
7216	msedge.exe	GET	200	85.115.52.220:80	http://www.mailcontrol.com/http-resources/notification-pages/empty.js	unknown	—	—	whitelisted
7216	msedge.exe	GET	200	85.115.52.220:80	http://www.mailcontrol.com/http-resources/notification-pages/icons60/warning.png	unknown	—	—	whitelisted
7216	msedge.exe	GET	200	85.115.52.220:80	http://www.mailcontrol.com/http-resources/notification-pages/2020/notification_page_logo_145x35.png	unknown	—	—	whitelisted
7216	msedge.exe	GET	200	85.115.58.180:80	http://webdefence.global.blackspider.com/favicon.ico	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:138	—	—	—	whitelisted
2856	slui.exe	20.83.72.98:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
6012	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5368	SearchApp.exe	104.126.37.163:443	www.bing.com	Akamai International B.V.	DE	unknown
5368	SearchApp.exe	131.253.33.254:443	a-ring-fallback.msedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
488	slui.exe	20.83.72.98:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5368	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2 20.73.194.208	whitelisted
t-ring-fdv2.msedge.net	13.107.237.254	unknown
www.bing.com	104.126.37.163 104.126.37.168 104.126.37.176 104.126.37.155 104.126.37.146 104.126.37.152 104.126.37.160 104.126.37.171 104.126.37.161 104.126.37.170 104.126.37.154 104.126.37.169 104.126.37.162 104.126.37.128 104.126.37.184 104.126.37.139 104.126.37.185 104.126.37.177 104.126.37.123 104.126.37.186 104.126.37.144 104.126.37.145 104.126.37.153	whitelisted
a-ring-fallback.msedge.net	131.253.33.254	unknown
google.com	142.250.185.110	whitelisted
login.live.com	40.126.32.68 40.126.32.133 40.126.32.138 40.126.32.136 20.190.160.17 20.190.160.22 40.126.32.140 20.190.160.20	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
officeclient.microsoft.com	52.109.32.97	whitelisted
ecs.office.com	52.113.194.132	whitelisted

Threats

PID	Process	Class	Message
2284	svchost.exe	Potentially Bad Traffic	ET DNS Query for .cc TLD
2284	svchost.exe	Potentially Bad Traffic	ET INFO DNS Redirection Service Domain in DNS Lookup (con-ip .com)
1292	REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe	A Network Trojan was detected	REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
1292	REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe	Malware Command and Control Activity Detected	ET JA3 Hash - Remcos 3.x/4.x TLS Connection
1292	REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe	A Network Trojan was detected	REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
1292	REQ NO 786857674565687565846576 JULIO 2666 DE 2024.exe	Malware Command and Control Activity Detected	ET JA3 Hash - Remcos 3.x/4.x TLS Connection

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

REQUISICIÓN FISCAL 989232T - REVISAR JULIO 26 DE 2024.msg

1839A71F14F79A7AB8AC366703A0DF18

E562854E3BEA7B7584C7E9DE4CB18750CF05DA44

7EC1A5D81277A5890C330EAFC460A188482E034D8EB0D6A1421728A3D0B608F6

1536:/RrYeCa8Nva5I1WBisxrkEjjTuUGuW+W/IUmawWrWnWipGLCLt+p74mWQqzR:/REeE8rVjfuU5VWqpRZO7RO

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

REMCOS has been detected

REMCOS has been detected (SURICATA)

REMCOS has been detected (YARA)

SUSPICIOUS

Application launched itself

Contacting a server suspected of hosting an CnC

Connects to unusual port

Writes files like Keylogger logs

There is functionality for taking screenshot (YARA)

Reads security settings of Internet Explorer

Checks for external IP

INFO

Email verification fail (SPF, DKIM or DMARC)

Reads Microsoft Office registry keys

The process uses the downloaded file

Checks proxy server information

Checks supported languages

Reads the software policy settings

Manual execution by a user

Reads Environment values

Reads the computer name

Drops the executable file immediately after the start

Executable content was dropped or overwritten

Application launched itself

Creates files in the program directory

Reads the machine GUID from the registry

Creates files or folders in the user directory

Malware configuration

Remcos

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Remcos

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats