8afd54f2ed0af6d9593b0985cec1604748ca753900859fe4ee225d21b574e55e

General

Target

SecuriteInfo.com.BScope.Backdoor.Remcos.948.exe
Size

546KB
MD5

e7ec2585b8fd04839c9d29fbaf35b6fc
SHA1

c0b524bf9180fc3dbae0e8c72b96fd8c0ddf6e02
SHA256

8afd54f2ed0af6d9593b0985cec1604748ca753900859fe4ee225d21b574e55e
SHA512

c2ece5ab56dd7637b794e49cd5c0df9413ebd64ec2edf3443184d55e2330ee4450eee23f6d7469196e11ea7b1a5401e8ce935529f1c0cce4483c405f74438259

Score

8^/10

Malware Config

Signatures

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
3684	ieinstal.exe
3684	ieinstal.exe
3684	ieinstal.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3684 set thread context of 2952	3684	ieinstal.exe	56
PID 4044 set thread context of 2952	4044	rundll32.exe	56

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run entry to policy start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 3684	1628	SecuriteInfo.com.BScope.Backdoor.Remcos.948.exe	72
PID 1628 wrote to memory of 3684	1628	SecuriteInfo.com.BScope.Backdoor.Remcos.948.exe	72
PID 1628 wrote to memory of 3684	1628	SecuriteInfo.com.BScope.Backdoor.Remcos.948.exe	72
PID 1628 wrote to memory of 3684	1628	SecuriteInfo.com.BScope.Backdoor.Remcos.948.exe	72
PID 1628 wrote to memory of 3684	1628	SecuriteInfo.com.BScope.Backdoor.Remcos.948.exe	72
PID 1628 wrote to memory of 3684	1628	SecuriteInfo.com.BScope.Backdoor.Remcos.948.exe	72
PID 2952 wrote to memory of 4044	2952	Explorer.EXE	73
PID 2952 wrote to memory of 4044	2952	Explorer.EXE	73
PID 2952 wrote to memory of 4044	2952	Explorer.EXE	73
PID 4044 wrote to memory of 3832	4044	rundll32.exe	74
PID 4044 wrote to memory of 3832	4044	rundll32.exe	74
PID 4044 wrote to memory of 3832	4044	rundll32.exe	74
PID 4044 wrote to memory of 4036	4044	rundll32.exe	76
PID 4044 wrote to memory of 4036	4044	rundll32.exe	76
PID 4044 wrote to memory of 4036	4044	rundll32.exe	76

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
3684	ieinstal.exe
3684	ieinstal.exe
3684	ieinstal.exe
3684	ieinstal.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe
4044	rundll32.exe

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZRHL-6RHUB = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe"	rundll32.exe
Key created	\Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	rundll32.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	3684	ieinstal.exe
Token: SeDebugPrivilege	4044	rundll32.exe
Token: SeShutdownPrivilege	2952	Explorer.EXE
Token: SeCreatePagefilePrivilege	2952	Explorer.EXE
Token: SeShutdownPrivilege	2952	Explorer.EXE
Token: SeCreatePagefilePrivilege	2952	Explorer.EXE
Token: SeShutdownPrivilege	2952	Explorer.EXE
Token: SeCreatePagefilePrivilege	2952	Explorer.EXE
Token: SeShutdownPrivilege	2952	Explorer.EXE
Token: SeCreatePagefilePrivilege	2952	Explorer.EXE
Token: SeShutdownPrivilege	2952	Explorer.EXE
Token: SeCreatePagefilePrivilege	2952	Explorer.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:2952
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.Backdoor.Remcos.948.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.Backdoor.Remcos.948.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    3⤵
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3684
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - Adds Run entry to policy start application
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  - Adds Run entry to start application
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    3⤵
    PID:3832
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:4036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1628-0-0x0000000010410000-0x000000001043D000-memory.dmp

Filesize
180KB

Download
memory/4036-10-0x00007FF688500000-0x00007FF688593000-memory.dmp

Filesize
588KB

Download
memory/4036-11-0x00007FF688500000-0x00007FF688593000-memory.dmp

Filesize
588KB

Download
memory/4036-12-0x00007FF688500000-0x00007FF688593000-memory.dmp

Filesize
588KB

Download
memory/4044-4-0x00000000010B0000-0x00000000010C3000-memory.dmp

Filesize
76KB

Download
memory/4044-8-0x0000000005800000-0x000000000588E000-memory.dmp

Filesize
568KB

Download
memory/4044-7-0x0000000005800000-0x0000000005897000-memory.dmp

Filesize
604KB

Download
memory/4044-3-0x00000000010B0000-0x00000000010C3000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads