remcos | 9273e6c9157cc1846b6b236bc59914161ec91fdfdfe1979090bfabdf0ad06543

Analysis

max time kernel
63s
max time network
120s
platform
windows7_x64
resource
win7v20210410
submitted
14-04-2021 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
Size

2.9MB
MD5

21948d42c2c1e49cadea88e80dfe6880
SHA1

d7f6837f76f3785eef87048c4a28c4b664f99dbd
SHA256

2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7
SHA512

14054453d259e53d88881a6b50061960befc06309fc14d1f557d5cb3cbc2ac7e855a805cc483915e8b5ce737c328dd03a8cfbc9a68a670e0238896009befa863

Score

10^/10

remcos link pdf persistence rat

Malware Config

Extracted

Family

remcos

daya4659.ddns.net:8282

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 13 IoCs

pid	Process
1072	remcos_agent_Protected.exe
1572	remcos_agent_Protected.exe
308	remcos.exe
1612	remcos.exe
2024	sfc.exe
1320	driverquery.exe
964	sfc.exe
1524	driverquery.exe
920	driverquery.exe
2008	driverquery.exe
616	driverquery.exe
1196	driverquery.exe
1284	driverquery.exe

Loads dropped DLL 6 IoCs

pid	Process
1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
1072	remcos_agent_Protected.exe
1808	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos_agent_Protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos_agent_Protected.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos_agent_Protected.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos_agent_Protected.exe

Suspicious use of SetThreadContext 28 IoCs

description	pid	Process	procid_target
PID 1072 set thread context of 1572	1072	remcos_agent_Protected.exe	36
PID 308 set thread context of 1612	308	remcos.exe	46
PID 1612 set thread context of 1756	1612	remcos.exe	49
PID 1612 set thread context of 676	1612	remcos.exe	50
PID 1612 set thread context of 592	1612	remcos.exe	51
PID 1612 set thread context of 1604	1612	remcos.exe	52
PID 1612 set thread context of 752	1612	remcos.exe	53
PID 1612 set thread context of 1872	1612	remcos.exe	54
PID 1612 set thread context of 1992	1612	remcos.exe	55
PID 1612 set thread context of 2016	1612	remcos.exe	56
PID 1612 set thread context of 1800	1612	remcos.exe	57
PID 1612 set thread context of 1808	1612	remcos.exe	58
PID 1612 set thread context of 1244	1612	remcos.exe	59
PID 1612 set thread context of 1864	1612	remcos.exe	60
PID 1612 set thread context of 316	1612	remcos.exe	61
PID 1612 set thread context of 1608	1612	remcos.exe	62
PID 1612 set thread context of 1048	1612	remcos.exe	63
PID 1612 set thread context of 1824	1612	remcos.exe	64
PID 1612 set thread context of 1624	1612	remcos.exe	65
PID 1612 set thread context of 1580	1612	remcos.exe	66
PID 1612 set thread context of 928	1612	remcos.exe	67
PID 1612 set thread context of 484	1612	remcos.exe	68
PID 1612 set thread context of 904	1612	remcos.exe	69
PID 1612 set thread context of 300	1612	remcos.exe	70
PID 1612 set thread context of 1588	1612	remcos.exe	71
PID 1612 set thread context of 108	1612	remcos.exe	72
PID 1612 set thread context of 1140	1612	remcos.exe	74
PID 2024 set thread context of 964	2024	sfc.exe	77

HTTP links in PDF interactive object 16 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral1/files/0x00040000000130f7-78.dat	pdf_with_link_action
behavioral1/files/0x00030000000130fc-202.dat	pdf_with_link_action
behavioral1/files/0x00030000000130fc-206.dat	pdf_with_link_action
behavioral1/files/0x00030000000130fc-209.dat	pdf_with_link_action
behavioral1/files/0x00030000000130fc-213.dat	pdf_with_link_action
behavioral1/files/0x00030000000130fc-214.dat	pdf_with_link_action
behavioral1/files/0x00030000000130fc-216.dat	pdf_with_link_action
behavioral1/files/0x00030000000130fc-217.dat	pdf_with_link_action
behavioral1/files/0x00030000000130fc-218.dat	pdf_with_link_action
behavioral1/files/0x00030000000130fc-222.dat	pdf_with_link_action
behavioral1/files/0x00030000000130fc-225.dat	pdf_with_link_action
behavioral1/files/0x00030000000130fc-226.dat	pdf_with_link_action
behavioral1/files/0x00030000000130fc-229.dat	pdf_with_link_action
behavioral1/files/0x00030000000130fc-233.dat	pdf_with_link_action
behavioral1/files/0x00030000000130fc-234.dat	pdf_with_link_action
behavioral1/files/0x00030000000130fc-235.dat	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1284	schtasks.exe
784	schtasks.exe
1704	schtasks.exe
1656	schtasks.exe
784	schtasks.exe
1892	schtasks.exe
672	schtasks.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1944	AcroRd32.exe
1944	AcroRd32.exe
1944	AcroRd32.exe
1612	remcos.exe
1944	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 1072	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	26
PID 1756 wrote to memory of 1072	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	26
PID 1756 wrote to memory of 1072	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	26
PID 1756 wrote to memory of 1072	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	26
PID 1756 wrote to memory of 1944	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	27
PID 1756 wrote to memory of 1944	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	27
PID 1756 wrote to memory of 1944	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	27
PID 1756 wrote to memory of 1944	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	27
PID 1756 wrote to memory of 1744	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	28
PID 1756 wrote to memory of 1744	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	28
PID 1756 wrote to memory of 1744	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	28
PID 1756 wrote to memory of 1744	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	28
PID 1756 wrote to memory of 1752	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	29
PID 1756 wrote to memory of 1752	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	29
PID 1756 wrote to memory of 1752	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	29
PID 1756 wrote to memory of 1752	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	29
PID 1756 wrote to memory of 1788	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	30
PID 1756 wrote to memory of 1788	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	30
PID 1756 wrote to memory of 1788	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	30
PID 1756 wrote to memory of 1788	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	30
PID 1756 wrote to memory of 1800	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	31
PID 1756 wrote to memory of 1800	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	31
PID 1756 wrote to memory of 1800	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	31
PID 1756 wrote to memory of 1800	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	31
PID 1756 wrote to memory of 1712	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	33
PID 1756 wrote to memory of 1712	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	33
PID 1756 wrote to memory of 1712	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	33
PID 1756 wrote to memory of 1712	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	33
PID 1756 wrote to memory of 1700	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	32
PID 1756 wrote to memory of 1700	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	32
PID 1756 wrote to memory of 1700	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	32
PID 1756 wrote to memory of 1700	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	32
PID 1756 wrote to memory of 1284	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	34
PID 1756 wrote to memory of 1284	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	34
PID 1756 wrote to memory of 1284	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	34
PID 1756 wrote to memory of 1284	1756	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	34
PID 1072 wrote to memory of 1572	1072	remcos_agent_Protected.exe	36
PID 1072 wrote to memory of 1572	1072	remcos_agent_Protected.exe	36
PID 1072 wrote to memory of 1572	1072	remcos_agent_Protected.exe	36
PID 1072 wrote to memory of 1572	1072	remcos_agent_Protected.exe	36
PID 1072 wrote to memory of 1572	1072	remcos_agent_Protected.exe	36
PID 1072 wrote to memory of 1572	1072	remcos_agent_Protected.exe	36
PID 1072 wrote to memory of 784	1072	remcos_agent_Protected.exe	37
PID 1072 wrote to memory of 784	1072	remcos_agent_Protected.exe	37
PID 1072 wrote to memory of 784	1072	remcos_agent_Protected.exe	37
PID 1072 wrote to memory of 784	1072	remcos_agent_Protected.exe	37
PID 1572 wrote to memory of 572	1572	remcos_agent_Protected.exe	39
PID 1572 wrote to memory of 572	1572	remcos_agent_Protected.exe	39
PID 1572 wrote to memory of 572	1572	remcos_agent_Protected.exe	39
PID 1572 wrote to memory of 572	1572	remcos_agent_Protected.exe	39
PID 572 wrote to memory of 1808	572	WScript.exe	41
PID 572 wrote to memory of 1808	572	WScript.exe	41
PID 572 wrote to memory of 1808	572	WScript.exe	41
PID 572 wrote to memory of 1808	572	WScript.exe	41
PID 1808 wrote to memory of 308	1808	cmd.exe	45
PID 1808 wrote to memory of 308	1808	cmd.exe	45
PID 1808 wrote to memory of 308	1808	cmd.exe	45
PID 1808 wrote to memory of 308	1808	cmd.exe	45
PID 308 wrote to memory of 1612	308	remcos.exe	46
PID 308 wrote to memory of 1612	308	remcos.exe	46
PID 308 wrote to memory of 1612	308	remcos.exe	46
PID 308 wrote to memory of 1612	308	remcos.exe	46
PID 308 wrote to memory of 1612	308	remcos.exe	46
PID 308 wrote to memory of 1612	308	remcos.exe	46

C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
"C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
  "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
    "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:676
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:592
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:752
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:316
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:928
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:484
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:904
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:300
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:108
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:1704
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:784
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1944
- C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
  "C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
  2⤵
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
  "C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
  2⤵
  PID:1752
- C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
  "C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
  2⤵
  PID:1788
- C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
  "C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
  2⤵
  PID:1800
- C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
  "C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
  2⤵
  PID:1700
- C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
  "C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
  2⤵
  PID:1712
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:1284

C:\Windows\system32\taskeng.exe
taskeng.exe {44193CFE-DA77-4985-B707-D612B9EB6B9D} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:944
- C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
  C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:1524
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:920
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:2008
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:616
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:1284
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:1196
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:784
- C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
  C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2024
- - C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
    "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
    3⤵
    - Executes dropped EXE
    PID:964
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:1656
- C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
  C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
  2⤵
  PID:2008
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    PID:956
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    PID:1636
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    PID:1728
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    PID:1492
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    PID:1336
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:672
- C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
  C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
  2⤵
  PID:1284
- - C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
    "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
    3⤵
    PID:968
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:1892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/592-120-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/676-116-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1244-152-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1572-73-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1572-84-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1612-106-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1756-108-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1756-112-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1756-60-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1756-87-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/1864-156-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads