remcos | 4cc523e2a7ee81d30a107d2301fe938f1862593329f546f432b3362fc4a59c98

Analysis

max time kernel
147s
max time network
197s
platform
windows7_x64
resource
win7v20210408
submitted
21-06-2021 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
Size

35KB
MD5

338ffcaf3397eb562228788f41c0268a
SHA1

544a8b8d98775ebfd452651cfc62bc1495d33488
SHA256

6654c75acd136f37aad63d828eea396361326bb422a91563998ff0302de2bd20
SHA512

66512d06d54a70ae5e5d4a095d0fde690dc3a126546691cb08b56afb858eaa07575d9d9fdce659ccc15099c5fc2fd2e42926c1e9905452cf7b19358ec1e80557

Score

10^/10

remcos host persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

185.19.85.134:6666

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
cupp.exe
copy_folder
cupp
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_jmmfqvqtrcqvysy
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

cupp.execupp.exe

pid process

112 cupp.exe
1164 cupp.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exeWerFault.exe

pid process

1896 cmd.exe
1700 WerFault.exe
1700 WerFault.exe
1700 WerFault.exe
1700 WerFault.exe
1700 WerFault.exe

pid	process
112	cupp.exe
1164	cupp.exe

pid	process
1896	cmd.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.execupp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\cupp\\cupp.exe\""	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\	cupp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\cupp\\cupp.exe\""	cupp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 29 IoCs

Processes:

W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.execupp.exe

pid	process
1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
112	cupp.exe
112	cupp.exe
112	cupp.exe
112	cupp.exe
112	cupp.exe
112	cupp.exe
112	cupp.exe
112	cupp.exe
112	cupp.exe
112	cupp.exe
112	cupp.exe
112	cupp.exe
112	cupp.exe
112	cupp.exe
112	cupp.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.execupp.exe

description	pid	process	target process
PID 1988 set thread context of 744	1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
PID 112 set thread context of 1164	112	cupp.exe	cupp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1776 1988 WerFault.exe W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1700 112 WerFault.exe cupp.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1788 timeout.exe
564 timeout.exe

pid	pid_target	process	target process
1776	1988	WerFault.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1700	112	WerFault.exe	cupp.exe

pid	process
1788	timeout.exe
564	timeout.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1220 PING.EXE

pid	process
1220	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exeWerFault.execupp.exeWerFault.exe

pid	process
1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
112	cupp.exe
112	cupp.exe
112	cupp.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid process

1776 WerFault.exe
1700 WerFault.exe

pid	process
1776	WerFault.exe
1700	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exeWerFault.execupp.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
Token: SeDebugPrivilege	1776	WerFault.exe
Token: SeDebugPrivilege	112	cupp.exe
Token: SeDebugPrivilege	1700	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cupp.exe

pid process

1164 cupp.exe

pid	process
1164	cupp.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.execmd.exeW0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.execmd.execupp.execmd.exe

description	pid	process	target process
PID 1988 wrote to memory of 1460	1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	cmd.exe
PID 1988 wrote to memory of 1460	1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	cmd.exe
PID 1988 wrote to memory of 1460	1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	cmd.exe
PID 1988 wrote to memory of 1460	1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	cmd.exe
PID 1460 wrote to memory of 1788	1460	cmd.exe	timeout.exe
PID 1460 wrote to memory of 1788	1460	cmd.exe	timeout.exe
PID 1460 wrote to memory of 1788	1460	cmd.exe	timeout.exe
PID 1460 wrote to memory of 1788	1460	cmd.exe	timeout.exe
PID 1988 wrote to memory of 744	1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
PID 1988 wrote to memory of 744	1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
PID 1988 wrote to memory of 744	1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
PID 1988 wrote to memory of 744	1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
PID 1988 wrote to memory of 744	1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
PID 1988 wrote to memory of 744	1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
PID 1988 wrote to memory of 744	1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
PID 1988 wrote to memory of 744	1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
PID 1988 wrote to memory of 744	1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
PID 1988 wrote to memory of 744	1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
PID 744 wrote to memory of 1896	744	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	cmd.exe
PID 744 wrote to memory of 1896	744	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	cmd.exe
PID 744 wrote to memory of 1896	744	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	cmd.exe
PID 744 wrote to memory of 1896	744	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	cmd.exe
PID 744 wrote to memory of 1896	744	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	cmd.exe
PID 744 wrote to memory of 1896	744	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	cmd.exe
PID 744 wrote to memory of 1896	744	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	cmd.exe
PID 1988 wrote to memory of 1776	1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	WerFault.exe
PID 1988 wrote to memory of 1776	1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	WerFault.exe
PID 1988 wrote to memory of 1776	1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	WerFault.exe
PID 1988 wrote to memory of 1776	1988	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	WerFault.exe
PID 1896 wrote to memory of 1220	1896	cmd.exe	PING.EXE
PID 1896 wrote to memory of 1220	1896	cmd.exe	PING.EXE
PID 1896 wrote to memory of 1220	1896	cmd.exe	PING.EXE
PID 1896 wrote to memory of 1220	1896	cmd.exe	PING.EXE
PID 1896 wrote to memory of 112	1896	cmd.exe	cupp.exe
PID 1896 wrote to memory of 112	1896	cmd.exe	cupp.exe
PID 1896 wrote to memory of 112	1896	cmd.exe	cupp.exe
PID 1896 wrote to memory of 112	1896	cmd.exe	cupp.exe
PID 112 wrote to memory of 864	112	cupp.exe	cmd.exe
PID 112 wrote to memory of 864	112	cupp.exe	cmd.exe
PID 112 wrote to memory of 864	112	cupp.exe	cmd.exe
PID 112 wrote to memory of 864	112	cupp.exe	cmd.exe
PID 864 wrote to memory of 564	864	cmd.exe	timeout.exe
PID 864 wrote to memory of 564	864	cmd.exe	timeout.exe
PID 864 wrote to memory of 564	864	cmd.exe	timeout.exe
PID 864 wrote to memory of 564	864	cmd.exe	timeout.exe
PID 112 wrote to memory of 1164	112	cupp.exe	cupp.exe
PID 112 wrote to memory of 1164	112	cupp.exe	cupp.exe
PID 112 wrote to memory of 1164	112	cupp.exe	cupp.exe
PID 112 wrote to memory of 1164	112	cupp.exe	cupp.exe
PID 112 wrote to memory of 1164	112	cupp.exe	cupp.exe
PID 112 wrote to memory of 1164	112	cupp.exe	cupp.exe
PID 112 wrote to memory of 1164	112	cupp.exe	cupp.exe
PID 112 wrote to memory of 1164	112	cupp.exe	cupp.exe
PID 112 wrote to memory of 1164	112	cupp.exe	cupp.exe
PID 112 wrote to memory of 1164	112	cupp.exe	cupp.exe
PID 112 wrote to memory of 1700	112	cupp.exe	WerFault.exe
PID 112 wrote to memory of 1700	112	cupp.exe	WerFault.exe
PID 112 wrote to memory of 1700	112	cupp.exe	WerFault.exe
PID 112 wrote to memory of 1700	112	cupp.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
"C:\Users\Admin\AppData\Local\Temp\W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1788

C:\Users\Admin\AppData\Local\Temp\W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
"C:\Users\Admin\AppData\Local\Temp\W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:1220

C:\Users\Admin\AppData\Roaming\cupp\cupp.exe
"C:\Users\Admin\AppData\Roaming\cupp\cupp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
5⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\timeout.exe
timeout 1
6⤵
- Delays execution with timeout.exe
PID:564

C:\Users\Admin\AppData\Roaming\cupp\cupp.exe
"C:\Users\Admin\AppData\Roaming\cupp\cupp.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 1808
5⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 1772
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
6045baccf49e1eba0e674945311a06e6

SHA1
379c6234849eecede26fad192c2ee59e0f0221cb

SHA256
65830a65cb913bee83258e4ac3e140faf131e7eb084d39f7020c7acc825b0a58

SHA512
da32af6a730884e73956e4eb6bff61a1326b3ef8ba0a213b5b4aad6de4fbd471b3550b6ac2110f1d0b2091e33c70d44e498f897376f8e1998b1d2afac789abeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
b6490a4730dc795c50ad8ee9434b4859

SHA1
56ad746d3064d4d125b7b0c994175a7f6f4c8c3b

SHA256
ac28db362d4de0f7746c8eda970af344cbe05055198145b5bde3864cc3ff71bd

SHA512
38aa8a68057f15c1de73dda2aba79165f89e37079eb443fd9737dab4775e41f632c95563df7fe62ee56bfa07a6f4bebaff5cca853c3405fcdd264ae5088461fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat
MD5
1ce0c81c3f00022f95124481eb658eba

SHA1
fd96293f9693f001ff351d80a4c24f320a609867

SHA256
61c71eb5606e7786820dd7834a9c450d68d4424c68582febc17aa450681c22bc

SHA512
1988b09f47898a04f737284081aa4a090ec9f534167cedddfdb5e3d3f40708379d2fbafb8b34104e1f6c50f8adc5c9b65bf4f47c270ef410b36a9f77687c95c6

Download Submit
C:\Users\Admin\AppData\Roaming\cupp\cupp.exe
MD5
338ffcaf3397eb562228788f41c0268a

SHA1
544a8b8d98775ebfd452651cfc62bc1495d33488

SHA256
6654c75acd136f37aad63d828eea396361326bb422a91563998ff0302de2bd20

SHA512
66512d06d54a70ae5e5d4a095d0fde690dc3a126546691cb08b56afb858eaa07575d9d9fdce659ccc15099c5fc2fd2e42926c1e9905452cf7b19358ec1e80557

Download Submit
C:\Users\Admin\AppData\Roaming\cupp\cupp.exe
MD5
338ffcaf3397eb562228788f41c0268a

SHA1
544a8b8d98775ebfd452651cfc62bc1495d33488

SHA256
6654c75acd136f37aad63d828eea396361326bb422a91563998ff0302de2bd20

SHA512
66512d06d54a70ae5e5d4a095d0fde690dc3a126546691cb08b56afb858eaa07575d9d9fdce659ccc15099c5fc2fd2e42926c1e9905452cf7b19358ec1e80557

Download Submit
C:\Users\Admin\AppData\Roaming\cupp\cupp.exe
MD5
338ffcaf3397eb562228788f41c0268a

SHA1
544a8b8d98775ebfd452651cfc62bc1495d33488

SHA256
6654c75acd136f37aad63d828eea396361326bb422a91563998ff0302de2bd20

SHA512
66512d06d54a70ae5e5d4a095d0fde690dc3a126546691cb08b56afb858eaa07575d9d9fdce659ccc15099c5fc2fd2e42926c1e9905452cf7b19358ec1e80557

Download Submit
\Users\Admin\AppData\Roaming\cupp\cupp.exe
MD5
338ffcaf3397eb562228788f41c0268a

SHA1
544a8b8d98775ebfd452651cfc62bc1495d33488

SHA256
6654c75acd136f37aad63d828eea396361326bb422a91563998ff0302de2bd20

SHA512
66512d06d54a70ae5e5d4a095d0fde690dc3a126546691cb08b56afb858eaa07575d9d9fdce659ccc15099c5fc2fd2e42926c1e9905452cf7b19358ec1e80557

Download Submit
\Users\Admin\AppData\Roaming\cupp\cupp.exe
MD5
338ffcaf3397eb562228788f41c0268a

SHA1
544a8b8d98775ebfd452651cfc62bc1495d33488

SHA256
6654c75acd136f37aad63d828eea396361326bb422a91563998ff0302de2bd20

SHA512
66512d06d54a70ae5e5d4a095d0fde690dc3a126546691cb08b56afb858eaa07575d9d9fdce659ccc15099c5fc2fd2e42926c1e9905452cf7b19358ec1e80557

Download Submit
\Users\Admin\AppData\Roaming\cupp\cupp.exe
MD5
338ffcaf3397eb562228788f41c0268a

SHA1
544a8b8d98775ebfd452651cfc62bc1495d33488

SHA256
6654c75acd136f37aad63d828eea396361326bb422a91563998ff0302de2bd20

SHA512
66512d06d54a70ae5e5d4a095d0fde690dc3a126546691cb08b56afb858eaa07575d9d9fdce659ccc15099c5fc2fd2e42926c1e9905452cf7b19358ec1e80557

Download Submit
\Users\Admin\AppData\Roaming\cupp\cupp.exe
MD5
338ffcaf3397eb562228788f41c0268a

SHA1
544a8b8d98775ebfd452651cfc62bc1495d33488

SHA256
6654c75acd136f37aad63d828eea396361326bb422a91563998ff0302de2bd20

SHA512
66512d06d54a70ae5e5d4a095d0fde690dc3a126546691cb08b56afb858eaa07575d9d9fdce659ccc15099c5fc2fd2e42926c1e9905452cf7b19358ec1e80557

Download Submit
\Users\Admin\AppData\Roaming\cupp\cupp.exe
MD5
338ffcaf3397eb562228788f41c0268a

SHA1
544a8b8d98775ebfd452651cfc62bc1495d33488

SHA256
6654c75acd136f37aad63d828eea396361326bb422a91563998ff0302de2bd20

SHA512
66512d06d54a70ae5e5d4a095d0fde690dc3a126546691cb08b56afb858eaa07575d9d9fdce659ccc15099c5fc2fd2e42926c1e9905452cf7b19358ec1e80557

Download Submit
\Users\Admin\AppData\Roaming\cupp\cupp.exe
MD5
338ffcaf3397eb562228788f41c0268a

SHA1
544a8b8d98775ebfd452651cfc62bc1495d33488

SHA256
6654c75acd136f37aad63d828eea396361326bb422a91563998ff0302de2bd20

SHA512
66512d06d54a70ae5e5d4a095d0fde690dc3a126546691cb08b56afb858eaa07575d9d9fdce659ccc15099c5fc2fd2e42926c1e9905452cf7b19358ec1e80557

Download Submit
memory/112-75-0x0000000000000000-mapping.dmp

Download
memory/112-77-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/112-82-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/564-85-0x0000000000000000-mapping.dmp

Download
memory/744-72-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/744-67-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/744-65-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/744-66-0x000000000040FD88-mapping.dmp

Download
memory/864-84-0x0000000000000000-mapping.dmp

Download
memory/1164-87-0x000000000040FD88-mapping.dmp

Download
memory/1164-96-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1220-71-0x0000000000000000-mapping.dmp

Download
memory/1460-63-0x0000000000000000-mapping.dmp

Download
memory/1700-90-0x0000000000000000-mapping.dmp

Download
memory/1700-97-0x0000000000260000-0x00000000002C0000-memory.dmp

Filesize
384KB

Download
memory/1776-81-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/1776-69-0x0000000000000000-mapping.dmp

Download
memory/1788-64-0x0000000000000000-mapping.dmp

Download
memory/1896-68-0x0000000000000000-mapping.dmp

Download
memory/1988-59-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/1988-62-0x0000000000960000-0x00000000009BE000-memory.dmp

Filesize
376KB

Download
memory/1988-61-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download