remcos | 4cc523e2a7ee81d30a107d2301fe938f1862593329f546f432b3362fc4a59c98

General

Target

W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
Size

35KB
MD5

338ffcaf3397eb562228788f41c0268a
SHA1

544a8b8d98775ebfd452651cfc62bc1495d33488
SHA256

6654c75acd136f37aad63d828eea396361326bb422a91563998ff0302de2bd20
SHA512

66512d06d54a70ae5e5d4a095d0fde690dc3a126546691cb08b56afb858eaa07575d9d9fdce659ccc15099c5fc2fd2e42926c1e9905452cf7b19358ec1e80557

Score

10^/10

remcos host persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

185.19.85.134:6666

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
cupp.exe
copy_folder
cupp
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_jmmfqvqtrcqvysy
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

cupp.execupp.exe

pid process

992 cupp.exe
2528 cupp.exe

pid	process
992	cupp.exe
2528	cupp.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.execupp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\cupp\\cupp.exe\""	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\	cupp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\cupp\\cupp.exe\""	cupp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 34 IoCs

Processes:

W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.execupp.exe

pid	process
1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
992	cupp.exe
992	cupp.exe
992	cupp.exe
992	cupp.exe
992	cupp.exe
992	cupp.exe
992	cupp.exe
992	cupp.exe
992	cupp.exe
992	cupp.exe
992	cupp.exe
992	cupp.exe
992	cupp.exe
992	cupp.exe
992	cupp.exe
992	cupp.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.execupp.exe

description	pid	process	target process
PID 1852 set thread context of 3708	1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
PID 992 set thread context of 2528	992	cupp.exe	cupp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3856 1852 WerFault.exe W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3512 timeout.exe
1952 timeout.exe

pid	pid_target	process	target process
3856	1852	WerFault.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe

pid	process
3512	timeout.exe
1952	timeout.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2208 PING.EXE

pid	process
2208	PING.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exeWerFault.execupp.exe

pid	process
1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
3856	WerFault.exe
992	cupp.exe
992	cupp.exe
992	cupp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

cupp.exe

pid process

2528 cupp.exe

pid	process
2528	cupp.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exeWerFault.execupp.exe

description	pid	process
Token: SeDebugPrivilege	1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
Token: SeRestorePrivilege	3856	WerFault.exe
Token: SeBackupPrivilege	3856	WerFault.exe
Token: SeDebugPrivilege	3856	WerFault.exe
Token: SeDebugPrivilege	992	cupp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cupp.exe

pid process

2528 cupp.exe

pid	process
2528	cupp.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.execmd.exeW0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.execmd.execupp.execmd.exe

description	pid	process	target process
PID 1852 wrote to memory of 2504	1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	cmd.exe
PID 1852 wrote to memory of 2504	1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	cmd.exe
PID 1852 wrote to memory of 2504	1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	cmd.exe
PID 2504 wrote to memory of 3512	2504	cmd.exe	timeout.exe
PID 2504 wrote to memory of 3512	2504	cmd.exe	timeout.exe
PID 2504 wrote to memory of 3512	2504	cmd.exe	timeout.exe
PID 1852 wrote to memory of 3708	1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
PID 1852 wrote to memory of 3708	1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
PID 1852 wrote to memory of 3708	1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
PID 1852 wrote to memory of 3708	1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
PID 1852 wrote to memory of 3708	1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
PID 1852 wrote to memory of 3708	1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
PID 1852 wrote to memory of 3708	1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
PID 1852 wrote to memory of 3708	1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
PID 1852 wrote to memory of 3708	1852	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
PID 3708 wrote to memory of 740	3708	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	cmd.exe
PID 3708 wrote to memory of 740	3708	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	cmd.exe
PID 3708 wrote to memory of 740	3708	W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe	cmd.exe
PID 740 wrote to memory of 2208	740	cmd.exe	PING.EXE
PID 740 wrote to memory of 2208	740	cmd.exe	PING.EXE
PID 740 wrote to memory of 2208	740	cmd.exe	PING.EXE
PID 740 wrote to memory of 992	740	cmd.exe	cupp.exe
PID 740 wrote to memory of 992	740	cmd.exe	cupp.exe
PID 740 wrote to memory of 992	740	cmd.exe	cupp.exe
PID 992 wrote to memory of 1240	992	cupp.exe	cmd.exe
PID 992 wrote to memory of 1240	992	cupp.exe	cmd.exe
PID 992 wrote to memory of 1240	992	cupp.exe	cmd.exe
PID 1240 wrote to memory of 1952	1240	cmd.exe	timeout.exe
PID 1240 wrote to memory of 1952	1240	cmd.exe	timeout.exe
PID 1240 wrote to memory of 1952	1240	cmd.exe	timeout.exe
PID 992 wrote to memory of 2528	992	cupp.exe	cupp.exe
PID 992 wrote to memory of 2528	992	cupp.exe	cupp.exe
PID 992 wrote to memory of 2528	992	cupp.exe	cupp.exe
PID 992 wrote to memory of 2528	992	cupp.exe	cupp.exe
PID 992 wrote to memory of 2528	992	cupp.exe	cupp.exe
PID 992 wrote to memory of 2528	992	cupp.exe	cupp.exe
PID 992 wrote to memory of 2528	992	cupp.exe	cupp.exe
PID 992 wrote to memory of 2528	992	cupp.exe	cupp.exe
PID 992 wrote to memory of 2528	992	cupp.exe	cupp.exe

C:\Users\Admin\AppData\Local\Temp\W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
"C:\Users\Admin\AppData\Local\Temp\W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3512

C:\Users\Admin\AppData\Local\Temp\W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe
"C:\Users\Admin\AppData\Local\Temp\W0rld cup_QATAR 2022 STADIUM PROJECT ONGOING PR0JECT.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:2208

C:\Users\Admin\AppData\Roaming\cupp\cupp.exe
"C:\Users\Admin\AppData\Roaming\cupp\cupp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
5⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\timeout.exe
timeout 1
6⤵
- Delays execution with timeout.exe
PID:1952

C:\Users\Admin\AppData\Roaming\cupp\cupp.exe
"C:\Users\Admin\AppData\Roaming\cupp\cupp.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 2368
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.bat
MD5
1ce0c81c3f00022f95124481eb658eba

SHA1
fd96293f9693f001ff351d80a4c24f320a609867

SHA256
61c71eb5606e7786820dd7834a9c450d68d4424c68582febc17aa450681c22bc

SHA512
1988b09f47898a04f737284081aa4a090ec9f534167cedddfdb5e3d3f40708379d2fbafb8b34104e1f6c50f8adc5c9b65bf4f47c270ef410b36a9f77687c95c6

Download Submit
C:\Users\Admin\AppData\Roaming\cupp\cupp.exe
MD5
338ffcaf3397eb562228788f41c0268a

SHA1
544a8b8d98775ebfd452651cfc62bc1495d33488

SHA256
6654c75acd136f37aad63d828eea396361326bb422a91563998ff0302de2bd20

SHA512
66512d06d54a70ae5e5d4a095d0fde690dc3a126546691cb08b56afb858eaa07575d9d9fdce659ccc15099c5fc2fd2e42926c1e9905452cf7b19358ec1e80557

Download Submit
C:\Users\Admin\AppData\Roaming\cupp\cupp.exe
MD5
338ffcaf3397eb562228788f41c0268a

SHA1
544a8b8d98775ebfd452651cfc62bc1495d33488

SHA256
6654c75acd136f37aad63d828eea396361326bb422a91563998ff0302de2bd20

SHA512
66512d06d54a70ae5e5d4a095d0fde690dc3a126546691cb08b56afb858eaa07575d9d9fdce659ccc15099c5fc2fd2e42926c1e9905452cf7b19358ec1e80557

Download Submit
C:\Users\Admin\AppData\Roaming\cupp\cupp.exe
MD5
338ffcaf3397eb562228788f41c0268a

SHA1
544a8b8d98775ebfd452651cfc62bc1495d33488

SHA256
6654c75acd136f37aad63d828eea396361326bb422a91563998ff0302de2bd20

SHA512
66512d06d54a70ae5e5d4a095d0fde690dc3a126546691cb08b56afb858eaa07575d9d9fdce659ccc15099c5fc2fd2e42926c1e9905452cf7b19358ec1e80557

Download Submit
memory/740-124-0x0000000000000000-mapping.dmp

Download
memory/992-134-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/992-128-0x0000000000000000-mapping.dmp

Download
memory/1240-136-0x0000000000000000-mapping.dmp

Download
memory/1852-116-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/1852-121-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download
memory/1852-117-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/1852-118-0x0000000001400000-0x000000000145E000-memory.dmp

Filesize
376KB

Download
memory/1852-114-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/1952-137-0x0000000000000000-mapping.dmp

Download
memory/2208-126-0x0000000000000000-mapping.dmp

Download
memory/2504-119-0x0000000000000000-mapping.dmp

Download
memory/2528-140-0x000000000040FD88-mapping.dmp

Download
memory/2528-142-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3512-120-0x0000000000000000-mapping.dmp

Download
memory/3708-127-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3708-123-0x000000000040FD88-mapping.dmp

Download
memory/3708-122-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads