Analysis

max time kernel: 158s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 12-07-2022 12:35

Static task: static1
Behavioral task: behavioral1
Sample: 93276a3646988961ec65fc1b860f227454c60f143c9d1736f5ab3fdc30a7443c.exe
Resource: win7-20220414-en

General

Target: 93276a3646988961ec65fc1b860f227454c60f143c9d1736f5ab3fdc30a7443c.exe
Size: 267KB
MD5: af36518f0a97d140dfcd5afbb9740d8a
SHA1: 3b8c31dcf501d7e93bf6b3e5ffaf1638942cd47c
SHA256: 93276a3646988961ec65fc1b860f227454c60f143c9d1736f5ab3fdc30a7443c
SHA512: 95cff48acc0e72127f096b0d66d97299433a9a13e4f322195754bd59cef689badf1ec7f447dc3dd25b36cfde665a05c7251c8fa149e0bb5fe3aec97812df9fa8
Malware Config

Extracted: remcos
Family: remcos
Version: 1.7 Pro
Botnet: sales
C2: 178.175.138.219:200

audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: microsoft
keylog_path: %AppData%
mouse_option: false
mutex: remcos_yyaopwkkmmuwfrk
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
screenshot_time: 1
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title:

Extracted: sality
C2:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
  http://www.klkjwre9fqwieluoi.info/
  http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: remcos.exe, serverbb.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | remcos.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | serverbb.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | serverbb.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | serverbb.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | remcos.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | remcos.exe
UAC bypass
Processes: remcos.exe, serverbb.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | remcos.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | serverbb.exe
Windows security bypass
Processes: serverbb.exe, remcos.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | serverbb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | serverbb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | serverbb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | remcos.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | remcos.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | remcos.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | remcos.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | serverbb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | serverbb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | serverbb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | remcos.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | remcos.exe
Disables RegEdit via registry modification (2 IoCs)
Processes: serverbb.exe, remcos.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | serverbb.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | remcos.exe

Disables Task Manager via registry modification
Executes dropped EXE (3 IoCs)
Processes: serverbb.sfx.exe, serverbb.exe, remcos.exe
  pid | process
  1316 | serverbb.sfx.exe
  3284 | serverbb.exe
  4528 | remcos.exe

YARA matches on memory dumps
  resource | yara_rule
  behavioral2/memory/3284-138-0x0000000002310000-0x000000000339E000-memory.dmp | upx
  behavioral2/memory/3284-141-0x0000000002310000-0x000000000339E000-memory.dmp | upx
  behavioral2/memory/4528-148-0x00000000021E0000-0x000000000326E000-memory.dmp | upx
  behavioral2/memory/4528-151-0x00000000021E0000-0x000000000326E000-memory.dmp | upx
  behavioral2/memory/4528-152-0x00000000021E0000-0x000000000326E000-memory.dmp | upx
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: 93276a3646988961ec65fc1b860f227454c60f143c9d1736f5ab3fdc30a7443c.exe, serverbb.sfx.exe, serverbb.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | 93276a3646988961ec65fc1b860f227454c60f143c9d1736f5ab3fdc30a7443c.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | serverbb.sfx.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | serverbb.exe
Windows security modification
Processes: remcos.exe, serverbb.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | remcos.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | remcos.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | serverbb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | remcos.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | remcos.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | remcos.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | serverbb.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | serverbb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | remcos.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | serverbb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | serverbb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | serverbb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | remcos.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | serverbb.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
Processes: serverbb.exe, remcos.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | serverbb.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" | serverbb.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | serverbb.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" | serverbb.exe
  Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | remcos.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" | remcos.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | remcos.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" | remcos.exe
Checks whether UAC is enabled
Processes: serverbb.exe, remcos.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | serverbb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | remcos.exe
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: remcos.exe
  description | ioc | process
  File opened (read-only), 22 drive letters, all by remcos.exe, in this order:
  \??\P:, \??\S:, \??\Z:, \??\K:, \??\O:, \??\R:, \??\W:, \??\E:, \??\F:, \??\G:, \??\I:, \??\Q:, \??\T:, \??\V:, \??\X:, \??\H:, \??\J:, \??\L:, \??\M:, \??\N:, \??\U:, \??\Y:
Drops autorun.inf file (1 TTPs, 1 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: remcos.exe
  description | ioc | process
  File opened for modification | C:\autorun.inf | remcos.exe

Drops file in Program Files directory (11 IoCs)
Processes: remcos.exe
  description | ioc | process
  File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | remcos.exe
  File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | remcos.exe
  File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | remcos.exe
  File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | remcos.exe
  File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | remcos.exe
  File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | remcos.exe
  File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | remcos.exe
  File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | remcos.exe
  File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | remcos.exe
  File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | remcos.exe
  File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | remcos.exe

Drops file in Windows directory (1 IoCs)
Processes: serverbb.exe
  description | ioc | process
  File opened for modification | C:\Windows\SYSTEM.INI | serverbb.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes: serverbb.exe, remcos.exe
  pid | process
  3284 | serverbb.exe (2 entries)
  4528 | remcos.exe (26 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: serverbb.exe
  description | pid | process
  Token: SeDebugPrivilege | 3284 | serverbb.exe (64 identical entries)

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: remcos.exe
  pid | process
  4528 | remcos.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 93276a3646988961ec65fc1b860f227454c60f143c9d1736f5ab3fdc30a7443c.exe, cmd.exe, serverbb.sfx.exe, serverbb.exe, cmd.exe, remcos.exe
  description | pid | process | target process
  PID 3204 wrote to memory of 4144 | 3204 | 93276a3646988961ec65fc1b860f227454c60f143c9d1736f5ab3fdc30a7443c.exe | cmd.exe (3 entries)
  PID 4144 wrote to memory of 1316 | 4144 | cmd.exe | serverbb.sfx.exe (3 entries)
  PID 1316 wrote to memory of 3284 | 1316 | serverbb.sfx.exe | serverbb.exe (3 entries)
  PID 3284 wrote to memory of 784 | 3284 | serverbb.exe | fontdrvhost.exe
  PID 3284 wrote to memory of 788 | 3284 | serverbb.exe | fontdrvhost.exe
  PID 3284 wrote to memory of 332 | 3284 | serverbb.exe | dwm.exe
  PID 3284 wrote to memory of 2440 | 3284 | serverbb.exe | cmd.exe (3 entries)
  PID 3284 wrote to memory of 2352 | 3284 | serverbb.exe | sihost.exe
  PID 3284 wrote to memory of 2368 | 3284 | serverbb.exe | svchost.exe
  PID 3284 wrote to memory of 2456 | 3284 | serverbb.exe | taskhostw.exe
  PID 3284 wrote to memory of 2940 | 3284 | serverbb.exe | Explorer.EXE
  PID 3284 wrote to memory of 2888 | 3284 | serverbb.exe | svchost.exe
  PID 3284 wrote to memory of 3268 | 3284 | serverbb.exe | DllHost.exe
  PID 3284 wrote to memory of 3356 | 3284 | serverbb.exe | StartMenuExperienceHost.exe
  PID 3284 wrote to memory of 3428 | 3284 | serverbb.exe | RuntimeBroker.exe
  PID 3284 wrote to memory of 3512 | 3284 | serverbb.exe | SearchApp.exe
  PID 3284 wrote to memory of 3836 | 3284 | serverbb.exe | RuntimeBroker.exe
  PID 3284 wrote to memory of 4212 | 3284 | serverbb.exe | RuntimeBroker.exe
  PID 3284 wrote to memory of 3204 | 3284 | serverbb.exe | 93276a3646988961ec65fc1b860f227454c60f143c9d1736f5ab3fdc30a7443c.exe (2 entries)
  PID 3284 wrote to memory of 4144 | 3284 | serverbb.exe | cmd.exe (2 entries)
  PID 3284 wrote to memory of 1360 | 3284 | serverbb.exe | Conhost.exe
  PID 2440 wrote to memory of 4624 | 2440 | cmd.exe | PING.EXE (3 entries)
  PID 2440 wrote to memory of 4528 | 2440 | cmd.exe | remcos.exe (3 entries)
  PID 4528 wrote to memory of 784 | 4528 | remcos.exe | fontdrvhost.exe
  PID 4528 wrote to memory of 788 | 4528 | remcos.exe | fontdrvhost.exe
  PID 4528 wrote to memory of 332 | 4528 | remcos.exe | dwm.exe
  PID 4528 wrote to memory of 2352 | 4528 | remcos.exe | sihost.exe
  PID 4528 wrote to memory of 2368 | 4528 | remcos.exe | svchost.exe
  PID 4528 wrote to memory of 2456 | 4528 | remcos.exe | taskhostw.exe
  PID 4528 wrote to memory of 2940 | 4528 | remcos.exe | Explorer.EXE
  PID 4528 wrote to memory of 2888 | 4528 | remcos.exe | svchost.exe
  PID 4528 wrote to memory of 3268 | 4528 | remcos.exe | DllHost.exe
  PID 4528 wrote to memory of 3356 | 4528 | remcos.exe | StartMenuExperienceHost.exe
  PID 4528 wrote to memory of 3428 | 4528 | remcos.exe | RuntimeBroker.exe
  PID 4528 wrote to memory of 3512 | 4528 | remcos.exe | SearchApp.exe
  PID 4528 wrote to memory of 3836 | 4528 | remcos.exe | RuntimeBroker.exe
  PID 4528 wrote to memory of 4212 | 4528 | remcos.exe | RuntimeBroker.exe
  PID 4528 wrote to memory of 784 | 4528 | remcos.exe | fontdrvhost.exe
  PID 4528 wrote to memory of 788 | 4528 | remcos.exe | fontdrvhost.exe
  PID 4528 wrote to memory of 332 | 4528 | remcos.exe | dwm.exe
  PID 4528 wrote to memory of 2352 | 4528 | remcos.exe | sihost.exe
  PID 4528 wrote to memory of 2368 | 4528 | remcos.exe | svchost.exe
  PID 4528 wrote to memory of 2456 | 4528 | remcos.exe | taskhostw.exe
  PID 4528 wrote to memory of 2940 | 4528 | remcos.exe | Explorer.EXE
  PID 4528 wrote to memory of 2888 | 4528 | remcos.exe | svchost.exe
  PID 4528 wrote to memory of 3268 | 4528 | remcos.exe | DllHost.exe
  PID 4528 wrote to memory of 3356 | 4528 | remcos.exe | StartMenuExperienceHost.exe
  PID 4528 wrote to memory of 3428 | 4528 | remcos.exe | RuntimeBroker.exe
  PID 4528 wrote to memory of 3512 | 4528 | remcos.exe | SearchApp.exe
  PID 4528 wrote to memory of 3836 | 4528 | remcos.exe | RuntimeBroker.exe

System policy modification (1 TTPs, 2 IoCs)
Processes: serverbb.exe, remcos.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | serverbb.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | remcos.exe
Processes

Each entry gives the image path, the command line, the nesting depth in the process tree, and the signatures triggered by that process.

C:\Windows\system32\fontdrvhost.exe (depth 1)
  cmdline: "fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe (depth 1)
  cmdline: "fontdrvhost.exe"

C:\Windows\system32\dwm.exe (depth 1)
  cmdline: "dwm.exe"

C:\Windows\system32\sihost.exe (depth 1)
  cmdline: sihost.exe

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (depth 1)
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe (depth 1)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1)
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe (depth 1)
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe (depth 1)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe (depth 1)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe (depth 1)
  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\Explorer.EXE (depth 1)
  cmdline: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\93276a3646988961ec65fc1b860f227454c60f143c9d1736f5ab3fdc30a7443c.exe (depth 2)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\93276a3646988961ec65fc1b860f227454c60f143c9d1736f5ab3fdc30a7443c.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\xxawaeszfers43s3d43ec.bat" "
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\Conhost.exe (depth 4)
        cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

      C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe (depth 4)
        cmdline: serverbb.sfx.exe -piiasedfdsegg09o0i8i0i -dC:\Users\Admin\AppData\Local\Temp
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe (depth 5)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe"
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Checks computer location settings
          - Windows security modification
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

          C:\Windows\SysWOW64\cmd.exe (depth 6)
            cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\PING.EXE (depth 7)
              cmdline: PING 127.0.0.1 -n 2
              - Runs ping.exe

            C:\Users\Admin\AppData\Roaming\remcos\remcos.exe (depth 7)
              cmdline: "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Disables RegEdit via registry modification
              - Executes dropped EXE
              - Windows security modification
              - Adds Run key to start application
              - Checks whether UAC is enabled
              - Enumerates connected drives
              - Drops autorun.inf file
              - Drops file in Program Files directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              - System policy modification

C:\Windows\system32\taskhostw.exe (depth 1)
  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe (depth 1)
  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe
  Filesize: 207KB
  MD5: e6121feb0325525065baad0db96fee62
  SHA1: 0f1a671a5d360c33648e065c4f19a0a8fef276ff
  SHA256: 1d72b61cc04f1f4da847b4950e6cf70aaac16a05677e4f0635c06e7ff376ae59
  SHA512: 72e4eb808e896cf9ffb03b7f97948c7fc98662b71fece805acdcd9c7c3e0c787f1ee939eef4e26dc7558d83ad00cbd0784e5dc5a8dca8e82181e947e8f8a69f3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\xxawaeszfers43s3d43ec.bat
  Filesize: 49B
  MD5: e06f4ac29c4328f453637b572b8aeb0d
  SHA1: c8a87ca47c44938b374ee225d6df5b86facc6af9
  SHA256: 6700e5fdb3c3c29c207d0c456d94b9e18536d77839724e94da6c34491f96c927
  SHA512: 42e9430a80af2c400440ae259b752e69f665048352dcacd558f0e3f4096bcdeccd81ecf129e3c3533831fa5187faf4fc28efd2b8f2c671f90137c216bd6d2eec

C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe
  Filesize: 164KB
  MD5: e59cef15630374087f1223583760f64c
  SHA1: b3b4449055b6f6da3c14a01785ce95ac817179d5
  SHA256: 38d8f89f5478c51f2c3662fc52282d16ce38d6c78823bca726306b0d9bb7c9c6
  SHA512: 9928bcdd296be8f3de666e1a440cdd778cb6d6621c62a6d5c4e104d5df25f7ab445c0d3ddc552c9847bb0c149e00fb7992233d2ce279178f6866e8b89eae9652

C:\Users\Admin\AppData\Local\Temp\install.bat
  Filesize: 99B
  MD5: 76c1687d97dfdbcea62ef1490bec5001
  SHA1: 5f4d1aeafa7d840cde67b76f97416dd68efd1bed
  SHA256: 79f04ea049979ffd2232c459fdd57fae97a5255aea9b4a2c7dce7ead856f37a4
  SHA512: da250f0628632a644f159d818a82a8b9cca8224e46843bddbe0f6f9c32a2d04f7736a620af49ab6d77616317ca7d68285e60043965fe86c03d940835bd30a925

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe (same hashes as RarSFX1\serverbb.exe above)
  Filesize: 164KB
  MD5: e59cef15630374087f1223583760f64c
  SHA1: b3b4449055b6f6da3c14a01785ce95ac817179d5
  SHA256: 38d8f89f5478c51f2c3662fc52282d16ce38d6c78823bca726306b0d9bb7c9c6
  SHA512: 9928bcdd296be8f3de666e1a440cdd778cb6d6621c62a6d5c4e104d5df25f7ab445c0d3ddc552c9847bb0c149e00fb7992233d2ce279178f6866e8b89eae9652

C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: ab8b2fb042b251e5b57aa62bde8154f5
  SHA1: 009b86757bf5b2ce3dc117e38e84f227f2c3f680
  SHA256: 8ca04349b2a41a8cb23b73925b9be076f79ba31dd11bec56543f2636ea9f2cba
  SHA512: 945b69a81db3249168f4b83cd9e2a511215d4f5d8fb846b64f201490c33e7097e2af940f3c502d90ce49487a4030d44d23caecfbc4d1f0dc46aa49389b7f407f