remcos | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80

Analysis

max time kernel
169s
max time network
173s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
24-07-2022 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
Size

340KB
MD5

77e6c7f57c85396bcc9cb835a24107d1
SHA1

6a243d09ed09f339935577c746d0326c0dff2e38
SHA256

ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80
SHA512

0f8203d8d710244728939b8b5ebc9053e3e0c3c1a9ba3de136fbf2dd8860ca74e277d067e13ccd2eca25ead0deeb782fd2b8ff345b2161ba4ee9720337348abd

Score

10^/10

remcos gold persistence rat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

GOLD

sub.thebest1jewels.waw.pl:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-TP8KCR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

1512 remcos.exe
108 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

392 cmd.exe

pid	process
1512	remcos.exe
108	remcos.exe

pid	process
392	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exeremcos.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exeremcos.exeremcos.exe

description	pid	process	target process
PID 880 set thread context of 1452	880	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
PID 1512 set thread context of 108	1512	remcos.exe	remcos.exe
PID 108 set thread context of 976	108	remcos.exe	svchost.exe
PID 108 set thread context of 1028	108	remcos.exe	svchost.exe
PID 108 set thread context of 1920	108	remcos.exe	svchost.exe
PID 108 set thread context of 1800	108	remcos.exe	svchost.exe
PID 108 set thread context of 1240	108	remcos.exe	svchost.exe
PID 108 set thread context of 1724	108	remcos.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1500 schtasks.exe
1796 schtasks.exe

pid	process
1500	schtasks.exe
1796	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70ff629b94a0d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C58D9D01-0C87-11ED-8EFA-EE9964564EAD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004281fce5e1fefc478c7ba169937a5e5f000000000200000000001066000000010000200000008eedb314407d4337a389351eb79905caaaa3a40eb52812fa98f9e25cfb0868cb000000000e8000000002000020000000c2cb06ce9037748b3b094293994415195a259aac1a6f2d3bda2a6d344f825d4320000000b05a985bae1747d38a857afb3fdace1eb2bbc9c2efd04593334112e929b2cabd40000000ffd1bd5f544bc605533802508c63ba2c6464687f1957c11b291fc978e4595ebfb909547570ce9e65ad34e9576d34df29b21b090f72f2f4ea930ea51277d1a848	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004281fce5e1fefc478c7ba169937a5e5f00000000020000000000106600000001000020000000d05afe0f559bef2cf4f03f8dbcef23fd626ab154177d64b6dc50e4d156e8027b000000000e8000000002000020000000ea270bbdbcab868f5c0218127c98bae072e8d8ee7521a8d4fe8762ab76cce47090000000d78d7ba5d371dfa18012a7e16260d8dc977502edf02bbdd8789f979fa36333b6ba15b5a31b7b8bcdd79481f9c37c386139346867d00771ef3c2447bd3e29f0fbec42a93c917aff1241edd7f56863671ecbd461b206d8f4599d668b7cd35ebaf530196477e488bb5a9366d206ef3b4611964a984364221564d966860400c28b840930c12132d1b4a70c7e4e35290f9c144000000017eca447136968f156cada4a1af923e9a5c7d49e494550970266bdd83599f5fb5388177105a239a8becef5f5bbb044d54cf51445de3638b376151507feb9d4c4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

iexplore.exe

pid process

1644 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1644 iexplore.exe

pid	process
1644	iexplore.exe

pid	process
1644	iexplore.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

remcos.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
108	remcos.exe
1644	iexplore.exe
1644	iexplore.exe
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
316	IEXPLORE.EXE
316	IEXPLORE.EXE
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE
392	IEXPLORE.EXE
392	IEXPLORE.EXE
392	IEXPLORE.EXE
392	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exeec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exeWScript.execmd.exeremcos.exeremcos.exesvchost.exe

description	pid	process	target process
PID 880 wrote to memory of 1500	880	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	schtasks.exe
PID 880 wrote to memory of 1500	880	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	schtasks.exe
PID 880 wrote to memory of 1500	880	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	schtasks.exe
PID 880 wrote to memory of 1500	880	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	schtasks.exe
PID 880 wrote to memory of 1452	880	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
PID 880 wrote to memory of 1452	880	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
PID 880 wrote to memory of 1452	880	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
PID 880 wrote to memory of 1452	880	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
PID 880 wrote to memory of 1452	880	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
PID 880 wrote to memory of 1452	880	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
PID 880 wrote to memory of 1452	880	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
PID 880 wrote to memory of 1452	880	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
PID 880 wrote to memory of 1452	880	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
PID 880 wrote to memory of 1452	880	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
PID 880 wrote to memory of 1452	880	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
PID 1452 wrote to memory of 1996	1452	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	WScript.exe
PID 1452 wrote to memory of 1996	1452	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	WScript.exe
PID 1452 wrote to memory of 1996	1452	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	WScript.exe
PID 1452 wrote to memory of 1996	1452	ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe	WScript.exe
PID 1996 wrote to memory of 392	1996	WScript.exe	cmd.exe
PID 1996 wrote to memory of 392	1996	WScript.exe	cmd.exe
PID 1996 wrote to memory of 392	1996	WScript.exe	cmd.exe
PID 1996 wrote to memory of 392	1996	WScript.exe	cmd.exe
PID 392 wrote to memory of 1512	392	cmd.exe	remcos.exe
PID 392 wrote to memory of 1512	392	cmd.exe	remcos.exe
PID 392 wrote to memory of 1512	392	cmd.exe	remcos.exe
PID 392 wrote to memory of 1512	392	cmd.exe	remcos.exe
PID 1512 wrote to memory of 1796	1512	remcos.exe	schtasks.exe
PID 1512 wrote to memory of 1796	1512	remcos.exe	schtasks.exe
PID 1512 wrote to memory of 1796	1512	remcos.exe	schtasks.exe
PID 1512 wrote to memory of 1796	1512	remcos.exe	schtasks.exe
PID 1512 wrote to memory of 108	1512	remcos.exe	remcos.exe
PID 1512 wrote to memory of 108	1512	remcos.exe	remcos.exe
PID 1512 wrote to memory of 108	1512	remcos.exe	remcos.exe
PID 1512 wrote to memory of 108	1512	remcos.exe	remcos.exe
PID 1512 wrote to memory of 108	1512	remcos.exe	remcos.exe
PID 1512 wrote to memory of 108	1512	remcos.exe	remcos.exe
PID 1512 wrote to memory of 108	1512	remcos.exe	remcos.exe
PID 1512 wrote to memory of 108	1512	remcos.exe	remcos.exe
PID 1512 wrote to memory of 108	1512	remcos.exe	remcos.exe
PID 1512 wrote to memory of 108	1512	remcos.exe	remcos.exe
PID 1512 wrote to memory of 108	1512	remcos.exe	remcos.exe
PID 108 wrote to memory of 976	108	remcos.exe	svchost.exe
PID 108 wrote to memory of 976	108	remcos.exe	svchost.exe
PID 108 wrote to memory of 976	108	remcos.exe	svchost.exe
PID 108 wrote to memory of 976	108	remcos.exe	svchost.exe
PID 108 wrote to memory of 976	108	remcos.exe	svchost.exe
PID 108 wrote to memory of 976	108	remcos.exe	svchost.exe
PID 108 wrote to memory of 976	108	remcos.exe	svchost.exe
PID 108 wrote to memory of 976	108	remcos.exe	svchost.exe
PID 108 wrote to memory of 976	108	remcos.exe	svchost.exe
PID 976 wrote to memory of 1644	976	svchost.exe	iexplore.exe
PID 976 wrote to memory of 1644	976	svchost.exe	iexplore.exe
PID 976 wrote to memory of 1644	976	svchost.exe	iexplore.exe
PID 976 wrote to memory of 1644	976	svchost.exe	iexplore.exe
PID 108 wrote to memory of 1028	108	remcos.exe	svchost.exe
PID 108 wrote to memory of 1028	108	remcos.exe	svchost.exe
PID 108 wrote to memory of 1028	108	remcos.exe	svchost.exe
PID 108 wrote to memory of 1028	108	remcos.exe	svchost.exe
PID 108 wrote to memory of 1028	108	remcos.exe	svchost.exe
PID 108 wrote to memory of 1028	108	remcos.exe	svchost.exe
PID 108 wrote to memory of 1028	108	remcos.exe	svchost.exe
PID 108 wrote to memory of 1028	108	remcos.exe	svchost.exe
PID 108 wrote to memory of 1028	108	remcos.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
"C:\Users\Admin\AppData\Local\Temp\ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ooPeZfpRVlcO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp149B.tmp"
2⤵
- Creates scheduled task(s)
PID:1500

C:\Users\Admin\AppData\Local\Temp\ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
"C:\Users\Admin\AppData\Local\Temp\ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:392

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ooPeZfpRVlcO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp993.tmp"
6⤵
- Creates scheduled task(s)
PID:1796

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
"C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:108

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
8⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1644

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1644 CREDAT:275457 /prefetch:2
9⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1924

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1644 CREDAT:4207618 /prefetch:2
9⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:316

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1644 CREDAT:275470 /prefetch:2
9⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1644 CREDAT:472080 /prefetch:2
9⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:392

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:1028

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:1920

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:1800

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:1240

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
7⤵
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
0ebdc7dd7f1167c653836d0e5e553ad8

SHA1
214f48795999f1dc847b004732f9482db1e026c2

SHA256
843241cfc38314fec3d0e693ae6f03681c88faab9f866756ee282b9f937a35ab

SHA512
97cc52417d582666605b38e116803cbee14c85d2b7d07f4e7ce304852ea4f620b028959449aedef21e8140c47569bfea50100a68c44e135fe183e0b24f15d1fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
4e9065fd581f8bc3a371df65fb8e7291

SHA1
6f664803432930a50828f36879900a20a5ae03df

SHA256
344ab9f86c72c79d96e8d8f302aff7acb0ba385d17144c000536232738b82e56

SHA512
beeac925639928c35e25fe219f74b44e43609398c823ed3a2fa338163f749b1736cb828df2ad3a38f53ecff914134629acffdfe7f4e13a0c7a142b57cb3a53ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
de5253537852819456a76e8e831b9ab9

SHA1
668670ed700469ff602cb41a42c16f76e3186923

SHA256
4f32bc6ec338fb69e55c4f3f11e3b36236e8c336cf874c5745a70977b323342f

SHA512
97a981a265fa4216d3f99c77d489ddc8750b785291e4cab73890eb6f63bc4ddb873cc8089a586a751c66beb9eec087cd90a239b3ee3655826a26cbed859ea7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize
418B

MD5
ff449f6f7bc5e2d800eb30e2d2c56611

SHA1
93419ea805b9ce35a766e5c56db50d54c2d3f94b

SHA256
655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416

SHA512
02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp149B.tmp
Filesize
1KB

MD5
215bbd1b9c7cd86ff6f7a9916fde1073

SHA1
f234f1cbf241bbbfaacc01387fd532ee6727f001

SHA256
7cdb48bbd376b50f9f6007bb8ae72e2ea01c83c0001ba8ae64a7c797197b1cb8

SHA512
f66cbf94dc3c091dbc64c15d6ae6ab6422ba74142990e8b0d5197fab5e2bd9edf2cbe71c3b18f86e0f596fd96af6b7875d4109b53f1ef045736ab93f4370bb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp993.tmp
Filesize
1KB

MD5
215bbd1b9c7cd86ff6f7a9916fde1073

SHA1
f234f1cbf241bbbfaacc01387fd532ee6727f001

SHA256
7cdb48bbd376b50f9f6007bb8ae72e2ea01c83c0001ba8ae64a7c797197b1cb8

SHA512
f66cbf94dc3c091dbc64c15d6ae6ab6422ba74142990e8b0d5197fab5e2bd9edf2cbe71c3b18f86e0f596fd96af6b7875d4109b53f1ef045736ab93f4370bb79

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
Filesize
340KB

MD5
77e6c7f57c85396bcc9cb835a24107d1

SHA1
6a243d09ed09f339935577c746d0326c0dff2e38

SHA256
ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80

SHA512
0f8203d8d710244728939b8b5ebc9053e3e0c3c1a9ba3de136fbf2dd8860ca74e277d067e13ccd2eca25ead0deeb782fd2b8ff345b2161ba4ee9720337348abd

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
Filesize
340KB

MD5
77e6c7f57c85396bcc9cb835a24107d1

SHA1
6a243d09ed09f339935577c746d0326c0dff2e38

SHA256
ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80

SHA512
0f8203d8d710244728939b8b5ebc9053e3e0c3c1a9ba3de136fbf2dd8860ca74e277d067e13ccd2eca25ead0deeb782fd2b8ff345b2161ba4ee9720337348abd

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
Filesize
340KB

MD5
77e6c7f57c85396bcc9cb835a24107d1

SHA1
6a243d09ed09f339935577c746d0326c0dff2e38

SHA256
ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80

SHA512
0f8203d8d710244728939b8b5ebc9053e3e0c3c1a9ba3de136fbf2dd8860ca74e277d067e13ccd2eca25ead0deeb782fd2b8ff345b2161ba4ee9720337348abd

Download Submit
\Users\Admin\AppData\Roaming\remcos\remcos.exe
Filesize
340KB

MD5
77e6c7f57c85396bcc9cb835a24107d1

SHA1
6a243d09ed09f339935577c746d0326c0dff2e38

SHA256
ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80

SHA512
0f8203d8d710244728939b8b5ebc9053e3e0c3c1a9ba3de136fbf2dd8860ca74e277d067e13ccd2eca25ead0deeb782fd2b8ff345b2161ba4ee9720337348abd

Download Submit
memory/108-103-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/108-153-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/108-99-0x0000000000413A84-mapping.dmp

Download
memory/108-105-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/392-79-0x0000000000000000-mapping.dmp

Download
memory/880-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/880-71-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/880-56-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/880-55-0x0000000074440000-0x00000000749EB000-memory.dmp

Filesize
5.7MB

Download
memory/976-110-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/976-112-0x00000000004566BE-mapping.dmp

Download
memory/976-111-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/976-114-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/976-116-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/976-109-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/976-107-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/976-106-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1028-124-0x00000000004566BE-mapping.dmp

Download
memory/1028-126-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1028-128-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1240-161-0x00000000004566BE-mapping.dmp

Download
memory/1452-69-0x0000000000413A84-mapping.dmp

Download
memory/1452-66-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1452-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1452-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1452-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1452-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1452-76-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1452-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1452-74-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1452-73-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1452-68-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1500-57-0x0000000000000000-mapping.dmp

Download
memory/1512-104-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/1512-82-0x0000000000000000-mapping.dmp

Download
memory/1512-85-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/1512-86-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-176-0x00000000004566BE-mapping.dmp

Download
memory/1796-87-0x0000000000000000-mapping.dmp

Download
memory/1800-148-0x00000000004566BE-mapping.dmp

Download
memory/1920-136-0x00000000004566BE-mapping.dmp

Download
memory/1920-138-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1920-140-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1996-75-0x0000000000000000-mapping.dmp

Download