remcos | 21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b

General

Target

21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe
Size

774KB
MD5

2479c3d14c7d3127b996787da9222db4
SHA1

46a343df094095b8edfcf85f7f5604c9b5619feb
SHA256

21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b
SHA512

f118b9e83452722f8c0ae14b6c6622b3eaf4605a0fd927f26c744ed8c30c52aae210c246f3ab3ca3574e49767e65c55485d300916faeaed5aef88d0f17bc0642
SSDEEP

24576:WloNG3Dp09hOX3Mq3jaXhMsFjCshXMQJvTEzNksiD1:WV3DW9hWcqT8Xh8EbG

Score

10^/10

remcos sunshine persistence rat

Malware Config

Extracted

Family

remcos

Botnet

sunshine

C2

sunshine08.ddns.net:5687

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-BQS99W
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\E84B069075A54125AA11CD0ED16723FD = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe\""	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe

Suspicious use of SetThreadContext 15 IoCs

Processes:

21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exeCasPol.exe

description	pid	process	target process
PID 816 set thread context of 1736	816	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 1736 set thread context of 1656	1736	CasPol.exe	svchost.exe
PID 1736 set thread context of 1068	1736	CasPol.exe	svchost.exe
PID 1736 set thread context of 868	1736	CasPol.exe	svchost.exe
PID 1736 set thread context of 1484	1736	CasPol.exe	svchost.exe
PID 1736 set thread context of 272	1736	CasPol.exe	svchost.exe
PID 1736 set thread context of 1988	1736	CasPol.exe	svchost.exe
PID 1736 set thread context of 2228	1736	CasPol.exe	svchost.exe
PID 1736 set thread context of 2408	1736	CasPol.exe	svchost.exe
PID 1736 set thread context of 2604	1736	CasPol.exe	svchost.exe
PID 1736 set thread context of 2652	1736	CasPol.exe	svchost.exe
PID 1736 set thread context of 2928	1736	CasPol.exe	svchost.exe
PID 1736 set thread context of 2972	1736	CasPol.exe	svchost.exe
PID 1736 set thread context of 3060	1736	CasPol.exe	svchost.exe
PID 1736 set thread context of 2360	1736	CasPol.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 703f3c377109d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000295c410bf06c5248b623205f8d7eed8600000000020000000000106600000001000020000000db4afaf6b748b7a7e2e8066d3b388f35ca0ed1b50f326bb36c05e8517d105d3e000000000e8000000002000020000000c944ad0454147659b589eafed9b4da6725e76b98601232d087d6356a3580fd832000000021ec2c51b47b4c2f42d74ad9689595e31edb78f275492d4b031ab2f219d2d05e400000000e3eca92f315cddb178d1cc1fbba07bbb70b9eeef135685f2aa57f9f3c090ceddb6bff02c054c406d9f6135ee3e83c84ebc42cee6c9faa7c6ccbbce26ef92bc2	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000295c410bf06c5248b623205f8d7eed86000000000200000000001066000000010000200000006f6dc4368230e55a3ce1fcb81fad78c7cd8507612ad1b8fd43adf3245e1c9d0b000000000e80000000020000200000007a8599368722145e166eaa02520e6bd21b7456e9a88a42a5b0c87c2c2786f31b90000000246a0d96de1ea9cf99e9db5f4ecc002d6b01c1e392b3ec91b77fed0482e357491564e17e2195e5e7f6d3422050abe5591aa2543359fa810d720d724f448a05fcdd713d60ac312a4066bfe0d05552cd5d14206a91949467748d44527771d94321a622e55f533786ba397008b915894394fcbf1c7a7c4281db42e86defdeea25eee66e82272d811ddf0782e278304bce4440000000e9aea8a2532af7fe532c938bd9dd68cdb21a1a6db445d3132fb210cf01d7e7195bf8c3098cdd83ac2e319593dda173bb14a349b2ac75982ea8fdcb5c03bb26de	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5BDC21B1-7564-11ED-85E0-FE41811C61F5} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5DF3B711-7564-11ED-85E0-FE41811C61F5} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

iexplore.exe

pid process

276 iexplore.exe
276 iexplore.exe
276 iexplore.exe
276 iexplore.exe
276 iexplore.exe
276 iexplore.exe

pid	process
276	iexplore.exe
276	iexplore.exe
276	iexplore.exe
276	iexplore.exe
276	iexplore.exe
276	iexplore.exe

Suspicious behavior: MapViewOfSection 14 IoCs

Processes:

CasPol.exe

pid	process
1736	CasPol.exe
1736	CasPol.exe
1736	CasPol.exe
1736	CasPol.exe
1736	CasPol.exe
1736	CasPol.exe
1736	CasPol.exe
1736	CasPol.exe
1736	CasPol.exe
1736	CasPol.exe
1736	CasPol.exe
1736	CasPol.exe
1736	CasPol.exe
1736	CasPol.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe

description pid process

Token: SeDebugPrivilege 816 21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

pid process

276 iexplore.exe
636 iexplore.exe
1820 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	816	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe

pid	process
276	iexplore.exe
636	iexplore.exe
1820	iexplore.exe

Suspicious use of SetWindowsHookEx 35 IoCs

Processes:

CasPol.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1736	CasPol.exe
276	iexplore.exe
276	iexplore.exe
636	iexplore.exe
636	iexplore.exe
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
1820	iexplore.exe
1820	iexplore.exe
1688	IEXPLORE.EXE
1688	IEXPLORE.EXE
1688	IEXPLORE.EXE
1688	IEXPLORE.EXE
1644	IEXPLORE.EXE
1644	IEXPLORE.EXE
1996	IEXPLORE.EXE
1996	IEXPLORE.EXE
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE
2416	IEXPLORE.EXE
2416	IEXPLORE.EXE
2416	IEXPLORE.EXE
2416	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
1524	IEXPLORE.EXE
1524	IEXPLORE.EXE
1524	IEXPLORE.EXE
1524	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exeCasPol.exesvchost.exesvchost.exesvchost.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 816 wrote to memory of 1736	816	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 816 wrote to memory of 1736	816	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 816 wrote to memory of 1736	816	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 816 wrote to memory of 1736	816	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 816 wrote to memory of 1736	816	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 816 wrote to memory of 1736	816	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 816 wrote to memory of 1736	816	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 816 wrote to memory of 1736	816	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 816 wrote to memory of 1736	816	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 816 wrote to memory of 1736	816	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 816 wrote to memory of 1736	816	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 816 wrote to memory of 1736	816	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 816 wrote to memory of 1736	816	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 1736 wrote to memory of 1656	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 1656	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 1656	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 1656	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 1656	1736	CasPol.exe	svchost.exe
PID 1656 wrote to memory of 636	1656	svchost.exe	iexplore.exe
PID 1656 wrote to memory of 636	1656	svchost.exe	iexplore.exe
PID 1656 wrote to memory of 636	1656	svchost.exe	iexplore.exe
PID 1656 wrote to memory of 636	1656	svchost.exe	iexplore.exe
PID 1736 wrote to memory of 1068	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 1068	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 1068	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 1068	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 1068	1736	CasPol.exe	svchost.exe
PID 1068 wrote to memory of 276	1068	svchost.exe	iexplore.exe
PID 1068 wrote to memory of 276	1068	svchost.exe	iexplore.exe
PID 1068 wrote to memory of 276	1068	svchost.exe	iexplore.exe
PID 1068 wrote to memory of 276	1068	svchost.exe	iexplore.exe
PID 1736 wrote to memory of 868	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 868	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 868	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 868	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 868	1736	CasPol.exe	svchost.exe
PID 868 wrote to memory of 1820	868	svchost.exe	iexplore.exe
PID 868 wrote to memory of 1820	868	svchost.exe	iexplore.exe
PID 868 wrote to memory of 1820	868	svchost.exe	iexplore.exe
PID 868 wrote to memory of 1820	868	svchost.exe	iexplore.exe
PID 1736 wrote to memory of 1484	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 1484	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 1484	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 1484	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 1484	1736	CasPol.exe	svchost.exe
PID 276 wrote to memory of 1644	276	iexplore.exe	IEXPLORE.EXE
PID 276 wrote to memory of 1644	276	iexplore.exe	IEXPLORE.EXE
PID 276 wrote to memory of 1644	276	iexplore.exe	IEXPLORE.EXE
PID 276 wrote to memory of 1644	276	iexplore.exe	IEXPLORE.EXE
PID 636 wrote to memory of 1532	636	iexplore.exe	IEXPLORE.EXE
PID 636 wrote to memory of 1532	636	iexplore.exe	IEXPLORE.EXE
PID 636 wrote to memory of 1532	636	iexplore.exe	IEXPLORE.EXE
PID 636 wrote to memory of 1532	636	iexplore.exe	IEXPLORE.EXE
PID 1820 wrote to memory of 1688	1820	iexplore.exe	IEXPLORE.EXE
PID 1820 wrote to memory of 1688	1820	iexplore.exe	IEXPLORE.EXE
PID 1820 wrote to memory of 1688	1820	iexplore.exe	IEXPLORE.EXE
PID 1820 wrote to memory of 1688	1820	iexplore.exe	IEXPLORE.EXE
PID 1736 wrote to memory of 272	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 272	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 272	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 272	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 272	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 1988	1736	CasPol.exe	svchost.exe
PID 1736 wrote to memory of 1988	1736	CasPol.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe
"C:\Users\Admin\AppData\Local\Temp\21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:636

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:636 CREDAT:340993 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:276

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:276 CREDAT:275457 /prefetch:2
5⤵
- Suspicious use of SetWindowsHookEx
PID:1644

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:276 CREDAT:603147 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2220

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:276 CREDAT:406554 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2416

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:276 CREDAT:668713 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2660

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:276 CREDAT:472099 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1820

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:4207618 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1484

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:272

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1988

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2228

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2408

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2604

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2652

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2928

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2972

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:3060

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5BDC21B1-7564-11ED-85E0-FE41811C61F5}.dat
Filesize
3KB

MD5
9f3cc3cf6afa506c1c6b05ca855d48e2

SHA1
0d11f9bfe79b06eb872a4cc06b3c01da7b31226f

SHA256
2db925d96048aeecb44a459dc6feefcd2198f9a3adcc2ceeb33b03a8c0844971

SHA512
7542438ccdc17637df7b460baf86b30479cb7951e6cb08719862214d95a58b07734db521e34a945e75d672eaaba418a73f6aea992cb2ba82ce5823a6aa9ef936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5BDC21B1-7564-11ED-85E0-FE41811C61F5}.dat
Filesize
5KB

MD5
c453edcec4d618b02340007a8ebae911

SHA1
2ac241259da66753270b2e7e80f03a8fc19768e2

SHA256
3cdfbd5211389b9f090d0135bb9dad43e216706fc46cf038553dfca00cc1d594

SHA512
566ce4aa5eade82fa4881aaa1133bc9d1fc3ee4477a06105432dcd0ed8dc013f57fea821d94e6d3c236238888db6584e241ecd91302db1b0ea100b171fa90d92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5DF3B711-7564-11ED-85E0-FE41811C61F5}.dat
Filesize
5KB

MD5
cfd0b0c16551ae93afb47243dc938512

SHA1
92db775726a6c9a849529e3421d543369c228aa1

SHA256
f18a13833145ae2f4d6261b97346a1ef862cb8560e927630f36fc244a0ceac70

SHA512
9df0b5304271c95bebca7338c5f5e3ce88942e46e890999d0cb741e0392dbd919500a4350d7c1caabc0ffe3f157146514159e438da569c62de9a70c8583bdcd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OG7KIV03.txt
Filesize
608B

MD5
d0a5b3b6b430752986cedbc99be272c4

SHA1
7363cfda714370b697d9eecd093bd7154ac11332

SHA256
410a724fbdba735e3b95927395d1918628cd3262ad747905e8664e608d7f8dc5

SHA512
795ff6c4b26f39809f25bdf3fbc044a070181581d2f4c98c5ca6262baea8a00a91ed7605de3274dd01c405b7e0136c2d36e4f360f6a0b391406d3242c54bb3ec

Download Submit
memory/272-76-0x000000000009768E-mapping.dmp

Download
memory/816-57-0x000000001B110000-0x000000001B1C8000-memory.dmp

Filesize
736KB

Download
memory/816-56-0x000000001A6D0000-0x000000001A78A000-memory.dmp

Filesize
744KB

Download
memory/816-54-0x0000000000B90000-0x0000000000C54000-memory.dmp

Filesize
784KB

Download
memory/816-55-0x0000000000AD0000-0x0000000000B8C000-memory.dmp

Filesize
752KB

Download
memory/868-69-0x000000000011768E-mapping.dmp

Download
memory/1068-67-0x000000000009768E-mapping.dmp

Download
memory/1484-71-0x000000000009768E-mapping.dmp

Download
memory/1656-63-0x000000000009768E-mapping.dmp

Download
memory/1736-62-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1736-58-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1736-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1736-61-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1736-59-0x000000000043292E-mapping.dmp

Download
memory/1736-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1988-78-0x000000000009768E-mapping.dmp

Download
memory/2228-80-0x00000000000D768E-mapping.dmp

Download
memory/2360-95-0x000000000009768E-mapping.dmp

Download
memory/2408-82-0x000000000009768E-mapping.dmp

Download
memory/2604-84-0x000000000009768E-mapping.dmp

Download
memory/2652-86-0x000000000009768E-mapping.dmp

Download
memory/2928-89-0x000000000009768E-mapping.dmp

Download
memory/2972-91-0x000000000012768E-mapping.dmp

Download
memory/3060-93-0x00000000000E768E-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads