remcos | 21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b

General

Target

21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe
Size

774KB
MD5

2479c3d14c7d3127b996787da9222db4
SHA1

46a343df094095b8edfcf85f7f5604c9b5619feb
SHA256

21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b
SHA512

f118b9e83452722f8c0ae14b6c6622b3eaf4605a0fd927f26c744ed8c30c52aae210c246f3ab3ca3574e49767e65c55485d300916faeaed5aef88d0f17bc0642
SSDEEP

24576:WloNG3Dp09hOX3Mq3jaXhMsFjCshXMQJvTEzNksiD1:WV3DW9hWcqT8Xh8EbG

Score

10^/10

remcos sunshine persistence rat

Malware Config

Extracted

Family

remcos

Botnet

sunshine

C2

sunshine08.ddns.net:5687

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-BQS99W
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\E84B069075A54125AA11CD0ED16723FD = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe\""	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exeCasPol.exe

description	pid	process	target process
PID 1128 set thread context of 848	1128	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 848 set thread context of 668	848	CasPol.exe	svchost.exe
PID 848 set thread context of 784	848	CasPol.exe	svchost.exe
PID 848 set thread context of 916	848	CasPol.exe	svchost.exe
PID 848 set thread context of 1732	848	CasPol.exe	svchost.exe
PID 848 set thread context of 652	848	CasPol.exe	svchost.exe
PID 848 set thread context of 552	848	CasPol.exe	svchost.exe
PID 848 set thread context of 1388	848	CasPol.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8B45E353-7564-11ED-B4FE-5A5CFA1077B6}.dat = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000bb1bc063dc4d87fa13db20bf0d6ddecd6815723384f9963078bf96f690a2cb30000000000e80000000020000200000004f41cc3c7f4b711ce665bd904fa4231808634e6bf7b59c0da0066dcae142e2e190000000d054b776540646e2baaeb8d7baa19d06c47341dabc8e9cc2c1eddb81598fdd54749f26e4cc5d20226e0624c40b21d4486c292f588174d4f63d70cc8267b78bb0583768cf3530d4126f6fd89378984670e6c7265398ae3c4841305b2929d3c98596b53838d20c02b766c201ae37139d0ec35f902b6779be88793a99c64dc9710a942c06a9330524632f78234cc5dcb41a40000000c269c0b05f99892a25f16a4f89fb0c2d7b94dab0797f94babbcd09818c09c204bc8e3050229be16029585b98b41a3481d2011d7b557a520894ff98b5e9d1fd69	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50ecad747109d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000ad23e21f8c5535f69a94b4dee2f1ec1701a1941f14c2b89100adf75e8b209ceb000000000e8000000002000020000000be78a82fa513677b715140cc7ff4a28d6c6a520f744c3c702e11b33d4f74817420000000eb41e33982c60bbe9b4efb65cb25b13db5faed7c943b3a79fd3f3ec6138aa2e8400000003325baf5d1e1d592f2787b4d6b04150682278e271208956a30d10d43b688bc5cccfe30318c7970ec00447ac01e7c37830c0b5bef72149e28968a30188544c277	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{988127F1-7564-11ED-B4FE-5A5CFA1077B6} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9D43E7F1-7564-11ED-B4FE-5A5CFA1077B6} = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe

pid process

1128 21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

CasPol.exe

pid process

848 CasPol.exe
848 CasPol.exe
848 CasPol.exe
848 CasPol.exe
848 CasPol.exe
848 CasPol.exe
848 CasPol.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe

description pid process

Token: SeDebugPrivilege 1128 21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

pid process

1412 iexplore.exe
884 iexplore.exe
1640 iexplore.exe

pid	process
1128	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe

description	pid	process
Token: SeDebugPrivilege	1128	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe

pid	process
1412	iexplore.exe
884	iexplore.exe
1640	iexplore.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

CasPol.exeiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
848	CasPol.exe
1412	iexplore.exe
1412	iexplore.exe
528	IEXPLORE.EXE
528	IEXPLORE.EXE
884	iexplore.exe
884	iexplore.exe
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE
1640	iexplore.exe
1640	iexplore.exe
1960	IEXPLORE.EXE
1960	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exeCasPol.exesvchost.exeiexplore.exesvchost.exeiexplore.exe

description	pid	process	target process
PID 1128 wrote to memory of 556	1128	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 1128 wrote to memory of 556	1128	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 1128 wrote to memory of 556	1128	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 1128 wrote to memory of 556	1128	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 1128 wrote to memory of 848	1128	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 1128 wrote to memory of 848	1128	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 1128 wrote to memory of 848	1128	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 1128 wrote to memory of 848	1128	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 1128 wrote to memory of 848	1128	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 1128 wrote to memory of 848	1128	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 1128 wrote to memory of 848	1128	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 1128 wrote to memory of 848	1128	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 1128 wrote to memory of 848	1128	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 1128 wrote to memory of 848	1128	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 1128 wrote to memory of 848	1128	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 1128 wrote to memory of 848	1128	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 1128 wrote to memory of 848	1128	21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe	CasPol.exe
PID 848 wrote to memory of 668	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 668	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 668	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 668	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 668	848	CasPol.exe	svchost.exe
PID 668 wrote to memory of 1412	668	svchost.exe	iexplore.exe
PID 668 wrote to memory of 1412	668	svchost.exe	iexplore.exe
PID 668 wrote to memory of 1412	668	svchost.exe	iexplore.exe
PID 668 wrote to memory of 1412	668	svchost.exe	iexplore.exe
PID 848 wrote to memory of 784	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 784	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 784	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 784	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 784	848	CasPol.exe	svchost.exe
PID 1412 wrote to memory of 528	1412	iexplore.exe	IEXPLORE.EXE
PID 1412 wrote to memory of 528	1412	iexplore.exe	IEXPLORE.EXE
PID 1412 wrote to memory of 528	1412	iexplore.exe	IEXPLORE.EXE
PID 1412 wrote to memory of 528	1412	iexplore.exe	IEXPLORE.EXE
PID 848 wrote to memory of 916	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 916	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 916	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 916	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 916	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 1732	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 1732	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 1732	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 1732	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 1732	848	CasPol.exe	svchost.exe
PID 1732 wrote to memory of 884	1732	svchost.exe	iexplore.exe
PID 1732 wrote to memory of 884	1732	svchost.exe	iexplore.exe
PID 1732 wrote to memory of 884	1732	svchost.exe	iexplore.exe
PID 1732 wrote to memory of 884	1732	svchost.exe	iexplore.exe
PID 884 wrote to memory of 1600	884	iexplore.exe	IEXPLORE.EXE
PID 884 wrote to memory of 1600	884	iexplore.exe	IEXPLORE.EXE
PID 884 wrote to memory of 1600	884	iexplore.exe	IEXPLORE.EXE
PID 884 wrote to memory of 1600	884	iexplore.exe	IEXPLORE.EXE
PID 848 wrote to memory of 652	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 652	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 652	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 652	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 652	848	CasPol.exe	svchost.exe
PID 884 wrote to memory of 1624	884	iexplore.exe	IEXPLORE.EXE
PID 884 wrote to memory of 1624	884	iexplore.exe	IEXPLORE.EXE
PID 884 wrote to memory of 1624	884	iexplore.exe	IEXPLORE.EXE
PID 884 wrote to memory of 1624	884	iexplore.exe	IEXPLORE.EXE
PID 848 wrote to memory of 552	848	CasPol.exe	svchost.exe
PID 848 wrote to memory of 552	848	CasPol.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe
"C:\Users\Admin\AppData\Local\Temp\21f6a18eab7f51f18819cbf97f353e32e2a2f11de7c0b8c8523eb7c90ea36b8b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
PID:556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1412

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1412 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:528

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:784

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:916

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:884

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:884 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:884 CREDAT:209926 /prefetch:2
5⤵
- Suspicious use of SetWindowsHookEx
PID:1624

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:652

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1640

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:275457 /prefetch:2
5⤵
- Suspicious use of SetWindowsHookEx
PID:1960

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{988127F1-7564-11ED-B4FE-5A5CFA1077B6}.dat
Filesize
5KB

MD5
909bbea22cda6ba2e0453a1722dbaed3

SHA1
45f8c83a671656035c1b6d38ad281d8e039f9349

SHA256
c19035ccb23b0557cf1382e529db08b1971705b22a62013f796a0d294e432016

SHA512
9d8bd093db5bd1022df616f50bc0d6addbc7e2a97b6918c0592d27cf2fdf330baff2d51bb503868e8b08644c3b8ce530699711b244b910523a43119e3a4350e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8B45E353-7564-11ED-B4FE-5A5CFA1077B6}.dat
Filesize
4KB

MD5
6a56ed5d0929c4d388d5de0170e29499

SHA1
5006fe127465f34f483c4aa6cb8d4261880a701e

SHA256
86467a09cb4edcf404aa2980b707a5dd19751fd5cdd6058fc8b58a79f3887ae6

SHA512
d8a29752b9fd3e9508c7e012b2d4897a467740215790ce1d602bdf44ff32275085f2d963080d3cc939af9321c7562e4f0e65c9fbea4ff666157f825fb9cfa2fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{7EC0EB60-61D8-11ED-A25D-5E34C4AB0FA3}.dat
Filesize
3KB

MD5
8cc6c1f31201ecf31f6561642fdf5b5a

SHA1
a867c36ed0d185e6f9e099fb8a911a79f90b69ef

SHA256
ce9744b1358ef91aec8b0081d485fd71a992bde819eec60f04e2974f079e2bfe

SHA512
6103df74efe7c70624d7b63e667f1d7d1ec677a1b523521f736f94f9d41cdfadf4bb1cadb488f2b2cb1c8d58d657bd34fc3c6c6575e6b1df5d729461a372e1e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{7EC0EB60-61D8-11ED-A25D-5E34C4AB0FA3}.dat
Filesize
5KB

MD5
0315b4e4c3f41f55299ef31a2bf8f975

SHA1
3ffdf503820f1026de06309e86ff1e5224f369d0

SHA256
ba43fe7faf5ee0c7f868fa966fa604d4058f0e1c9ecb66f696674699b22e628b

SHA512
2928c3bf09d2767bc09287dd419b934862ca24b650952294dc3c04ae2d9605dc6cab76aba839195d40dba0ef0b700c5dc963c49354b8d6aff9f4f1b92543219c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{988127F5-7564-11ED-B4FE-5A5CFA1077B6}.dat
Filesize
5KB

MD5
a4dcdf78fc36ffd447d2b4bd041d9b4a

SHA1
ceb7079accd27fc9a6762e9e05410fa119cfa6e9

SHA256
c51c1d6d1112124d87ca4b4dc976532d9fc9493634b210b850be90f2f14a8e35

SHA512
bf0ef2d52c1e931f4239bf89f66e04e396cd2384f7affae5e22da716c68f2b977110f71a800bb77c04fa93d8edeec3b79b71aaa02694f4cfd1835e797a4d1df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{988127F6-7564-11ED-B4FE-5A5CFA1077B6}.dat
Filesize
5KB

MD5
c1dfc7cc5961a938a12dd44d75f9501c

SHA1
a5fd16784dc66833ae5c7fecedfaa482339157fd

SHA256
3b9d2a46a1af9a09dbe4ff7d1741e68f8aaffcf4927163c33f7a2d5608fd84b6

SHA512
abf759922791a30096974e13f22fe30884e1ee2721e15d057dfb61eb33d70a72d88c25b6f2c610225e6e619a73b987225734a15fc64bd09bfe8c9609ae753d04

Download Submit
memory/552-73-0x00000000000E768E-mapping.dmp

Download
memory/652-71-0x000000000009768E-mapping.dmp

Download
memory/668-63-0x000000000009768E-mapping.dmp

Download
memory/784-66-0x00000000000E768E-mapping.dmp

Download
memory/848-58-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/848-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/848-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/848-62-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/848-61-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/848-59-0x000000000043292E-mapping.dmp

Download
memory/916-68-0x000000000009768E-mapping.dmp

Download
memory/1128-54-0x0000000001240000-0x0000000001304000-memory.dmp

Filesize
784KB

Download
memory/1128-57-0x000000001ACF0000-0x000000001ADA8000-memory.dmp

Filesize
736KB

Download
memory/1128-56-0x0000000001140000-0x00000000011FA000-memory.dmp

Filesize
744KB

Download
memory/1128-55-0x0000000001080000-0x000000000113C000-memory.dmp

Filesize
752KB

Download
memory/1388-77-0x000000000009768E-mapping.dmp

Download
memory/1732-69-0x00000000000D768E-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads