remcos | c834570ccd6b2682beabbfc8d40e992d52f386aa4542edb5f171250d6f1cb549

General

Target

e5de959183fcaaae232f085620f0d5f1.exe
Size

3.3MB
MD5

e5de959183fcaaae232f085620f0d5f1
SHA1

c15f44fea00604dee5b4d08c7ca4b8503e136645
SHA256

c834570ccd6b2682beabbfc8d40e992d52f386aa4542edb5f171250d6f1cb549
SHA512

1d0855acf81fd3c26c49938311f6b5e7f06d9f6660a576c23fff30a746fa64d80ae4b26095c81501258515f17165f64918f8d55ff97c7c6b73f098e85027e551
SSDEEP

49152:KAhI+dJiV7xK1zhUkVosXUj2jP2zQLWWtKnC:KAhf3g

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

rem.unionbindinqcompany.it:3361

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-F4O94O
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 1 IoCs

Processes:

e5de959183fcaaae232f085620f0d5f1.exe

pid process

1592 e5de959183fcaaae232f085620f0d5f1.exe
Loads dropped DLL 1 IoCs

Processes:

e5de959183fcaaae232f085620f0d5f1.exe

pid process

1652 e5de959183fcaaae232f085620f0d5f1.exe

Suspicious use of SetThreadContext 14 IoCs

Processes:

e5de959183fcaaae232f085620f0d5f1.exee5de959183fcaaae232f085620f0d5f1.exe

description	pid	process	target process
PID 1652 set thread context of 1592	1652	e5de959183fcaaae232f085620f0d5f1.exe	e5de959183fcaaae232f085620f0d5f1.exe
PID 1592 set thread context of 1692	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 set thread context of 1260	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 set thread context of 740	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 set thread context of 1076	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 set thread context of 944	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 set thread context of 2140	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 set thread context of 2192	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 set thread context of 2396	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 set thread context of 2460	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 set thread context of 2596	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 set thread context of 2628	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 set thread context of 2836	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 set thread context of 2892	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

892 schtasks.exe

pid	process
892	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000090d98cfdc50f114fa5c0eec8885303df00000000020000000000106600000001000020000000a16a6c4280aeb95a5071ec9e82af5eab2b0aae821c0b3f243de96fa37064aaa6000000000e80000000020000200000000df94aa01a148e5dfe838ae6e0469973e5083c398d1e4560364fbebb8468706490000000bb0ccadaabe3bc99fd1b35f05950a86fcc1d2f4bfbe0206a6e31ac043d1290e4b8a3950d6ee7478ed859069d89bc94982a61dafd626447fac8b8f2319b7996df52430d9effe838a91a267d14a6ddd6520656c733346150859866d3e83f06f194d0861073f2dac7d51aa90f281d200a1c48ea6f4e324f446c059dc3e6c9bd39450d76d277d0b6aabbab9cbb7ae55380ca40000000070f1a1910b85b98f6667f434d6792dce10904da015e74f40616197e6fe04b0af34fe9aaec7cc756843badeee530c357633e1c26e1d614e9670934afa59c024a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "381851205"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60eb82e9b034d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000090d98cfdc50f114fa5c0eec8885303df00000000020000000000106600000001000020000000b24f717d6cb48e6abe2ef103505f238f248cbca797aadda280c4347329f531fd000000000e8000000002000020000000bd9a5044f1dcedbe6d07d64b80ac5050ebee6c54eb3159bf0ad142e0080ff50820000000a177a23dd7fb00eb544c4a8381ee2d44a0d1c84c1963303a185b39ae09dafa53400000005ba835b6222a4bdf97915025cc684b9b939c7a828b6e9ab3c3a43f58bd4836decadfe6987616dc2bdc53abb88fdd07572bab09a6c11c61e8e2d24dbe944b5376	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1FEECD91-A0A4-11ED-9C90-C6457FCBF3CF} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

e5de959183fcaaae232f085620f0d5f1.exeiexplore.exe

pid	process
1652	e5de959183fcaaae232f085620f0d5f1.exe
1536	iexplore.exe
1536	iexplore.exe
1536	iexplore.exe
1536	iexplore.exe
1536	iexplore.exe
1536	iexplore.exe
1536	iexplore.exe
1536	iexplore.exe
1536	iexplore.exe
1536	iexplore.exe
1536	iexplore.exe
1536	iexplore.exe
1536	iexplore.exe
1536	iexplore.exe
1536	iexplore.exe
1536	iexplore.exe
1536	iexplore.exe
1536	iexplore.exe

Suspicious behavior: MapViewOfSection 13 IoCs

Processes:

e5de959183fcaaae232f085620f0d5f1.exe

pid	process
1592	e5de959183fcaaae232f085620f0d5f1.exe
1592	e5de959183fcaaae232f085620f0d5f1.exe
1592	e5de959183fcaaae232f085620f0d5f1.exe
1592	e5de959183fcaaae232f085620f0d5f1.exe
1592	e5de959183fcaaae232f085620f0d5f1.exe
1592	e5de959183fcaaae232f085620f0d5f1.exe
1592	e5de959183fcaaae232f085620f0d5f1.exe
1592	e5de959183fcaaae232f085620f0d5f1.exe
1592	e5de959183fcaaae232f085620f0d5f1.exe
1592	e5de959183fcaaae232f085620f0d5f1.exe
1592	e5de959183fcaaae232f085620f0d5f1.exe
1592	e5de959183fcaaae232f085620f0d5f1.exe
1592	e5de959183fcaaae232f085620f0d5f1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e5de959183fcaaae232f085620f0d5f1.exe

description pid process

Token: SeDebugPrivilege 1652 e5de959183fcaaae232f085620f0d5f1.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1536 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	1652	e5de959183fcaaae232f085620f0d5f1.exe

pid	process
1536	iexplore.exe

Suspicious use of SetWindowsHookEx 35 IoCs

Processes:

e5de959183fcaaae232f085620f0d5f1.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1592	e5de959183fcaaae232f085620f0d5f1.exe
1536	iexplore.exe
1536	iexplore.exe
1032	IEXPLORE.EXE
1032	IEXPLORE.EXE
804	IEXPLORE.EXE
804	IEXPLORE.EXE
804	IEXPLORE.EXE
804	IEXPLORE.EXE
1720	IEXPLORE.EXE
1720	IEXPLORE.EXE
1720	IEXPLORE.EXE
1720	IEXPLORE.EXE
1192	IEXPLORE.EXE
1192	IEXPLORE.EXE
1192	IEXPLORE.EXE
1192	IEXPLORE.EXE
1032	IEXPLORE.EXE
1032	IEXPLORE.EXE
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2636	IEXPLORE.EXE
2636	IEXPLORE.EXE
2636	IEXPLORE.EXE
2636	IEXPLORE.EXE
1192	IEXPLORE.EXE
1192	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e5de959183fcaaae232f085620f0d5f1.execmd.exee5de959183fcaaae232f085620f0d5f1.exesvchost.exeiexplore.exe

description	pid	process	target process
PID 1652 wrote to memory of 2004	1652	e5de959183fcaaae232f085620f0d5f1.exe	cmd.exe
PID 1652 wrote to memory of 2004	1652	e5de959183fcaaae232f085620f0d5f1.exe	cmd.exe
PID 1652 wrote to memory of 2004	1652	e5de959183fcaaae232f085620f0d5f1.exe	cmd.exe
PID 1652 wrote to memory of 2004	1652	e5de959183fcaaae232f085620f0d5f1.exe	cmd.exe
PID 2004 wrote to memory of 892	2004	cmd.exe	schtasks.exe
PID 2004 wrote to memory of 892	2004	cmd.exe	schtasks.exe
PID 2004 wrote to memory of 892	2004	cmd.exe	schtasks.exe
PID 2004 wrote to memory of 892	2004	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 1592	1652	e5de959183fcaaae232f085620f0d5f1.exe	e5de959183fcaaae232f085620f0d5f1.exe
PID 1652 wrote to memory of 1592	1652	e5de959183fcaaae232f085620f0d5f1.exe	e5de959183fcaaae232f085620f0d5f1.exe
PID 1652 wrote to memory of 1592	1652	e5de959183fcaaae232f085620f0d5f1.exe	e5de959183fcaaae232f085620f0d5f1.exe
PID 1652 wrote to memory of 1592	1652	e5de959183fcaaae232f085620f0d5f1.exe	e5de959183fcaaae232f085620f0d5f1.exe
PID 1652 wrote to memory of 1592	1652	e5de959183fcaaae232f085620f0d5f1.exe	e5de959183fcaaae232f085620f0d5f1.exe
PID 1652 wrote to memory of 1592	1652	e5de959183fcaaae232f085620f0d5f1.exe	e5de959183fcaaae232f085620f0d5f1.exe
PID 1652 wrote to memory of 1592	1652	e5de959183fcaaae232f085620f0d5f1.exe	e5de959183fcaaae232f085620f0d5f1.exe
PID 1652 wrote to memory of 1592	1652	e5de959183fcaaae232f085620f0d5f1.exe	e5de959183fcaaae232f085620f0d5f1.exe
PID 1652 wrote to memory of 1592	1652	e5de959183fcaaae232f085620f0d5f1.exe	e5de959183fcaaae232f085620f0d5f1.exe
PID 1652 wrote to memory of 1592	1652	e5de959183fcaaae232f085620f0d5f1.exe	e5de959183fcaaae232f085620f0d5f1.exe
PID 1652 wrote to memory of 1592	1652	e5de959183fcaaae232f085620f0d5f1.exe	e5de959183fcaaae232f085620f0d5f1.exe
PID 1652 wrote to memory of 1592	1652	e5de959183fcaaae232f085620f0d5f1.exe	e5de959183fcaaae232f085620f0d5f1.exe
PID 1652 wrote to memory of 1592	1652	e5de959183fcaaae232f085620f0d5f1.exe	e5de959183fcaaae232f085620f0d5f1.exe
PID 1592 wrote to memory of 1692	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 wrote to memory of 1692	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 wrote to memory of 1692	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 wrote to memory of 1692	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 wrote to memory of 1692	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1692 wrote to memory of 1536	1692	svchost.exe	iexplore.exe
PID 1692 wrote to memory of 1536	1692	svchost.exe	iexplore.exe
PID 1692 wrote to memory of 1536	1692	svchost.exe	iexplore.exe
PID 1692 wrote to memory of 1536	1692	svchost.exe	iexplore.exe
PID 1592 wrote to memory of 1260	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 wrote to memory of 1260	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 wrote to memory of 1260	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 wrote to memory of 1260	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 wrote to memory of 1260	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1536 wrote to memory of 1032	1536	iexplore.exe	IEXPLORE.EXE
PID 1536 wrote to memory of 1032	1536	iexplore.exe	IEXPLORE.EXE
PID 1536 wrote to memory of 1032	1536	iexplore.exe	IEXPLORE.EXE
PID 1536 wrote to memory of 1032	1536	iexplore.exe	IEXPLORE.EXE
PID 1536 wrote to memory of 804	1536	iexplore.exe	IEXPLORE.EXE
PID 1536 wrote to memory of 804	1536	iexplore.exe	IEXPLORE.EXE
PID 1536 wrote to memory of 804	1536	iexplore.exe	IEXPLORE.EXE
PID 1536 wrote to memory of 804	1536	iexplore.exe	IEXPLORE.EXE
PID 1592 wrote to memory of 740	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 wrote to memory of 740	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 wrote to memory of 740	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 wrote to memory of 740	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 wrote to memory of 740	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1536 wrote to memory of 1720	1536	iexplore.exe	IEXPLORE.EXE
PID 1536 wrote to memory of 1720	1536	iexplore.exe	IEXPLORE.EXE
PID 1536 wrote to memory of 1720	1536	iexplore.exe	IEXPLORE.EXE
PID 1536 wrote to memory of 1720	1536	iexplore.exe	IEXPLORE.EXE
PID 1592 wrote to memory of 1076	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 wrote to memory of 1076	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 wrote to memory of 1076	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 wrote to memory of 1076	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 wrote to memory of 1076	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1536 wrote to memory of 1192	1536	iexplore.exe	IEXPLORE.EXE
PID 1536 wrote to memory of 1192	1536	iexplore.exe	IEXPLORE.EXE
PID 1536 wrote to memory of 1192	1536	iexplore.exe	IEXPLORE.EXE
PID 1536 wrote to memory of 1192	1536	iexplore.exe	IEXPLORE.EXE
PID 1592 wrote to memory of 944	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 wrote to memory of 944	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe
PID 1592 wrote to memory of 944	1592	e5de959183fcaaae232f085620f0d5f1.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\e5de959183fcaaae232f085620f0d5f1.exe
"C:\Users\Admin\AppData\Local\Temp\e5de959183fcaaae232f085620f0d5f1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \iATCd /tr "C:\Users\Admin\AppData\Local\Temp\e5de959183fcaaae232f085620f0d5f1.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \iATCd /tr "C:\Users\Admin\AppData\Local\Temp\e5de959183fcaaae232f085620f0d5f1.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /f
3⤵
- Creates scheduled task(s)
PID:892

C:\Users\Admin\AppData\Local\Temp\e5de959183fcaaae232f085620f0d5f1.exe
"C:\Users\Admin\AppData\Local\Temp\e5de959183fcaaae232f085620f0d5f1.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1536

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1536 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1032

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1536 CREDAT:865285 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:804

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1536 CREDAT:537619 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1720

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1536 CREDAT:865316 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1192

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1536 CREDAT:865343 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2184

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1536 CREDAT:1455131 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2452

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1536 CREDAT:799810 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2636

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1536 CREDAT:1258557 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2884

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1260

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:740

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1076

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:944

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2140

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2192

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2396

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2460

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2596

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2628

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2836

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e5de959183fcaaae232f085620f0d5f1.exe
Filesize
3.3MB

MD5
e5de959183fcaaae232f085620f0d5f1

SHA1
c15f44fea00604dee5b4d08c7ca4b8503e136645

SHA256
c834570ccd6b2682beabbfc8d40e992d52f386aa4542edb5f171250d6f1cb549

SHA512
1d0855acf81fd3c26c49938311f6b5e7f06d9f6660a576c23fff30a746fa64d80ae4b26095c81501258515f17165f64918f8d55ff97c7c6b73f098e85027e551

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TLJEHC2B.txt
Filesize
601B

MD5
ce151a8381cd0ce2e6509d2e3008d0ce

SHA1
05557a00963bd95fbe4fcd7ee80a2a3f8aa4e06f

SHA256
bf534e0b0ac7b2cd6237441daf696f381a62f616ee4c5ff06d9f0aedf185394b

SHA512
c94e140a74ee597f95379ea5e7154c1f9f83960d7b560451169d7d7c8ea8514fb2114943a09e74e0e9b663f4ebd317567b50dcccf2523c159f8b806910a0034b

Download Submit
\Users\Admin\AppData\Local\Temp\e5de959183fcaaae232f085620f0d5f1.exe
Filesize
3.3MB

MD5
e5de959183fcaaae232f085620f0d5f1

SHA1
c15f44fea00604dee5b4d08c7ca4b8503e136645

SHA256
c834570ccd6b2682beabbfc8d40e992d52f386aa4542edb5f171250d6f1cb549

SHA512
1d0855acf81fd3c26c49938311f6b5e7f06d9f6660a576c23fff30a746fa64d80ae4b26095c81501258515f17165f64918f8d55ff97c7c6b73f098e85027e551

Download Submit
memory/740-83-0x00000000004C1812-mapping.dmp

Download
memory/892-56-0x0000000000000000-mapping.dmp

Download
memory/944-88-0x0000000000771812-mapping.dmp

Download
memory/1076-86-0x00000000005D1812-mapping.dmp

Download
memory/1260-81-0x0000000000541812-mapping.dmp

Download
memory/1592-63-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1592-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1592-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1592-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1592-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1592-70-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1592-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1592-60-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1592-73-0x0000000000432C26-mapping.dmp

Download
memory/1592-76-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1592-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1592-84-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1592-79-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1592-61-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1652-54-0x0000000000E40000-0x0000000001196000-memory.dmp

Filesize
3.3MB

Download
memory/1652-58-0x0000000000940000-0x0000000000948000-memory.dmp

Filesize
32KB

Download
memory/1652-57-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/1692-78-0x0000000000561812-mapping.dmp

Download
memory/2004-55-0x0000000000000000-mapping.dmp

Download
memory/2140-90-0x0000000000551812-mapping.dmp

Download
memory/2192-92-0x0000000000641812-mapping.dmp

Download
memory/2396-94-0x0000000000491812-mapping.dmp

Download
memory/2460-97-0x0000000000591812-mapping.dmp

Download
memory/2596-99-0x0000000000651812-mapping.dmp

Download
memory/2628-101-0x00000000005C1812-mapping.dmp

Download
memory/2836-103-0x0000000000771812-mapping.dmp

Download
memory/2892-105-0x00000000004F1812-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads