remcos | e24f9280b453e5262a8f191193f4bf2c249273d30b32dd19e924e56f7e02f057

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/03/2023, 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa106001a7cf2deb09192898ba82b50f.rtf
Size

25KB
MD5

fa106001a7cf2deb09192898ba82b50f
SHA1

d472611b9c4185f4dad80143c6c46cb3a3047779
SHA256

e24f9280b453e5262a8f191193f4bf2c249273d30b32dd19e924e56f7e02f057
SHA512

16ea979dc9850ae3ef7e4540070da3db3da4c046832b3b6efbd14c1a335082788e3995e6693e1e1c965cc8d0b7c9ec60b13f2720dfd6b9f03ac415506966dfde
SSDEEP

768:LEohQfFWWeZqbo8PC6uucJIOFMzGcAYl+CxjfbsredELLyxWlN:IoheWnIKIicYC16rLaWf

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

vcv.mastercoa.co:8489

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-4IE8MY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	872	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1104	vbc.exe
1680	ryiixl.exe
1572	ryiixl.exe

Loads dropped DLL 4 IoCs

pid	Process
872	EQNEDT32.EXE
1104	vbc.exe
1104	vbc.exe
1680	ryiixl.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1680 set thread context of 1572	1680	ryiixl.exe	34

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
872	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1704	WINWORD.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1680	ryiixl.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1704	WINWORD.EXE
1704	WINWORD.EXE
1572	ryiixl.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 1104	872	EQNEDT32.EXE	31
PID 872 wrote to memory of 1104	872	EQNEDT32.EXE	31
PID 872 wrote to memory of 1104	872	EQNEDT32.EXE	31
PID 872 wrote to memory of 1104	872	EQNEDT32.EXE	31
PID 1104 wrote to memory of 1680	1104	vbc.exe	32
PID 1104 wrote to memory of 1680	1104	vbc.exe	32
PID 1104 wrote to memory of 1680	1104	vbc.exe	32
PID 1104 wrote to memory of 1680	1104	vbc.exe	32
PID 1680 wrote to memory of 1572	1680	ryiixl.exe	34
PID 1680 wrote to memory of 1572	1680	ryiixl.exe	34
PID 1680 wrote to memory of 1572	1680	ryiixl.exe	34
PID 1680 wrote to memory of 1572	1680	ryiixl.exe	34
PID 1680 wrote to memory of 1572	1680	ryiixl.exe	34
PID 1704 wrote to memory of 852	1704	WINWORD.EXE	37
PID 1704 wrote to memory of 852	1704	WINWORD.EXE	37
PID 1704 wrote to memory of 852	1704	WINWORD.EXE	37
PID 1704 wrote to memory of 852	1704	WINWORD.EXE	37

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fa106001a7cf2deb09192898ba82b50f.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:852

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:872
- C:\Users\Public\vbc.exe
  "C:\Users\Public\vbc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Users\Admin\AppData\Local\Temp\ryiixl.exe
    "C:\Users\Admin\AppData\Local\Temp\ryiixl.exe" C:\Users\Admin\AppData\Local\Temp\jdgwj.al
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\ryiixl.exe
      "C:\Users\Admin\AppData\Local\Temp\ryiixl.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
262B

MD5
136b2b89a3221f84f3be970881c71950

SHA1
154592913be8e207b291efc7806b1bb88c8cb45c

SHA256
d2a9ec4c2f76e962098440668842eac055a707691fcf5f95e848b2c35f1f27af

SHA512
f02d42cd0969ebc16c61934ceb3894a3856cfc60921c6db5ccf1ea5041f986426e0a72234d6a8fecf57cc19370120d52315cd0aea1a20fbde22f54422d5527f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdgwj.al

Filesize
5KB

MD5
2713735a6a22806ebe05a3616d813b9d

SHA1
aa850ef9a7277de15a3a7dacff134a7f6a9f43d5

SHA256
3230b1927e92ec8b3e76d353a97807718e766cb81fb4dddccc2997e54404883e

SHA512
ba6fd4723a9182a09ecfb24a86b7452df4177987635e9b530c91745bef427b968b8a07becb87c968e8c86e45bb7b18e072a52a10c845bf367d46ceb2629009a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryiixl.exe

Filesize
60KB

MD5
ec58ad1a92a419f0f5808457b07ad62e

SHA1
90e775790640a5f36397365e23aa574e2eb21b00

SHA256
2ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1

SHA512
7b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryiixl.exe

Filesize
60KB

MD5
ec58ad1a92a419f0f5808457b07ad62e

SHA1
90e775790640a5f36397365e23aa574e2eb21b00

SHA256
2ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1

SHA512
7b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryiixl.exe

Filesize
60KB

MD5
ec58ad1a92a419f0f5808457b07ad62e

SHA1
90e775790640a5f36397365e23aa574e2eb21b00

SHA256
2ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1

SHA512
7b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryiixl.exe

Filesize
60KB

MD5
ec58ad1a92a419f0f5808457b07ad62e

SHA1
90e775790640a5f36397365e23aa574e2eb21b00

SHA256
2ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1

SHA512
7b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtnuuqmrl.t

Filesize
495KB

MD5
3492b562086daedc2ebab288e514690d

SHA1
630ef4d0016aa312607b8d43c39f0dc7c4db6b6d

SHA256
70ef2a031c2947fff70f9ac97b662fdb9414b661047b66372a41c53cc354ad9a

SHA512
c615ceaac3f366b8c4cf5781a2927a850926d1a77f9a29d05df399bc5b3c2a5775d89f19f315a27fd82945ad377ce6593fa7a672e241d1baffd6ebbd6de85db6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
c7936eaf34f95bd60178c397a8fe5ee3

SHA1
053495205e305f3dcc811b63dfe69b1c55f0809f

SHA256
f3a5790955adff8a2b129fac04183f14dbed9c5ffff52c602ee2d557584f09a5

SHA512
9d2c3d93fe23d344d6ba830c97bfcdb5ea5785377ac08c4f49bd520d58ea876a22d0dc30f3eac914beec1f9b6a63e0f690621f0c5b9ca94644a7a289e7c39ebd

Download Submit
C:\Users\Public\vbc.exe

Filesize
516KB

MD5
9eea2c45522c0a0507344fc3b216f35e

SHA1
48e66669c4cb4ac7e3d172f00fb577bcf573f693

SHA256
c0a61528c592ee0f031423ea8cfa16f60bdb5aab2a4351bc5e920168c6079c0e

SHA512
d8e991bb499135b1f474202dcdaf2db37ba94c5504fa0b1e414f11f97eed684a3a39f03a58a971a3591c974db71fba2350941955e44ee1bae22a209faf5a836e

Download Submit
C:\Users\Public\vbc.exe

Filesize
516KB

MD5
9eea2c45522c0a0507344fc3b216f35e

SHA1
48e66669c4cb4ac7e3d172f00fb577bcf573f693

SHA256
c0a61528c592ee0f031423ea8cfa16f60bdb5aab2a4351bc5e920168c6079c0e

SHA512
d8e991bb499135b1f474202dcdaf2db37ba94c5504fa0b1e414f11f97eed684a3a39f03a58a971a3591c974db71fba2350941955e44ee1bae22a209faf5a836e

Download Submit
C:\Users\Public\vbc.exe

Filesize
516KB

MD5
9eea2c45522c0a0507344fc3b216f35e

SHA1
48e66669c4cb4ac7e3d172f00fb577bcf573f693

SHA256
c0a61528c592ee0f031423ea8cfa16f60bdb5aab2a4351bc5e920168c6079c0e

SHA512
d8e991bb499135b1f474202dcdaf2db37ba94c5504fa0b1e414f11f97eed684a3a39f03a58a971a3591c974db71fba2350941955e44ee1bae22a209faf5a836e

Download Submit
\Users\Admin\AppData\Local\Temp\ryiixl.exe

Filesize
60KB

MD5
ec58ad1a92a419f0f5808457b07ad62e

SHA1
90e775790640a5f36397365e23aa574e2eb21b00

SHA256
2ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1

SHA512
7b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5

Download Submit
\Users\Admin\AppData\Local\Temp\ryiixl.exe

Filesize
60KB

MD5
ec58ad1a92a419f0f5808457b07ad62e

SHA1
90e775790640a5f36397365e23aa574e2eb21b00

SHA256
2ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1

SHA512
7b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5

Download Submit
\Users\Admin\AppData\Local\Temp\ryiixl.exe

Filesize
60KB

MD5
ec58ad1a92a419f0f5808457b07ad62e

SHA1
90e775790640a5f36397365e23aa574e2eb21b00

SHA256
2ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1

SHA512
7b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5

Download Submit
\Users\Public\vbc.exe

Filesize
516KB

MD5
9eea2c45522c0a0507344fc3b216f35e

SHA1
48e66669c4cb4ac7e3d172f00fb577bcf573f693

SHA256
c0a61528c592ee0f031423ea8cfa16f60bdb5aab2a4351bc5e920168c6079c0e

SHA512
d8e991bb499135b1f474202dcdaf2db37ba94c5504fa0b1e414f11f97eed684a3a39f03a58a971a3591c974db71fba2350941955e44ee1bae22a209faf5a836e

Download Submit
memory/1572-91-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-107-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-90-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-153-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-92-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-97-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-98-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-99-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-101-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-100-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-103-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-88-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-109-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-83-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-111-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-112-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-119-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-120-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-86-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-152-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-145-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1572-146-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1704-143-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1704-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download