remcos | c9ec59e23695adca831f06aca398c511cac81f2fd65c7353f14b4725791ab80a

General

Target

Lecture 10.exe
Size

1.2MB
MD5

df59dea5d8a77ae66f24cc7d25924cec
SHA1

f5a25cdae133bf6851e85c934d90508033d7b579
SHA256

c9ec59e23695adca831f06aca398c511cac81f2fd65c7353f14b4725791ab80a
SHA512

c5a35e079dd7113eaa8ea55fba702572ef3d4f7fa32f7542055583783bc967888c981bb3690fad9ae1cf833ed2baefcd3e964ff7f44c2b9555f9421012347b3b
SSDEEP

24576:al06MFYr0PLhaX7nXdrj1IJNf+QQCwQZI5RHsHgZfW4l0:alL8YnzU+QtC5RHsA

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

ennenbach.duckdns.org:5800

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-QWQZF3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of SetThreadContext 13 IoCs

Processes:

Lecture 10.exeLecture 10.exe

description	pid	process	target process
PID 1720 set thread context of 1488	1720	Lecture 10.exe	Lecture 10.exe
PID 1488 set thread context of 1736	1488	Lecture 10.exe	svchost.exe
PID 1488 set thread context of 2008	1488	Lecture 10.exe	svchost.exe
PID 1488 set thread context of 320	1488	Lecture 10.exe	svchost.exe
PID 1488 set thread context of 396	1488	Lecture 10.exe	svchost.exe
PID 1488 set thread context of 1772	1488	Lecture 10.exe	svchost.exe
PID 1488 set thread context of 1608	1488	Lecture 10.exe	svchost.exe
PID 1488 set thread context of 2056	1488	Lecture 10.exe	svchost.exe
PID 1488 set thread context of 2288	1488	Lecture 10.exe	svchost.exe
PID 1488 set thread context of 2444	1488	Lecture 10.exe	svchost.exe
PID 1488 set thread context of 2784	1488	Lecture 10.exe	svchost.exe
PID 1488 set thread context of 2904	1488	Lecture 10.exe	svchost.exe
PID 1488 set thread context of 2300	1488	Lecture 10.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

284 schtasks.exe

pid	process
284	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a00d0fde935fd901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "386566619"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0DFFC9A1-CB87-11ED-AB51-5E76FDCFC840} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fba6cfbdd4578d48a4e75475bed73c6a000000000200000000001066000000010000200000006b9054441a03634bb0649b73ccc0340c901fa6de3662d38bd61ca5d24f8bded9000000000e80000000020000200000001ee901a1c7adc174918ae3205d290dfde234fe8dd821c2327e3209fbe0423da120000000260b8e70d56c32919c7d075c8146a1f487673660f1e50f823a7c0feee989c9ad400000000af54d01777c6190ad8bfc45c23d4a9b972e988a0a5d0fc1b571832c9a0f707157cbc12d25acbefb7ced44fe749bf15219a9618a68deb015e25965afd7a85e00	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fba6cfbdd4578d48a4e75475bed73c6a000000000200000000001066000000010000200000008d7ffb86680865eea4bb400be5480b3a80164a6c22cf97e01032686c4bbf450e000000000e8000000002000020000000e765496142a8030df12cebb5bb1ba8a83d3f081bb8c3c00117f66d5967c7625b9000000082949cfbeb57117730858456ef8f0003c49c1846809a2fd5144103d38d2acb25c7e0b71a4e8e0040e209598301b33a0821f35ea59f3d6e4badc677ea2c610cb831cdf10c5857561774aea858919c6504618cbd1208bf281c64e05ebdd05099cf3213f1e7837c940b4abc914968fd012c2553b9f353a579c8bf5f5234ea1343201ef2dda4800a7b4947ec5b12893b63c340000000820828282f4343144331bfcdb62b56f2f1b6ec8a1187369bb65282b377427e2fee6132e5ebf3a37ab630f1ad3e7525d00416262cb2e571ce884fb76db40230d9	iexplore.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

Lecture 10.exepowershell.exeiexplore.exe

pid	process
1720	Lecture 10.exe
1720	Lecture 10.exe
1000	powershell.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe
836	iexplore.exe

Suspicious behavior: MapViewOfSection 12 IoCs

Processes:

Lecture 10.exe

pid	process
1488	Lecture 10.exe
1488	Lecture 10.exe
1488	Lecture 10.exe
1488	Lecture 10.exe
1488	Lecture 10.exe
1488	Lecture 10.exe
1488	Lecture 10.exe
1488	Lecture 10.exe
1488	Lecture 10.exe
1488	Lecture 10.exe
1488	Lecture 10.exe
1488	Lecture 10.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Lecture 10.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1720 Lecture 10.exe
Token: SeDebugPrivilege 1000 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

836 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	1720	Lecture 10.exe
Token: SeDebugPrivilege	1000	powershell.exe

pid	process
836	iexplore.exe

Suspicious use of SetWindowsHookEx 41 IoCs

Processes:

Lecture 10.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1488	Lecture 10.exe
836	iexplore.exe
836	iexplore.exe
1880	IEXPLORE.EXE
1880	IEXPLORE.EXE
328	IEXPLORE.EXE
328	IEXPLORE.EXE
1352	IEXPLORE.EXE
1352	IEXPLORE.EXE
1352	IEXPLORE.EXE
1352	IEXPLORE.EXE
1956	IEXPLORE.EXE
1956	IEXPLORE.EXE
1956	IEXPLORE.EXE
1956	IEXPLORE.EXE
1880	IEXPLORE.EXE
1880	IEXPLORE.EXE
1880	IEXPLORE.EXE
1880	IEXPLORE.EXE
1460	IEXPLORE.EXE
1460	IEXPLORE.EXE
1460	IEXPLORE.EXE
1460	IEXPLORE.EXE
328	IEXPLORE.EXE
328	IEXPLORE.EXE
328	IEXPLORE.EXE
328	IEXPLORE.EXE
2436	IEXPLORE.EXE
2436	IEXPLORE.EXE
2436	IEXPLORE.EXE
2436	IEXPLORE.EXE
1352	IEXPLORE.EXE
1352	IEXPLORE.EXE
1352	IEXPLORE.EXE
1352	IEXPLORE.EXE
2896	IEXPLORE.EXE
2896	IEXPLORE.EXE
2896	IEXPLORE.EXE
2896	IEXPLORE.EXE
1956	IEXPLORE.EXE
1956	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Lecture 10.exeLecture 10.exesvchost.exeiexplore.exe

description	pid	process	target process
PID 1720 wrote to memory of 1000	1720	Lecture 10.exe	powershell.exe
PID 1720 wrote to memory of 1000	1720	Lecture 10.exe	powershell.exe
PID 1720 wrote to memory of 1000	1720	Lecture 10.exe	powershell.exe
PID 1720 wrote to memory of 1000	1720	Lecture 10.exe	powershell.exe
PID 1720 wrote to memory of 284	1720	Lecture 10.exe	schtasks.exe
PID 1720 wrote to memory of 284	1720	Lecture 10.exe	schtasks.exe
PID 1720 wrote to memory of 284	1720	Lecture 10.exe	schtasks.exe
PID 1720 wrote to memory of 284	1720	Lecture 10.exe	schtasks.exe
PID 1720 wrote to memory of 1956	1720	Lecture 10.exe	Lecture 10.exe
PID 1720 wrote to memory of 1956	1720	Lecture 10.exe	Lecture 10.exe
PID 1720 wrote to memory of 1956	1720	Lecture 10.exe	Lecture 10.exe
PID 1720 wrote to memory of 1956	1720	Lecture 10.exe	Lecture 10.exe
PID 1720 wrote to memory of 1340	1720	Lecture 10.exe	Lecture 10.exe
PID 1720 wrote to memory of 1340	1720	Lecture 10.exe	Lecture 10.exe
PID 1720 wrote to memory of 1340	1720	Lecture 10.exe	Lecture 10.exe
PID 1720 wrote to memory of 1340	1720	Lecture 10.exe	Lecture 10.exe
PID 1720 wrote to memory of 1488	1720	Lecture 10.exe	Lecture 10.exe
PID 1720 wrote to memory of 1488	1720	Lecture 10.exe	Lecture 10.exe
PID 1720 wrote to memory of 1488	1720	Lecture 10.exe	Lecture 10.exe
PID 1720 wrote to memory of 1488	1720	Lecture 10.exe	Lecture 10.exe
PID 1720 wrote to memory of 1488	1720	Lecture 10.exe	Lecture 10.exe
PID 1720 wrote to memory of 1488	1720	Lecture 10.exe	Lecture 10.exe
PID 1720 wrote to memory of 1488	1720	Lecture 10.exe	Lecture 10.exe
PID 1720 wrote to memory of 1488	1720	Lecture 10.exe	Lecture 10.exe
PID 1720 wrote to memory of 1488	1720	Lecture 10.exe	Lecture 10.exe
PID 1720 wrote to memory of 1488	1720	Lecture 10.exe	Lecture 10.exe
PID 1720 wrote to memory of 1488	1720	Lecture 10.exe	Lecture 10.exe
PID 1720 wrote to memory of 1488	1720	Lecture 10.exe	Lecture 10.exe
PID 1720 wrote to memory of 1488	1720	Lecture 10.exe	Lecture 10.exe
PID 1488 wrote to memory of 1736	1488	Lecture 10.exe	svchost.exe
PID 1488 wrote to memory of 1736	1488	Lecture 10.exe	svchost.exe
PID 1488 wrote to memory of 1736	1488	Lecture 10.exe	svchost.exe
PID 1488 wrote to memory of 1736	1488	Lecture 10.exe	svchost.exe
PID 1488 wrote to memory of 1736	1488	Lecture 10.exe	svchost.exe
PID 1736 wrote to memory of 836	1736	svchost.exe	iexplore.exe
PID 1736 wrote to memory of 836	1736	svchost.exe	iexplore.exe
PID 1736 wrote to memory of 836	1736	svchost.exe	iexplore.exe
PID 1736 wrote to memory of 836	1736	svchost.exe	iexplore.exe
PID 836 wrote to memory of 1880	836	iexplore.exe	IEXPLORE.EXE
PID 836 wrote to memory of 1880	836	iexplore.exe	IEXPLORE.EXE
PID 836 wrote to memory of 1880	836	iexplore.exe	IEXPLORE.EXE
PID 836 wrote to memory of 1880	836	iexplore.exe	IEXPLORE.EXE
PID 1488 wrote to memory of 2008	1488	Lecture 10.exe	svchost.exe
PID 1488 wrote to memory of 2008	1488	Lecture 10.exe	svchost.exe
PID 1488 wrote to memory of 2008	1488	Lecture 10.exe	svchost.exe
PID 1488 wrote to memory of 2008	1488	Lecture 10.exe	svchost.exe
PID 1488 wrote to memory of 2008	1488	Lecture 10.exe	svchost.exe
PID 1488 wrote to memory of 320	1488	Lecture 10.exe	svchost.exe
PID 1488 wrote to memory of 320	1488	Lecture 10.exe	svchost.exe
PID 1488 wrote to memory of 320	1488	Lecture 10.exe	svchost.exe
PID 1488 wrote to memory of 320	1488	Lecture 10.exe	svchost.exe
PID 1488 wrote to memory of 320	1488	Lecture 10.exe	svchost.exe
PID 836 wrote to memory of 328	836	iexplore.exe	IEXPLORE.EXE
PID 836 wrote to memory of 328	836	iexplore.exe	IEXPLORE.EXE
PID 836 wrote to memory of 328	836	iexplore.exe	IEXPLORE.EXE
PID 836 wrote to memory of 328	836	iexplore.exe	IEXPLORE.EXE
PID 836 wrote to memory of 1352	836	iexplore.exe	IEXPLORE.EXE
PID 836 wrote to memory of 1352	836	iexplore.exe	IEXPLORE.EXE
PID 836 wrote to memory of 1352	836	iexplore.exe	IEXPLORE.EXE
PID 836 wrote to memory of 1352	836	iexplore.exe	IEXPLORE.EXE
PID 1488 wrote to memory of 396	1488	Lecture 10.exe	svchost.exe
PID 1488 wrote to memory of 396	1488	Lecture 10.exe	svchost.exe
PID 1488 wrote to memory of 396	1488	Lecture 10.exe	svchost.exe
PID 1488 wrote to memory of 396	1488	Lecture 10.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\Lecture 10.exe
"C:\Users\Admin\AppData\Local\Temp\Lecture 10.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZgiXnjSvRpTK.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgiXnjSvRpTK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCA23.tmp"
2⤵
- Creates scheduled task(s)
PID:284

C:\Users\Admin\AppData\Local\Temp\Lecture 10.exe
"C:\Users\Admin\AppData\Local\Temp\Lecture 10.exe"
2⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\Lecture 10.exe
"C:\Users\Admin\AppData\Local\Temp\Lecture 10.exe"
2⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\Lecture 10.exe
"C:\Users\Admin\AppData\Local\Temp\Lecture 10.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:836

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:836 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1880

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:836 CREDAT:4207618 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:328

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:836 CREDAT:275470 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1352

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:836 CREDAT:275491 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:836 CREDAT:537637 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1460

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:836 CREDAT:1192993 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2436

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:836 CREDAT:1324074 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2896

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2008

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:320

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:396

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1772

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1608

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2056

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2288

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2444

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2784

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2904

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
218B

MD5
edfee5460a4200d9d316bd287e28f652

SHA1
63736abc6c22a5a6a97f9bcf24017fbef501c600

SHA256
a429c29d6f9df7bc75516c9b056e68096e1f72ef22b3c5117b4aca792980cd59

SHA512
afdfefb04e4310368e02411b1da20a16a9de0e6aec9369c19415fdb4383fd8c15be2fda60c4cfb0e76e5b914217f70004e19ed1b23c6f47b7513bd37162c73d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACT9UUKV\httpErrorPagesScripts[2]
Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACT9UUKV\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AFOBZ3YS\dnserror[1]
Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KIMPJA9E\errorPageStrings[1]
Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NMXH1C0L\NewErrorPageTemplate[1]
Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCA23.tmp
Filesize
1KB

MD5
95579be30373af6f46ab1f0a5562281f

SHA1
43866e3ea677941830ac1669de6a1f0b9f69ba20

SHA256
99015a912069e555caa9641984f6d3fe36637c7028479a38360664e9cad3e488

SHA512
1253493d6242bea87fdbf110fecabcd4cc8b1438d8822ccd3161ae375a832c90e42272de538c6cff4692ce14be59c2ac30fdabf1866acc261e709029b446f992

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZW70BXKN.txt
Filesize
600B

MD5
4a8201578b2b8ae9fe60969363b9bfb7

SHA1
e96d09dca44282afe122e8b8a0066ba56d008192

SHA256
acbc1cf357c76fc3ec7cf7e3d01ea3469d8ec20c6a363064ae6ddbebc52e7d49

SHA512
6602c633a4310ce6caf2286058ed99658204a06f283ec1a56676bfc4508df81306270bf43d6cb52bd427dc4189bc9036a7898fefc20228be8f740df9526f85e0

Download Submit
memory/320-108-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/320-113-0x0000000000080000-0x00000000001B8000-memory.dmp

Filesize
1.2MB

Download
memory/320-111-0x0000000000080000-0x00000000001B8000-memory.dmp

Filesize
1.2MB

Download
memory/320-109-0x0000000000080000-0x00000000001B8000-memory.dmp

Filesize
1.2MB

Download
memory/396-123-0x00000000001C0000-0x00000000002F8000-memory.dmp

Filesize
1.2MB

Download
memory/396-121-0x00000000001C0000-0x00000000002F8000-memory.dmp

Filesize
1.2MB

Download
memory/396-118-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1000-94-0x0000000002310000-0x0000000002350000-memory.dmp

Filesize
256KB

Download
memory/1000-97-0x0000000002310000-0x0000000002350000-memory.dmp

Filesize
256KB

Download
memory/1000-96-0x0000000002310000-0x0000000002350000-memory.dmp

Filesize
256KB

Download
memory/1488-129-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-70-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-82-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-83-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-85-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-66-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-148-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-90-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-135-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-93-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-75-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1488-134-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-133-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-132-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-130-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-104-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-105-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-107-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-73-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-72-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-71-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-80-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-114-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-115-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-117-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-69-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-68-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-67-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1488-128-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1720-55-0x0000000000C80000-0x0000000000CC0000-memory.dmp

Filesize
256KB

Download
memory/1720-56-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/1720-57-0x0000000000C80000-0x0000000000CC0000-memory.dmp

Filesize
256KB

Download
memory/1720-58-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/1720-59-0x0000000008100000-0x00000000081F4000-memory.dmp

Filesize
976KB

Download
memory/1720-65-0x00000000083A0000-0x0000000008420000-memory.dmp

Filesize
512KB

Download
memory/1720-54-0x0000000001000000-0x0000000001138000-memory.dmp

Filesize
1.2MB

Download
memory/1736-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1736-92-0x00000000002F0000-0x0000000000428000-memory.dmp

Filesize
1.2MB

Download
memory/1736-87-0x00000000002F0000-0x0000000000428000-memory.dmp

Filesize
1.2MB

Download
memory/1736-89-0x00000000002F0000-0x0000000000428000-memory.dmp

Filesize
1.2MB

Download
memory/1772-142-0x00000000001F0000-0x0000000000328000-memory.dmp

Filesize
1.2MB

Download
memory/1772-140-0x00000000001F0000-0x0000000000328000-memory.dmp

Filesize
1.2MB

Download
memory/1772-138-0x00000000001F0000-0x0000000000328000-memory.dmp

Filesize
1.2MB

Download
memory/1772-137-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2008-98-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2008-99-0x00000000001C0000-0x00000000002F8000-memory.dmp

Filesize
1.2MB

Download
memory/2008-103-0x00000000001C0000-0x00000000002F8000-memory.dmp

Filesize
1.2MB

Download
memory/2008-101-0x00000000001C0000-0x00000000002F8000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads