remcos | 75b45c924b0796b2dd96b96e9602c6039b18e5be28c1d6f5dd9ebcfd0668fd64

General

Target

hesaphareketi-01.PDF.exe
Size

493KB
MD5

365ad7177f0c8705b517a28b2f6ccc4b
SHA1

f63a902f11d290a2c911cd8cee578d3473988f86
SHA256

75b45c924b0796b2dd96b96e9602c6039b18e5be28c1d6f5dd9ebcfd0668fd64
SHA512

adb77fdb2943be44d1048d61b1b8d07bf47c30c67d87c9984673d1ae41c645231691f5c420b58ff2ca26094ae37e472d6642385c3539959d406182618d7c9c4a
SSDEEP

12288:BYUlcPxUKnIHsYN7w7hs0mM1z48ry7EOQ:BYUgx6MYx1wdu7jQ

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

ennenbach.duckdns.org:5800

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-LDLQM0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

tkozpd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation tkozpd.exe
Executes dropped EXE 2 IoCs

Processes:

tkozpd.exetkozpd.exe

pid process

3840 tkozpd.exe
3492 tkozpd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	tkozpd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tkozpd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uqavfktdyienw = "C:\\Users\\Admin\\AppData\\Roaming\\qmvfbkgpyue\\jsnwgcl.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\tkozpd.exe\" C:\\Users\\Admin\\AppData\\Local"	tkozpd.exe

Suspicious use of SetThreadContext 16 IoCs

Processes:

tkozpd.exetkozpd.exe

description	pid	process	target process
PID 3840 set thread context of 3492	3840	tkozpd.exe	tkozpd.exe
PID 3492 set thread context of 1836	3492	tkozpd.exe	svchost.exe
PID 3492 set thread context of 4824	3492	tkozpd.exe	svchost.exe
PID 3492 set thread context of 4476	3492	tkozpd.exe	svchost.exe
PID 3492 set thread context of 4792	3492	tkozpd.exe	svchost.exe
PID 3492 set thread context of 4900	3492	tkozpd.exe	svchost.exe
PID 3492 set thread context of 1696	3492	tkozpd.exe	svchost.exe
PID 3492 set thread context of 3172	3492	tkozpd.exe	svchost.exe
PID 3492 set thread context of 4668	3492	tkozpd.exe	svchost.exe
PID 3492 set thread context of 2616	3492	tkozpd.exe	svchost.exe
PID 3492 set thread context of 736	3492	tkozpd.exe	svchost.exe
PID 3492 set thread context of 1444	3492	tkozpd.exe	svchost.exe
PID 3492 set thread context of 4800	3492	tkozpd.exe	svchost.exe
PID 3492 set thread context of 4600	3492	tkozpd.exe	svchost.exe
PID 3492 set thread context of 716	3492	tkozpd.exe	svchost.exe
PID 3492 set thread context of 2488	3492	tkozpd.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 30 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1564	1836	WerFault.exe	svchost.exe
4468	1836	WerFault.exe	svchost.exe
628	4824	WerFault.exe	svchost.exe
1048	4824	WerFault.exe	svchost.exe
4028	4476	WerFault.exe	svchost.exe
3856	4476	WerFault.exe	svchost.exe
2536	4792	WerFault.exe	svchost.exe
1412	4792	WerFault.exe	svchost.exe
4848	4900	WerFault.exe	svchost.exe
2652	4900	WerFault.exe	svchost.exe
2052	1696	WerFault.exe	svchost.exe
3976	1696	WerFault.exe	svchost.exe
1824	3172	WerFault.exe	svchost.exe
3372	3172	WerFault.exe	svchost.exe
3600	4668	WerFault.exe	svchost.exe
1816	4668	WerFault.exe	svchost.exe
1536	2616	WerFault.exe	svchost.exe
5016	2616	WerFault.exe	svchost.exe
4400	736	WerFault.exe	svchost.exe
2280	736	WerFault.exe	svchost.exe
2188	1444	WerFault.exe	svchost.exe
3216	1444	WerFault.exe	svchost.exe
4004	4800	WerFault.exe	svchost.exe
3836	4800	WerFault.exe	svchost.exe
4220	4600	WerFault.exe	svchost.exe
4544	4600	WerFault.exe	svchost.exe
1956	716	WerFault.exe	svchost.exe
3336	716	WerFault.exe	svchost.exe
2220	2488	WerFault.exe	svchost.exe
4036	2488	WerFault.exe	svchost.exe

Modifies registry class 1 IoCs

Processes:

tkozpd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings tkozpd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	tkozpd.exe

Suspicious behavior: MapViewOfSection 21 IoCs

Processes:

tkozpd.exetkozpd.exe

pid	process
3840	tkozpd.exe
3492	tkozpd.exe
3492	tkozpd.exe
3492	tkozpd.exe
3492	tkozpd.exe
3492	tkozpd.exe
3492	tkozpd.exe
3492	tkozpd.exe
3492	tkozpd.exe
3492	tkozpd.exe
3492	tkozpd.exe
3492	tkozpd.exe
3492	tkozpd.exe
3492	tkozpd.exe
3492	tkozpd.exe
3492	tkozpd.exe
3492	tkozpd.exe
3492	tkozpd.exe
3492	tkozpd.exe
3492	tkozpd.exe
3492	tkozpd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

tkozpd.exe

pid process

3492 tkozpd.exe

pid	process
3492	tkozpd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

hesaphareketi-01.PDF.exetkozpd.exetkozpd.exe

description	pid	process	target process
PID 1020 wrote to memory of 3840	1020	hesaphareketi-01.PDF.exe	tkozpd.exe
PID 1020 wrote to memory of 3840	1020	hesaphareketi-01.PDF.exe	tkozpd.exe
PID 1020 wrote to memory of 3840	1020	hesaphareketi-01.PDF.exe	tkozpd.exe
PID 3840 wrote to memory of 3492	3840	tkozpd.exe	tkozpd.exe
PID 3840 wrote to memory of 3492	3840	tkozpd.exe	tkozpd.exe
PID 3840 wrote to memory of 3492	3840	tkozpd.exe	tkozpd.exe
PID 3840 wrote to memory of 3492	3840	tkozpd.exe	tkozpd.exe
PID 3492 wrote to memory of 1836	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 1836	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 1836	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 1836	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4824	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4824	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4824	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4824	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 3188	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 3188	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 3188	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4476	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4476	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4476	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4476	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4792	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4792	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4792	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4792	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4064	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4064	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4064	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4900	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4900	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4900	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4900	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 1696	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 1696	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 1696	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 1696	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 3172	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 3172	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 3172	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 3172	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4668	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4668	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4668	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4668	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 2616	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 2616	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 2616	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 2616	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 736	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 736	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 736	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 736	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 2160	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 2160	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 2160	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 1444	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 1444	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 1444	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 1444	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 3772	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 3772	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 3772	3492	tkozpd.exe	svchost.exe
PID 3492 wrote to memory of 4800	3492	tkozpd.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.PDF.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Users\Admin\AppData\Local\Temp\tkozpd.exe
"C:\Users\Admin\AppData\Local\Temp\tkozpd.exe" C:\Users\Admin\AppData\Local\Temp\zajwgfajajo.i
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3840

C:\Users\Admin\AppData\Local\Temp\tkozpd.exe
"C:\Users\Admin\AppData\Local\Temp\tkozpd.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 520
5⤵
- Program crash
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 528
5⤵
- Program crash
PID:4468

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 520
5⤵
- Program crash
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 540
5⤵
- Program crash
PID:1048

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:3188

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 520
5⤵
- Program crash
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 528
5⤵
- Program crash
PID:3856

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 536
5⤵
- Program crash
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 544
5⤵
- Program crash
PID:1412

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:4064

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 520
5⤵
- Program crash
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 540
5⤵
- Program crash
PID:2652

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 528
5⤵
- Program crash
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 228
5⤵
- Program crash
PID:3976

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 520
5⤵
- Program crash
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 540
5⤵
- Program crash
PID:3372

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 520
5⤵
- Program crash
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 528
5⤵
- Program crash
PID:1816

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 520
5⤵
- Program crash
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 540
5⤵
- Program crash
PID:5016

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 520
5⤵
- Program crash
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 540
5⤵
- Program crash
PID:2280

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:2160

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 520
5⤵
- Program crash
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 540
5⤵
- Program crash
PID:3216

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:3772

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 588
5⤵
- Program crash
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 596
5⤵
- Program crash
PID:3836

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 520
5⤵
- Program crash
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 540
5⤵
- Program crash
PID:4544

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:916

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 544
5⤵
- Program crash
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 552
5⤵
- Program crash
PID:3336

C:\Windows\SysWOW64\svchost.exe
svchost.exe
4⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 520
5⤵
- Program crash
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 540
5⤵
- Program crash
PID:4036

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cukwdswojn.vbs"
4⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1836 -ip 1836
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1836 -ip 1836
1⤵
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4824 -ip 4824
1⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4824 -ip 4824
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4476 -ip 4476
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4476 -ip 4476
1⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4792 -ip 4792
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4792 -ip 4792
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4900 -ip 4900
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4900 -ip 4900
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1696 -ip 1696
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1696 -ip 1696
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3172 -ip 3172
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3172 -ip 3172
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4668 -ip 4668
1⤵
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4668 -ip 4668
1⤵
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2616 -ip 2616
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2616 -ip 2616
1⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 736 -ip 736
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 736 -ip 736
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1444 -ip 1444
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1444 -ip 1444
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4800 -ip 4800
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4800 -ip 4800
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4600 -ip 4600
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4600 -ip 4600
1⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 716 -ip 716
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 716 -ip 716
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2488 -ip 2488
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2488 -ip 2488
1⤵
PID:4644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
c42106797b25e4f0a902723c32043838

SHA1
59fada3785a5be25059b068e13056e22e6571149

SHA256
7a4b9e3077f897e1ecfa924882266cfd7ba403d5d4b094e068c9f69ace88d508

SHA512
0b2c48208aad89cf379a8190c634a760eecf76e3d2c4a7b9301a3f3c87fb05cc9d2ecf23504adc46fb36a734f6a131b9b9a3c8d2ff5114458c22a684f6a2423e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cukwdswojn.vbs
Filesize
496B

MD5
03098e47005c16a20c4db90c25cfbfa4

SHA1
b6e4eb2c850e94765bc7627487360c6db4469a21

SHA256
aa7873b0a34ca9888de836624cc2a7dcd95a2bfb3cdf0f43d4e54e69df0927fc

SHA512
28559988cccae1b21df46aa2931b75af35ebc1cb6a3f334b466a4b078ac8a03b36175d3409db4e456f4821bc1366a40b75c04d28920d97d93f9adb27b0bc0d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkozpd.exe
Filesize
34KB

MD5
1d0ae4911c6cf7f974e6c5a98a48bba1

SHA1
acb0a0f99549fb95c44fc36db4ce6a599bdcd0f4

SHA256
4663d0ea4c74d2b970c6fc86f0ba4bb8d947c3edafb225bf112d50d949aed244

SHA512
587f1f2af0c09b3620ab888f2d7b8dcde5bd8e9735421178f1ab68c30339fc9a5bf34d333ffdf57f4e3b9811adde587f22f61a17d10ec3b508f9fe8aa4dc6fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkozpd.exe
Filesize
34KB

MD5
1d0ae4911c6cf7f974e6c5a98a48bba1

SHA1
acb0a0f99549fb95c44fc36db4ce6a599bdcd0f4

SHA256
4663d0ea4c74d2b970c6fc86f0ba4bb8d947c3edafb225bf112d50d949aed244

SHA512
587f1f2af0c09b3620ab888f2d7b8dcde5bd8e9735421178f1ab68c30339fc9a5bf34d333ffdf57f4e3b9811adde587f22f61a17d10ec3b508f9fe8aa4dc6fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tkozpd.exe
Filesize
34KB

MD5
1d0ae4911c6cf7f974e6c5a98a48bba1

SHA1
acb0a0f99549fb95c44fc36db4ce6a599bdcd0f4

SHA256
4663d0ea4c74d2b970c6fc86f0ba4bb8d947c3edafb225bf112d50d949aed244

SHA512
587f1f2af0c09b3620ab888f2d7b8dcde5bd8e9735421178f1ab68c30339fc9a5bf34d333ffdf57f4e3b9811adde587f22f61a17d10ec3b508f9fe8aa4dc6fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yanzjmz.dod
Filesize
496KB

MD5
28144d1a29c5b8de4caa91dc2ae537b8

SHA1
513bdc59ecbc7a351fa0340d063971b8f3d21a85

SHA256
25dda46fec58d9b6e641ed0a7a8bf7adcfa3b22c839d4cd276667c21ed5bd977

SHA512
d83dbcb254c84da92e0c9516e5c38fc13ad3a8a9bf917c3e092f780db414dc9240d767c238657198ecab6a1d63da5077c821424ee7623b5a2264fb84578ef6e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zajwgfajajo.i
Filesize
7KB

MD5
07b305cbfd9f46168b26fa235b136591

SHA1
0f3284fc60f8595c2759c0f3e36cce9ece0058f2

SHA256
41b5809e74d97d6a64e6801caf5b738e3e7d07e49b24ff868d79601c3d931f4e

SHA512
b9ad7d2c6fd965b80af58122757a4ca999d2541099baf003846ef9ef77b455a5bd62ec5f740d68736c4b8a7829ff405c093fb3efccaf41b90705ef34c05ee020

Download Submit
memory/716-221-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/716-220-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1836-154-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1836-159-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1836-157-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3492-162-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-175-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-155-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-151-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-158-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-150-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-160-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-161-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-148-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-243-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-166-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-145-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-147-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-174-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-153-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-186-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-187-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-205-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-209-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-210-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-216-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3492-214-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3840-140-0x0000000000480000-0x0000000000482000-memory.dmp

Filesize
8KB

Download
memory/4476-172-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4476-171-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4600-215-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4600-213-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4824-168-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4824-167-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads