remcos | 4c8ef08c0d896adae8f7f3012b7d7732e8e8950007ba8117a122440bcefcef8a

Analysis

max time kernel
148s
max time network
146s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-05-2023 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

STN-ORD.docx
Size

10KB
MD5

7249a8d317ed6f5bd1e6374f602997ed
SHA1

5e9e5bb7cb643db46fcf86140a6705a7f23749ec
SHA256

4c8ef08c0d896adae8f7f3012b7d7732e8e8950007ba8117a122440bcefcef8a
SHA512

153b5042335f320a864e57ac30d049b2c5720c6c3d9e2e08d48da00234e335205971db711af2ca42e7ce0779ba81038fb2377f30a764de434ef14966cef885c0
SSDEEP

192:ScIMmtPSi2EG/b/wLGbt0AOK1amWBXZVhhz03aHF:SPXST/0RAOeoJVh2al

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

csc.mastercoa.co:55241

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-444WE8
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1636 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1636	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\Common\Offline\Files\http://1835648751/gf/##############################################.doc	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE

Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

1492 vbc.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1636 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 1492 set thread context of 1836 1492 vbc.exe AddInProcess32.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1636 EQNEDT32.EXE

pid	process
1636	EQNEDT32.EXE

description	pid	process	target process
PID 1492 set thread context of 1836	1492	vbc.exe	AddInProcess32.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1636	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

308 WINWORD.EXE

pid	process
308	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vbc.exe

pid	process
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe
1492	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 1492 vbc.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEAddInProcess32.exe

pid process

308 WINWORD.EXE
308 WINWORD.EXE
1836 AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	1492	vbc.exe

pid	process
308	WINWORD.EXE
308	WINWORD.EXE
1836	AddInProcess32.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1636 wrote to memory of 1492	1636	EQNEDT32.EXE	vbc.exe
PID 1636 wrote to memory of 1492	1636	EQNEDT32.EXE	vbc.exe
PID 1636 wrote to memory of 1492	1636	EQNEDT32.EXE	vbc.exe
PID 1636 wrote to memory of 1492	1636	EQNEDT32.EXE	vbc.exe
PID 308 wrote to memory of 1832	308	WINWORD.EXE	splwow64.exe
PID 308 wrote to memory of 1832	308	WINWORD.EXE	splwow64.exe
PID 308 wrote to memory of 1832	308	WINWORD.EXE	splwow64.exe
PID 308 wrote to memory of 1832	308	WINWORD.EXE	splwow64.exe
PID 1492 wrote to memory of 1836	1492	vbc.exe	AddInProcess32.exe
PID 1492 wrote to memory of 1836	1492	vbc.exe	AddInProcess32.exe
PID 1492 wrote to memory of 1836	1492	vbc.exe	AddInProcess32.exe
PID 1492 wrote to memory of 1836	1492	vbc.exe	AddInProcess32.exe
PID 1492 wrote to memory of 1836	1492	vbc.exe	AddInProcess32.exe
PID 1492 wrote to memory of 1836	1492	vbc.exe	AddInProcess32.exe
PID 1492 wrote to memory of 1836	1492	vbc.exe	AddInProcess32.exe
PID 1492 wrote to memory of 1836	1492	vbc.exe	AddInProcess32.exe
PID 1492 wrote to memory of 1836	1492	vbc.exe	AddInProcess32.exe
PID 1492 wrote to memory of 1836	1492	vbc.exe	AddInProcess32.exe
PID 1492 wrote to memory of 1836	1492	vbc.exe	AddInProcess32.exe
PID 1492 wrote to memory of 1836	1492	vbc.exe	AddInProcess32.exe
PID 1492 wrote to memory of 1836	1492	vbc.exe	AddInProcess32.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\STN-ORD.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1832

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
3⤵
- Suspicious use of SetWindowsHookEx
PID:1836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
270B

MD5
5edafd093f65af36eebef7bd65d11cb1

SHA1
f95c185a752b5de6cc9a4be7025a38fa9511f22c

SHA256
85947245d6be13e72028f4ae93c3a7d6c4aeb8a0abf91ba906653864d581e5d2

SHA512
971272dcc7bd104d1b9151d775cd99feef466072db45e67aa7e8d32b9097e90aee23255d4c5ed6a8dd84f078401c1235b6ddcfb472526ec5b259534041eb171d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{8A443C8D-177A-4860-941A-FB1E0BC06767}.FSD
Filesize
128KB

MD5
87e02adb55d61a2b0b7b54d49d0b61f7

SHA1
fdb7e1f26cf3c206d60ef54038d1440fcb4f3688

SHA256
2f0a2cfd7c820fd3d5ba70621da06013b50c147c5f2ac16b7ccf4ecc7baf57ba

SHA512
7fa8a199a4fb6b6dbc5879d87feb19b5be59cd20c166a50547f50da7a347f9ec4e816b2160dfd14ab1fa1e63391fd2a99c1d81895dd7c920b2fe72856b7daed4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
ccaaf76b6c5215d48762a37611418391

SHA1
2e76f86b8dbf5171c638749ac227cb7888bcea75

SHA256
971f987d8f844d44a7d9f2792572a3a8fefc0f61d63ac8d501a588261ccd8e13

SHA512
c1a2889f4da635dbae33aeb2e767771ddfc7148393dce4a6ce09584b0c49cc008149d81cd5197058bdfb1515710e9150ee1b46624495ee1caade3d1025b5cadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{3E9E1430-CE2B-4B40-8527-7405C672E160}.FSD
Filesize
128KB

MD5
1a49d0fab5482f11eb947c490d8e0867

SHA1
6f50526f0f07b2736470f38bf96c06ed29614536

SHA256
9232699a4023431329d5fb04e28a5490c73f5bdef7c5db4d8f99e870a2e55df9

SHA512
e0c2a6e5bd3d20d5601dd36107177aefb130a2e745244ae90c643c6f2d43c58c114b7393ae812846f35b58d0f0e3e2230a29136015c77eb264e9ad8409848fc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S7FIT0B8\##############################################[1].doc
Filesize
22KB

MD5
54e110633d9eab07a128d77a2983d306

SHA1
ed8ad3d9cf7941cd3d3f5c585ba534dbe050a5af

SHA256
904be1f7a689b97de339c54ded763b7dc26acb941fee56e585aa9e6350f65f17

SHA512
771dd723f00d96910548a0d4a39a89914dc118ae6e4859373993bd6f117e9db191b477660a6898b05a9d9fe8d1d959fe712f53b6869dcfaeced9206950d32c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A21D4B48-C095-4D4B-8213-14A77D8D1EC8}
Filesize
128KB

MD5
a07266b2bd673b153632572119a94d2f

SHA1
32bc971e862574636cb572a324d34fec8d59c643

SHA256
8760ccf9ae37a75abf269593c58784a5263202b9ab3e101467dcebd75ceaa412

SHA512
52942debf48098b81a6b064f5372e2b77fe736f75d4caea70427a8fe2080068eaa8919acfcd38728be20457b72c28545d92a7ea830988126dca3dbc65bc98ca9

Download Submit
C:\Users\Public\vbc.exe
Filesize
2.4MB

MD5
2c3948b46ad3f0972c57d86e00fe3ef0

SHA1
81cba7a7dd95391c34453f3dcf46639d273522b7

SHA256
a90db92cdebc3d71dfae9a9dfe1447b629db2724fd093d22e8f53e7aeab26a74

SHA512
10eabc8112c86ee850990ad21eb27e26f98914dfa71bf6ba744a1e1aa5cc74b82054ded9089070d2501f798cb03da25be3b531af3fa3af6b00927c19867f0601

Download Submit
C:\Users\Public\vbc.exe
Filesize
2.4MB

MD5
2c3948b46ad3f0972c57d86e00fe3ef0

SHA1
81cba7a7dd95391c34453f3dcf46639d273522b7

SHA256
a90db92cdebc3d71dfae9a9dfe1447b629db2724fd093d22e8f53e7aeab26a74

SHA512
10eabc8112c86ee850990ad21eb27e26f98914dfa71bf6ba744a1e1aa5cc74b82054ded9089070d2501f798cb03da25be3b531af3fa3af6b00927c19867f0601

Download Submit
C:\Users\Public\vbc.exe
Filesize
2.4MB

MD5
2c3948b46ad3f0972c57d86e00fe3ef0

SHA1
81cba7a7dd95391c34453f3dcf46639d273522b7

SHA256
a90db92cdebc3d71dfae9a9dfe1447b629db2724fd093d22e8f53e7aeab26a74

SHA512
10eabc8112c86ee850990ad21eb27e26f98914dfa71bf6ba744a1e1aa5cc74b82054ded9089070d2501f798cb03da25be3b531af3fa3af6b00927c19867f0601

Download Submit
\Users\Public\vbc.exe
Filesize
2.4MB

MD5
2c3948b46ad3f0972c57d86e00fe3ef0

SHA1
81cba7a7dd95391c34453f3dcf46639d273522b7

SHA256
a90db92cdebc3d71dfae9a9dfe1447b629db2724fd093d22e8f53e7aeab26a74

SHA512
10eabc8112c86ee850990ad21eb27e26f98914dfa71bf6ba744a1e1aa5cc74b82054ded9089070d2501f798cb03da25be3b531af3fa3af6b00927c19867f0601

Download Submit
memory/308-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1492-142-0x00000000003C0000-0x0000000000622000-memory.dmp

Filesize
2.4MB

Download
memory/1492-145-0x0000000000810000-0x000000000085A000-memory.dmp

Filesize
296KB

Download
memory/1492-146-0x0000000000630000-0x0000000000648000-memory.dmp

Filesize
96KB

Download
memory/1492-147-0x0000000004DE0000-0x0000000004E20000-memory.dmp

Filesize
256KB

Download
memory/1492-152-0x0000000004DE0000-0x0000000004E20000-memory.dmp

Filesize
256KB

Download
memory/1492-153-0x0000000004DE0000-0x0000000004E20000-memory.dmp

Filesize
256KB

Download
memory/1492-154-0x0000000000650000-0x000000000066A000-memory.dmp

Filesize
104KB

Download
memory/1492-155-0x0000000000770000-0x0000000000776000-memory.dmp

Filesize
24KB

Download
memory/1492-156-0x0000000004DE0000-0x0000000004E20000-memory.dmp

Filesize
256KB

Download
memory/1492-144-0x0000000004DE0000-0x0000000004E20000-memory.dmp

Filesize
256KB

Download
memory/1492-166-0x0000000004DE0000-0x0000000004E20000-memory.dmp

Filesize
256KB

Download
memory/1836-159-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-171-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-161-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-162-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-163-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-165-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1836-164-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-158-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-167-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-168-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-169-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-160-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-172-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-173-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-174-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-175-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-176-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-180-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-181-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-157-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-187-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-188-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-195-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-196-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download