remcos | 9ec972333e8ee5a045f432e0d9829a85b10361f717c57482c322d7077e237b3d

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-06-2023 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07399099.rtf
Size

13KB
MD5

814c549027ffa7b070b8dcbdf94c3124
SHA1

3bc00c380c958fb225da0224ad8a90df6af8d265
SHA256

9ec972333e8ee5a045f432e0d9829a85b10361f717c57482c322d7077e237b3d
SHA512

5a6fca5913c814862b0c40f16ebdedb44fe3b5839b0a631168015878c5cdfa761f6f1f76ec2afd193ea93224f94466ca8020c5cf8ef295a31afcf112d143386c
SSDEEP

384:NoO098d/Ejd0fyJXPTzkiQZ4/NpPFNkYsoY+qfdMV1l:tBd/ER0fytPTQi3//FPD/mWb

Score

10^/10

remcos success1 rat

Malware Config

Extracted

Family

remcos

Botnet

success1

103.212.81.154:1940

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-M38C46
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 1628 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

regasms.exeregasms.exe

pid process

1912 regasms.exe
1728 regasms.exe
Loads dropped DLL 5 IoCs

Processes:

EQNEDT32.EXEregasms.exe

pid process

1628 EQNEDT32.EXE
1628 EQNEDT32.EXE
1628 EQNEDT32.EXE
1628 EQNEDT32.EXE
1912 regasms.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

regasms.exe

description pid process target process

PID 1912 set thread context of 1728 1912 regasms.exe regasms.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1628 EQNEDT32.EXE

flow	pid	process
4	1628	EQNEDT32.EXE

pid	process
1912	regasms.exe
1728	regasms.exe

pid	process
1628	EQNEDT32.EXE
1628	EQNEDT32.EXE
1628	EQNEDT32.EXE
1628	EQNEDT32.EXE
1912	regasms.exe

description	pid	process	target process
PID 1912 set thread context of 1728	1912	regasms.exe	regasms.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1628	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1820 WINWORD.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regasms.exe

pid process

1912 regasms.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEregasms.exe

pid process

1820 WINWORD.EXE
1820 WINWORD.EXE
1728 regasms.exe

pid	process
1820	WINWORD.EXE

pid	process
1912	regasms.exe

pid	process
1820	WINWORD.EXE
1820	WINWORD.EXE
1728	regasms.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

EQNEDT32.EXEregasms.exeWINWORD.EXE

description	pid	process	target process
PID 1628 wrote to memory of 1912	1628	EQNEDT32.EXE	regasms.exe
PID 1628 wrote to memory of 1912	1628	EQNEDT32.EXE	regasms.exe
PID 1628 wrote to memory of 1912	1628	EQNEDT32.EXE	regasms.exe
PID 1628 wrote to memory of 1912	1628	EQNEDT32.EXE	regasms.exe
PID 1912 wrote to memory of 1728	1912	regasms.exe	regasms.exe
PID 1912 wrote to memory of 1728	1912	regasms.exe	regasms.exe
PID 1912 wrote to memory of 1728	1912	regasms.exe	regasms.exe
PID 1912 wrote to memory of 1728	1912	regasms.exe	regasms.exe
PID 1912 wrote to memory of 1728	1912	regasms.exe	regasms.exe
PID 1820 wrote to memory of 320	1820	WINWORD.EXE	splwow64.exe
PID 1820 wrote to memory of 320	1820	WINWORD.EXE	splwow64.exe
PID 1820 wrote to memory of 320	1820	WINWORD.EXE	splwow64.exe
PID 1820 wrote to memory of 320	1820	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\07399099.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:320

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1628

C:\ProgramData\regasms.exe
"C:\ProgramData\regasms.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1912

C:\ProgramData\regasms.exe
"C:\ProgramData\regasms.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\regasms.exe
Filesize
494KB

MD5
55b0547fef91211074f3aca6d1ee1df3

SHA1
ca194ab28f9ef2310ae3b64926b78fbb02dc9861

SHA256
892a6001d3636501cea7f2b22704e7438daa0630d64e92c7e5f5292635bbdc8b

SHA512
4ddce2903ead58efac4774d85f045b752359a95460aa3f51bf1ffc5a594141471e75df324327089fc885e9cdcf4e0aa0e8bd5597a895d4f78b6a8a0efb5e4483

Download Submit
C:\ProgramData\regasms.exe
Filesize
494KB

MD5
55b0547fef91211074f3aca6d1ee1df3

SHA1
ca194ab28f9ef2310ae3b64926b78fbb02dc9861

SHA256
892a6001d3636501cea7f2b22704e7438daa0630d64e92c7e5f5292635bbdc8b

SHA512
4ddce2903ead58efac4774d85f045b752359a95460aa3f51bf1ffc5a594141471e75df324327089fc885e9cdcf4e0aa0e8bd5597a895d4f78b6a8a0efb5e4483

Download Submit
C:\ProgramData\regasms.exe
Filesize
494KB

MD5
55b0547fef91211074f3aca6d1ee1df3

SHA1
ca194ab28f9ef2310ae3b64926b78fbb02dc9861

SHA256
892a6001d3636501cea7f2b22704e7438daa0630d64e92c7e5f5292635bbdc8b

SHA512
4ddce2903ead58efac4774d85f045b752359a95460aa3f51bf1ffc5a594141471e75df324327089fc885e9cdcf4e0aa0e8bd5597a895d4f78b6a8a0efb5e4483

Download Submit
C:\ProgramData\regasms.exe
Filesize
494KB

MD5
55b0547fef91211074f3aca6d1ee1df3

SHA1
ca194ab28f9ef2310ae3b64926b78fbb02dc9861

SHA256
892a6001d3636501cea7f2b22704e7438daa0630d64e92c7e5f5292635bbdc8b

SHA512
4ddce2903ead58efac4774d85f045b752359a95460aa3f51bf1ffc5a594141471e75df324327089fc885e9cdcf4e0aa0e8bd5597a895d4f78b6a8a0efb5e4483

Download Submit
C:\ProgramData\remcos\logs.dat
Filesize
214B

MD5
182f6cca1039cffa5f287695986f0545

SHA1
31069811b6cd9bd51537b24b96d76af1c02481ca

SHA256
442b3e0d9cff1dde143f3e03feade1da0aa7844abe462fe3ae97506b5261bb3e

SHA512
96ef39827d84e0043eba0c4e4b78bb85aac55c7eb458b0e2dab6f98cc70205472bc8e4574b46ede1391b30480f08a4f094a08f9b2b9b486005c864c7ab938c4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
e78c97226c5086e7900e7203d1e2d051

SHA1
6c0ee54c2faf473ffaeb41a3ee51e0e19bf6effe

SHA256
a2645f42c232956a9ad5f82358e87afc0e3c2a4c59ec1a05839dbef98dad42ac

SHA512
b106c4d320fa5828bf9ae6a88968be0a04f3bdf82584669cfdb828702e46dc0f0ed14b1b33f1231c046d21ea117502c2dc9654dc08d083cc5c0937ba866bf339

Download Submit
\ProgramData\regasms.exe
Filesize
494KB

MD5
55b0547fef91211074f3aca6d1ee1df3

SHA1
ca194ab28f9ef2310ae3b64926b78fbb02dc9861

SHA256
892a6001d3636501cea7f2b22704e7438daa0630d64e92c7e5f5292635bbdc8b

SHA512
4ddce2903ead58efac4774d85f045b752359a95460aa3f51bf1ffc5a594141471e75df324327089fc885e9cdcf4e0aa0e8bd5597a895d4f78b6a8a0efb5e4483

Download Submit
\ProgramData\regasms.exe
Filesize
494KB

MD5
55b0547fef91211074f3aca6d1ee1df3

SHA1
ca194ab28f9ef2310ae3b64926b78fbb02dc9861

SHA256
892a6001d3636501cea7f2b22704e7438daa0630d64e92c7e5f5292635bbdc8b

SHA512
4ddce2903ead58efac4774d85f045b752359a95460aa3f51bf1ffc5a594141471e75df324327089fc885e9cdcf4e0aa0e8bd5597a895d4f78b6a8a0efb5e4483

Download Submit
\ProgramData\regasms.exe
Filesize
494KB

MD5
55b0547fef91211074f3aca6d1ee1df3

SHA1
ca194ab28f9ef2310ae3b64926b78fbb02dc9861

SHA256
892a6001d3636501cea7f2b22704e7438daa0630d64e92c7e5f5292635bbdc8b

SHA512
4ddce2903ead58efac4774d85f045b752359a95460aa3f51bf1ffc5a594141471e75df324327089fc885e9cdcf4e0aa0e8bd5597a895d4f78b6a8a0efb5e4483

Download Submit
\ProgramData\regasms.exe
Filesize
494KB

MD5
55b0547fef91211074f3aca6d1ee1df3

SHA1
ca194ab28f9ef2310ae3b64926b78fbb02dc9861

SHA256
892a6001d3636501cea7f2b22704e7438daa0630d64e92c7e5f5292635bbdc8b

SHA512
4ddce2903ead58efac4774d85f045b752359a95460aa3f51bf1ffc5a594141471e75df324327089fc885e9cdcf4e0aa0e8bd5597a895d4f78b6a8a0efb5e4483

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2D2B.tmp\loxnhifw.dll
Filesize
22KB

MD5
af830ef9780bf226e52d44c5a67d9a3a

SHA1
4374b9ee1dee834743bdfea7b82cf64d2dd96e3c

SHA256
3658c5abc96df55d0786a02fa9ac1f2fb8e6b109be64c1c5bd5ec895783ce4ca

SHA512
5f718824570a3f7fb31c4597cb732c6ed1c84206575b7cbec0696cc593c55b7fc5d6d60cfebe566f0ae2ab0d748aa990eb0d47e18789420f77363c5d210da8bd

Download Submit
memory/1728-105-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-116-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-94-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-95-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-96-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-97-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-98-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-99-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-103-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-167-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-106-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-108-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-86-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-111-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-115-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-91-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-118-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-119-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-122-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-125-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-127-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-128-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-130-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-83-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-166-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-151-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-154-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-155-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1728-164-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1820-149-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1820-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download