remcos | 9ec972333e8ee5a045f432e0d9829a85b10361f717c57482c322d7077e237b3d

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-06-2023 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

orderXinquiry.rtf
Size

13KB
MD5

814c549027ffa7b070b8dcbdf94c3124
SHA1

3bc00c380c958fb225da0224ad8a90df6af8d265
SHA256

9ec972333e8ee5a045f432e0d9829a85b10361f717c57482c322d7077e237b3d
SHA512

5a6fca5913c814862b0c40f16ebdedb44fe3b5839b0a631168015878c5cdfa761f6f1f76ec2afd193ea93224f94466ca8020c5cf8ef295a31afcf112d143386c
SSDEEP

384:NoO098d/Ejd0fyJXPTzkiQZ4/NpPFNkYsoY+qfdMV1l:tBd/ER0fytPTQi3//FPD/mWb

Score

10^/10

remcos success1 collection rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

success1

103.212.81.154:1940

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-M38C46
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1524-129-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/1524-135-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/1524-146-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1928-130-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1928-134-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1928-140-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1524-129-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/800-131-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1928-130-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/800-132-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1928-134-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1524-135-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/1928-140-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1524-146-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 1524 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

regasms.exeregasms.exeregasms.exeregasms.exeregasms.exe

pid process

964 regasms.exe
528 regasms.exe
1928 regasms.exe
1524 regasms.exe
800 regasms.exe
Loads dropped DLL 5 IoCs

Processes:

EQNEDT32.EXEregasms.exe

pid process

1524 EQNEDT32.EXE
1524 EQNEDT32.EXE
1524 EQNEDT32.EXE
1524 EQNEDT32.EXE
964 regasms.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
4	1524	EQNEDT32.EXE

pid	process
964	regasms.exe
528	regasms.exe
1928	regasms.exe
1524	regasms.exe
800	regasms.exe

pid	process
1524	EQNEDT32.EXE
1524	EQNEDT32.EXE
1524	EQNEDT32.EXE
1524	EQNEDT32.EXE
964	regasms.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

regasms.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	regasms.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

regasms.exeregasms.exe

description	pid	process	target process
PID 964 set thread context of 528	964	regasms.exe	regasms.exe
PID 528 set thread context of 1928	528	regasms.exe	regasms.exe
PID 528 set thread context of 1524	528	regasms.exe	regasms.exe
PID 528 set thread context of 800	528	regasms.exe	regasms.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1524 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1524	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1720 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regasms.exe

pid process

1928 regasms.exe
1928 regasms.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

regasms.exeregasms.exe

pid process

964 regasms.exe
528 regasms.exe
528 regasms.exe
528 regasms.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

regasms.exe

description pid process

Token: SeDebugPrivilege 800 regasms.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEregasms.exe

pid process

1720 WINWORD.EXE
1720 WINWORD.EXE
528 regasms.exe

pid	process
1720	WINWORD.EXE

pid	process
1928	regasms.exe
1928	regasms.exe

pid	process
964	regasms.exe
528	regasms.exe
528	regasms.exe
528	regasms.exe

description	pid	process
Token: SeDebugPrivilege	800	regasms.exe

pid	process
1720	WINWORD.EXE
1720	WINWORD.EXE
528	regasms.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

EQNEDT32.EXEregasms.exeregasms.exeWINWORD.EXE

description	pid	process	target process
PID 1524 wrote to memory of 964	1524	EQNEDT32.EXE	regasms.exe
PID 1524 wrote to memory of 964	1524	EQNEDT32.EXE	regasms.exe
PID 1524 wrote to memory of 964	1524	EQNEDT32.EXE	regasms.exe
PID 1524 wrote to memory of 964	1524	EQNEDT32.EXE	regasms.exe
PID 964 wrote to memory of 528	964	regasms.exe	regasms.exe
PID 964 wrote to memory of 528	964	regasms.exe	regasms.exe
PID 964 wrote to memory of 528	964	regasms.exe	regasms.exe
PID 964 wrote to memory of 528	964	regasms.exe	regasms.exe
PID 964 wrote to memory of 528	964	regasms.exe	regasms.exe
PID 528 wrote to memory of 1928	528	regasms.exe	regasms.exe
PID 528 wrote to memory of 1928	528	regasms.exe	regasms.exe
PID 528 wrote to memory of 1928	528	regasms.exe	regasms.exe
PID 528 wrote to memory of 1928	528	regasms.exe	regasms.exe
PID 528 wrote to memory of 1524	528	regasms.exe	regasms.exe
PID 528 wrote to memory of 1524	528	regasms.exe	regasms.exe
PID 528 wrote to memory of 1524	528	regasms.exe	regasms.exe
PID 528 wrote to memory of 1524	528	regasms.exe	regasms.exe
PID 528 wrote to memory of 800	528	regasms.exe	regasms.exe
PID 528 wrote to memory of 800	528	regasms.exe	regasms.exe
PID 528 wrote to memory of 800	528	regasms.exe	regasms.exe
PID 528 wrote to memory of 800	528	regasms.exe	regasms.exe
PID 1720 wrote to memory of 524	1720	WINWORD.EXE	splwow64.exe
PID 1720 wrote to memory of 524	1720	WINWORD.EXE	splwow64.exe
PID 1720 wrote to memory of 524	1720	WINWORD.EXE	splwow64.exe
PID 1720 wrote to memory of 524	1720	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\orderXinquiry.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:524

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1524

C:\ProgramData\regasms.exe
"C:\ProgramData\regasms.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:964

C:\ProgramData\regasms.exe
"C:\ProgramData\regasms.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:528

C:\ProgramData\regasms.exe
C:\ProgramData\regasms.exe /stext "C:\Users\Admin\AppData\Local\Temp\oxrxsvxhnhcxmuytbjjhuifvfqxigvelok"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1928

C:\ProgramData\regasms.exe
C:\ProgramData\regasms.exe /stext "C:\Users\Admin\AppData\Local\Temp\zseptn"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:1524

C:\ProgramData\regasms.exe
C:\ProgramData\regasms.exe /stext "C:\Users\Admin\AppData\Local\Temp\bujiufsco"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\regasms.exe
Filesize
494KB

MD5
55b0547fef91211074f3aca6d1ee1df3

SHA1
ca194ab28f9ef2310ae3b64926b78fbb02dc9861

SHA256
892a6001d3636501cea7f2b22704e7438daa0630d64e92c7e5f5292635bbdc8b

SHA512
4ddce2903ead58efac4774d85f045b752359a95460aa3f51bf1ffc5a594141471e75df324327089fc885e9cdcf4e0aa0e8bd5597a895d4f78b6a8a0efb5e4483

Download Submit
C:\ProgramData\regasms.exe
Filesize
494KB

MD5
55b0547fef91211074f3aca6d1ee1df3

SHA1
ca194ab28f9ef2310ae3b64926b78fbb02dc9861

SHA256
892a6001d3636501cea7f2b22704e7438daa0630d64e92c7e5f5292635bbdc8b

SHA512
4ddce2903ead58efac4774d85f045b752359a95460aa3f51bf1ffc5a594141471e75df324327089fc885e9cdcf4e0aa0e8bd5597a895d4f78b6a8a0efb5e4483

Download Submit
C:\ProgramData\regasms.exe
Filesize
494KB

MD5
55b0547fef91211074f3aca6d1ee1df3

SHA1
ca194ab28f9ef2310ae3b64926b78fbb02dc9861

SHA256
892a6001d3636501cea7f2b22704e7438daa0630d64e92c7e5f5292635bbdc8b

SHA512
4ddce2903ead58efac4774d85f045b752359a95460aa3f51bf1ffc5a594141471e75df324327089fc885e9cdcf4e0aa0e8bd5597a895d4f78b6a8a0efb5e4483

Download Submit
C:\ProgramData\regasms.exe
Filesize
494KB

MD5
55b0547fef91211074f3aca6d1ee1df3

SHA1
ca194ab28f9ef2310ae3b64926b78fbb02dc9861

SHA256
892a6001d3636501cea7f2b22704e7438daa0630d64e92c7e5f5292635bbdc8b

SHA512
4ddce2903ead58efac4774d85f045b752359a95460aa3f51bf1ffc5a594141471e75df324327089fc885e9cdcf4e0aa0e8bd5597a895d4f78b6a8a0efb5e4483

Download Submit
C:\ProgramData\regasms.exe
Filesize
494KB

MD5
55b0547fef91211074f3aca6d1ee1df3

SHA1
ca194ab28f9ef2310ae3b64926b78fbb02dc9861

SHA256
892a6001d3636501cea7f2b22704e7438daa0630d64e92c7e5f5292635bbdc8b

SHA512
4ddce2903ead58efac4774d85f045b752359a95460aa3f51bf1ffc5a594141471e75df324327089fc885e9cdcf4e0aa0e8bd5597a895d4f78b6a8a0efb5e4483

Download Submit
C:\ProgramData\regasms.exe
Filesize
494KB

MD5
55b0547fef91211074f3aca6d1ee1df3

SHA1
ca194ab28f9ef2310ae3b64926b78fbb02dc9861

SHA256
892a6001d3636501cea7f2b22704e7438daa0630d64e92c7e5f5292635bbdc8b

SHA512
4ddce2903ead58efac4774d85f045b752359a95460aa3f51bf1ffc5a594141471e75df324327089fc885e9cdcf4e0aa0e8bd5597a895d4f78b6a8a0efb5e4483

Download Submit
C:\ProgramData\regasms.exe
Filesize
494KB

MD5
55b0547fef91211074f3aca6d1ee1df3

SHA1
ca194ab28f9ef2310ae3b64926b78fbb02dc9861

SHA256
892a6001d3636501cea7f2b22704e7438daa0630d64e92c7e5f5292635bbdc8b

SHA512
4ddce2903ead58efac4774d85f045b752359a95460aa3f51bf1ffc5a594141471e75df324327089fc885e9cdcf4e0aa0e8bd5597a895d4f78b6a8a0efb5e4483

Download Submit
C:\ProgramData\remcos\logs.dat
Filesize
224B

MD5
581558158cf90a18caece7aa22109105

SHA1
e8acb9c8d3b0cb006e8fed37c7a7a2362874d3a0

SHA256
7a77721ad1df343692aaf4808a72e57ea9f2626163b15ea15efd7472c49d6e1e

SHA512
81e0c46f84b3c77709264126353183dcc47f050f62df5729e636b2a4d01f3651f36bd1600a61e1700f732162075f242786c6915e30d6fafd7abfea1eaca4df37

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxrxsvxhnhcxmuytbjjhuifvfqxigvelok
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxrxsvxhnhcxmuytbjjhuifvfqxigvelok
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
8741993c8ce46b036fc8b39c38377e75

SHA1
49e7721ade3063cd8585523b1ce93ce365fa2c77

SHA256
25e3627817d66c07cdf98121274869dc8a2e7b7593fd8c29961a3b23a36822cb

SHA512
a780f7b14d43afc2bcc00af79367dcaa0f03479f93ce0a90bf6fac9a6030355d9b1d81df34277e9907e4df539f058f2fe538412207b629cfe89b13aea9fe2612

Download Submit
\ProgramData\regasms.exe
Filesize
494KB

MD5
55b0547fef91211074f3aca6d1ee1df3

SHA1
ca194ab28f9ef2310ae3b64926b78fbb02dc9861

SHA256
892a6001d3636501cea7f2b22704e7438daa0630d64e92c7e5f5292635bbdc8b

SHA512
4ddce2903ead58efac4774d85f045b752359a95460aa3f51bf1ffc5a594141471e75df324327089fc885e9cdcf4e0aa0e8bd5597a895d4f78b6a8a0efb5e4483

Download Submit
\ProgramData\regasms.exe
Filesize
494KB

MD5
55b0547fef91211074f3aca6d1ee1df3

SHA1
ca194ab28f9ef2310ae3b64926b78fbb02dc9861

SHA256
892a6001d3636501cea7f2b22704e7438daa0630d64e92c7e5f5292635bbdc8b

SHA512
4ddce2903ead58efac4774d85f045b752359a95460aa3f51bf1ffc5a594141471e75df324327089fc885e9cdcf4e0aa0e8bd5597a895d4f78b6a8a0efb5e4483

Download Submit
\ProgramData\regasms.exe
Filesize
494KB

MD5
55b0547fef91211074f3aca6d1ee1df3

SHA1
ca194ab28f9ef2310ae3b64926b78fbb02dc9861

SHA256
892a6001d3636501cea7f2b22704e7438daa0630d64e92c7e5f5292635bbdc8b

SHA512
4ddce2903ead58efac4774d85f045b752359a95460aa3f51bf1ffc5a594141471e75df324327089fc885e9cdcf4e0aa0e8bd5597a895d4f78b6a8a0efb5e4483

Download Submit
\ProgramData\regasms.exe
Filesize
494KB

MD5
55b0547fef91211074f3aca6d1ee1df3

SHA1
ca194ab28f9ef2310ae3b64926b78fbb02dc9861

SHA256
892a6001d3636501cea7f2b22704e7438daa0630d64e92c7e5f5292635bbdc8b

SHA512
4ddce2903ead58efac4774d85f045b752359a95460aa3f51bf1ffc5a594141471e75df324327089fc885e9cdcf4e0aa0e8bd5597a895d4f78b6a8a0efb5e4483

Download Submit
\Users\Admin\AppData\Local\Temp\nst20BD.tmp\loxnhifw.dll
Filesize
22KB

MD5
af830ef9780bf226e52d44c5a67d9a3a

SHA1
4374b9ee1dee834743bdfea7b82cf64d2dd96e3c

SHA256
3658c5abc96df55d0786a02fa9ac1f2fb8e6b109be64c1c5bd5ec895783ce4ca

SHA512
5f718824570a3f7fb31c4597cb732c6ed1c84206575b7cbec0696cc593c55b7fc5d6d60cfebe566f0ae2ab0d748aa990eb0d47e18789420f77363c5d210da8bd

Download Submit
memory/528-153-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-157-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-98-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-99-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-100-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-104-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-105-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-109-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-110-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-111-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-112-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-113-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-114-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-115-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-205-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-96-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-202-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-95-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-94-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-197-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-195-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-174-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-171-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-170-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-169-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-166-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-164-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-162-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/528-161-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-92-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-160-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-91-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-88-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-144-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-97-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/528-148-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/528-151-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/528-152-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/528-156-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/800-132-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/800-127-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/800-123-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/800-131-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/964-83-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/1524-146-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1524-119-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1524-135-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1524-126-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1524-129-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1720-193-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1720-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1928-134-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1928-130-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1928-128-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1928-140-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1928-117-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download