remcos | a58305d97b3f1b7ce25c2e4ddac54c44a1fc78736fde5d2417a2f391e476f6c7

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
25-10-2023 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a58305d97b3f1b7ce25c2e4ddac54c44a1fc78736fde5d2417a2f391e476f6c7xls_JC.xls
Size

576KB
MD5

905966194474a7fa0f010e1ec69a6b7c
SHA1

eab4c675cbe8ea1771e4a1d2a4fcbd7305551ce5
SHA256

a58305d97b3f1b7ce25c2e4ddac54c44a1fc78736fde5d2417a2f391e476f6c7
SHA512

08fbb39bff38d34ede9ff8e3ed47daeb34466322ae18161fccb8de870188c972df7c0b761c3f4e01219a9311a0fe33b83b12fee352af9e6755e8bb14a2686944
SSDEEP

12288:DGe0yktVBPgFgZx0T3+5T85IMelbYZsOkbP77uJGHxxdRUpW5O1ad9scFox:DGeojDv0TO5W1elbYZhC7uJSxdaaf7mx

Score

10^/10

remcos hard rat

Malware Config

Extracted

Family

remcos

Botnet

HARD

cloudhost.myfirewall.org:9302

sandshoe.myfirewall.org:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
WindowUpdate.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
install_path
%Temp%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
RmcqSxe-3TCTRL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

10 1540 EQNEDT32.EXE
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 1 IoCs

Processes:

audiodgse.exe

pid process

1752 audiodgse.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1540 EQNEDT32.EXE
1540 EQNEDT32.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

audiodgse.exe

description pid process target process

PID 1752 set thread context of 2272 1752 audiodgse.exe Caspol.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1540 EQNEDT32.EXE

flow	pid	process
10	1540	EQNEDT32.EXE

pid	process
1752	audiodgse.exe

pid	process
1540	EQNEDT32.EXE
1540	EQNEDT32.EXE

description	pid	process	target process
PID 1752 set thread context of 2272	1752	audiodgse.exe	Caspol.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1540	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2572 EXCEL.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

EXCEL.EXEWINWORD.EXECaspol.exe

pid process

2572 EXCEL.EXE
2572 EXCEL.EXE
2572 EXCEL.EXE
2652 WINWORD.EXE
2652 WINWORD.EXE
2272 Caspol.exe

pid	process
2572	EXCEL.EXE

pid	process
2572	EXCEL.EXE
2572	EXCEL.EXE
2572	EXCEL.EXE
2652	WINWORD.EXE
2652	WINWORD.EXE
2272	Caspol.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEaudiodgse.exe

description	pid	process	target process
PID 1540 wrote to memory of 1752	1540	EQNEDT32.EXE	audiodgse.exe
PID 1540 wrote to memory of 1752	1540	EQNEDT32.EXE	audiodgse.exe
PID 1540 wrote to memory of 1752	1540	EQNEDT32.EXE	audiodgse.exe
PID 1540 wrote to memory of 1752	1540	EQNEDT32.EXE	audiodgse.exe
PID 2652 wrote to memory of 2832	2652	WINWORD.EXE	splwow64.exe
PID 2652 wrote to memory of 2832	2652	WINWORD.EXE	splwow64.exe
PID 2652 wrote to memory of 2832	2652	WINWORD.EXE	splwow64.exe
PID 2652 wrote to memory of 2832	2652	WINWORD.EXE	splwow64.exe
PID 1752 wrote to memory of 2272	1752	audiodgse.exe	Caspol.exe
PID 1752 wrote to memory of 2272	1752	audiodgse.exe	Caspol.exe
PID 1752 wrote to memory of 2272	1752	audiodgse.exe	Caspol.exe
PID 1752 wrote to memory of 2272	1752	audiodgse.exe	Caspol.exe
PID 1752 wrote to memory of 2272	1752	audiodgse.exe	Caspol.exe
PID 1752 wrote to memory of 2272	1752	audiodgse.exe	Caspol.exe
PID 1752 wrote to memory of 2272	1752	audiodgse.exe	Caspol.exe
PID 1752 wrote to memory of 2272	1752	audiodgse.exe	Caspol.exe
PID 1752 wrote to memory of 2272	1752	audiodgse.exe	Caspol.exe
PID 1752 wrote to memory of 2272	1752	audiodgse.exe	Caspol.exe
PID 1752 wrote to memory of 2272	1752	audiodgse.exe	Caspol.exe
PID 1752 wrote to memory of 2272	1752	audiodgse.exe	Caspol.exe
PID 1752 wrote to memory of 2272	1752	audiodgse.exe	Caspol.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\NEAS.a58305d97b3f1b7ce25c2e4ddac54c44a1fc78736fde5d2417a2f391e476f6c7xls_JC.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2572

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2832

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Roaming\audiodgse.exe
"C:\Users\Admin\AppData\Roaming\audiodgse.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
- Suspicious use of SetWindowsHookEx
PID:2272

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
352B

MD5
a448b429d8731e4980288cc976f50b93

SHA1
f7db5181a47475f4be3f1afe1ee5671811bd5a63

SHA256
411e59b410fc6800fdb60f1936db31a82e48cfe8143987519e9652296cc8281d

SHA512
0350770772e5dd2102bfb0420c12bd986522709e46f8d7b8915f6c573b7157187c1113c829025c0cab737dbdb29769889d5200f98423f09eff2d3c8117ff2956

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{885508C9-EECB-48F7-B175-A5D8F108A8F1}.FSD
Filesize
128KB

MD5
f0181cee091593efd79d1859bab4e862

SHA1
5661fc1accd6a35f6e1661e4fa503f5cfbd97037

SHA256
923847f2a545c501113368462060d9465fcb64d052ec6dc0e7c39b266080944b

SHA512
ab1d70453541cd9b862b0c594f76c1ef6a3a605bbca8726a35a4ab7faf920b35fb53f0609c1f47455ee44ad8414931fc028d9b8f864131e202cf8020334c35df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
166d7f18335231ea223fff817fdc4f54

SHA1
9487582dad2ebc7c11ea88fddd47c1fb57faa093

SHA256
c30c211c2e4e65284868ebed23074794208608f7558d7aadf7ecb7ab4db4bd97

SHA512
af06084911d8a165445561713688653dd5d4510a5eff049aca37a507754c96c6173da724db1ba46da11e505be49d050d071f98091cd4121c7d582988c842e5b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WGHIKMU\HTMLprofile[1].doc
Filesize
28KB

MD5
5342b58b3951c40f8e5eb08f5d9824be

SHA1
49b08cba6efb7fdec9f0042d012efdf4da73b8c7

SHA256
4f799501a3f411314a5a678c5c6e45b8ebcb16aa3b7e7d9a1996e0eda8bc6029

SHA512
0c469b1278deda0cf00b24cdff2822ad22b57e56310e1e8c57111961d6843175ce7c755e77185dc6601be7a8dc46a326aef115d90554c640a8f5b35a556d72a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7472E74C.doc
Filesize
28KB

MD5
5342b58b3951c40f8e5eb08f5d9824be

SHA1
49b08cba6efb7fdec9f0042d012efdf4da73b8c7

SHA256
4f799501a3f411314a5a678c5c6e45b8ebcb16aa3b7e7d9a1996e0eda8bc6029

SHA512
0c469b1278deda0cf00b24cdff2822ad22b57e56310e1e8c57111961d6843175ce7c755e77185dc6601be7a8dc46a326aef115d90554c640a8f5b35a556d72a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{85B8C46E-DF4D-4078-B3AB-B951827FAC6D}
Filesize
128KB

MD5
94e921ecf433708b96ffdb51fb662851

SHA1
759660e7c4db02e9a3947901de95b0674e3958eb

SHA256
98d9c56dfe1fea27f16396133600df527f6499c2670cfb329636515b836dc79a

SHA512
078cbcf3016aa35048409194c6104d2b886e18a2edd8ae4de0899304d4d1d50bbf6b524ff549eb1fd8c94fd6fd2f8a71f2525aaa492e4d8a130887e52b645689

Download Submit
C:\Users\Admin\AppData\Roaming\audiodgse.exe
Filesize
1.8MB

MD5
3da35b7951023c8c3ef4e481e283e708

SHA1
51cd41a7d003d96bad9b856b3f23493995523017

SHA256
2862753674be1a96e5df92dc8c49a9b02f9c8b33ab7ca4584edc5cd99fa193a5

SHA512
93bd225e58f335ad45a4f5421eb6120160b9d4d789ac632e36016ba64bd805bdf755fde1eb45263fb87d0f817d64616f606d042d47ef6f55ad075392cc8aa285

Download Submit
C:\Users\Admin\AppData\Roaming\audiodgse.exe
Filesize
1.8MB

MD5
3da35b7951023c8c3ef4e481e283e708

SHA1
51cd41a7d003d96bad9b856b3f23493995523017

SHA256
2862753674be1a96e5df92dc8c49a9b02f9c8b33ab7ca4584edc5cd99fa193a5

SHA512
93bd225e58f335ad45a4f5421eb6120160b9d4d789ac632e36016ba64bd805bdf755fde1eb45263fb87d0f817d64616f606d042d47ef6f55ad075392cc8aa285

Download Submit
C:\Users\Admin\AppData\Roaming\audiodgse.exe
Filesize
1.8MB

MD5
3da35b7951023c8c3ef4e481e283e708

SHA1
51cd41a7d003d96bad9b856b3f23493995523017

SHA256
2862753674be1a96e5df92dc8c49a9b02f9c8b33ab7ca4584edc5cd99fa193a5

SHA512
93bd225e58f335ad45a4f5421eb6120160b9d4d789ac632e36016ba64bd805bdf755fde1eb45263fb87d0f817d64616f606d042d47ef6f55ad075392cc8aa285

Download Submit
\Users\Admin\AppData\Roaming\audiodgse.exe
Filesize
1.8MB

MD5
3da35b7951023c8c3ef4e481e283e708

SHA1
51cd41a7d003d96bad9b856b3f23493995523017

SHA256
2862753674be1a96e5df92dc8c49a9b02f9c8b33ab7ca4584edc5cd99fa193a5

SHA512
93bd225e58f335ad45a4f5421eb6120160b9d4d789ac632e36016ba64bd805bdf755fde1eb45263fb87d0f817d64616f606d042d47ef6f55ad075392cc8aa285

Download Submit
\Users\Admin\AppData\Roaming\audiodgse.exe
Filesize
1.8MB

MD5
3da35b7951023c8c3ef4e481e283e708

SHA1
51cd41a7d003d96bad9b856b3f23493995523017

SHA256
2862753674be1a96e5df92dc8c49a9b02f9c8b33ab7ca4584edc5cd99fa193a5

SHA512
93bd225e58f335ad45a4f5421eb6120160b9d4d789ac632e36016ba64bd805bdf755fde1eb45263fb87d0f817d64616f606d042d47ef6f55ad075392cc8aa285

Download Submit
memory/1752-103-0x0000000000B10000-0x0000000000CE6000-memory.dmp

Filesize
1.8MB

Download
memory/1752-104-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/1752-102-0x000000006A650000-0x000000006AD3E000-memory.dmp

Filesize
6.9MB

Download
memory/1752-106-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

Filesize
256KB

Download
memory/1752-123-0x000000006A650000-0x000000006AD3E000-memory.dmp

Filesize
6.9MB

Download
memory/2272-125-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-118-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-153-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-152-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-144-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-137-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-107-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-111-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-112-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-113-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-114-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-115-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-116-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-117-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2272-136-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-120-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-134-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-122-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-126-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-128-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-121-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-127-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2272-129-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2572-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2572-1-0x000000007224D000-0x0000000072258000-memory.dmp

Filesize
44KB

Download
memory/2572-9-0x0000000002360000-0x0000000002362000-memory.dmp

Filesize
8KB

Download
memory/2572-78-0x000000007224D000-0x0000000072258000-memory.dmp

Filesize
44KB

Download
memory/2652-4-0x000000002FD51000-0x000000002FD52000-memory.dmp

Filesize
4KB

Download
memory/2652-79-0x000000007224D000-0x0000000072258000-memory.dmp

Filesize
44KB

Download
memory/2652-6-0x000000007224D000-0x0000000072258000-memory.dmp

Filesize
44KB

Download
memory/2652-8-0x0000000002DD0000-0x0000000002DD2000-memory.dmp

Filesize
8KB

Download