remcos | 247629d8098e23046e3cf340b224420b00e760f10fac40fc75af9ae4de995259

Analysis

max time kernel
299s
max time network
300s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
29-10-2023 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RQF_Athens_plant_SV317653.rtf
Size

189KB
MD5

5441dcbe6b5d05ddb25e88ab953063d6
SHA1

c1fa90f8178de83f232b6520e43b9dbd43241a07
SHA256

247629d8098e23046e3cf340b224420b00e760f10fac40fc75af9ae4de995259
SHA512

3b2e94f6cdeed8ae55ef7feed575c653c03e15ba4054998c861487f6316541b7b406e978454dfb1ad27604764eaaf3c1ad7e4beaad808f445dcc9ff99e652cfd
SSDEEP

768:1wAbZSibMX9gRWj3pkScGvt9nncglN/oBxNmphK:1wAlR2kSF3n9oUphK

Score

10^/10

remcos 29122021 collection rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

29122021

29122021.sytes.net:6110

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3HZY53
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1636-88-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/1636-109-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1628-77-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1628-97-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 5 IoCs

resource	yara_rule
behavioral1/memory/1628-77-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1636-88-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/2024-91-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1628-97-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1636-109-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2648	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
2740	plugmdino47854334.exe
268	plugmdino47854334.exe
1628	plugmdino47854334.exe
1636	plugmdino47854334.exe
2024	plugmdino47854334.exe

Loads dropped DLL 2 IoCs

pid	Process
2648	EQNEDT32.EXE
2648	EQNEDT32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	plugmdino47854334.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2740 set thread context of 268	2740	plugmdino47854334.exe	32
PID 268 set thread context of 1628	268	plugmdino47854334.exe	33
PID 268 set thread context of 1636	268	plugmdino47854334.exe	34
PID 268 set thread context of 2024	268	plugmdino47854334.exe	35

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2648	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2028	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1628	plugmdino47854334.exe
1628	plugmdino47854334.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
268	plugmdino47854334.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
268	plugmdino47854334.exe
268	plugmdino47854334.exe
268	plugmdino47854334.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	plugmdino47854334.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2028	WINWORD.EXE
2028	WINWORD.EXE
268	plugmdino47854334.exe
2028	WINWORD.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2740	2648	EQNEDT32.EXE	29
PID 2648 wrote to memory of 2740	2648	EQNEDT32.EXE	29
PID 2648 wrote to memory of 2740	2648	EQNEDT32.EXE	29
PID 2648 wrote to memory of 2740	2648	EQNEDT32.EXE	29
PID 2740 wrote to memory of 268	2740	plugmdino47854334.exe	32
PID 2740 wrote to memory of 268	2740	plugmdino47854334.exe	32
PID 2740 wrote to memory of 268	2740	plugmdino47854334.exe	32
PID 2740 wrote to memory of 268	2740	plugmdino47854334.exe	32
PID 2740 wrote to memory of 268	2740	plugmdino47854334.exe	32
PID 2740 wrote to memory of 268	2740	plugmdino47854334.exe	32
PID 2740 wrote to memory of 268	2740	plugmdino47854334.exe	32
PID 2740 wrote to memory of 268	2740	plugmdino47854334.exe	32
PID 2740 wrote to memory of 268	2740	plugmdino47854334.exe	32
PID 2740 wrote to memory of 268	2740	plugmdino47854334.exe	32
PID 2740 wrote to memory of 268	2740	plugmdino47854334.exe	32
PID 2740 wrote to memory of 268	2740	plugmdino47854334.exe	32
PID 2740 wrote to memory of 268	2740	plugmdino47854334.exe	32
PID 268 wrote to memory of 1628	268	plugmdino47854334.exe	33
PID 268 wrote to memory of 1628	268	plugmdino47854334.exe	33
PID 268 wrote to memory of 1628	268	plugmdino47854334.exe	33
PID 268 wrote to memory of 1628	268	plugmdino47854334.exe	33
PID 268 wrote to memory of 1628	268	plugmdino47854334.exe	33
PID 268 wrote to memory of 1636	268	plugmdino47854334.exe	34
PID 268 wrote to memory of 1636	268	plugmdino47854334.exe	34
PID 268 wrote to memory of 1636	268	plugmdino47854334.exe	34
PID 268 wrote to memory of 1636	268	plugmdino47854334.exe	34
PID 268 wrote to memory of 1636	268	plugmdino47854334.exe	34
PID 268 wrote to memory of 2024	268	plugmdino47854334.exe	35
PID 268 wrote to memory of 2024	268	plugmdino47854334.exe	35
PID 268 wrote to memory of 2024	268	plugmdino47854334.exe	35
PID 268 wrote to memory of 2024	268	plugmdino47854334.exe	35
PID 268 wrote to memory of 2024	268	plugmdino47854334.exe	35
PID 2028 wrote to memory of 2536	2028	WINWORD.EXE	37
PID 2028 wrote to memory of 2536	2028	WINWORD.EXE	37
PID 2028 wrote to memory of 2536	2028	WINWORD.EXE	37
PID 2028 wrote to memory of 2536	2028	WINWORD.EXE	37

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RQF_Athens_plant_SV317653.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2536

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Roaming\plugmdino47854334.exe
  "C:\Users\Admin\AppData\Roaming\plugmdino47854334.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Roaming\plugmdino47854334.exe
    "C:\Users\Admin\AppData\Roaming\plugmdino47854334.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Users\Admin\AppData\Roaming\plugmdino47854334.exe
      C:\Users\Admin\AppData\Roaming\plugmdino47854334.exe /stext "C:\Users\Admin\AppData\Local\Temp\quklnjdokhihdeqafayer"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1628
  - - C:\Users\Admin\AppData\Roaming\plugmdino47854334.exe
      C:\Users\Admin\AppData\Roaming\plugmdino47854334.exe /stext "C:\Users\Admin\AppData\Local\Temp\boxenboiypamnsneollychfwk"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      PID:1636
  - - C:\Users\Admin\AppData\Roaming\plugmdino47854334.exe
      C:\Users\Admin\AppData\Roaming\plugmdino47854334.exe /stext "C:\Users\Admin\AppData\Local\Temp\drdpotzjmgsrpybixwyzfurflsqm"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
248B

MD5
d6e7d909a767fc207cbe701571af81af

SHA1
f497337bb933f3df2947827a2332df4971cf4ed4

SHA256
e530220a77b46d3ce6616b3eb5868451add50fe04ae65492293ef1509daa0396

SHA512
e16b2da54462768c37ec86bcec42d9038ae0807ab3629f5482149a46144d86bbfcd20e8dff3dc0f6c7f69f99c6b54fadd3156f40202305f24a396bd82a634bf3

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
328B

MD5
caa31ec3e28d013d0d0ce155667a3c06

SHA1
1ba0bb9a3ff51a55a1c3b42086b8a609c17779ec

SHA256
f7a680cfd6b8f8582f6698f9dc843b40d33b09844de47a8dcfcee303e24bdcbe

SHA512
dac4e1a4719a620970717577a0c63f6c6794b74dfc241420d9729a7f6fd4b0879db2e48ca8e18190861e7ef0ce743a19ae3a816dd0e43f581f7ece58a8366a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\quklnjdokhihdeqafayer

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\quklnjdokhihdeqafayer

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\plugmdino47854334.exe

Filesize
1.0MB

MD5
21db0d3419a6cb820291a1790596e36e

SHA1
cfe483b31887449c71f4673c1b579dc00b53955a

SHA256
36e1db714b618d3111c93520e0acb2e96750892b90bb7a6fd3ca84e247fd380a

SHA512
47e720fbff536f0a4e2bf35d32c102b725462cb201c0bdf41ba96a27e3811962b89875f1dbd62dbfac3e3307c71d8797694ac895445f619e1ea3c4e50c144671

Download Submit
C:\Users\Admin\AppData\Roaming\plugmdino47854334.exe

Filesize
1.0MB

MD5
21db0d3419a6cb820291a1790596e36e

SHA1
cfe483b31887449c71f4673c1b579dc00b53955a

SHA256
36e1db714b618d3111c93520e0acb2e96750892b90bb7a6fd3ca84e247fd380a

SHA512
47e720fbff536f0a4e2bf35d32c102b725462cb201c0bdf41ba96a27e3811962b89875f1dbd62dbfac3e3307c71d8797694ac895445f619e1ea3c4e50c144671

Download Submit
C:\Users\Admin\AppData\Roaming\plugmdino47854334.exe

Filesize
1.0MB

MD5
21db0d3419a6cb820291a1790596e36e

SHA1
cfe483b31887449c71f4673c1b579dc00b53955a

SHA256
36e1db714b618d3111c93520e0acb2e96750892b90bb7a6fd3ca84e247fd380a

SHA512
47e720fbff536f0a4e2bf35d32c102b725462cb201c0bdf41ba96a27e3811962b89875f1dbd62dbfac3e3307c71d8797694ac895445f619e1ea3c4e50c144671

Download Submit
C:\Users\Admin\AppData\Roaming\plugmdino47854334.exe

Filesize
1.0MB

MD5
21db0d3419a6cb820291a1790596e36e

SHA1
cfe483b31887449c71f4673c1b579dc00b53955a

SHA256
36e1db714b618d3111c93520e0acb2e96750892b90bb7a6fd3ca84e247fd380a

SHA512
47e720fbff536f0a4e2bf35d32c102b725462cb201c0bdf41ba96a27e3811962b89875f1dbd62dbfac3e3307c71d8797694ac895445f619e1ea3c4e50c144671

Download Submit
C:\Users\Admin\AppData\Roaming\plugmdino47854334.exe

Filesize
1.0MB

MD5
21db0d3419a6cb820291a1790596e36e

SHA1
cfe483b31887449c71f4673c1b579dc00b53955a

SHA256
36e1db714b618d3111c93520e0acb2e96750892b90bb7a6fd3ca84e247fd380a

SHA512
47e720fbff536f0a4e2bf35d32c102b725462cb201c0bdf41ba96a27e3811962b89875f1dbd62dbfac3e3307c71d8797694ac895445f619e1ea3c4e50c144671

Download Submit
C:\Users\Admin\AppData\Roaming\plugmdino47854334.exe

Filesize
1.0MB

MD5
21db0d3419a6cb820291a1790596e36e

SHA1
cfe483b31887449c71f4673c1b579dc00b53955a

SHA256
36e1db714b618d3111c93520e0acb2e96750892b90bb7a6fd3ca84e247fd380a

SHA512
47e720fbff536f0a4e2bf35d32c102b725462cb201c0bdf41ba96a27e3811962b89875f1dbd62dbfac3e3307c71d8797694ac895445f619e1ea3c4e50c144671

Download Submit
C:\Users\Admin\AppData\Roaming\plugmdino47854334.exe

Filesize
1.0MB

MD5
21db0d3419a6cb820291a1790596e36e

SHA1
cfe483b31887449c71f4673c1b579dc00b53955a

SHA256
36e1db714b618d3111c93520e0acb2e96750892b90bb7a6fd3ca84e247fd380a

SHA512
47e720fbff536f0a4e2bf35d32c102b725462cb201c0bdf41ba96a27e3811962b89875f1dbd62dbfac3e3307c71d8797694ac895445f619e1ea3c4e50c144671

Download Submit
\Users\Admin\AppData\Roaming\plugmdino47854334.exe

Filesize
1.0MB

MD5
21db0d3419a6cb820291a1790596e36e

SHA1
cfe483b31887449c71f4673c1b579dc00b53955a

SHA256
36e1db714b618d3111c93520e0acb2e96750892b90bb7a6fd3ca84e247fd380a

SHA512
47e720fbff536f0a4e2bf35d32c102b725462cb201c0bdf41ba96a27e3811962b89875f1dbd62dbfac3e3307c71d8797694ac895445f619e1ea3c4e50c144671

Download Submit
\Users\Admin\AppData\Roaming\plugmdino47854334.exe

Filesize
1.0MB

MD5
21db0d3419a6cb820291a1790596e36e

SHA1
cfe483b31887449c71f4673c1b579dc00b53955a

SHA256
36e1db714b618d3111c93520e0acb2e96750892b90bb7a6fd3ca84e247fd380a

SHA512
47e720fbff536f0a4e2bf35d32c102b725462cb201c0bdf41ba96a27e3811962b89875f1dbd62dbfac3e3307c71d8797694ac895445f619e1ea3c4e50c144671

Download Submit
memory/268-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-103-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-134-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-133-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-126-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/268-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-125-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-118-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-117-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-113-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/268-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-107-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/268-106-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/268-105-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/268-100-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/268-92-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/268-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1628-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1628-69-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1628-77-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1628-74-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1628-97-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1636-75-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1636-88-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1636-86-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1636-109-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1636-82-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2024-91-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2024-83-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2024-87-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2028-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2028-0-0x000000002FA91000-0x000000002FA92000-memory.dmp

Filesize
4KB

Download
memory/2028-26-0x000000007179D000-0x00000000717A8000-memory.dmp

Filesize
44KB

Download
memory/2028-2-0x000000007179D000-0x00000000717A8000-memory.dmp

Filesize
44KB

Download
memory/2740-19-0x000000006B8E0000-0x000000006BFCE000-memory.dmp

Filesize
6.9MB

Download
memory/2740-20-0x0000000000AE0000-0x0000000000B20000-memory.dmp

Filesize
256KB

Download
memory/2740-25-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2740-17-0x0000000000C30000-0x0000000000D3C000-memory.dmp

Filesize
1.0MB

Download
memory/2740-56-0x000000006B8E0000-0x000000006BFCE000-memory.dmp

Filesize
6.9MB

Download
memory/2740-27-0x000000006B8E0000-0x000000006BFCE000-memory.dmp

Filesize
6.9MB

Download
memory/2740-31-0x0000000005440000-0x00000000054F8000-memory.dmp

Filesize
736KB

Download
memory/2740-30-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/2740-29-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2740-28-0x0000000000AE0000-0x0000000000B20000-memory.dmp

Filesize
256KB

Download