Malware Analysis Report

2024-08-06 17:38

Sample ID 231031-pxcfgsga9t
Target PO 1100620230526.pdf(39kb).exe
SHA256 089fe1a7004a07e2fa5a8e706359b2d8d0b141bbc4719db9bc378e33b0771764
Tags
remcos xpertrat flex hard collection evasion persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

089fe1a7004a07e2fa5a8e706359b2d8d0b141bbc4719db9bc378e33b0771764

Threat Level: Known bad

The file PO 1100620230526.pdf(39kb).exe was found to be: Known bad.

Malicious Activity Summary

remcos xpertrat flex hard collection evasion persistence rat trojan

XpertRAT Core payload

XpertRAT

UAC bypass

Windows security bypass

Remcos

NirSoft MailPassView

Nirsoft

NirSoft WebBrowserPassView

Adds policy Run key to start application

Windows security modification

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Accesses Microsoft Outlook accounts

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Email Collection
T1114
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2023-10-31 12:42

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-31 12:42

Reported

2023-10-31 12:44

Platform

win10v2004-20231020-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe"

Signatures

Remcos

rat remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

XpertRAT

rat xpertrat

XpertRAT Core payload

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2 = "C:\\Users\\Admin\\AppData\\Roaming\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2 = "C:\\Users\\Admin\\AppData\\Roaming\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2 = "C:\\Users\\Admin\\AppData\\Roaming\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3632 set thread context of 2040 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2040 set thread context of 2756 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2040 set thread context of 1256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2040 set thread context of 4336 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 1556 set thread context of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3632 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3632 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3632 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3632 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3632 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3632 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3632 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3632 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3632 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3632 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3632 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 3632 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2040 wrote to memory of 572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2040 wrote to memory of 572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2040 wrote to memory of 572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2040 wrote to memory of 2756 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2040 wrote to memory of 2756 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2040 wrote to memory of 2756 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2040 wrote to memory of 2756 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2040 wrote to memory of 1256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2040 wrote to memory of 1256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2040 wrote to memory of 1256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2040 wrote to memory of 1256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2040 wrote to memory of 4336 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2040 wrote to memory of 4336 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2040 wrote to memory of 4336 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2040 wrote to memory of 4336 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2040 wrote to memory of 1556 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Users\Admin\AppData\Local\Temp\Iserver.exe
PID 2040 wrote to memory of 1556 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Users\Admin\AppData\Local\Temp\Iserver.exe
PID 2040 wrote to memory of 1556 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Users\Admin\AppData\Local\Temp\Iserver.exe
PID 1556 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1556 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1556 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1556 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1556 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1556 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1556 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1556 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe

"C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\rxifqalfbhtwymixwvykzcfqibpttgac"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\rxifqalfbhtwymixwvykzcfqibpttgac"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\crwx"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\mtbislo"

C:\Users\Admin\AppData\Local\Temp\Iserver.exe

"C:\Users\Admin\AppData\Local\Temp\Iserver.exe"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\Iserver.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 cloudhost.myfirewall.org udp
US 79.110.48.151:9302 cloudhost.myfirewall.org tcp
US 8.8.8.8:53 151.48.110.79.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 79.110.48.151:9302 cloudhost.myfirewall.org tcp
US 79.110.48.151:9302 cloudhost.myfirewall.org tcp
US 79.110.48.151:9302 cloudhost.myfirewall.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 sandshoe.myfirewall.org udp
US 79.110.48.151:5344 sandshoe.myfirewall.org tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 79.110.48.151:5344 sandshoe.myfirewall.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 79.110.48.151:5344 sandshoe.myfirewall.org tcp
US 8.8.8.8:53 sandshoe.myfirewall.org udp
US 79.110.48.151:5344 sandshoe.myfirewall.org tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 79.110.48.151:5344 sandshoe.myfirewall.org tcp
US 79.110.48.151:5344 sandshoe.myfirewall.org tcp
US 8.8.8.8:53 sandshoe.myfirewall.org udp
US 79.110.48.151:5344 sandshoe.myfirewall.org tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

memory/3632-0-0x0000000074980000-0x0000000075130000-memory.dmp

memory/3632-1-0x00000000051B0000-0x0000000005358000-memory.dmp

memory/3632-2-0x0000000004FF0000-0x0000000005000000-memory.dmp

memory/3632-3-0x0000000004FF0000-0x0000000005000000-memory.dmp

memory/3632-4-0x0000000005360000-0x0000000005904000-memory.dmp

memory/3632-5-0x0000000005000000-0x00000000051A8000-memory.dmp

memory/3632-6-0x0000000004FA0000-0x0000000004FAA000-memory.dmp

memory/3632-7-0x0000000004FF0000-0x0000000005000000-memory.dmp

memory/2040-8-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-9-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-11-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-12-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3632-13-0x0000000074980000-0x0000000075130000-memory.dmp

memory/2040-14-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-16-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-17-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-18-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-19-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-20-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-21-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-22-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-23-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-24-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-26-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-27-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-29-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2756-30-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1256-31-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1256-35-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4336-37-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2756-36-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2756-41-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1256-40-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1256-42-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4336-43-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4336-45-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4336-49-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Iserver.exe

MD5 98dba4873d2b9b467158400540b5eebe
SHA1 4769f5a15191e8ac78ae46544f52414e47fedd30
SHA256 7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4
SHA512 37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666

C:\Users\Admin\AppData\Local\Temp\Iserver.exe

MD5 98dba4873d2b9b467158400540b5eebe
SHA1 4769f5a15191e8ac78ae46544f52414e47fedd30
SHA256 7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4
SHA512 37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666

C:\Users\Admin\AppData\Local\Temp\Iserver.exe

MD5 98dba4873d2b9b467158400540b5eebe
SHA1 4769f5a15191e8ac78ae46544f52414e47fedd30
SHA256 7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4
SHA512 37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666

memory/2040-60-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4016-63-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2756-65-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rxifqalfbhtwymixwvykzcfqibpttgac

MD5 4b7a1143d282cad8f95bacd8c4625ee2
SHA1 e70e2be5f0cd1caf14f68b79746cdd17753a64bd
SHA256 7cf5f82980af1b209fec6680ee49623f7e3488676fff8d1a1a5b8c655cb9f6b2
SHA512 edc01a4814a33fd61f7f2b8d8ec9e08b827a0ecd432785816cc3554b8b57eb3bda45203d12d9a8fcf751f9919c279fcd0866603d00502d22a412a15524814063

memory/2040-72-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2040-77-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2040-78-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2040-79-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2040-76-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2040-80-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-82-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-84-0x0000000010000000-0x0000000010019000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 6f8f68d64fcdf74eed8bfb492620966f
SHA1 a5a2adaf1139cec53d9dc1843dfc7d859be7d4bd
SHA256 41fedf2d8af5f44dbc79d0f701d1be7914912c150412b277becf085bbc35fbc4
SHA512 fd6d6c01a802ed91ca26a207810ebee04192810a72f28df94faf513e751c0cd87e2e0dfddc2b44720be5f70d6c54bb3e3d8c9eda2a1754639c77d58b31aa6a55

memory/2040-89-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-90-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-97-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-98-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-105-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-106-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-113-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2040-114-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-31 12:42

Reported

2023-10-31 12:44

Platform

win7-20231020-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe"

Signatures

Remcos

rat remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

XpertRAT

rat xpertrat

XpertRAT Core payload

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2 = "C:\\Users\\Admin\\AppData\\Roaming\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2 = "C:\\Users\\Admin\\AppData\\Roaming\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2 = "C:\\Users\\Admin\\AppData\\Roaming\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2176 set thread context of 2068 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2068 set thread context of 2636 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2068 set thread context of 2584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2068 set thread context of 2652 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2680 set thread context of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2176 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2176 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2176 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2176 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2176 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2176 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2176 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2176 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2176 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2176 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2176 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2176 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2176 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2176 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2176 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2176 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2176 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2068 wrote to memory of 2636 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2068 wrote to memory of 2636 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2068 wrote to memory of 2636 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2068 wrote to memory of 2636 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2068 wrote to memory of 2636 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2068 wrote to memory of 2584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2068 wrote to memory of 2584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2068 wrote to memory of 2584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2068 wrote to memory of 2584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2068 wrote to memory of 2584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2068 wrote to memory of 2652 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2068 wrote to memory of 2652 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2068 wrote to memory of 2652 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2068 wrote to memory of 2652 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2068 wrote to memory of 2652 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
PID 2068 wrote to memory of 2680 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Users\Admin\AppData\Local\Temp\Iserver.exe
PID 2068 wrote to memory of 2680 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Users\Admin\AppData\Local\Temp\Iserver.exe
PID 2068 wrote to memory of 2680 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Users\Admin\AppData\Local\Temp\Iserver.exe
PID 2068 wrote to memory of 2680 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Users\Admin\AppData\Local\Temp\Iserver.exe
PID 2068 wrote to memory of 2680 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Users\Admin\AppData\Local\Temp\Iserver.exe
PID 2068 wrote to memory of 2680 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Users\Admin\AppData\Local\Temp\Iserver.exe
PID 2068 wrote to memory of 2680 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe C:\Users\Admin\AppData\Local\Temp\Iserver.exe
PID 2680 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Iserver.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Iserver.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe

"C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\dqnlnzxqqaewtxvtubagtxofsfiyrl"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\nksdnrijlixbddjxdmvawkioatrzkwuwrs"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\ymywok"

C:\Users\Admin\AppData\Local\Temp\Iserver.exe

"C:\Users\Admin\AppData\Local\Temp\Iserver.exe"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\Iserver.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cloudhost.myfirewall.org udp
US 79.110.48.151:9302 cloudhost.myfirewall.org tcp
US 79.110.48.151:9302 cloudhost.myfirewall.org tcp
US 79.110.48.151:9302 cloudhost.myfirewall.org tcp
US 79.110.48.151:9302 cloudhost.myfirewall.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 sandshoe.myfirewall.org udp
US 79.110.48.151:5344 sandshoe.myfirewall.org tcp
US 79.110.48.151:5344 sandshoe.myfirewall.org tcp
US 79.110.48.151:5344 sandshoe.myfirewall.org tcp
US 8.8.8.8:53 sandshoe.myfirewall.org udp
US 79.110.48.151:5344 sandshoe.myfirewall.org tcp
US 79.110.48.151:5344 sandshoe.myfirewall.org tcp
US 79.110.48.151:5344 sandshoe.myfirewall.org tcp
US 8.8.8.8:53 sandshoe.myfirewall.org udp
US 79.110.48.151:5344 sandshoe.myfirewall.org tcp

Files

memory/2176-0-0x0000000074BE0000-0x00000000752CE000-memory.dmp

memory/2176-1-0x0000000004FA0000-0x0000000005148000-memory.dmp

memory/2176-2-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

memory/2176-3-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

memory/2176-4-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

memory/2176-5-0x0000000004DF0000-0x0000000004F98000-memory.dmp

memory/2176-6-0x00000000009A0000-0x00000000009AA000-memory.dmp

memory/2176-7-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

memory/2068-8-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-10-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-12-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-14-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-16-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-18-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-20-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-22-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2068-25-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2176-27-0x0000000074BE0000-0x00000000752CE000-memory.dmp

memory/2068-28-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-29-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-30-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-32-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-34-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-35-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-36-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-38-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-39-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-40-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2584-51-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2068-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-54-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2584-57-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2652-59-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2584-60-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2636-63-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2652-65-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2584-64-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2068-58-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2636-55-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2636-45-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2652-67-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2652-68-0x0000000000400000-0x0000000000424000-memory.dmp

\Users\Admin\AppData\Local\Temp\Iserver.exe

MD5 98dba4873d2b9b467158400540b5eebe
SHA1 4769f5a15191e8ac78ae46544f52414e47fedd30
SHA256 7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4
SHA512 37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666

C:\Users\Admin\AppData\Local\Temp\Iserver.exe

MD5 98dba4873d2b9b467158400540b5eebe
SHA1 4769f5a15191e8ac78ae46544f52414e47fedd30
SHA256 7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4
SHA512 37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666

C:\Users\Admin\AppData\Local\Temp\Iserver.exe

MD5 98dba4873d2b9b467158400540b5eebe
SHA1 4769f5a15191e8ac78ae46544f52414e47fedd30
SHA256 7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4
SHA512 37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666

memory/2068-75-0x0000000000400000-0x0000000000482000-memory.dmp

\Users\Admin\AppData\Local\Temp\Iserver.exe

MD5 98dba4873d2b9b467158400540b5eebe
SHA1 4769f5a15191e8ac78ae46544f52414e47fedd30
SHA256 7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4
SHA512 37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666

\Users\Admin\AppData\Local\Temp\Iserver.exe

MD5 98dba4873d2b9b467158400540b5eebe
SHA1 4769f5a15191e8ac78ae46544f52414e47fedd30
SHA256 7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4
SHA512 37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666

\Users\Admin\AppData\Local\Temp\Iserver.exe

MD5 98dba4873d2b9b467158400540b5eebe
SHA1 4769f5a15191e8ac78ae46544f52414e47fedd30
SHA256 7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4
SHA512 37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666

memory/3036-81-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe

MD5 98dba4873d2b9b467158400540b5eebe
SHA1 4769f5a15191e8ac78ae46544f52414e47fedd30
SHA256 7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4
SHA512 37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666

memory/2636-92-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dqnlnzxqqaewtxvtubagtxofsfiyrl

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2068-95-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2068-99-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-98-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2068-101-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2068-102-0x0000000010000000-0x0000000010019000-memory.dmp

memory/2068-103-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2584-104-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2068-107-0x0000000010000000-0x0000000010019000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 cb9e42a922603f8477395c363d08b0bb
SHA1 2dc764dc2dc62f2b1e417c9c4e689040d0cc0e15
SHA256 408fb2d53de04603450704678dedb42362bb63056816997110bef0e6e2de78d7
SHA512 4c076a4fe27b4857f9bff1d69f71c2a9cb17c3a55bde50d3fac143ac025a61160f81df412e68e6718f096d61dddbb854b38965af2a89b900ecb4b3a9775f387b

memory/2068-111-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-112-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2068-119-0x0000000000400000-0x0000000000482000-memory.dmp