remcos | 9b5ef79976dbfedbc2c85f57a905bdc408956be8e51cb04a76a4e5d353b575a2

Analysis

max time kernel
168s
max time network
168s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
03-11-2023 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.00023eb2bebba3dfe0bf9497a742b890.exe
Size

1.7MB
MD5

00023eb2bebba3dfe0bf9497a742b890
SHA1

061d3982bc63dad1e391dd4861987d9de96dabf1
SHA256

9b5ef79976dbfedbc2c85f57a905bdc408956be8e51cb04a76a4e5d353b575a2
SHA512

1eca12962921a981cd5fd2564bc57ec22f94eb34f8eaf2f110deadada9ba2e4778992585779c51d42b2a3254cb481aa7f0fbca0016e9a2ac159b950765b043b5
SSDEEP

49152:LkQTA25XkXJqDxHtrZPfnV2gAUCkSbVRb0ilg7/mHHHF:La29kElHrIjU/CzG7eHnF

Score

10^/10

remcos xpertrat hard collection evasion persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

HARD

cloudhost.myfirewall.org:9302

sandshoe.myfirewall.org:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
WindowUpdate.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
install_path
%Temp%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
RmcqSxe-3TCTRL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

Iserver.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Iserver.exe
Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

Iserver.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" Iserver.exe
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Iserver.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Iserver.exe

NirSoft MailPassView 6 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2384-59-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/2384-65-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/2204-98-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/2384-104-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/2204-106-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/2384-107-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 6 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2732-62-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2732-100-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2980-122-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2732-127-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2980-129-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1296-141-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2384-59-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/2384-65-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/2628-63-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2628-68-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2732-62-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2204-98-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/2732-100-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2836-105-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2384-104-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/2204-106-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/2384-107-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/2980-122-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2732-127-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2980-129-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1296-141-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2 = "C:\\Users\\Admin\\AppData\\Roaming\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe"	iexplore.exe

Executes dropped EXE 1 IoCs

Processes:

Iserver.exe

pid process

1160 Iserver.exe
Loads dropped DLL 4 IoCs

Processes:

Caspol.exeIserver.exe

pid process

2800 Caspol.exe
1160 Iserver.exe
1160 Iserver.exe
1160 Iserver.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

Iserver.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" Iserver.exe

pid	process
1160	Iserver.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Iserver.exe

Accesses Microsoft Outlook accounts 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Caspol.exeiexplore.exeCaspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	iexplore.exe
Key opened	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Caspol.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2 = "C:\\Users\\Admin\\AppData\\Roaming\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2 = "C:\\Users\\Admin\\AppData\\Roaming\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Iserver.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Iserver.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Iserver.exe

Suspicious use of SetThreadContext 18 IoCs

Processes:

NEAS.00023eb2bebba3dfe0bf9497a742b890.exeCaspol.exeIserver.exeiexplore.exe

description	pid	process	target process
PID 2580 set thread context of 2800	2580	NEAS.00023eb2bebba3dfe0bf9497a742b890.exe	Caspol.exe
PID 2800 set thread context of 2732	2800	Caspol.exe	Caspol.exe
PID 2800 set thread context of 2384	2800	Caspol.exe	Caspol.exe
PID 2800 set thread context of 2628	2800	Caspol.exe	Caspol.exe
PID 1160 set thread context of 3068	1160	Iserver.exe	iexplore.exe
PID 1160 set thread context of 2936	1160	Iserver.exe	iexplore.exe
PID 2800 set thread context of 1296	2800	Caspol.exe	Caspol.exe
PID 2800 set thread context of 2204	2800	Caspol.exe	Caspol.exe
PID 2800 set thread context of 2836	2800	Caspol.exe	Caspol.exe
PID 1160 set thread context of 2192	1160	Iserver.exe	iexplore.exe
PID 1160 set thread context of 3004	1160	Iserver.exe	iexplore.exe
PID 2800 set thread context of 2980	2800	Caspol.exe	Caspol.exe
PID 2800 set thread context of 896	2800	Caspol.exe	Caspol.exe
PID 3004 set thread context of 2084	3004	iexplore.exe	iexplore.exe
PID 3004 set thread context of 1084	3004	iexplore.exe	iexplore.exe
PID 3004 set thread context of 2064	3004	iexplore.exe	iexplore.exe
PID 3004 set thread context of 1964	3004	iexplore.exe	iexplore.exe
PID 3004 set thread context of 704	3004	iexplore.exe	iexplore.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

Caspol.exeIserver.exeCaspol.exeCaspol.exeiexplore.exe

pid	process
2732	Caspol.exe
1160	Iserver.exe
1160	Iserver.exe
1160	Iserver.exe
1160	Iserver.exe
1160	Iserver.exe
1160	Iserver.exe
1296	Caspol.exe
1160	Iserver.exe
1160	Iserver.exe
2980	Caspol.exe
2732	Caspol.exe
2980	Caspol.exe
1160	Iserver.exe
1160	Iserver.exe
1296	Caspol.exe
2064	iexplore.exe

Suspicious behavior: MapViewOfSection 10 IoCs

Processes:

Caspol.exe

pid	process
2800	Caspol.exe
2800	Caspol.exe
2800	Caspol.exe
2800	Caspol.exe
2800	Caspol.exe
2800	Caspol.exe
2800	Caspol.exe
2800	Caspol.exe
2800	Caspol.exe
2800	Caspol.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Caspol.exeCaspol.exeiexplore.exeiexplore.exe

description	pid	process
Token: SeDebugPrivilege	2628	Caspol.exe
Token: SeDebugPrivilege	2836	Caspol.exe
Token: SeDebugPrivilege	3004	iexplore.exe
Token: SeDebugPrivilege	2084	iexplore.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Caspol.exeIserver.exeiexplore.exe

pid process

2800 Caspol.exe
1160 Iserver.exe
3004 iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NEAS.00023eb2bebba3dfe0bf9497a742b890.exeCaspol.exeIserver.exe

description	pid	process	target process
PID 2580 wrote to memory of 2800	2580	NEAS.00023eb2bebba3dfe0bf9497a742b890.exe	Caspol.exe
PID 2580 wrote to memory of 2800	2580	NEAS.00023eb2bebba3dfe0bf9497a742b890.exe	Caspol.exe
PID 2580 wrote to memory of 2800	2580	NEAS.00023eb2bebba3dfe0bf9497a742b890.exe	Caspol.exe
PID 2580 wrote to memory of 2800	2580	NEAS.00023eb2bebba3dfe0bf9497a742b890.exe	Caspol.exe
PID 2580 wrote to memory of 2800	2580	NEAS.00023eb2bebba3dfe0bf9497a742b890.exe	Caspol.exe
PID 2580 wrote to memory of 2800	2580	NEAS.00023eb2bebba3dfe0bf9497a742b890.exe	Caspol.exe
PID 2580 wrote to memory of 2800	2580	NEAS.00023eb2bebba3dfe0bf9497a742b890.exe	Caspol.exe
PID 2580 wrote to memory of 2800	2580	NEAS.00023eb2bebba3dfe0bf9497a742b890.exe	Caspol.exe
PID 2580 wrote to memory of 2800	2580	NEAS.00023eb2bebba3dfe0bf9497a742b890.exe	Caspol.exe
PID 2580 wrote to memory of 2800	2580	NEAS.00023eb2bebba3dfe0bf9497a742b890.exe	Caspol.exe
PID 2580 wrote to memory of 2800	2580	NEAS.00023eb2bebba3dfe0bf9497a742b890.exe	Caspol.exe
PID 2580 wrote to memory of 2800	2580	NEAS.00023eb2bebba3dfe0bf9497a742b890.exe	Caspol.exe
PID 2580 wrote to memory of 2800	2580	NEAS.00023eb2bebba3dfe0bf9497a742b890.exe	Caspol.exe
PID 2800 wrote to memory of 2732	2800	Caspol.exe	Caspol.exe
PID 2800 wrote to memory of 2732	2800	Caspol.exe	Caspol.exe
PID 2800 wrote to memory of 2732	2800	Caspol.exe	Caspol.exe
PID 2800 wrote to memory of 2732	2800	Caspol.exe	Caspol.exe
PID 2800 wrote to memory of 2732	2800	Caspol.exe	Caspol.exe
PID 2800 wrote to memory of 2384	2800	Caspol.exe	Caspol.exe
PID 2800 wrote to memory of 2384	2800	Caspol.exe	Caspol.exe
PID 2800 wrote to memory of 2384	2800	Caspol.exe	Caspol.exe
PID 2800 wrote to memory of 2384	2800	Caspol.exe	Caspol.exe
PID 2800 wrote to memory of 2384	2800	Caspol.exe	Caspol.exe
PID 2800 wrote to memory of 2628	2800	Caspol.exe	Caspol.exe
PID 2800 wrote to memory of 2628	2800	Caspol.exe	Caspol.exe
PID 2800 wrote to memory of 2628	2800	Caspol.exe	Caspol.exe
PID 2800 wrote to memory of 2628	2800	Caspol.exe	Caspol.exe
PID 2800 wrote to memory of 2628	2800	Caspol.exe	Caspol.exe
PID 2800 wrote to memory of 1160	2800	Caspol.exe	Iserver.exe
PID 2800 wrote to memory of 1160	2800	Caspol.exe	Iserver.exe
PID 2800 wrote to memory of 1160	2800	Caspol.exe	Iserver.exe
PID 2800 wrote to memory of 1160	2800	Caspol.exe	Iserver.exe
PID 2800 wrote to memory of 1160	2800	Caspol.exe	Iserver.exe
PID 2800 wrote to memory of 1160	2800	Caspol.exe	Iserver.exe
PID 2800 wrote to memory of 1160	2800	Caspol.exe	Iserver.exe
PID 1160 wrote to memory of 3068	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 3068	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 3068	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 3068	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 3068	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 3068	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 3068	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 3068	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 3068	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 3068	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 3068	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 3068	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 2936	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 2936	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 2936	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 2936	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 2936	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 2936	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 2936	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 2936	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 2936	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 2936	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 2936	1160	Iserver.exe	iexplore.exe
PID 1160 wrote to memory of 2936	1160	Iserver.exe	iexplore.exe
PID 2800 wrote to memory of 1296	2800	Caspol.exe	Caspol.exe
PID 2800 wrote to memory of 1296	2800	Caspol.exe	Caspol.exe
PID 2800 wrote to memory of 1296	2800	Caspol.exe	Caspol.exe
PID 2800 wrote to memory of 1296	2800	Caspol.exe	Caspol.exe
PID 2800 wrote to memory of 1296	2800	Caspol.exe	Caspol.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

Iserver.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Iserver.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Iserver.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.00023eb2bebba3dfe0bf9497a742b890.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\fxyhaxemsvxagfoejah"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\pzeabqxogdpfjtkitltopc"
3⤵
- Accesses Microsoft Outlook accounts
PID:2384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\surkuiihclhktzymkwgishxfyt"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Users\Admin\AppData\Local\Temp\Iserver.exe
"C:\Users\Admin\AppData\Local\Temp\Iserver.exe"
3⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1160

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\Iserver.exe
4⤵
PID:3068

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\Iserver.exe
4⤵
PID:2936

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\Iserver.exe
4⤵
PID:2192

C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\Iserver.exe
4⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3004

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\qtbohfghp0.txt"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\qtbohfghp1.txt"
5⤵
- Accesses Microsoft Outlook accounts
PID:1084

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\qtbohfghp2.txt"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2064

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\qtbohfghp3.txt"
5⤵
PID:1964

C:\Program Files (x86)\Internet Explorer\iexplore.exe
/stext "C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\qtbohfghp4.txt"
5⤵
PID:704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\xdkuzzfudqeihhrwu"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\hfynssporywvsnnievbwe"
3⤵
- Accesses Microsoft Outlook accounts
PID:2204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\jzdfskapfgoaubbmvgoyhnlv"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\jzdfskapfgoaubbmvgoyhnlv"
3⤵
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\eozxxrvbtcstg"
3⤵
PID:2992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\eozxxrvbtcstg"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\oieixjfvplkyqicv"
3⤵
PID:896

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
02293db605124308de7b7a60590147ac

SHA1
18480cab4bc362b9d2e35149823249e10e16894e

SHA256
cc19e12e6436f6a85416b0e576923cc1453a09fd6edb92b0a58c605dba4956f4

SHA512
1c096993ae7acfe3ad31aa448b5d4cd50356835f1a3994d9d2092dc460048891cefa6962f3997759ce0258cb023af38340479666a446ee7d47bdc943406422dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iserver.exe
Filesize
172KB

MD5
98dba4873d2b9b467158400540b5eebe

SHA1
4769f5a15191e8ac78ae46544f52414e47fedd30

SHA256
7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4

SHA512
37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iserver.exe
Filesize
172KB

MD5
98dba4873d2b9b467158400540b5eebe

SHA1
4769f5a15191e8ac78ae46544f52414e47fedd30

SHA256
7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4

SHA512
37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhvCABE.tmp
Filesize
32.1MB

MD5
1f0135e15f39fe41d67cd58b8ec67478

SHA1
f28cce6ede6d44778eb8893a10decd9363917c90

SHA256
30b9aa5f69674a6be9911fb95ca6a222cb9bdcc15f033523db77f815e3474334

SHA512
e7ee9502350901590b702ce9b51c82a257f48a2938c43eb2b8e09d9f4d4c48293a5cdf05fbeac45e92248b13a82218cc524e49dce304270aac1b8b7bd8b57bd7

Download Submit
C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe
Filesize
172KB

MD5
98dba4873d2b9b467158400540b5eebe

SHA1
4769f5a15191e8ac78ae46544f52414e47fedd30

SHA256
7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4

SHA512
37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666

Download Submit
C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\qtbohfghp2.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\qtbohfghp4.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\qtbohfghp4.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\Iserver.exe
Filesize
172KB

MD5
98dba4873d2b9b467158400540b5eebe

SHA1
4769f5a15191e8ac78ae46544f52414e47fedd30

SHA256
7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4

SHA512
37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666

Download Submit
\Users\Admin\AppData\Local\Temp\Iserver.exe
Filesize
172KB

MD5
98dba4873d2b9b467158400540b5eebe

SHA1
4769f5a15191e8ac78ae46544f52414e47fedd30

SHA256
7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4

SHA512
37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666

Download Submit
\Users\Admin\AppData\Local\Temp\Iserver.exe
Filesize
172KB

MD5
98dba4873d2b9b467158400540b5eebe

SHA1
4769f5a15191e8ac78ae46544f52414e47fedd30

SHA256
7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4

SHA512
37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666

Download Submit
\Users\Admin\AppData\Local\Temp\Iserver.exe
Filesize
172KB

MD5
98dba4873d2b9b467158400540b5eebe

SHA1
4769f5a15191e8ac78ae46544f52414e47fedd30

SHA256
7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4

SHA512
37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666

Download Submit
memory/1296-141-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2204-106-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2204-98-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2384-49-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2384-107-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2384-65-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2384-59-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2384-55-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2384-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2384-104-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2580-0-0x0000000074930000-0x000000007501E000-memory.dmp

Filesize
6.9MB

Download
memory/2580-1-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/2580-5-0x0000000000710000-0x000000000071A000-memory.dmp

Filesize
40KB

Download
memory/2580-4-0x0000000004DB0000-0x0000000004F58000-memory.dmp

Filesize
1.7MB

Download
memory/2580-6-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/2580-2-0x0000000004F60000-0x0000000005108000-memory.dmp

Filesize
1.7MB

Download
memory/2580-29-0x0000000074930000-0x000000007501E000-memory.dmp

Filesize
6.9MB

Download
memory/2580-3-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/2628-63-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2628-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2628-68-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2628-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2732-100-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2732-45-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2732-52-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2732-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2732-62-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2732-127-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2800-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2800-24-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-13-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-95-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-9-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-7-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2800-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2836-105-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2980-129-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2980-122-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download