Malware Analysis Report

2024-09-22 11:19

Sample ID 231130-v9xvvafc8s
Target Remcos v4.9.3 Pro.exe
SHA256 f7284ed876aebbf3407d50fd6acdbd11adb75c31550c3034c1600f4eb4e61043
Tags
hawkeye remcos nulled evasion keylogger persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f7284ed876aebbf3407d50fd6acdbd11adb75c31550c3034c1600f4eb4e61043

Threat Level: Known bad

The file Remcos v4.9.3 Pro.exe was found to be: Known bad.

Malicious Activity Summary

hawkeye remcos nulled evasion keylogger persistence rat spyware stealer trojan

Remcos

HawkEye

UAC bypass

Remcos family

Adds policy Run key to start application

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Modifies registry key

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-11-30 17:41

Signatures

Remcos family

remcos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-30 17:41

Reported

2023-11-30 17:45

Platform

win10v2004-20231127-en

Max time kernel

113s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Remcos

rat remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Caveat on the signature name: the indicator is reg.exe writing EnableLUA = 0 under HKLM\...\Policies\System. That does not bypass a UAC prompt; it turns UAC off for every account on the machine, and only after the next logon or reboot. Because the key lives under HKLM, the write only succeeds when the caller already holds an administrative token (it does in this detonation, which is also why the sample can drop a file into C:\Windows); from a standard-user process the command fails with access denied. The three rows are not duplicates: the same reg.exe command is run once by each stage (the dropper, the dropped svhost.exe and the hollowed iexplore.exe), matching the three reg.exe PIDs 4724, 4976 and 2972 in the WriteProcessMemory table below.

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\svhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" C:\Windows\svhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" C:\Windows\svhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" C:\Windows\svhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
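The UAC and persistence rows above describe registry state that a responder can check on any suspect host, and the pattern generalizes beyond this sample: one randomly named value written to HKCU\Run, HKLM\WOW6432Node\Run and the group-policy Policies\Explorer\Run key, all pointing at a binary whose name is one character off a system process and which sits in the C:\Windows root rather than System32. The following Python is an added example and not part of the sandbox output. SNAPSHOT is constructed from the Set value rows on this page plus one made-up benign OneDrive entry for contrast; on a live host the same keys would be read with reg query or Get-ItemProperty. The system-image list, the DDNS-style thresholds and the edit-distance cut-off of 2 are my choices.

```python
"""Host triage for the registry changes recorded above: UAC switched off via
EnableLUA, and one autostart value written to three locations.  Added example,
not part of the sandbox report."""
import ntpath

# Constructed snapshot: the 'Set value' rows from this report, plus one benign
# OneDrive entry (made up for contrast) so the checks have something to ignore.
# On a live host, read the same keys with `reg query` or Get-ItemProperty.
SNAPSHOT = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System": {"EnableLUA": 0},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run": {
        "ewaewefsefsefdseadwadf-21RLZF": r'"C:\Windows\svhost.exe"'},
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run": {
        "ewaewefsefsefdseadwadf-21RLZF": r'"C:\Windows\svhost.exe"'},
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "ewaewefsefsefdseadwadf-21RLZF": r'"C:\Windows\svhost.exe"',
        "OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
}
AUTOSTART_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
# Core system binaries that only ever live in System32/SysWOW64 (explorer.exe is
# deliberately left out because it legitimately sits in the C:\Windows root).
SYSTEM_IMAGES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe",
                 "wininit.exe", "smss.exe", "dwm.exe", "conhost.exe", "taskhostw.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def edit_distance(a, b):
    """Plain Levenshtein distance; catches svhost.exe vs svchost.exe (1 edit)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def command_image(command):
    """The executable in an autostart command: the quoted path if quoted, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def uac_disabled(snapshot):
    policy = snapshot.get(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", {})
    return policy.get("EnableLUA") == 0


def autostart_findings(snapshot):
    """Return [(key, value_name, image, reasons)] for autostart entries worth a look."""
    # How many autostart locations carry each value name: Remcos writes the same
    # name to HKCU\Run, HKLM\WOW6432Node\Run and Policies\Explorer\Run.
    name_count = {}
    for key in AUTOSTART_KEYS:
        for name in snapshot.get(key, {}):
            name_count[name] = name_count.get(name, 0) + 1
    findings = []
    for key in AUTOSTART_KEYS:
        for name, command in snapshot.get(key, {}).items():
            image = command_image(command)
            directory, base = ntpath.split(image.lower())
            reasons = []
            if directory == r"c:\windows":
                reasons.append("executable placed directly in C:\\Windows")
            if base in SYSTEM_IMAGES and directory not in SYSTEM_DIRS:
                reasons.append(f"{base} outside System32/SysWOW64")
            else:
                for sys_name in SYSTEM_IMAGES:
                    d = edit_distance(base, sys_name)
                    if 0 < d <= 2:
                        reasons.append(f"name within {d} edit(s) of {sys_name}")
            if name_count[name] > 1:
                reasons.append(f"same value name in {name_count[name]} autostart keys")
            if key.endswith(r"Policies\Explorer\Run"):
                reasons.append("entry under Policies\\Explorer\\Run (normally populated only by Group Policy)")
            if reasons:
                findings.append((key, name, image, reasons))
    return findings


if __name__ == "__main__":
    print("UAC disabled (EnableLUA=0):", uac_disabled(SNAPSHOT))
    for key, name, image, reasons in autostart_findings(SNAPSHOT):
        print(f"{key}\\{name} -> {image}")
        for r in reasons:
            print("   -", r)
```

The OneDrive entry produces no finding, while each of the three Remcos values is reported with the typosquat, the C:\Windows-root location and the repeated value name; the policy key entry additionally notes that legitimate software does not normally write there.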

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF C:\Windows\SysWOW64\dxdiag.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF C:\Windows\SysWOW64\dxdiag.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2552 set thread context of 4364 N/A C:\Windows\svhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4364 set thread context of 4344 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\svhost.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe N/A
File opened for modification C:\Windows\svhost.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe N/A
File opened for modification C:\Windows\svhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\SysWOW64\dxdiag.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\SysWOW64\dxdiag.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\SysWOW64\dxdiag.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\SysWOW64\dxdiag.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\SysWOW64\dxdiag.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\SysWOW64\dxdiag.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3455265224-196869244-2056873367-1000\{AB83ABEF-B09B-47EC-B0E6-A8A0B8242F81} C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3455265224-196869244-2056873367-1000\{74146F13-2E97-4866-A18D-6DD36E5D0F2E} C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000_Classes\Local Settings \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\dxdiag.exe N/A
N/A N/A C:\Windows\SysWOW64\dxdiag.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\svhost.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A C:\Windows\SysWOW64\dxdiag.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1676 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1676 wrote to memory of 4724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2160 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe C:\Windows\svhost.exe
PID 2160 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe C:\Windows\svhost.exe
PID 2160 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe C:\Windows\svhost.exe
PID 2552 wrote to memory of 4944 N/A C:\Windows\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 4944 N/A C:\Windows\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 4944 N/A C:\Windows\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 4364 N/A C:\Windows\svhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2552 wrote to memory of 4364 N/A C:\Windows\svhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2552 wrote to memory of 4364 N/A C:\Windows\svhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2552 wrote to memory of 4364 N/A C:\Windows\svhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4364 wrote to memory of 3560 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 4364 wrote to memory of 3560 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 4364 wrote to memory of 3560 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 4976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4944 wrote to memory of 4976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4944 wrote to memory of 4976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3560 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3560 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3560 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4364 wrote to memory of 4344 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 4364 wrote to memory of 4344 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 4364 wrote to memory of 4344 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 4364 wrote to memory of 4344 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 4364 wrote to memory of 4436 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\dxdiag.exe
PID 4364 wrote to memory of 4436 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\dxdiag.exe
PID 4364 wrote to memory of 4436 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\dxdiag.exe
PID 4364 wrote to memory of 2744 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\WScript.exe
PID 4364 wrote to memory of 2744 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\WScript.exe
PID 4364 wrote to memory of 2744 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe

"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\dxdiag.exe

"C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xnhrhirejwhaukcpqxomxlhohemjwotzz.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 35.77.123.92.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 essagbs.ddns.net udp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
US 8.8.8.8:53 101.238.49.80.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
US 8.8.8.8:53 183.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
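Most of the network table is noise: the seventeen *.in-addr.arpa queries are reverse lookups of addresses seen during the run and say nothing about the sample, and g.bing.com is background traffic from the hollowed Internet Explorer process. What matters is essagbs.ddns.net resolving to 80.49.238.101 and being contacted eight times on TCP 2404, a dynamic-DNS hostname on a non-standard port with a reconnect pattern, plus the two HTTP requests to geoplugin.net, which Remcos uses to geolocate the victim. The following Python is an added example, not part of the sandbox output; NETWORK_ROWS is a constructed copy of the table above, and the dynamic-DNS suffix list, the "common port" set and the session threshold are my choices.

```python
"""Rank the endpoints in a sandbox network table as C2 candidates.
Added example; not part of the sandbox report."""
from collections import Counter

# Constructed input: the behavioral2 network table from this report, verbatim.
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 35.77.123.92.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 essagbs.ddns.net udp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
US 8.8.8.8:53 101.238.49.80.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
US 8.8.8.8:53 183.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
"""

# Assumed heuristics (my choices, not from the report).
DDNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.com", "duckdns.org", "hopto.org", "zapto.org")
COMMON_PORTS = {80, 443}
BEACON_THRESHOLD = 3


def parse_network(rows):
    """One dict per row: country, ip, port, domain, proto."""
    conns = []
    for line in rows.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        conns.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return conns


def is_ptr_noise(conn):
    """Reverse lookups of addresses seen during the run; not sample behaviour."""
    return conn["proto"] == "udp" and conn["domain"].endswith(".in-addr.arpa")


def rank_c2_candidates(conns):
    """Score each TCP endpoint: dynamic-DNS hostname, non-standard port, repeated sessions."""
    counts = Counter((c["domain"], c["ip"], c["port"]) for c in conns if c["proto"] == "tcp")
    ranked = []
    for (domain, ip, port), n in counts.items():
        reasons = []
        if domain.endswith(DDNS_SUFFIXES):
            reasons.append("dynamic-DNS hostname")
        if port not in COMMON_PORTS:
            reasons.append(f"non-standard port {port}")
        if n >= BEACON_THRESHOLD:
            reasons.append(f"{n} separate TCP sessions (reconnect/beacon pattern)")
        ranked.append({"endpoint": (domain, ip, port), "sessions": n, "score": len(reasons), "reasons": reasons})
    ranked.sort(key=lambda r: (-r["score"], -r["sessions"]))
    return ranked


def summary(rows):
    conns = parse_network(rows)
    real = [c for c in conns if not is_ptr_noise(c)]
    return {"total": len(conns), "ptr_noise": len(conns) - len(real), "ranked": rank_c2_candidates(real)}


if __name__ == "__main__":
    s = summary(NETWORK_ROWS)
    print(f"{s['total']} rows, {s['ptr_noise']} reverse-lookup rows dropped")
    for r in s["ranked"]:
        print(r["score"], r["endpoint"], r["sessions"], "sessions", "; ".join(r["reasons"]))
```

The top-ranked endpoint is essagbs.ddns.net / 80.49.238.101:2404 with all three reasons; geoplugin.net and g.bing.com score zero and stay at the bottom. For blocking, the hostname is the durable indicator: a dynamic-DNS C2 can move off 80.49.238.101 at any time.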

Files

C:\Windows\svhost.exe (listed three times in the sandbox output, once per file event: created and opened for modification by the dropper, then opened for modification again by the hollowed iexplore.exe; the hashes are identical each time)

MD5 ccb5f97be3daefc9cdeaff2aec1ad323
SHA1 3b561e66a88eb6072a363c1b9cc52d0a679c20e6
SHA256 f7284ed876aebbf3407d50fd6acdbd11adb75c31550c3034c1600f4eb4e61043
SHA512 c6716462e91b02b561ebe89418c3a36eea7dea6924ff6483cef6c834512123258706924cb8ec07040325522d41fe329659758b01f69bf6a17805599344f01180

The SHA256 is the submitted sample's: the dropper copies itself byte-for-byte to C:\Windows\svhost.exe, so a hash match on the original file also finds the persisted copy. Note the name, svhost.exe with no "c", and the location, the C:\Windows root; the genuine svchost.exe lives in System32 and SysWOW64, and the SysWOW64 copy is what the sample later hollows.

memory/4364-{8,9,10,11,13,14,16,19,22,23,24,27,28,29,30,31,33,34,37,38,40}-0x0000000000F60000-0x0000000000FDE000-memory.dmp

memory/4344-{17,18,20,21}-0x0000000000A30000-0x0000000000AAE000-memory.dmp

(Repeated dumps of the same two regions, collapsed from the sandbox's per-event listing. Both regions are 0x7E000 bytes: PID 4364 is the hollowed iexplore.exe and PID 4344 the hollowed svchost.exe, and the identical size is consistent with the same unpacked image being written into both. The unpacked image in either dump, rather than the packed file on disk, is where static analysis of the RAT should start.)

C:\ProgramData\logs\logs.dat

MD5 b5ca88c62504ff698932e49a72a17688
SHA1 466404d4d999d91f6ddf5e7fbe2c578024350dba
SHA256 9265eb06d69b94967489c440217a44056e939a92934d6c017c003bf928a3f415
SHA512 a351113ff3bb1c53f26f3fc669bd5c48a935d57e95e63ced0fae6206c3c288bd75a8f3608658b5db4a9bbddae83d346f7c7ee31cefa64cf48f7b46e1901ce187

memory/4364-{43,44}-0x0000000000F60000-0x0000000000FDE000-memory.dmp

memory/4436-{46,47,48,52,53,54,55,56,57,58}-0x00000000020B0000-0x00000000020B1000-memory.dmp

(Repeated dumps collapsed. PID 4436 is the dxdiag.exe child; its region is a single 0x1000-byte page, unlike the 0x7E000-byte image dumped from the two hollowed processes.)

C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

MD5 baa86d0d3993cb98e75513ecebdb661a
SHA1 38fdbbb092d3971e0cc6734e4bac94e6f4dbfea8
SHA256 3576796d932549bcfcb3e4409ab6d79b81cd7d8a4ec468b84dfb9278ae36e756
SHA512 10c7c5fc8083a1dd0fbb255d4e7e31ee33491e552dffe8323e6c36ab8cc61a7710cc7f7ca05e677b7de4a394e771ae03e29d0f3e3645b9802a27aaf97b0f7888

memory/4364-{75,77,78,84,85,86,88,89,93,94,95,96,98,101,104}-0x0000000000F60000-0x0000000000FDE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xnhrhirejwhaukcpqxomxlhohemjwotzz.vbs

MD5 add5c07ccccb47a55d146baefa26ae14
SHA1 f4f673a17ff2d1ccf91ba8fab00c07869c07f1e7
SHA256 3c57ff2c305b8048ce2569a62fe40c600c891a81cece9ee42f2f8310c0a83518
SHA512 9786c6f0d60de49a417a194e77859427517a6819f450676a303226f793f108ae4f8345cfd2cb94ecd5a204d6592a81325c7d80a7a08b318a922621495ffa9261

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-30 17:41

Reported

2023-11-30 17:44

Platform

win7-20231023-en

Max time kernel

132s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Remcos

rat remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\svhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" C:\Windows\svhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" C:\Windows\svhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" C:\Windows\svhost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2652 set thread context of 2740 N/A C:\Windows\svhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2740 set thread context of 2728 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\svhost.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe N/A
File opened for modification C:\Windows\svhost.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\SysWOW64\dxdiag.exe N/A
File opened for modification C:\Windows\svhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7} C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32 C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32 C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1 C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class" C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID C:\Windows\SysWOW64\dxdiag.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B} C:\Windows\SysWOW64\dxdiag.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1" C:\Windows\SysWOW64\dxdiag.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\dxdiag.exe N/A
N/A N/A C:\Windows\SysWOW64\dxdiag.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\svhost.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\dxdiag.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\dxdiag.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\dxdiag.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\dxdiag.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\dxdiag.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\dxdiag.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\dxdiag.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A C:\Windows\SysWOW64\dxdiag.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1060 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe C:\Windows\svhost.exe
PID 1060 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe C:\Windows\svhost.exe
PID 1060 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe C:\Windows\svhost.exe
PID 1060 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe C:\Windows\svhost.exe
PID 2800 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2800 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 2720 N/A C:\Windows\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2720 N/A C:\Windows\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2720 N/A C:\Windows\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2720 N/A C:\Windows\svhost.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2740 N/A C:\Windows\svhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2652 wrote to memory of 2740 N/A C:\Windows\svhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2652 wrote to memory of 2740 N/A C:\Windows\svhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2652 wrote to memory of 2740 N/A C:\Windows\svhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2720 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2720 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2720 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2720 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 2740 N/A C:\Windows\svhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2740 wrote to memory of 2668 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2668 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2668 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2668 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2668 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2740 wrote to memory of 2728 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2740 wrote to memory of 2728 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2740 wrote to memory of 2728 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2740 wrote to memory of 2728 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2740 wrote to memory of 2728 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2740 wrote to memory of 332 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\dxdiag.exe
PID 2740 wrote to memory of 332 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\dxdiag.exe
PID 2740 wrote to memory of 332 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\dxdiag.exe
PID 2740 wrote to memory of 332 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\dxdiag.exe
PID 2740 wrote to memory of 1536 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\WScript.exe
PID 2740 wrote to memory of 1536 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\WScript.exe
PID 2740 wrote to memory of 1536 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\WScript.exe
PID 2740 wrote to memory of 1536 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe

"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\dxdiag.exe

"C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wfphnbumtkurc.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 essagbs.ddns.net udp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
US 8.8.8.8:53 crl.microsoft.com udp
US 2.18.121.147:80 crl.microsoft.com tcp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
PL 80.49.238.101:2404 essagbs.ddns.net tcp
PL 80.49.238.101:2404 essagbs.ddns.net tcp

Files

C:\Windows\svhost.exe

MD5 ccb5f97be3daefc9cdeaff2aec1ad323
SHA1 3b561e66a88eb6072a363c1b9cc52d0a679c20e6
SHA256 f7284ed876aebbf3407d50fd6acdbd11adb75c31550c3034c1600f4eb4e61043
SHA512 c6716462e91b02b561ebe89418c3a36eea7dea6924ff6483cef6c834512123258706924cb8ec07040325522d41fe329659758b01f69bf6a17805599344f01180

memory/2740-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2740-12-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-13-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-10-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-14-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-18-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-17-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-19-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2728-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2728-22-0x00000000000D0000-0x000000000014E000-memory.dmp

memory/2740-24-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2728-25-0x00000000000D0000-0x000000000014E000-memory.dmp

memory/2728-26-0x00000000000D0000-0x000000000014E000-memory.dmp

memory/2740-27-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-28-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-29-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-31-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-32-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-33-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-35-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-36-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-37-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-39-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-40-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-41-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-42-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-45-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-46-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-47-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-52-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-53-0x0000000000080000-0x00000000000FE000-memory.dmp

C:\ProgramData\logs\logs.dat

MD5 c894c86f1264d487437ca652291a6c7e
SHA1 7c1a00da8d1afb5afdef6fe6c04701738958db95
SHA256 ecd3217430b344d77f078c08a8207bd9ab2738bf3844a80050641f6c26d51059
SHA512 3a86736dee83c8279786beecfa29e09dee1c2f7c6d2319d1349fa5cb6b024a3bcba73b2d9b32fd2dec42b875fd7f9ddd54c022e35e290dd5b8189dcb34d27361

memory/2740-60-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-61-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-68-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-69-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-70-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-71-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-72-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-73-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-74-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-75-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/332-77-0x0000000000820000-0x000000000082A000-memory.dmp

memory/332-76-0x0000000000820000-0x000000000082A000-memory.dmp

memory/332-92-0x0000000000850000-0x000000000085A000-memory.dmp

memory/332-91-0x0000000000850000-0x000000000085A000-memory.dmp

memory/332-93-0x0000000000E20000-0x0000000000E7C000-memory.dmp

memory/332-94-0x0000000000E20000-0x0000000000E7C000-memory.dmp

memory/332-95-0x0000000000E20000-0x0000000000E7C000-memory.dmp

memory/332-96-0x0000000000C70000-0x0000000000C9A000-memory.dmp

memory/332-98-0x0000000000C70000-0x0000000000C9A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

MD5 a29b9352798d0f783cce266c7847017c
SHA1 c3bf0df87754c6275773326711059a1058c92851
SHA256 82a06462de98e42d3b111f780d9a3d2067edfead18152f1f54b08dda39c68fef
SHA512 5616749d739a7b31cfdebbf2b000f24db1946a0245d4a2df560c93ce4dcd9108fbbc570b76b617f9c3c48335854a469a4bd5033fa28534bc9091cb9f4ecf1ca9

memory/332-100-0x0000000000820000-0x000000000082A000-memory.dmp

memory/2740-101-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-104-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-106-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-107-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-109-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-111-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-112-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-113-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2740-119-0x0000000000080000-0x00000000000FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wfphnbumtkurc.vbs

MD5 add5c07ccccb47a55d146baefa26ae14
SHA1 f4f673a17ff2d1ccf91ba8fab00c07869c07f1e7
SHA256 3c57ff2c305b8048ce2569a62fe40c600c891a81cece9ee42f2f8310c0a83518
SHA512 9786c6f0d60de49a417a194e77859427517a6819f450676a303226f793f108ae4f8345cfd2cb94ecd5a204d6592a81325c7d80a7a08b318a922621495ffa9261