Malware Analysis Report

2025-06-16 01:18

Sample ID 231205-z3tl3aga64
Target $R6B2ZGV.exe
SHA256 996fec4254ba09feade637d40971b6472912961128f6ad353ec4fe0405f0cc70
Tags remcos remotehost rat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 996fec4254ba09feade637d40971b6472912961128f6ad353ec4fe0405f0cc70

Threat Level: Known bad

The file $R6B2ZGV.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-12-05 21:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-05 21:14
Reported 2023-12-05 21:17
Platform win7-20231129-en
Max time kernel 148s
Max time network 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2376 set thread context of 2804 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\schtasks.exe
PID 2376 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\schtasks.exe
PID 2376 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\schtasks.exe
PID 2376 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\schtasks.exe
PID 2376 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2376 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2376 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2376 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2376 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2376 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2376 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2376 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2376 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2376 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2376 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2376 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2376 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe

"C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XpBeYEmkGU.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XpBeYEmkGU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB693.tmp"

C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe

"C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe"

Network

Country Destination Domain Proto
CA 167.114.189.33:2404 tcp
CA 167.114.189.33:2404 tcp
CA 167.114.189.33:2404 tcp
CA 167.114.189.33:2404 tcp
CA 167.114.189.33:2404 tcp

Files

memory/2376-0-0x0000000001340000-0x0000000001424000-memory.dmp

memory/2376-1-0x00000000748A0000-0x0000000074F8E000-memory.dmp

memory/2376-2-0x0000000004D90000-0x0000000004DD0000-memory.dmp

memory/2376-3-0x0000000000410000-0x0000000000420000-memory.dmp

memory/2376-4-0x00000000748A0000-0x0000000074F8E000-memory.dmp

memory/2376-5-0x0000000004D90000-0x0000000004DD0000-memory.dmp

memory/2376-6-0x0000000000A10000-0x0000000000A1E000-memory.dmp

memory/2376-7-0x0000000005860000-0x0000000005918000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YPGIG0916FW8QWL4SKSC.temp

MD5 cea32a2624f703a64f9fc1417618fe21
SHA1 3b9fd3a070d079a5882f7f9151ff539924dcb741
SHA256 5ca0cfcc26bc81ee3a40190ea2844921a5d43376d2cd26573c54cca4c2658012
SHA512 40cab363acfbfb0b9493204c8a53a6aaf94bb5c413bc8941509866ff17e4f02ce667841b2c96f875119740931200dbf449ac49faf58388d842cb3815afcb1426

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 cea32a2624f703a64f9fc1417618fe21
SHA1 3b9fd3a070d079a5882f7f9151ff539924dcb741
SHA256 5ca0cfcc26bc81ee3a40190ea2844921a5d43376d2cd26573c54cca4c2658012
SHA512 40cab363acfbfb0b9493204c8a53a6aaf94bb5c413bc8941509866ff17e4f02ce667841b2c96f875119740931200dbf449ac49faf58388d842cb3815afcb1426

C:\Users\Admin\AppData\Local\Temp\tmpB693.tmp

MD5 98a515d0dfa44ec3c7336e63de787876
SHA1 1452d2c7a5485ae3eeba5ec9bad40449e9772cd9
SHA256 9df81ff9dd0665ab763c0db923d50457eb4c55685c9db79409e5caf562776749
SHA512 873ea7032697a40f446e7b925e13f37818c641aa472c206161ecdc9119197895604d77c4be1655b79d68aaaf626316fb654441a3e86f8543c61ea130373cdfbe

memory/2604-20-0x000000006D4F0000-0x000000006DA9B000-memory.dmp

memory/852-21-0x000000006D4F0000-0x000000006DA9B000-memory.dmp

memory/2804-23-0x0000000000400000-0x0000000000481000-memory.dmp

memory/852-25-0x000000006D4F0000-0x000000006DA9B000-memory.dmp

memory/2604-27-0x000000006D4F0000-0x000000006DA9B000-memory.dmp

memory/852-29-0x0000000002CB0000-0x0000000002CF0000-memory.dmp

memory/2804-31-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2604-32-0x0000000002E40000-0x0000000002E80000-memory.dmp

memory/2804-35-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2604-34-0x0000000002E40000-0x0000000002E80000-memory.dmp

memory/852-30-0x0000000002CB0000-0x0000000002CF0000-memory.dmp

memory/2804-37-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2804-26-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2804-39-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2804-24-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2804-41-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2604-22-0x0000000002E40000-0x0000000002E80000-memory.dmp

memory/2804-45-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2804-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2376-48-0x00000000748A0000-0x0000000074F8E000-memory.dmp

memory/2804-47-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2804-49-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2804-51-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2804-52-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2804-53-0x0000000000400000-0x0000000000481000-memory.dmp

memory/852-54-0x000000006D4F0000-0x000000006DA9B000-memory.dmp

memory/2604-55-0x000000006D4F0000-0x000000006DA9B000-memory.dmp

memory/2804-60-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2804-61-0x0000000000400000-0x0000000000481000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 918d483bc33cb04d6caffac8c248854f
SHA1 32bfacfc5cfcd4017d79b6d7a8ef00b6ec03fb17
SHA256 41116ed7cf53acff05cb8b49e0488ea389a67fdcf221ba43373ec882e20e662c
SHA512 f827dfe8f1d667fce0dc395dcf7427ea43d47dab345bf4daefde6ff726c972fa84b50d2bf4e27416db3c5ccd5038e6d1ffc4aef7f095a821c980795549986d97

memory/2804-66-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2804-67-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2804-73-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2804-74-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2804-79-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2804-80-0x0000000000400000-0x0000000000481000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-05 21:14
Reported 2023-12-05 21:17
Platform win10-20231129-en
Max time kernel 148s
Max time network 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe"

Signatures

Remcos

rat remcos

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3068 set thread context of 2900 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3068 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3068 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3068 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3068 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3068 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3068 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\schtasks.exe
PID 3068 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\schtasks.exe
PID 3068 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\schtasks.exe
PID 3068 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 3068 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 3068 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 3068 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 3068 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 3068 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 3068 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 3068 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 3068 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 3068 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 3068 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 3068 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe

"C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XpBeYEmkGU.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XpBeYEmkGU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp724D.tmp"

C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe

"C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe"

Network

Country Destination Domain Proto
CA 167.114.189.33:2404 tcp
CA 167.114.189.33:2404 tcp
CA 167.114.189.33:2404 tcp
CA 167.114.189.33:2404 tcp
CA 167.114.189.33:2404 tcp

Files

memory/3068-1-0x0000000073320000-0x0000000073A0E000-memory.dmp

memory/3068-0-0x00000000006A0000-0x0000000000784000-memory.dmp

memory/3068-2-0x0000000005560000-0x0000000005A5E000-memory.dmp

memory/3068-3-0x0000000005060000-0x00000000050F2000-memory.dmp

memory/3068-4-0x0000000005010000-0x0000000005020000-memory.dmp

memory/3068-5-0x0000000005140000-0x000000000514A000-memory.dmp

memory/3068-6-0x0000000005500000-0x0000000005510000-memory.dmp

memory/3068-7-0x0000000073320000-0x0000000073A0E000-memory.dmp

memory/3068-8-0x0000000005010000-0x0000000005020000-memory.dmp

memory/3068-9-0x0000000005510000-0x000000000551E000-memory.dmp

memory/3068-10-0x0000000006B40000-0x0000000006BF8000-memory.dmp

memory/3068-11-0x0000000009250000-0x00000000092EC000-memory.dmp

memory/1132-18-0x0000000073320000-0x0000000073A0E000-memory.dmp

memory/1132-19-0x0000000006670000-0x0000000006680000-memory.dmp

memory/1132-20-0x0000000000C00000-0x0000000000C36000-memory.dmp

memory/1132-22-0x0000000006670000-0x0000000006680000-memory.dmp

memory/1132-24-0x0000000006CB0000-0x00000000072D8000-memory.dmp

memory/3612-25-0x0000000073320000-0x0000000073A0E000-memory.dmp

memory/3612-27-0x00000000073D0000-0x00000000073E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp724D.tmp

MD5 14e1b188f75d56f6f7afe294121429cf
SHA1 f6cba689bc0b68ba8c16e43d936d756c4cb7bcf3
SHA256 c5e63f3413904372f44b57859dd6c4ecbbb314851d2274b23874601dfc18c872
SHA512 a72214dbb6f454c83a01e89ccb8672950bb9656a19dce2a8b4dcf8e3473a84ffed03f53050125e2321bd11eb2d3633c8141e1bd6ee19642ff37954eb58fbf6f7

memory/3612-28-0x00000000073D0000-0x00000000073E0000-memory.dmp

memory/3612-30-0x0000000007880000-0x00000000078A2000-memory.dmp

memory/2900-31-0x0000000000400000-0x0000000000481000-memory.dmp

memory/1132-34-0x0000000006B80000-0x0000000006BE6000-memory.dmp

memory/2900-32-0x0000000000400000-0x0000000000481000-memory.dmp

memory/3068-36-0x0000000073320000-0x0000000073A0E000-memory.dmp

memory/2900-39-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2900-42-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2900-41-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2900-43-0x0000000000400000-0x0000000000481000-memory.dmp

memory/1132-38-0x00000000074C0000-0x0000000007810000-memory.dmp

memory/3612-35-0x0000000008340000-0x00000000083A6000-memory.dmp

memory/2900-29-0x0000000000400000-0x0000000000481000-memory.dmp

memory/3612-44-0x0000000008240000-0x000000000825C000-memory.dmp

memory/1132-45-0x00000000078B0000-0x00000000078FB000-memory.dmp

memory/1132-46-0x0000000007BA0000-0x0000000007C16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tid12mxa.5yl.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1132-80-0x0000000008A70000-0x0000000008AA3000-memory.dmp

memory/3612-83-0x000000007E410000-0x000000007E420000-memory.dmp

memory/3612-82-0x0000000073AA0000-0x0000000073AEB000-memory.dmp

memory/1132-81-0x0000000073AA0000-0x0000000073AEB000-memory.dmp

memory/1132-79-0x000000007EF70000-0x000000007EF80000-memory.dmp

memory/3612-84-0x00000000098F0000-0x000000000990E000-memory.dmp

memory/1132-93-0x0000000008BC0000-0x0000000008C65000-memory.dmp

memory/3612-94-0x00000000073D0000-0x00000000073E0000-memory.dmp

memory/1132-95-0x0000000006670000-0x0000000006680000-memory.dmp

memory/3612-96-0x0000000009E20000-0x0000000009EB4000-memory.dmp

memory/1132-482-0x0000000006750000-0x000000000676A000-memory.dmp

memory/1132-491-0x0000000006740000-0x0000000006748000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 09e7a8aea3636188c3ca562e2c3353a5
SHA1 70eb0e4be5842d8c0d820147178b22e2e1981978
SHA256 9a42d3b38ebfd9afdf3fcbe6c316f89e91b2253964ce66aafe6957fcb7edd654
SHA512 7215554c95c546cda8f03e4d8090da6c7353f8f4f78fb0f64e453d778e78b63aca923c5541d89a180fc18ad3d318770fdbdeef5488532ba5a22d2c27b9d7ee5b

memory/1132-520-0x0000000073320000-0x0000000073A0E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

memory/1132-526-0x0000000073320000-0x0000000073A0E000-memory.dmp

memory/3612-525-0x0000000073320000-0x0000000073A0E000-memory.dmp

memory/2900-527-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2900-528-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2900-531-0x0000000000400000-0x0000000000481000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 918d483bc33cb04d6caffac8c248854f
SHA1 32bfacfc5cfcd4017d79b6d7a8ef00b6ec03fb17
SHA256 41116ed7cf53acff05cb8b49e0488ea389a67fdcf221ba43373ec882e20e662c
SHA512 f827dfe8f1d667fce0dc395dcf7427ea43d47dab345bf4daefde6ff726c972fa84b50d2bf4e27416db3c5ccd5038e6d1ffc4aef7f095a821c980795549986d97

memory/2900-535-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2900-536-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2900-541-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2900-542-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2900-547-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2900-549-0x0000000000400000-0x0000000000481000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted 2023-12-05 21:14
Reported 2023-12-05 21:17
Platform win10v2004-20231127-en
Max time kernel 150s
Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2652 set thread context of 924 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2652 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2652 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Windows\SysWOW64\schtasks.exe
PID 2652 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2652 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2652 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2652 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2652 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2652 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2652 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2652 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2652 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2652 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2652 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
PID 2652 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe

"C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XpBeYEmkGU.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XpBeYEmkGU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1B5E.tmp"

C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe

"C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 226.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 185.77.117.104.in-addr.arpa udp
CA 167.114.189.33:2404 tcp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
CA 167.114.189.33:2404 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
CA 167.114.189.33:2404 tcp
CA 167.114.189.33:2404 tcp
US 8.8.8.8:53 11.73.50.20.in-addr.arpa udp
CA 167.114.189.33:2404 tcp

Files

memory/2652-0-0x0000000074F30000-0x00000000756E0000-memory.dmp

memory/2652-1-0x0000000000140000-0x0000000000224000-memory.dmp

memory/2652-2-0x0000000005200000-0x00000000057A4000-memory.dmp

memory/2652-3-0x0000000004C50000-0x0000000004CE2000-memory.dmp

memory/2652-4-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

memory/2652-5-0x0000000004C10000-0x0000000004C1A000-memory.dmp

memory/2652-6-0x0000000004D80000-0x0000000004D90000-memory.dmp

memory/2652-7-0x0000000074F30000-0x00000000756E0000-memory.dmp

memory/2652-8-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

memory/2652-9-0x0000000004D90000-0x0000000004D9E000-memory.dmp

memory/2652-10-0x00000000065D0000-0x0000000006688000-memory.dmp

memory/2652-11-0x0000000008C80000-0x0000000008D1C000-memory.dmp

memory/3100-17-0x0000000074F30000-0x00000000756E0000-memory.dmp

memory/3100-16-0x0000000002460000-0x0000000002496000-memory.dmp

memory/3100-18-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

memory/3100-19-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

memory/3100-20-0x0000000005080000-0x00000000056A8000-memory.dmp

memory/1128-22-0x0000000074F30000-0x00000000756E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1B5E.tmp

MD5 979fbf3816c9686f80f5f3fbd7b3d8e5
SHA1 f69712c461b3be2723e10f518d6b39c292af3f5b
SHA256 8a03493de085beca894193e5d1a842b3e19f83b437d91e9cca06741d91ef6004
SHA512 46cabb0e99389d1edd53416132cc4860cb4e20d51566accea985a9503a5bbbbe46d26e5047a2a8b6b6f8bd9cf7bc21f4e0faade35e4658916e25236f4e2524e5

memory/1128-24-0x0000000004970000-0x0000000004980000-memory.dmp

memory/924-25-0x0000000000400000-0x0000000000481000-memory.dmp

memory/1128-23-0x0000000004970000-0x0000000004980000-memory.dmp

memory/924-26-0x0000000000400000-0x0000000000481000-memory.dmp

memory/1128-28-0x0000000004DA0000-0x0000000004DC2000-memory.dmp

memory/924-30-0x0000000000400000-0x0000000000481000-memory.dmp

memory/924-32-0x0000000000400000-0x0000000000481000-memory.dmp

memory/2652-35-0x0000000074F30000-0x00000000756E0000-memory.dmp

memory/924-33-0x0000000000400000-0x0000000000481000-memory.dmp

memory/3100-31-0x0000000005720000-0x0000000005786000-memory.dmp

memory/3100-29-0x00000000056B0000-0x0000000005716000-memory.dmp

memory/924-36-0x0000000000400000-0x0000000000481000-memory.dmp

memory/924-42-0x0000000000400000-0x0000000000481000-memory.dmp

memory/924-52-0x0000000000400000-0x0000000000481000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zde0vsp1.dh1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1128-57-0x00000000057C0000-0x0000000005B14000-memory.dmp

memory/1128-58-0x0000000005C90000-0x0000000005CAE000-memory.dmp

memory/1128-59-0x0000000005CD0000-0x0000000005D1C000-memory.dmp

memory/1128-60-0x0000000004970000-0x0000000004980000-memory.dmp

memory/3100-61-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

memory/3100-62-0x0000000006D30000-0x0000000006D62000-memory.dmp

memory/3100-66-0x0000000073A00000-0x0000000073A4C000-memory.dmp

memory/1128-77-0x0000000006240000-0x000000000625E000-memory.dmp

memory/1128-76-0x000000007F8E0000-0x000000007F8F0000-memory.dmp

memory/3100-65-0x000000007F900000-0x000000007F910000-memory.dmp

memory/1128-63-0x0000000073A00000-0x0000000073A4C000-memory.dmp

memory/1128-87-0x0000000006C70000-0x0000000006D13000-memory.dmp

memory/1128-88-0x00000000075E0000-0x0000000007C5A000-memory.dmp

memory/3100-89-0x00000000070B0000-0x00000000070CA000-memory.dmp

memory/1128-90-0x0000000007010000-0x000000000701A000-memory.dmp

memory/1128-91-0x0000000007220000-0x00000000072B6000-memory.dmp

memory/3100-92-0x00000000072A0000-0x00000000072B1000-memory.dmp

memory/1128-93-0x00000000071D0000-0x00000000071DE000-memory.dmp

memory/3100-94-0x00000000072E0000-0x00000000072F4000-memory.dmp

memory/1128-95-0x00000000072E0000-0x00000000072FA000-memory.dmp

memory/1128-96-0x00000000072C0000-0x00000000072C8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 03fe1d12014fd5501d41b6875073ee2a
SHA1 63d84c2501b86daf02732007b818c1b43c304fb7
SHA256 fe9d0178e218c23a42380315a35d48ed61da77d09da990bae3a7803ba1ec7d52
SHA512 048c5b425df64c0e161ee3c6356e3e8dcd23df9b83b4570488a630064e3396ed47038f93abce33aeca1dbc548eab998b1a1b59100b69a3da375663f5963c5916

memory/3100-102-0x0000000074F30000-0x00000000756E0000-memory.dmp

memory/1128-103-0x0000000074F30000-0x00000000756E0000-memory.dmp

memory/924-107-0x0000000000400000-0x0000000000481000-memory.dmp

memory/924-108-0x0000000000400000-0x0000000000481000-memory.dmp

memory/924-109-0x0000000000400000-0x0000000000481000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 b442f149c3f66d6ecbe4702da1f482d2
SHA1 689d0f1a0408525a02721133ec3bc318b35fbadf
SHA256 002660185acfbab7ef08f34443bea9ca0475b5605658a3444fcb6ca595069e0e
SHA512 e68d08ac2537c99d0b744e47832da65a013c50cedf80eac323c499570541830609114fc7b0d1352bb9e41ca3dab72038652a6a5ec24e0564c3eb5b2cc9a844b1

memory/924-115-0x0000000000400000-0x0000000000481000-memory.dmp

memory/924-116-0x0000000000400000-0x0000000000481000-memory.dmp

memory/924-121-0x0000000000400000-0x0000000000481000-memory.dmp

memory/924-122-0x0000000000400000-0x0000000000481000-memory.dmp

memory/924-127-0x0000000000400000-0x0000000000481000-memory.dmp

memory/924-129-0x0000000000400000-0x0000000000481000-memory.dmp