remcos | 3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
Size

1.0MB
MD5

e5d2981fd9c531b3cfb780cf781bac91
SHA1

aaf7084c369138eb5588051eda8aec9aa3c4ac26
SHA256

3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b
SHA512

ec10e5de423564c17caac9e3c8a4ab2d1ed51882c9cfe145374d69e9f18382d7bd23d370f0389fb56c3b77073da11351978e803dc53c7135e618bbf0507be539
SSDEEP

24576:Aazz87bccsW43UyDBU7RCFYK9i3iOpOnC+yqiQDi/DtS:AOz8732BdUCYK9i3X6CPqinDo

Score

10^/10

remcos p2-bin collection rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

P2-bin

84.38.132.126:61445

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ANE1CN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 26 IoCs

resource	yara_rule
behavioral2/memory/3524-45-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-47-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-48-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-50-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-54-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-55-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-53-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-58-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-59-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-60-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-61-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-62-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-63-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-65-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-68-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-129-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-146-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-145-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-147-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-154-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-162-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-163-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-170-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-171-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-178-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral2/memory/3524-179-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Detects executables built or packed with MPress PE compressor 16 IoCs

resource	yara_rule
behavioral2/memory/4652-96-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3076-100-0x0000000000400000-0x0000000000457000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4652-99-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4652-103-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3200-105-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3076-104-0x0000000000400000-0x0000000000457000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3200-113-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3076-114-0x0000000000400000-0x0000000000457000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3200-116-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3200-112-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3076-108-0x0000000000400000-0x0000000000457000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4652-120-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3524-122-0x0000000010000000-0x0000000010019000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3524-125-0x0000000010000000-0x0000000010019000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3524-130-0x0000000010000000-0x0000000010019000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3524-126-0x0000000010000000-0x0000000010019000-memory.dmp	INDICATOR_EXE_Packed_MPress

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs

resource	yara_rule
behavioral2/memory/3076-114-0x0000000000400000-0x0000000000457000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3076-108-0x0000000000400000-0x0000000000457000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs

resource	yara_rule
behavioral2/memory/3076-114-0x0000000000400000-0x0000000000457000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3076-108-0x0000000000400000-0x0000000000457000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/3076-114-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral2/memory/3076-108-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4652-103-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/4652-120-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

resource	yara_rule
behavioral2/memory/4652-103-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/3200-113-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3076-114-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/3200-116-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3076-108-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/4652-120-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 3524	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	97
PID 3524 set thread context of 4652	3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	99
PID 3524 set thread context of 3076	3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	100
PID 3524 set thread context of 3200	3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
3692	powershell.exe
3888	powershell.exe
1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
3888	powershell.exe
3692	powershell.exe
4652	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
4652	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
3200	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
3200	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
4652	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
4652	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
Token: SeDebugPrivilege	3888	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	3200	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 3888	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	91
PID 1632 wrote to memory of 3888	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	91
PID 1632 wrote to memory of 3888	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	91
PID 1632 wrote to memory of 3692	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	93
PID 1632 wrote to memory of 3692	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	93
PID 1632 wrote to memory of 3692	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	93
PID 1632 wrote to memory of 2044	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	95
PID 1632 wrote to memory of 2044	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	95
PID 1632 wrote to memory of 2044	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	95
PID 1632 wrote to memory of 3524	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	97
PID 1632 wrote to memory of 3524	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	97
PID 1632 wrote to memory of 3524	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	97
PID 1632 wrote to memory of 3524	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	97
PID 1632 wrote to memory of 3524	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	97
PID 1632 wrote to memory of 3524	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	97
PID 1632 wrote to memory of 3524	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	97
PID 1632 wrote to memory of 3524	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	97
PID 1632 wrote to memory of 3524	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	97
PID 1632 wrote to memory of 3524	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	97
PID 1632 wrote to memory of 3524	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	97
PID 1632 wrote to memory of 3524	1632	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	97
PID 3524 wrote to memory of 3112	3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	98
PID 3524 wrote to memory of 3112	3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	98
PID 3524 wrote to memory of 3112	3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	98
PID 3524 wrote to memory of 4652	3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	99
PID 3524 wrote to memory of 4652	3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	99
PID 3524 wrote to memory of 4652	3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	99
PID 3524 wrote to memory of 4652	3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	99
PID 3524 wrote to memory of 3076	3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	100
PID 3524 wrote to memory of 3076	3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	100
PID 3524 wrote to memory of 3076	3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	100
PID 3524 wrote to memory of 3076	3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	100
PID 3524 wrote to memory of 3200	3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	101
PID 3524 wrote to memory of 3200	3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	101
PID 3524 wrote to memory of 3200	3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	101
PID 3524 wrote to memory of 3200	3524	3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe	101

C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
"C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3888
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bZurkfs.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3692
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZurkfs" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC98A.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
  "C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
    C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\ybcwyooena"
    3⤵
    PID:3112
- - C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
    C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\ybcwyooena"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4652
- - C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
    C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\bvhhzyzybizuo"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:3076
- - C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
    C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\lxvzarjzpqrzrakw"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
16e709c02499825a3ac02831c2ca5002

SHA1
6a5472c946c9af0224f4bf5c10af826a9b57a3df

SHA256
20ebb342556fd65808c40fbb6e84ece09b15635cd7820684db41e529676cd1ff

SHA512
bc0244ecbd1b9019c34be3b651aba1577a077b3e13f582c43b0651fe0424871722c9595466daad46a4b2fe3ba305152e4e1ee36fdf20415b27a82c0b71b6eebd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7f0c8309fc59107b92bef1f40caf2a89

SHA1
8c3af4986aaf807d8029929b80d6e6c0644fcae6

SHA256
129479c781c7199949f114557332f754b377a171ac40e8fd8f074151cb09ba05

SHA512
2c56c1df483e6d4272c4e3ad37d4e993b90375c52eead22cc658c0fc6fc5680f7b57349ed8a7688e555411ba519f1ec72987ab2c68123021f35073e4f4b41614

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC98A.tmp

Filesize
1KB

MD5
1cb84544cf53d901f985e9f6205a7c58

SHA1
bda0b92e19283f1f8bec9125f23b6f37b6e3ac4c

SHA256
78ce5d59f628a9cd3f230eb3a52fcce04eaf943a4bf2427a3338f8def096c1e4

SHA512
c3b27ea8fb9883b372741a52e76fafd6e99b88be427249b9731b72737f1ce9c2e25056e33516fbe8f3283ec37ceaa118539a3d978d7c3cfd72a82c709e1f8d4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybcwyooena

Filesize
4KB

MD5
0cb17253d14f1f732dfbc3ef9b580d1e

SHA1
85d726cf68f14dd34090de9f4d160c0387249b68

SHA256
e09a0aed9bbc43da3b7a85d30a9a10b54d11c096aa6cef81c23364bc9c4dfcc9

SHA512
f651e62d58e83f9d5e21f3ac8cc516290bfff66c1981dc14cc3a7a900db70d6e7e15c99bb717a18c036b96a6c2f794c2351df7aa39b69531f2112860a51a86ee

Download Submit
memory/1632-6-0x0000000009D60000-0x0000000009DFC000-memory.dmp

Filesize
624KB

Download
memory/1632-0-0x0000000000230000-0x000000000033A000-memory.dmp

Filesize
1.0MB

Download
memory/1632-8-0x0000000004650000-0x000000000465A000-memory.dmp

Filesize
40KB

Download
memory/1632-9-0x0000000004660000-0x000000000466E000-memory.dmp

Filesize
56KB

Download
memory/1632-10-0x000000000A460000-0x000000000A526000-memory.dmp

Filesize
792KB

Download
memory/1632-52-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/1632-5-0x00000000073A0000-0x00000000073AA000-memory.dmp

Filesize
40KB

Download
memory/1632-4-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/1632-3-0x00000000070A0000-0x0000000007132000-memory.dmp

Filesize
584KB

Download
memory/1632-7-0x0000000004610000-0x0000000004624000-memory.dmp

Filesize
80KB

Download
memory/1632-1-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/1632-2-0x0000000007560000-0x0000000007B04000-memory.dmp

Filesize
5.6MB

Download
memory/3076-114-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3076-104-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3076-108-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3076-100-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3200-116-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3200-112-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3200-113-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3200-105-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3524-129-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-50-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-53-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-179-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-178-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-60-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-62-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-171-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-170-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-163-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-162-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-154-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-147-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-145-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-146-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3524-126-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3524-130-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3524-125-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3524-122-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3524-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3692-25-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/3692-19-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3692-66-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/3692-70-0x0000000007600000-0x0000000007632000-memory.dmp

Filesize
200KB

Download
memory/3692-23-0x0000000005B90000-0x0000000005BB2000-memory.dmp

Filesize
136KB

Download
memory/3692-46-0x0000000005F40000-0x0000000006294000-memory.dmp

Filesize
3.3MB

Download
memory/3692-115-0x00000000077C0000-0x00000000077CA000-memory.dmp

Filesize
40KB

Download
memory/3692-84-0x000000007F940000-0x000000007F950000-memory.dmp

Filesize
64KB

Download
memory/3692-22-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/3692-20-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/3692-117-0x00000000079F0000-0x0000000007A86000-memory.dmp

Filesize
600KB

Download
memory/3692-118-0x0000000007970000-0x0000000007981000-memory.dmp

Filesize
68KB

Download
memory/3692-73-0x00000000753E0000-0x000000007542C000-memory.dmp

Filesize
304KB

Download
memory/3692-95-0x0000000007D90000-0x000000000840A000-memory.dmp

Filesize
6.5MB

Download
memory/3692-144-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3692-135-0x0000000007AB0000-0x0000000007ACA000-memory.dmp

Filesize
104KB

Download
memory/3692-133-0x00000000079A0000-0x00000000079AE000-memory.dmp

Filesize
56KB

Download
memory/3692-18-0x0000000005530000-0x0000000005B58000-memory.dmp

Filesize
6.2MB

Download
memory/3692-132-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/3692-131-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3888-17-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3888-127-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3888-94-0x0000000007580000-0x0000000007623000-memory.dmp

Filesize
652KB

Download
memory/3888-57-0x00000000063E0000-0x000000000642C000-memory.dmp

Filesize
304KB

Download
memory/3888-134-0x00000000078E0000-0x00000000078F4000-memory.dmp

Filesize
80KB

Download
memory/3888-128-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3888-136-0x00000000079C0000-0x00000000079C8000-memory.dmp

Filesize
32KB

Download
memory/3888-97-0x00000000076A0000-0x00000000076BA000-memory.dmp

Filesize
104KB

Download
memory/3888-21-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3888-16-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3888-56-0x0000000006390000-0x00000000063AE000-memory.dmp

Filesize
120KB

Download
memory/3888-64-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3888-143-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3888-72-0x000000007FC20000-0x000000007FC30000-memory.dmp

Filesize
64KB

Download
memory/3888-15-0x0000000002A50000-0x0000000002A86000-memory.dmp

Filesize
216KB

Download
memory/3888-83-0x0000000006940000-0x000000000695E000-memory.dmp

Filesize
120KB

Download
memory/3888-71-0x00000000753E0000-0x000000007542C000-memory.dmp

Filesize
304KB

Download
memory/3888-26-0x0000000005D60000-0x0000000005DC6000-memory.dmp

Filesize
408KB

Download
memory/4652-103-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4652-99-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4652-96-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4652-120-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download