Malware Analysis Report

2024-12-07 22:28

Sample ID 240406-b766yshd68
Target f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe
SHA256 f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af
Tags
remcos remotehost rat
score
10/10

Analysis Overview

score
10/10

SHA256

f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af

Threat Level: Known bad

The file f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Detects executables packed with SmartAssembly

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 01:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 01:48

Reported

2024-04-06 01:50

Platform

win7-20240221-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2396 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe C:\Windows\SysWOW64\schtasks.exe
PID 2396 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe
PID 2396 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe
PID 2396 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe
PID 2396 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe

"C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FCsxaE.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCsxaE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9CCC.tmp"

C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe

"C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe"

C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe

"C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe"

C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe

"C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe"

C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe

"C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 paygateme.net udp
US 146.70.57.34:2286 paygateme.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp9CCC.tmp

MD5 85cdac26c8a7b8c249b6778ce4a1403b
SHA1 76749f50f2fbbf73cfddc9adbb968291f39b90b2
SHA256 5fbdbdbdcfedc069c32c5ed0c2192e1877a797715fc5e67e7d29c728892561c1
SHA512 56b0512ff1531b955cbbe8ede233104243638c1610d79d3bc7de713fcacedda7a9ee93a42be74c17bcb5bb55e87c491c06122a5ca103b67345a9e3e8f229d178

C:\ProgramData\remcos\logs.dat

MD5 ae2d4f8a327884eba5f4b2455946aeaa
SHA1 d709a2b6eacc686d535cc62c65998a603302318c
SHA256 30fdfb085ca342f5ea1b7584b6c8e7a960e1d885dd13951d419eef67c96906c8
SHA512 b7ac558f6acc6d4766b839cf7b3719a10ab6398e2e98a64bbc60641174211bfc6068e07c3bff770f55dfbbc251d46ffc80d996a330f1b606d119283ae8d3abcc

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 01:48

Reported

2024-04-06 01:50

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3088 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3088 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe C:\Windows\SysWOW64\schtasks.exe
PID 3088 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe

"C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FCsxaE.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCsxaE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAC0F.tmp"

C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe

"C:\Users\Admin\AppData\Local\Temp\f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 paygateme.net udp
US 146.70.57.34:2286 paygateme.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.239.69.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmpAC0F.tmp

MD5 4ff4f99b781f61f35ff61979ce5791a4
SHA1 e3683ed647655da62ceca20501c2280a4502a9c2
SHA256 17722c7963e322fe9b6fd52dc2986353df6567b41d1a5a58738e3c6800a5cc07
SHA512 8aebd686016a037f57532d18301b29c9630e89d477d8435f24d07ee7b7a0e456afc6e5bec42ffa184a3acfe79de61fdabd8d6658da1fa6eb56177707da8d3eec

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ypzzghar.smn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\ProgramData\remcos\logs.dat

MD5 57bd8aebfc0e41d00b813523c8297516
SHA1 bb35e339e1eec437bbd91730ae3317cfb20f3e19
SHA256 eceec4ae24aa059347a5a86196230ab2da29a8a57be0e3f8bb577edcccfa4819
SHA512 9db36870feb7de5e89bd1526c4f6db33f5f64459ff0e12566d514a7364ad846adde6f3a0801c58313c29acfe1d8c896247cc574212adf59275c7fbea9e3b8da6
