Malware Analysis Report

2025-01-02 03:13

Sample ID 240406-bneycsgc9x
Target 669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
SHA256 669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e
Tags: remcos remotehost rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e

Threat Level: Known bad

The file 669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Executes dropped EXE

Drops startup file

Loads dropped DLL

AutoIT Executable

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-04-06 01:17

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 01:17
Reported: 2024-04-06 01:19
Platform: win7-20240221-en
Max time kernel: 146s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe"

Signatures

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | C:\Users\Admin\AppData\Local\directory\name.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1504 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe | C:\Users\Admin\AppData\Local\directory\name.exe
PID 2508 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Users\Admin\AppData\Local\directory\name.exe
PID 2724 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Users\Admin\AppData\Local\directory\name.exe
PID 2360 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Users\Admin\AppData\Local\directory\name.exe
PID 1044 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Users\Admin\AppData\Local\directory\name.exe
PID 2824 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Users\Admin\AppData\Local\directory\name.exe
PID 2464 wrote to memory of 328 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Users\Admin\AppData\Local\directory\name.exe
PID 328 wrote to memory of 344 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Users\Admin\AppData\Local\directory\name.exe
PID 344 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Users\Admin\AppData\Local\directory\name.exe
PID 1636 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Users\Admin\AppData\Local\directory\name.exe
PID 2244 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Users\Admin\AppData\Local\directory\name.exe
PID 3044 wrote to memory of 432 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Users\Admin\AppData\Local\directory\name.exe
PID 432 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Users\Admin\AppData\Local\directory\name.exe
PID 2064 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Users\Admin\AppData\Local\directory\name.exe
PID 2884 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Users\Admin\AppData\Local\directory\name.exe
PID 1520 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Users\Admin\AppData\Local\directory\name.exe

Processes

Image: C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe"

Image: C:\Users\Admin\AppData\Local\directory\name.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe"

Image: C:\Users\Admin\AppData\Local\directory\name.exe (18 instances with this image and command line)
Command line: "C:\Users\Admin\AppData\Local\directory\name.exe"

Network

N/A

Files

memory/1504-10-0x0000000000260000-0x0000000000264000-memory.dmp

\Users\Admin\AppData\Local\directory\name.exe

MD5 0056f9f571a6d4505e4656120e52bb91
SHA1 535ec115c8cb2c6d4df4fd559aea28d5db2c3786
SHA256 9cde38faf842c3c313144020889056f582c4236bcd0de2fbc1fec6d406a78abd
SHA512 0a9d0112fa779ce00b2b66812c982f2afc6718486db94b4aa5698193b6e8a8616d0b34a471a449121eddb88f98c425b7636392bb6c24acdf5570d8edac2d03dd

C:\Users\Admin\AppData\Local\Temp\scroll

MD5 d0d973e17f4f9faff0bd11e10be35a45
SHA1 8f6f95ff9d4d5ec970e1ce58902122bd682d8828
SHA256 bc16cad3c5fcd0da9deb63a3ac44b660c6a979b1be970d526feff7cdae679f52
SHA512 2e34d179a064b44043350b80a44601a5732d5ee79b201ab517af64bd806a535550288f2d13c2e961e4ca58ef63a0009a5073233619f3e912e3643434e0520367

C:\Users\Admin\AppData\Local\Temp\ageless

MD5 ffa2e5ab3b36f5f9ae74cff2a038c1d4
SHA1 8ed7f9cf5089d8361dac06205f5d4567dd8006f9
SHA256 afb5de202275b56fd3f692015b0ce44536db0db7659d392f9dc94d58da87c8f7
SHA512 4775cfe9550daa79fae22c204b118bffc293059110250456b69b6539594d0d3dbe7dedec6cc53aea1890d88340489a993312f0d887453d3702f8a12c7cbb2492

C:\Users\Admin\AppData\Local\Temp\autC9E5.tmp

MD5 c800930f609777b6a62bdfb4e0f6d13c
SHA1 25a5607ea6e7a54390ed56f9132c875f8f03a072
SHA256 7c548d6f2a8da0f0f6f446e3e50b2ee13b797a52322a5f2c603d5e1868655d02
SHA512 038b8820b95566a9e141f80e6cacfad70926b4e325c68ad0fef65f5fcd8d315421fb04465a4066dfc4f529a350c0cdb4f6a91c9fff6e28531ca2036875b4eaa2

C:\Users\Admin\AppData\Local\Temp\autC9A5.tmp

MD5 949169beca0db71049f399b967f83788
SHA1 44521a34b25e346477e11b9a3e9263fc155d26d1
SHA256 91242813006c5d4b13829eb58c0fafbd8db223f4e08c2b776a7913e81430d7de
SHA512 1439b96ba9a3641d9bc7c468d696c4ad3b216966bfba099a47ab67f78f0587b55628040afb62fb73b2c2fdccb443c4fb429d02f35c945069a2e348e4500170ac

C:\Users\Admin\AppData\Local\Temp\scroll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 812b509162fd0cfa8639c0ec616c89cb
SHA1 47402066529ec1ba780f0d35c87bfa06349f04d7
SHA256 aad19d6fd19dffbf4eb34191ee1583d335e1ae2b870f45d81c2c2699234c2bf9
SHA512 15736c7bc6cf91c816fc4e06ad7392ca9e9fd16c45014b7911eb3f39bac2b3871420967041b77cf92a21230c7605fdef606eb5deccd0a740288d4bddc8593d16

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 c402cad57929e243c3e28c1ade94a387
SHA1 7a1f9436c6dbd1c796faf22b0a69656331f95310
SHA256 5c4e73229b88de07402afe5912a917d9210f5430c685385e07e3f96f3897c367
SHA512 629ceb31a120701360b1c036663accd366b5f06f1152694465dd954dde7f09ab5adf3243d1ee28e02d8684447153a17350bf284669c73df04daf24595b73ccef

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-06 01:17
Reported: 2024-04-06 01:20
Platform: win10v2004-20240226-en
Max time kernel: 155s
Max time network: 165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe"

Signatures

Remcos

rat remcos

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | C:\Users\Admin\AppData\Local\directory\name.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Processes

Image: C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe"

Image: C:\Users\Admin\AppData\Local\directory\name.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\669813c7b004be6e4fbb29350c526cefa094da76e72bd9914ddd0e84ef03111e.exe"

Image: C:\Users\Admin\AppData\Local\directory\name.exe (2 instances with this image and command line)
Command line: "C:\Users\Admin\AppData\Local\directory\name.exe"

Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2392 --field-trial-handle=2256,i,18272763564106695635,11201593968620719822,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
NL | 193.222.96.75:8823 | N/A | tcp (6 connections)
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 13.107.246.64:443 | N/A | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp

Files

memory/3036-10-0x00000000024F0000-0x00000000024F4000-memory.dmp

C:\Users\Admin\AppData\Local\directory\name.exe

MD5 639921a0bfdab9e038d5afb1bbb2152a
SHA1 a0545cc178a48dc3f15cc6bcfe0ffd05579c2133
SHA256 6d95701047fa613eb555545c1241b726bbc06b342a8c37723991cf1196882baf
SHA512 98cc010701f1b8aa2db1d18164302deca1e2d353046510f4d5127b2092986ea05771ee213c57723c3470900cd81d16cfae03f2f2da073cc9a66ab19fa3e3fe5e

C:\Users\Admin\AppData\Local\Temp\scroll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\scroll

MD5 d0d973e17f4f9faff0bd11e10be35a45
SHA1 8f6f95ff9d4d5ec970e1ce58902122bd682d8828
SHA256 bc16cad3c5fcd0da9deb63a3ac44b660c6a979b1be970d526feff7cdae679f52
SHA512 2e34d179a064b44043350b80a44601a5732d5ee79b201ab517af64bd806a535550288f2d13c2e961e4ca58ef63a0009a5073233619f3e912e3643434e0520367

C:\Users\Admin\AppData\Local\Temp\ageless

MD5 ffa2e5ab3b36f5f9ae74cff2a038c1d4
SHA1 8ed7f9cf5089d8361dac06205f5d4567dd8006f9
SHA256 afb5de202275b56fd3f692015b0ce44536db0db7659d392f9dc94d58da87c8f7
SHA512 4775cfe9550daa79fae22c204b118bffc293059110250456b69b6539594d0d3dbe7dedec6cc53aea1890d88340489a993312f0d887453d3702f8a12c7cbb2492

C:\Users\Admin\AppData\Local\Temp\autAB06.tmp

MD5 c800930f609777b6a62bdfb4e0f6d13c
SHA1 25a5607ea6e7a54390ed56f9132c875f8f03a072
SHA256 7c548d6f2a8da0f0f6f446e3e50b2ee13b797a52322a5f2c603d5e1868655d02
SHA512 038b8820b95566a9e141f80e6cacfad70926b4e325c68ad0fef65f5fcd8d315421fb04465a4066dfc4f529a350c0cdb4f6a91c9fff6e28531ca2036875b4eaa2

C:\Users\Admin\AppData\Local\Temp\autAAD6.tmp

MD5 949169beca0db71049f399b967f83788
SHA1 44521a34b25e346477e11b9a3e9263fc155d26d1
SHA256 91242813006c5d4b13829eb58c0fafbd8db223f4e08c2b776a7913e81430d7de
SHA512 1439b96ba9a3641d9bc7c468d696c4ad3b216966bfba099a47ab67f78f0587b55628040afb62fb73b2c2fdccb443c4fb429d02f35c945069a2e348e4500170ac

memory/4964-54-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4964-56-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4964-58-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4964-59-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4964-64-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4964-65-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 1ecc8147a5b81d2c55c732d874f48a9d
SHA1 05e48685739e8a473a77e9d6f76df21710ae00da
SHA256 a67574b7030509a544dde3d8d592792f2a28283afff3d617c6ae280a790798ac
SHA512 ca883c65e3d57051c5a380d5fe13197b41e0f23862c946047cac2a374a399d0814ad3ba5fd3392462cfdf03eb5461c59d4a787948251bdc0de37990625e0447e

memory/4964-68-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4964-71-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4964-72-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4964-78-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4964-79-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4964-84-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4964-85-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4964-90-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4964-92-0x0000000000400000-0x0000000000482000-memory.dmp