Malware Analysis Report

2024-08-06 11:23

Sample ID 240615-xpgdgavhpj
Target Remcosv4.9.3LightMOD.exe
SHA256 4ff6da365ddd8c3f3e4c186022ab9447b2f6123adf991a81cd58bc71ecb2522a
Tags
quasar remcos spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4ff6da365ddd8c3f3e4c186022ab9447b2f6123adf991a81cd58bc71ecb2522a

Threat Level: Known bad

The file Remcosv4.9.3LightMOD.exe was found to be: Known bad.

Malicious Activity Summary

quasar remcos spyware trojan

Quasar RAT

Quasar payload

Executes dropped EXE

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Remote System Discovery
T1018
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-15 19:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 19:01

Reported

2024-06-15 19:04

Platform

win7-20231129-en

Max time kernel

131s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
PID 2392 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
PID 2392 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
PID 2392 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
PID 2392 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 2392 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 2392 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 820 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\system32\schtasks.exe
PID 820 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\system32\schtasks.exe
PID 820 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\system32\schtasks.exe
PID 820 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
PID 820 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
PID 820 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
PID 2612 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\system32\schtasks.exe
PID 2612 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\system32\schtasks.exe
PID 2612 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe

"C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe"

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe

"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 team-circles.gl.at.ply.gg udp
US 147.185.221.20:25349 team-circles.gl.at.ply.gg tcp
US 147.185.221.20:25349 team-circles.gl.at.ply.gg tcp
US 147.185.221.20:25349 team-circles.gl.at.ply.gg tcp
US 147.185.221.20:25349 team-circles.gl.at.ply.gg tcp
US 147.185.221.20:25349 team-circles.gl.at.ply.gg tcp
US 147.185.221.20:25349 team-circles.gl.at.ply.gg tcp

Files

memory/2392-0-0x000007FEF5533000-0x000007FEF5534000-memory.dmp

memory/2392-1-0x0000000000940000-0x0000000003194000-memory.dmp

memory/2392-2-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe

MD5 6eacce4a82cf898472ad2aa8b0267cca
SHA1 954def54ec22b1ade594e7f501384fe19d2bbfef
SHA256 522a915d9a78b68fee628014e4559e82bcbf137d9abc521e57b6e7aca695cec7
SHA512 3004e9f64ba6258b3780d534bd59b3c8ae611e29d846e0aaa197af892f56708379b4996295de5c777ef845a031c44915bf3faa17b137f892a81373423bd47ad1

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

MD5 0296021acfb4f37e63df4de7461ebfd9
SHA1 14117dba6ce87cbb6561ebdfffec60cb21860800
SHA256 4fc6d003d67f0a1b3a276018516c6a0fe6301b10efe9e41fccd2e5a645a3333a
SHA512 ffff32821dc347531f6e814df23b1f848df002c33ca83c635bc2fb1d3b810e9c21ffa6da6f0beb1a207f55a9d4048828545d678a8137991d1de2266bcbe1deee

memory/820-14-0x0000000000FC0000-0x00000000012E4000-memory.dmp

memory/2392-15-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp

memory/2612-21-0x0000000000DE0000-0x0000000001104000-memory.dmp

memory/3048-61-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

memory/3048-59-0x0000000007DF0000-0x0000000007DF1000-memory.dmp

memory/3048-56-0x0000000007DE0000-0x0000000007DE1000-memory.dmp

memory/3048-63-0x0000000000400000-0x000000000668E000-memory.dmp

memory/3048-54-0x0000000007DE0000-0x0000000007DE1000-memory.dmp

memory/3048-51-0x00000000066A0000-0x00000000066A1000-memory.dmp

memory/3048-49-0x00000000066A0000-0x00000000066A1000-memory.dmp

memory/3048-46-0x0000000006690000-0x0000000006691000-memory.dmp

memory/3048-44-0x0000000006690000-0x0000000006691000-memory.dmp

memory/3048-41-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/3048-39-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/3048-37-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/3048-36-0x0000000000270000-0x0000000000271000-memory.dmp

memory/3048-34-0x0000000000270000-0x0000000000271000-memory.dmp

memory/3048-32-0x0000000000270000-0x0000000000271000-memory.dmp

memory/3048-31-0x0000000000260000-0x0000000000261000-memory.dmp

memory/3048-29-0x0000000000260000-0x0000000000261000-memory.dmp

memory/3048-27-0x0000000000260000-0x0000000000261000-memory.dmp

memory/3048-26-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/3048-24-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/3048-22-0x00000000001C0000-0x00000000001C1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 19:01

Reported

2024-06-15 19:04

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4820 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
PID 4820 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
PID 4820 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe
PID 4820 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 4820 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
PID 2548 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2548 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2548 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
PID 2548 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
PID 3288 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3288 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3288 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\system32\cmd.exe
PID 3288 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 4880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2012 wrote to memory of 4880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2012 wrote to memory of 2200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2012 wrote to memory of 2200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2012 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
PID 2012 wrote to memory of 2072 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
PID 2072 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2072 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2072 wrote to memory of 740 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\system32\cmd.exe
PID 2072 wrote to memory of 740 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\system32\cmd.exe
PID 740 wrote to memory of 1428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 740 wrote to memory of 1428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 740 wrote to memory of 1388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 740 wrote to memory of 1388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 740 wrote to memory of 4832 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
PID 740 wrote to memory of 4832 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
PID 4832 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4832 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4832 wrote to memory of 216 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\system32\cmd.exe
PID 4832 wrote to memory of 216 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\system32\cmd.exe
PID 216 wrote to memory of 3496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 216 wrote to memory of 3496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 216 wrote to memory of 4396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 216 wrote to memory of 4396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 216 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
PID 216 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
PID 2176 wrote to memory of 916 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2176 wrote to memory of 916 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2176 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\system32\cmd.exe
PID 2176 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\system32\cmd.exe
PID 1220 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1220 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1220 wrote to memory of 1096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1220 wrote to memory of 1096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1220 wrote to memory of 3488 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
PID 1220 wrote to memory of 3488 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
PID 3488 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3488 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3488 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\system32\cmd.exe
PID 3488 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\system32\cmd.exe
PID 1636 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1636 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1636 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1636 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1636 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
PID 1636 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
PID 2792 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2792 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2792 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\system32\cmd.exe
PID 2792 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe C:\Windows\system32\cmd.exe
PID 4036 wrote to memory of 2348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe

"C:\Users\Admin\AppData\Local\Temp\Remcosv4.9.3LightMOD.exe"

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe

"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe"

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d4JRyx7MclZe.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\II61zF3datav.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKW8AKrQyRrH.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UZttjw4P4z1P.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Iw0IkepjtkE4.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CxCIzacfbgAD.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y6PRFWzDgVPd.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe

"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 team-circles.gl.at.ply.gg udp
US 8.8.8.8:53 team-circles.gl.at.ply.gg udp
US 8.8.8.8:53 team-circles.gl.at.ply.gg udp
US 8.8.8.8:53 team-circles.gl.at.ply.gg udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 team-circles.gl.at.ply.gg udp
US 8.8.8.8:53 team-circles.gl.at.ply.gg udp
US 8.8.8.8:53 team-circles.gl.at.ply.gg udp

Files

memory/4820-0-0x00007FFDE6193000-0x00007FFDE6195000-memory.dmp

memory/4820-1-0x00000000003A0000-0x0000000002BF4000-memory.dmp

memory/4820-2-0x00007FFDE6190000-0x00007FFDE6C51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Light MOD.exe

MD5 6eacce4a82cf898472ad2aa8b0267cca
SHA1 954def54ec22b1ade594e7f501384fe19d2bbfef
SHA256 522a915d9a78b68fee628014e4559e82bcbf137d9abc521e57b6e7aca695cec7
SHA512 3004e9f64ba6258b3780d534bd59b3c8ae611e29d846e0aaa197af892f56708379b4996295de5c777ef845a031c44915bf3faa17b137f892a81373423bd47ad1

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

MD5 0296021acfb4f37e63df4de7461ebfd9
SHA1 14117dba6ce87cbb6561ebdfffec60cb21860800
SHA256 4fc6d003d67f0a1b3a276018516c6a0fe6301b10efe9e41fccd2e5a645a3333a
SHA512 ffff32821dc347531f6e814df23b1f848df002c33ca83c635bc2fb1d3b810e9c21ffa6da6f0beb1a207f55a9d4048828545d678a8137991d1de2266bcbe1deee

memory/4820-25-0x00007FFDE6190000-0x00007FFDE6C51000-memory.dmp

memory/2548-26-0x0000000000F10000-0x0000000001234000-memory.dmp

memory/3288-34-0x000000001BD20000-0x000000001BD70000-memory.dmp

memory/3288-35-0x000000001BE30000-0x000000001BEE2000-memory.dmp

memory/1524-36-0x0000000006900000-0x0000000006901000-memory.dmp

memory/1524-37-0x0000000006920000-0x0000000006921000-memory.dmp

memory/1524-38-0x0000000006930000-0x0000000006931000-memory.dmp

memory/1524-39-0x0000000006940000-0x0000000006941000-memory.dmp

memory/1524-40-0x0000000006B70000-0x0000000006B71000-memory.dmp

memory/1524-41-0x0000000006B80000-0x0000000006B81000-memory.dmp

memory/1524-42-0x0000000006B90000-0x0000000006B91000-memory.dmp

memory/1524-43-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

memory/1524-44-0x0000000000400000-0x000000000668E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

C:\Users\Admin\AppData\Local\Temp\d4JRyx7MclZe.bat

MD5 c6dbeeb59302789c2fd17ee467280be0
SHA1 8ff7a2f2a21d6f113ff01e1855b5943d30194f25
SHA256 1ba4aa48878d66d12c014c2c3267e60eb42a547eadd261f81270c0c15076b8c2
SHA512 7dd82db3fc9be769c87226bab87c21ae2d10ae9055e2f042dbc65ca341a839ba3eb8f789d6d5ed1ae804f91244c9dbde336075c404094c9ddb71a00656e21c73

C:\Users\Admin\AppData\Local\Temp\II61zF3datav.bat

MD5 dfaac48c02e84a1fff0413c1247ea532
SHA1 b3aa72d178b0c18fe19922d8efa0e14da6803eef
SHA256 7c0f620498cd3af929c830bc09ed8a8b69173eb4e448351967d02b362cb4f5a4
SHA512 1a6cb45770b37e17dddd0d6d14d9e4e82c2f7b868a59bd095c69e1722765a889f15a2fb4820c700573a09d40379d06f34f86f1b9f4847c9de3e7453894b9b0eb

C:\Users\Admin\AppData\Local\Temp\uKW8AKrQyRrH.bat

MD5 a86cbae20775287a30e3176469f547a3
SHA1 83dbf7dbb89e9982d51e7983647460510277fe0c
SHA256 7cf5080526ec6049d03aae088126cb8f604cc33a49f453e96e9d2a8e56e21f44
SHA512 134895067a762ccdf511e52d0ce7b70ed54f79749c5a4b57cc4e616873673b855924e02e1dc2c39cce857a6f06ab967695da4c725443098ccb524ee331925ac8

C:\Users\Admin\AppData\Local\Temp\UZttjw4P4z1P.bat

MD5 57f65dd6450e8f46d070c4303f249f70
SHA1 b46f3ef3d1ccc788ed040a4eaf869dff23f9202a
SHA256 51b403ea03fe3f50a1de1df2cf6e330b406d777daf50a1528f249fc8be6e7ec5
SHA512 1fbe571f323d42603d282798407c5a04ad2ac3967796f2a8e71693f3bb7ba566d738be0a408088ad32bca25912fbe0807c5c339a2e0fa6dee7e025cbc098cb06

C:\Users\Admin\AppData\Local\Temp\Iw0IkepjtkE4.bat

MD5 e471c73881f70d90f33d4258f16c6009
SHA1 2f7e51d7ca6b131975b8299ccd49388e41e13c59
SHA256 3dd9b20814b3a8564dc441d8f44d838acd9539884bf19c7ae237fa0fbad55ce5
SHA512 2e13a16aecaab21948af86cb090fbfb1557c3f12016e5e9d635260bbfcb161e3d157f174734791e23b157ca44a4a895ea66c565b468432802585b6ae5658949e

C:\Users\Admin\AppData\Local\Temp\CxCIzacfbgAD.bat

MD5 bc7d5be260cce4823e4895938b6ce44b
SHA1 87a5c1cbd785b4c7f792093d637e4678ff57911d
SHA256 35245389170d2fa56a66ad41981171e8dc83df15e769604193c68f245f4119ac
SHA512 3a35697391e62c70a5bbd10594dfc17c11288763a36fdc3baed8812a4e8157379d647a037ee4fbbe464bef3ed007ba6d98d9094ca29f62238aa7ff0139b5a5db

C:\Users\Admin\AppData\Local\Temp\y6PRFWzDgVPd.bat

MD5 1c46c31511380c92d8bbda2ddd871844
SHA1 132d2e7b29e27f739ac8e5f8f0e47fcf60c5f9b4
SHA256 2983aa8fe86bb2a321ba9b75996cbe18f34c3ca112ed920f9bc8520b2d3bbe50
SHA512 bc3027c1deee4ab3bb2221df0c5b6f3e1a535c998850bf46db5c72cedef48acd6f483b10a6d7f53b7c00d9c467b8742fe53324afb5e44778ccfb8bd1062856b7