Malware Analysis Report

2024-12-07 22:44

Sample ID 240719-m28clsxemm
Target 5ba5df576761e1f838e4460e16f16a56_JaffaCakes118
SHA256 722ce7e293a33d260dfc3199661351ceafb717590164b977fbebda4211ddd642
Tags
remcos ngozi2021 persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

722ce7e293a33d260dfc3199661351ceafb717590164b977fbebda4211ddd642

Threat Level: Known bad

The file 5ba5df576761e1f838e4460e16f16a56_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

remcos ngozi2021 persistence rat

Remcos

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry class

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-19 10:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-19 10:58

Reported

2024-07-19 11:01

Platform

win7-20240704-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe"

Signatures

Remcos

rat remcos

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1952 set thread context of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe | C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe
PID 1724 set thread context of 3036 | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A

Suspicious use of WriteProcessMemory

Identical rows collapsed; Count is the number of times the row appeared in the report.

Description | Indicator | Process | Target | Count
PID 1952 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 1952 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe | C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe | 11
PID 2680 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe | C:\Windows\SysWOW64\WScript.exe | 4
PID 2060 wrote to memory of 1268 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1268 wrote to memory of 1724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | 4
PID 1724 wrote to memory of 1564 | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 1724 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | 11

Processes

C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rtzecNlXv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp900F.tmp"

C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rtzecNlXv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8A84.tmp"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
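
An added example, not part of the sandbox report, that post-processes the behavioral1 rows above: it parses the WriteProcessMemory and SetThreadContext rows, rebuilds the parent/child chain from the memory-write edges, and flags every pair where a process both writes into and resets the thread context of a child running the same image, which is the sandbox-visible footprint of process hollowing (a suspended self-copy whose code is replaced). The rows are copied from the tables above, one per distinct source/target pair; the function names are this example's own.

```python
import re
from collections import defaultdict
from ntpath import basename

# Rows copied from the behavioral1 "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" tables; one row per distinct source/target pair.
SANDBOX_ROWS = [
    r"PID 1952 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe C:\Windows\SysWOW64\schtasks.exe",
    r"PID 1952 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe",
    r"PID 2680 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 2060 wrote to memory of 1268 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 1268 wrote to memory of 1724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe",
    r"PID 1724 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Windows\SysWOW64\schtasks.exe",
    r"PID 1724 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe",
    r"PID 1952 set thread context of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe",
    r"PID 1724 set thread context of 3036 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe",
]

# Column order as the report lays it out: Description, Indicator (N/A), Process, Target.
ROW_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \S+ (\S+) (\S+)$")


def parse_rows(rows):
    """Return (kind, src_pid, dst_pid, src_image, dst_image) tuples; kind is 'write' or 'setctx'."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        src, verb, dst, src_img, dst_img = m.groups()
        kind = "write" if verb.startswith("wrote") else "setctx"
        events.append((kind, int(src), int(dst), src_img, dst_img))
    return events


def find_hollowing(events):
    """(parent, child, image) for every pair where the parent wrote into AND reset the
    thread context of a child that runs the same image as the parent."""
    wrote = {(s, d) for k, s, d, _, _ in events if k == "write"}
    return [
        (s, d, basename(dst_img))
        for k, s, d, src_img, dst_img in events
        if k == "setctx" and (s, d) in wrote and basename(src_img).lower() == basename(dst_img).lower()
    ]


def lineage(events, pid):
    """Follow write edges from pid back to the root; returns the chain root-first."""
    parent = {d: s for k, s, d, _, _ in events if k == "write"}
    chain = [pid]
    while chain[-1] in parent and parent[chain[-1]] not in chain:  # guard against cycles
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render_tree(events):
    """Indented process chain built from the write edges, hollowed children marked."""
    children, image = defaultdict(list), {}
    for kind, src, dst, src_img, dst_img in events:
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        if kind == "write" and dst not in children[src]:
            children[src].append(dst)
    hollowed = {child for _, child, _ in find_hollowing(events)}
    has_parent = {d for kids in children.values() for d in kids}
    lines = []

    def walk(pid, depth):
        mark = "  <- hollowed" if pid in hollowed else ""
        lines.append(f"{'  ' * depth}{pid} {basename(image[pid])}{mark}")
        for kid in children[pid]:
            walk(kid, depth + 1)

    for root in [p for p in image if p not in has_parent]:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_rows(SANDBOX_ROWS)
    print(render_tree(evs))
    print("hollowing candidates:", find_hollowing(evs))
```

Treating a memory write as a parent/child edge is an approximation: the sandbox reports WriteProcessMemory, not process creation, so a process that only injected into an already-running target would appear here as its "parent". In this run the write edges coincide with the process list above, which is why the lineage of PID 3036 reads Quotation6547558,pdf.exe -> hollowed copy -> WScript.exe -> cmd.exe -> remcos.exe -> hollowed copy, and both hollowed copies are the ones that later hold the 0x400000-0x421000 image region in the memory dumps below.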

Network

Identical rows collapsed; Count is the number of times the row appeared in the report.

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | favour2021.ddns.net | udp | 1
US | 216.218.135.118:1990 | favour2021.ddns.net | tcp | 3

Files

memory/1952-0-0x000000007425E000-0x000000007425F000-memory.dmp

memory/1952-1-0x0000000000020000-0x00000000000D6000-memory.dmp

memory/1952-2-0x0000000074250000-0x000000007493E000-memory.dmp

memory/1952-3-0x0000000000570000-0x000000000057A000-memory.dmp

memory/1952-4-0x000000007425E000-0x000000007425F000-memory.dmp

memory/1952-5-0x0000000074250000-0x000000007493E000-memory.dmp

memory/1952-6-0x0000000004E10000-0x0000000004E6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp900F.tmp

MD5 b2896c8bf24e347c1d1f4c11e5c98ce2
SHA1 05da8c74754d886396e2c0b51c7b1bebb76dedab
SHA256 be0c0c4b9b22f04607347cb0abfd70aa3335b28ef722051561c5597aa2b0fffe
SHA512 afe46dd8bf288c17c7e4b934c5ef694011598ff099499974794e3a41d9cff1706eb6e7d34c83df21a803c657ed76ac3a1583a64a3bb5a86d7371de66b8523976

memory/2680-12-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2680-20-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2680-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2680-15-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2680-17-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2680-16-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2680-13-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2680-14-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2680-22-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2680-25-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1952-26-0x0000000074250000-0x000000007493E000-memory.dmp

memory/2680-29-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5 b92d64fe5b1d1f59df4b738262aea8df
SHA1 c8fb1981759c2d9bb2ec91b705985fba5fc7af63
SHA256 fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a
SHA512 2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5 8dbeaa2200e3dd4d09247606d25bec31
SHA1 72265ac4686a37571cdd1f7a6961853de166dc00
SHA256 e45bc4ce4e4f84bedc7ec144517df1d16ea97b1803fa1b3cf21c581390b50bf8
SHA512 c73fbe6c7300ccb33e6b293ab6218d605e52e20651a3bf22f2c51b2326fe63bd7b4b0978dbd190d714c3d889eb2d9256c62722d2180eba1e082db531d30f3ef2

memory/1724-34-0x0000000000DE0000-0x0000000000E96000-memory.dmp

memory/3036-56-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3036-53-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3036-52-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3036-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3036-57-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3036-59-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3036-60-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3036-63-0x0000000000400000-0x0000000000421000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-19 10:58

Reported

2024-07-19 11:01

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3140 set thread context of 4132 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe | C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe
PID 3684 set thread context of 3648 | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | N/A

Suspicious use of WriteProcessMemory

Identical rows collapsed; Count is the number of times the row appeared in the report.

Description | Indicator | Process | Target | Count
PID 3140 wrote to memory of 760 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 3140 wrote to memory of 4132 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe | C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe | 10
PID 4132 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe | C:\Windows\SysWOW64\WScript.exe | 3
PID 2140 wrote to memory of 3404 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 3404 wrote to memory of 3684 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | 3
PID 3684 wrote to memory of 752 | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 3684 wrote to memory of 4764 | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | 3
PID 3684 wrote to memory of 3648 | N/A | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe | 10

Processes

C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rtzecNlXv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB1B7.tmp"

C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation6547558,pdf.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rtzecNlXv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB83A.tmp"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"

Network

Consecutive identical rows collapsed; Count is the number of times the row appeared in the report.

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | tse1.mm.bing.net | udp | 1
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp | 5
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | favour2021.ddns.net | udp | 1
US | 216.218.135.118:1990 | favour2021.ddns.net | tcp | 1
US | 8.8.8.8:53 | 118.135.218.216.in-addr.arpa | udp | 1
US | 216.218.135.118:1990 | favour2021.ddns.net | tcp | 1
US | 8.8.8.8:53 | 210.80.50.20.in-addr.arpa | udp | 1
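
An added example, not from the report, that turns the behavioral2 artefacts above into hunting rules and runs them over constructed telemetry: the schtasks.exe, WScript.exe and cmd.exe command lines, the Run-key write and the favour2021.ddns.net DNS/TCP rows from this run, plus two benign decoys (an svchost.exe launch and the tse1.mm.bing.net lookup) to show the rules stay quiet on ordinary Windows activity. The event field names, the dynamic-DNS suffix list and the 80/443 port allow-list are assumptions of the example, not anything the sandbox emits.

```python
import re
from ntpath import basename

# Telemetry constructed from the behavioral2 command lines, Run-key write and network
# rows in the report, plus two benign decoys.  Field names are this example's own,
# not a real EDR schema.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rtzecNlXv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB1B7.tmp"'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"'},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},                       # decoy
    {"type": "registry",
     "key": r"\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos",
     "value": r'"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"'},
    {"type": "dns", "query": "favour2021.ddns.net", "answer": "216.218.135.118"},
    {"type": "dns", "query": "tse1.mm.bing.net", "answer": "150.171.27.10"},          # decoy
    {"type": "tcp", "dst": "216.218.135.118", "port": 1990},
    {"type": "tcp", "dst": "150.171.27.10", "port": 443},                              # decoy
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
ROAMING_DIR = re.compile(r"\\AppData\\Roaming\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org")  # assumption: illustrative list only
WEB_PORTS = {80, 443}                                           # assumption: ports not treated as odd


def quoted_args(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths as one argument."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def rule_schtasks_xml_from_temp(ev):
    """schtasks.exe /Create importing a task definition (/XML) from the user's Temp directory."""
    args = quoted_args(ev["cmdline"])
    if basename(ev["image"]).lower() != "schtasks.exe" or "/create" not in [a.lower() for a in args]:
        return None
    for flag, val in zip(args, args[1:]):
        if flag.lower() == "/xml" and TEMP_DIR.search(val):
            return f"task definition imported from {val}"
    return None


def rule_wscript_vbs_from_temp(ev):
    """Windows Script Host executing a script dropped in Temp (install.vbs in this run)."""
    if basename(ev["image"]).lower() not in ("wscript.exe", "cscript.exe"):
        return None
    for arg in quoted_args(ev["cmdline"])[1:]:
        if arg.lower().endswith((".vbs", ".vbe", ".js", ".jse")) and TEMP_DIR.search(arg):
            return f"script host ran {arg}"
    return None


def rule_cmd_launches_roaming_exe(ev):
    """cmd.exe /c used as a launcher for an executable under AppData\\Roaming."""
    if basename(ev["image"]).lower() != "cmd.exe":
        return None
    for arg in quoted_args(ev["cmdline"])[1:]:
        if arg.lower().endswith(".exe") and ROAMING_DIR.search(arg):
            return f"cmd.exe launched {arg}"
    return None


def rule_run_key_to_roaming(ev):
    """HKCU Run value whose command points into AppData\\Roaming."""
    value = ev["value"].strip('"')
    if RUN_KEY.search(ev["key"]) and ROAMING_DIR.search(value):
        return f"Run\\{basename(ev['key'])} -> {value}"
    return None


def rule_dyndns_c2(events):
    """Correlate a dynamic-DNS lookup with a TCP connection to its answer on a non-web port."""
    resolved = {e["answer"]: e["query"] for e in events
                if e["type"] == "dns" and e["query"].lower().endswith(DYNDNS_SUFFIXES)}
    return [f"{resolved[e['dst']]} ({e['dst']}:{e['port']})" for e in events
            if e["type"] == "tcp" and e["dst"] in resolved and e["port"] not in WEB_PORTS]


PROCESS_RULES = {
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "wscript_vbs_from_temp": rule_wscript_vbs_from_temp,
    "cmd_launches_roaming_exe": rule_cmd_launches_roaming_exe,
}


def evaluate(events):
    """Return (rule_name, evidence) pairs in event order; the network correlation comes last."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            for name, rule in PROCESS_RULES.items():
                evidence = rule(ev)
                if evidence:
                    hits.append((name, evidence))
        elif ev["type"] == "registry":
            evidence = rule_run_key_to_roaming(ev)
            if evidence:
                hits.append(("run_key_to_roaming", evidence))
    hits += [("dyndns_c2", evidence) for evidence in rule_dyndns_c2(events)]
    return hits


if __name__ == "__main__":
    for name, evidence in evaluate(EVENTS):
        print(f"{name:26s} {evidence}")
```

The task name "Updates\rtzecNlXv" and the tmp*.tmp file name change between runs (tmp900F/tmp8A84 on win7, tmpB1B7/tmpB83A on win10), so the rules key on the structure of the command (schtasks /Create /XML from Temp, script host from Temp, cmd.exe launching from Roaming) rather than on those strings; the Run value "Remcos" and the ddns.net hostname are the stable IOCs from this sample, and 216.218.135.118:1990 is the address both runs connected to.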

Files

memory/3140-0-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

memory/3140-1-0x0000000000C30000-0x0000000000CE6000-memory.dmp

memory/3140-2-0x0000000005670000-0x000000000570C000-memory.dmp

memory/3140-3-0x0000000005CC0000-0x0000000006264000-memory.dmp

memory/3140-4-0x00000000057B0000-0x0000000005842000-memory.dmp

memory/3140-5-0x0000000005740000-0x000000000574A000-memory.dmp

memory/3140-6-0x00000000059E0000-0x0000000005A36000-memory.dmp

memory/3140-7-0x0000000074C00000-0x00000000753B0000-memory.dmp

memory/3140-8-0x0000000005790000-0x000000000579A000-memory.dmp

memory/3140-9-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

memory/3140-10-0x0000000074C00000-0x00000000753B0000-memory.dmp

memory/3140-11-0x0000000006620000-0x000000000667C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB1B7.tmp

MD5 ff2d636190703bf42b22efde9d65936e
SHA1 6cdbc2abf06387fbb42fdb4ec5d846d2135b7392
SHA256 06b22f247c6104b6272df539eb6d40929eb6ec3778b42ec77a4b88edffe368e6
SHA512 40c71c4f92f7c5ad151fc0e0378ff0ecc086c3e12ce3408802e7df84531e12198217492e70e980e4e60c2b670becdcaa18e228fa3d35b38193319e217a6f175c

memory/4132-17-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4132-20-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4132-23-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3140-24-0x0000000074C00000-0x00000000753B0000-memory.dmp

memory/4132-27-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5 b92d64fe5b1d1f59df4b738262aea8df
SHA1 c8fb1981759c2d9bb2ec91b705985fba5fc7af63
SHA256 fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a
SHA512 2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5 8dbeaa2200e3dd4d09247606d25bec31
SHA1 72265ac4686a37571cdd1f7a6961853de166dc00
SHA256 e45bc4ce4e4f84bedc7ec144517df1d16ea97b1803fa1b3cf21c581390b50bf8
SHA512 c73fbe6c7300ccb33e6b293ab6218d605e52e20651a3bf22f2c51b2326fe63bd7b4b0978dbd190d714c3d889eb2d9256c62722d2180eba1e082db531d30f3ef2

memory/3648-38-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3648-39-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3648-42-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3648-43-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3648-45-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3648-46-0x0000000000400000-0x0000000000421000-memory.dmp