Malware Analysis Report

2024-11-13 18:48

Sample ID 240726-lgxvpszajk
Target 737b1925f1d948ace5796ba229057715_JaffaCakes118
SHA256 aa966e13129d97d07b3b2b8e08e3a85a4369a9e4e871b6b79f5debabca33308f
Tags
remcos remotehost discovery persistence rat
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

aa966e13129d97d07b3b2b8e08e3a85a4369a9e4e871b6b79f5debabca33308f

Threat Level: Known bad

The file 737b1925f1d948ace5796ba229057715_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

remcos remotehost discovery persistence rat

Remcos

Deletes itself

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-26 09:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 09:30

Reported

2024-07-26 09:35

Platform

win7-20240705-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe"

Signatures

Remcos

rat remcos

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe
PID 1556 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe C:\Windows\SysWOW64\WScript.exe
PID 2300 wrote to memory of 2860 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 2864 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

Processes

C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe

"C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe"

C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe

"C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 capriteam.ddns.net udp
US 216.218.135.118:1010 capriteam.ddns.net tcp
US 216.218.135.118:1010 tcp

Files

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5 f0d01340e5c004f05ecd705538a911a6
SHA1 0f06aa4c4ac3c72fb8572f61a6dfeef86cb4a483
SHA256 0a71a6582d07e6832f82d6b4b3f4e4307bceebd5d82cee232570bee0c04c8a32
SHA512 a22f49628786978e3b1a6ac94cb87303c110669544c34ebb9521e8611cb98989a3949b2c892a25707c7471f7c9843bb06f850c404a429886723f6d05ab0c2862

\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5 8c359e6a1e069354f3c7ceb5457157e6
SHA1 b1d305325bdf240f374de2f10932db83290199ff
SHA256 598fbc003f3775d3441846dec51317b6e81422a78c9a0d1b53353025d6953175
SHA512 98292df3fdc144f80b0e5c0f767323c65b1284a2adc282c528428f80b0b4045d50fa8f168c7bec9541e62b11548c177a552bd5d49f62ebf0a6a2174df234a613

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 09:30

Reported

2024-07-26 09:35

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4980 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe
PID 4332 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe C:\Windows\SysWOW64\WScript.exe
PID 1708 wrote to memory of 708 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 708 wrote to memory of 4148 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
PID 4148 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

Processes

C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe

"C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe"

C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe

"C:\Users\Admin\AppData\Local\Temp\HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 capriteam.ddns.net udp
US 216.218.135.118:1010 capriteam.ddns.net tcp
US 8.8.8.8:53 118.135.218.216.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5 f0d01340e5c004f05ecd705538a911a6
SHA1 0f06aa4c4ac3c72fb8572f61a6dfeef86cb4a483
SHA256 0a71a6582d07e6832f82d6b4b3f4e4307bceebd5d82cee232570bee0c04c8a32
SHA512 a22f49628786978e3b1a6ac94cb87303c110669544c34ebb9521e8611cb98989a3949b2c892a25707c7471f7c9843bb06f850c404a429886723f6d05ab0c2862

C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe

MD5 8c359e6a1e069354f3c7ceb5457157e6
SHA1 b1d305325bdf240f374de2f10932db83290199ff
SHA256 598fbc003f3775d3441846dec51317b6e81422a78c9a0d1b53353025d6953175
SHA512 98292df3fdc144f80b0e5c0f767323c65b1284a2adc282c528428f80b0b4045d50fa8f168c7bec9541e62b11548c177a552bd5d49f62ebf0a6a2174df234a613
