Malware Analysis Report

2025-01-02 03:03

Sample ID 240812-1bd8qs1blr
Target idk.exe
SHA256 dc0e648c50a81a0be80931b39a973d0edf899eb09c778e68a8b6025635696a05
Tags
remcos remotehost discovery evasion persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc0e648c50a81a0be80931b39a973d0edf899eb09c778e68a8b6025635696a05

Threat Level: Known bad

The file idk.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost discovery evasion persistence rat trojan

In both detonations idk.exe copies itself to C:\Windows\SysWOW64\Windows\Windows.exe (same SHA256 as the submitted sample), registers that path under the Run keys as Rmc-HIITQK, and launches cmd.exe /k reg.exe ADD ... EnableLUA /d 0 to switch UAC off for future sessions. The copy then hollows iexplore.exe, which in turn hollows svchost.exe; the sample resolves k-peterson.gl.at.ply.gg and connects to 147.185.221.21:64076, and Remcos writes its log to C:\ProgramData\remcos\logs.dat.

UAC bypass

Remcos family

Remcos

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Modifies registry key

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-08-12 21:28

Signatures

Remcos family

remcos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 21:28

Reported

2024-08-12 21:30

Platform

win7-20240708-en

Max time kernel

147s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\idk.exe"

Signatures

Remcos

rat remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

The three rows are three separate reg.exe processes (PIDs 2820, 2788 and 2596 in the WriteProcessMemory table below), one spawned through cmd.exe /k by each stage of the chain: idk.exe, the Windows.exe copy and the hollowed iexplore.exe. The signature name overstates what happens. Writing EnableLUA under HKLM\SOFTWARE\...\Policies\System requires the writer to already hold administrative rights, and EnableLUA=0 only takes effect after the next reboot, so this disables UAC for later sessions rather than bypassing a prompt in the current one. The detection value is the command line itself (reg.exe ADD ... EnableLUA ... /d 0) and the resulting registry write, both of which are rare in legitimate administration.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Windows\Windows.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\idk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\idk.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" C:\Windows\SysWOW64\Windows\Windows.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" C:\Windows\SysWOW64\Windows\Windows.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" C:\Users\Admin\AppData\Local\Temp\idk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" C:\Users\Admin\AppData\Local\Temp\idk.exe N/A

Two values (the user's HKCU Run and the 32-bit HKLM Wow6432Node Run view) are each written three times, once by every stage of the chain (idk.exe, Windows.exe, the hollowed iexplore.exe), so persistence is re-established even if one copy is removed while the implant is running. The value name Rmc-HIITQK is identical in both detonations, which ran on hosts with different SIDs, so it is fixed in this build's configuration rather than generated per host and is the registry indicator to hunt for.

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Windows\Windows.exe C:\Users\Admin\AppData\Local\Temp\idk.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows\Windows.exe C:\Users\Admin\AppData\Local\Temp\idk.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows C:\Users\Admin\AppData\Local\Temp\idk.exe N/A
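The UAC, Run key and System32 drop tables above translate directly into host telemetry rules. The Python below is an added example by the editor, not part of the sandbox report: it runs a small rule set over constructed Sysmon-style events that mirror these rows (plus one benign Run entry as a control) and tags each finding with an ATT&CK technique ID chosen by the example author. Field names follow Sysmon's schema (EventID 1/11/13, Image, TargetObject, Details); the event data itself is constructed, not captured telemetry.

```python
"""Detection rules for the registry, file and process behaviour in the tables
above, run over constructed Sysmon-style events (not real telemetry)."""
import re

# Constructed events mirroring the behavioral1 rows above. Field names follow
# Sysmon: EventID 1 = process create, 11 = file create, 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\SysWOW64\reg.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows"
                    r"\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"EventID": 13,
     "Image": r"C:\Windows\SysWOW64\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 11,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\idk.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\Windows\Windows.exe"},
    {"EventID": 13,
     "Image": r"C:\Windows\SysWOW64\Windows\Windows.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK",
     "Details": r'"C:\Windows\SysWOW64\Windows\Windows.exe"'},
    # Benign control: an installer registering an ordinary Run value.
    {"EventID": 13,
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe"'},
]

RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Technique IDs below are this example's own mapping, not taken from the report.


def dword_value(details):
    """Sysmon renders REG_DWORD data as 'DWORD (0x00000000)'; return int or None."""
    m = re.fullmatch(r"DWORD \(0x([0-9a-fA-F]{8})\)", details or "")
    return int(m.group(1), 16) if m else None


def check_event(ev):
    """Return (rule, technique, evidence) tuples raised by one event."""
    hits = []
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    if eid == 13:
        target = ev.get("TargetObject", "")
        if (target.lower().endswith(r"\policies\system\enablelua")
                and dword_value(ev.get("Details")) == 0):
            hits.append(("uac_disabled_enablelua_0", "T1112", target))
        m = RUN_VALUE.search(target)
        if m:
            name = m.group(1)
            data = ev.get("Details", "").strip('"').lower()
            if name.startswith("Rmc-"):
                # The "Rmc-" prefix is the Run value name seen in this report.
                hits.append(("remcos_run_value_name", "T1547.001", target))
            if any(data.startswith(d) for d in SYSTEM_DIRS) and data.count("\\") > 3:
                # A Run value pointing into a *subdirectory* of System32/SysWOW64
                # (here SysWOW64\Windows\Windows.exe) is not how Windows autostarts look.
                hits.append(("run_value_into_system_subdir", "T1547.001", data))
    elif eid == 11:
        fn = ev.get("TargetFilename", "").lower()
        if any(fn.startswith(d) for d in SYSTEM_DIRS) and "\\appdata\\local\\temp\\" in image:
            hits.append(("temp_binary_drops_into_system_dir", "T1036.005", fn))
    elif eid == 1:
        cmd = ev.get("CommandLine", "").lower()
        if image.endswith(r"\reg.exe") and "enablelua" in cmd and re.search(r"/d\s+0\b", cmd):
            hits.append(("reg_exe_disables_uac", "T1112", ev.get("CommandLine")))
    return hits


def scan(events):
    """Run every rule over every event; findings keep the event index for triage."""
    return [{"event": i, "rule": r, "technique": t, "evidence": e}
            for i, ev in enumerate(events) for r, t, e in check_event(ev)]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f['event']} [{f['technique']}] {f['rule']}: {f['evidence']}")
```

The Run-key rule deliberately fires twice on the Remcos entry: once on the value name, once on the data path, so the second rule still catches a build that changes the Rmc- prefix but keeps the SysWOW64 drop location.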

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2604 set thread context of 2684 N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2684 set thread context of 1840 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe

Read together with the WriteProcessMemory and MapViewOfSection entries below, this is two rounds of process hollowing: Windows.exe (2604) starts iexplore.exe, writes into it and redirects its thread with SetThreadContext; the hollowed iexplore.exe (2684) then does the same to svchost.exe (1840). Both hosts are the 32-bit system binaries (Program Files (x86), SysWOW64), which is why the later SetWindowsHookEx and MapViewOfSection hits are attributed to iexplore.exe rather than to the sample's own image. For hunting, the parent/child pairs themselves are the anomaly: Windows.exe is not a Microsoft binary name, and iexplore.exe has no business spawning cmd.exe or svchost.exe.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Windows\Windows.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\idk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Windows\Windows.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Windows\Windows.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2704 wrote to memory of 2744 (x4) N/A C:\Users\Admin\AppData\Local\Temp\idk.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2820 (x4) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2704 wrote to memory of 2604 (x4) N/A C:\Users\Admin\AppData\Local\Temp\idk.exe C:\Windows\SysWOW64\Windows\Windows.exe
PID 2604 wrote to memory of 2872 (x4) N/A C:\Windows\SysWOW64\Windows\Windows.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2684 (x5) N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2684 wrote to memory of 2624 (x4) N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2788 (x4) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 2596 (x4) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 1840 (x5) N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe

Identical rows are collapsed; (xN) is the number of WriteProcessMemory calls logged for that parent/child pair. Every spawned child gets four writes from its parent, including the benign cmd.exe and reg.exe children, so that count alone is not an injection indicator; the two targets that receive a fifth write plus a SetThreadContext (iexplore.exe, svchost.exe) are the hollowed ones.
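The WriteProcessMemory and SetThreadContext rows encode the whole process tree and the injection chain. The Python below is an added example by the editor, not part of the sandbox report: it parses rows in exactly that format (the behavioral1 rows are embedded inline, duplicates already collapsed; the parser also accepts the raw repeated rows), rebuilds the parent/child tree and reports the pairs where a parent both wrote into a child and reset its thread context, the hollowing signature. The column-splitting heuristic (an image path begins with `C:\` or `\??\`) is an assumption about this report's formatting.

```python
"""Rebuild the process tree and the injection chain from sandbox
'wrote to memory of' / 'set thread context of' rows."""
import re
from collections import defaultdict

# Rows copied from the behavioral1 tables above, one per parent/child pair.
REPORT_ROWS = r"""
PID 2704 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\idk.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2704 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\idk.exe C:\Windows\SysWOW64\Windows\Windows.exe
PID 2604 wrote to memory of 2872 N/A C:\Windows\SysWOW64\Windows\Windows.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2684 N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2684 wrote to memory of 2624 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2624 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 1840 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2604 set thread context of 2684 N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2684 set thread context of 1840 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
"""

# Assumption about the report's layout: an image path starts with "C:\" or "\??\",
# which is what lets two space-containing paths be split apart.
PATH = r"(?:[A-Za-z]:\\|\\\?\?\\)"
ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_img>" + PATH + r".*?) (?P<dst_img>" + PATH + r".*)$"
)


def parse_rows(text):
    """Return unique (src_pid, op, dst_pid, src_img, dst_img) edges in report order."""
    edges, seen = [], set()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        key = (int(m["src"]), m["op"], int(m["dst"]))
        if key in seen:            # the sandbox logs one row per API call
            continue
        seen.add(key)
        edges.append((*key, m["src_img"], m["dst_img"]))
    return edges


def process_tree(edges):
    """Parent -> [children] and pid -> image, from the 'wrote to memory of' rows.
    In this report every spawned child appears as such a row from its parent
    (process creation itself writes startup data into the child), so these
    edges double as the process tree."""
    children, images = defaultdict(list), {}
    for src, op, dst, src_img, dst_img in edges:
        if op != "wrote to memory of":
            continue
        if dst not in children[src]:
            children[src].append(dst)
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
    return children, images


def hollowing_chain(edges):
    """Pairs where the parent both wrote into the child and reset its thread
    context: the process-hollowing signature, in report order."""
    writes = {(s, d) for s, op, d, _, _ in edges if op == "wrote to memory of"}
    return [(s, d) for s, op, d, _, _ in edges
            if op == "set thread context of" and (s, d) in writes]


def roots(children):
    """PIDs that are parents but never children (the submitted sample here)."""
    all_children = {c for cs in children.values() for c in cs}
    return [p for p in children if p not in all_children]


def path_to(children, root, target):
    """Ancestry path from root to target PID, or None if unreachable."""
    stack = [(root, [root])]
    while stack:
        pid, path = stack.pop()
        if pid == target:
            return path
        for c in children.get(pid, []):
            stack.append((c, path + [c]))
    return None


def render(children, images, pid, depth=0):
    lines = [f"{'  ' * depth}{pid} {images.get(pid, '?')}"]
    for c in children.get(pid, []):
        lines.extend(render(children, images, c, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_rows(REPORT_ROWS)
    children, images = process_tree(edges)
    for r in roots(children):
        print("\n".join(render(children, images, r)))
    for s, d in hollowing_chain(edges):
        print(f"hollowing: {s} ({images[s]}) -> {d} ({images[d]})")
```

Because only pairs that appear in both tables are reported, the benign cmd.exe and reg.exe children (written to, never SetThreadContext'ed) drop out, leaving the two-stage chain Windows.exe -> iexplore.exe -> svchost.exe.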

Processes

Indented by parent/child; PIDs are taken from the WriteProcessMemory table above.

C:\Users\Admin\AppData\Local\Temp\idk.exe (PID 2704)
    "C:\Users\Admin\AppData\Local\Temp\idk.exe"
  C:\Windows\SysWOW64\cmd.exe (PID 2744)
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    C:\Windows\SysWOW64\reg.exe (PID 2820)
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  C:\Windows\SysWOW64\Windows\Windows.exe (PID 2604)
      "C:\Windows\SysWOW64\Windows\Windows.exe"
    C:\Windows\SysWOW64\cmd.exe (PID 2872)
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      C:\Windows\SysWOW64\reg.exe (PID 2788)
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    \??\c:\program files (x86)\internet explorer\iexplore.exe (PID 2684, hollowed via SetThreadContext)
        "c:\program files (x86)\internet explorer\iexplore.exe"
      C:\Windows\SysWOW64\cmd.exe (PID 2624)
          /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        C:\Windows\SysWOW64\reg.exe (PID 2596)
            C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      C:\Windows\SysWOW64\svchost.exe (PID 1840, hollowed via SetThreadContext)
          svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 k-peterson.gl.at.ply.gg udp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp (x7)

Seven identical TCP rows collapsed. This run shows nothing but the C2 path: one DNS query for k-peterson.gl.at.ply.gg via 8.8.8.8, then repeated connections to 147.185.221.21:64076. A *.gl.at.ply.gg name is a playit.gg tunnel endpoint, so the IP is a relay in front of the operator's real host; block both the hostname and the IP:port pair, and expect both to change whenever the tunnel is recreated.

Files

\Windows\SysWOW64\Windows\Windows.exe

MD5 783b3ecb43e1e04cac88e273c7ad2753
SHA1 4df53206d490af68c1352091ba7a51fbe6d23139
SHA256 dc0e648c50a81a0be80931b39a973d0edf899eb09c778e68a8b6025635696a05
SHA512 cc5b563719391acf3a3c54d4ad527e59a0181f57d51a4fc97e7a3a19372392cfa98710f61962844948565e150b92ebf37b2710e30455506d11cfeb174986309b

These hashes are identical to the submitted sample: Windows.exe is a byte-for-byte self-copy, so the sample's own hashes are the file IOC and no second-stage binary is written to disk. Creating a directory under SysWOW64 requires an elevated token, so the sandbox ran the sample with administrative rights; without elevation both the copy and the EnableLUA write would fail. The memory dumps that follow are all from the hollowed processes (PIDs 2684 and 1840); the regions 0x180000-0x202000 and 0x130000-0x1B2000 are the same size (0x82000 bytes), consistent with one unpacked payload image being injected into each.

memory/2684-12-0x0000000000180000-0x0000000000202000-memory.dmp

memory/2684-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2684-13-0x0000000000180000-0x0000000000202000-memory.dmp

memory/2684-18-0x0000000000180000-0x0000000000202000-memory.dmp

memory/2684-14-0x0000000000180000-0x0000000000202000-memory.dmp

memory/1840-22-0x0000000000130000-0x00000000001B2000-memory.dmp

memory/1840-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1840-23-0x0000000000130000-0x00000000001B2000-memory.dmp

memory/2684-25-0x0000000000180000-0x0000000000202000-memory.dmp

memory/2684-30-0x0000000000180000-0x0000000000202000-memory.dmp

memory/2684-31-0x0000000000180000-0x0000000000202000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 d4625e23675b33a1f87718e1335b50ba
SHA1 4f9739d2f7865201acf14fb8d61f19b602c5b439
SHA256 29320abb65ed92a4ded579741c2507283fff25dc628a14da0a7578019ec1bf86
SHA512 2ba7dbcc36b2ec801b5e81fce44b301e8c89c2df8c7b137f1e9ab3391ac1402836080118e5df90611e7e843fba94b7302508bdd398ba381c59e727b2c4180074

logs.dat under %ProgramData%\remcos is the Remcos keystroke/activity log. Its hashes differ between this run and behavioral2 because the captured contents differ, so the path, not the hash, is the indicator to use.

memory/2684-36-0x0000000000180000-0x0000000000202000-memory.dmp

memory/2684-37-0x0000000000180000-0x0000000000202000-memory.dmp

memory/2684-43-0x0000000000180000-0x0000000000202000-memory.dmp

memory/2684-44-0x0000000000180000-0x0000000000202000-memory.dmp

memory/2684-49-0x0000000000180000-0x0000000000202000-memory.dmp

memory/2684-50-0x0000000000180000-0x0000000000202000-memory.dmp

memory/2684-56-0x0000000000180000-0x0000000000202000-memory.dmp

memory/2684-57-0x0000000000180000-0x0000000000202000-memory.dmp

memory/2684-62-0x0000000000180000-0x0000000000202000-memory.dmp

memory/2684-63-0x0000000000180000-0x0000000000202000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 21:28

Reported

2024-08-12 21:30

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\idk.exe"

Signatures

Remcos

rat remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

As in behavioral1, these are three reg.exe processes (PIDs 860, 1668 and 4560 below), one per stage of the chain. The write needs an already-elevated token and only takes effect after a reboot, so it disables UAC for later sessions rather than bypassing it now.

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\idk.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Windows\Windows.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" C:\Users\Admin\AppData\Local\Temp\idk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" C:\Users\Admin\AppData\Local\Temp\idk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" C:\Windows\SysWOW64\Windows\Windows.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" C:\Windows\SysWOW64\Windows\Windows.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-HIITQK = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Windows\Windows.exe C:\Users\Admin\AppData\Local\Temp\idk.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows\Windows.exe C:\Users\Admin\AppData\Local\Temp\idk.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows C:\Users\Admin\AppData\Local\Temp\idk.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3012 set thread context of 4008 N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4008 set thread context of 4568 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe

Same two-stage hollowing as behavioral1 (Windows.exe -> iexplore.exe -> svchost.exe), here with PIDs 3012 -> 4008 -> 4568; the memory dumps for 4008 and 4568 in the Files section are the injected images.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\idk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Windows\Windows.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\idk.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Windows\Windows.exe N/A
N/A N/A C:\Windows\SysWOW64\Windows\Windows.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Windows\Windows.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 4600 (x3) N/A C:\Users\Admin\AppData\Local\Temp\idk.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 860 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2392 wrote to memory of 3012 (x3) N/A C:\Users\Admin\AppData\Local\Temp\idk.exe C:\Windows\SysWOW64\Windows\Windows.exe
PID 3012 wrote to memory of 3920 (x3) N/A C:\Windows\SysWOW64\Windows\Windows.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 4008 (x4) N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4008 wrote to memory of 640 (x3) N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 4568 (x4) N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 3920 wrote to memory of 1668 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 640 wrote to memory of 4560 (x3) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Identical rows are collapsed; (xN) is the number of WriteProcessMemory calls logged for that parent/child pair. On Windows 10 every spawned child gets three writes from its parent; the two targets that receive a fourth write plus a SetThreadContext (iexplore.exe, svchost.exe) are the hollowed ones.

Processes

Indented by parent/child; PIDs are taken from the WriteProcessMemory table above.

C:\Users\Admin\AppData\Local\Temp\idk.exe (PID 2392)
    "C:\Users\Admin\AppData\Local\Temp\idk.exe"
  C:\Windows\SysWOW64\cmd.exe (PID 4600)
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    C:\Windows\SysWOW64\reg.exe (PID 860)
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  C:\Windows\SysWOW64\Windows\Windows.exe (PID 3012)
      "C:\Windows\SysWOW64\Windows\Windows.exe"
    C:\Windows\SysWOW64\cmd.exe (PID 3920)
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      C:\Windows\SysWOW64\reg.exe (PID 1668)
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    \??\c:\program files (x86)\internet explorer\iexplore.exe (PID 4008, hollowed via SetThreadContext)
        "c:\program files (x86)\internet explorer\iexplore.exe"
      C:\Windows\SysWOW64\cmd.exe (PID 640)
          /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        C:\Windows\SysWOW64\reg.exe (PID 4560)
            C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      C:\Windows\SysWOW64\svchost.exe (PID 4568, hollowed via SetThreadContext)
          svchost.exe

Network

Only k-peterson.gl.at.ply.gg / 147.185.221.21:64076 is sample-attributable in this run. The in-addr.arpa rows are PTR lookups (21.221.185.147.in-addr.arpa is simply the reverse of the C2 address) and tse1.mm.bing.net is typical Windows 10 background traffic from the detonation VM; neither belongs on an IOC list.

Country Destination Domain Proto
US 8.8.8.8:53 k-peterson.gl.at.ply.gg udp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 8.8.8.8:53 21.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 k-peterson.gl.at.ply.gg udp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
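A Windows 10 detonation mixes the sample's traffic with the VM's own, as the table above shows. The Python below is an added example by the editor, not part of the sandbox report: it parses rows in the table's format (a subset of the rows above is embedded inline), drops background traffic by hostname suffix, separates DNS queries from real connections, flags PTR lookups that merely reverse a C2 address, and emits a Suricata rule for what remains. The background-suffix list and the rule's sid/msg are the example's own assumptions, not values from the report.

```python
"""Triage of a sandbox Network table: separate VM background traffic from
sample traffic, aggregate what is left, and emit a Suricata rule for the C2."""
import re
from collections import Counter

# Rows copied from the behavioral2 Network table above (a subset; the parser
# accepts the whole table).
NETWORK_ROWS = """\
US 8.8.8.8:53 k-peterson.gl.at.ply.gg udp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 8.8.8.8:53 21.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
"""

ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
                 r"(?P<domain>\S+) (?P<proto>tcp|udp)$")

# Assumption: names under these suffixes are the Windows VM talking to Microsoft
# or doing its own reverse lookups, not the sample. Tune per sandbox image.
BACKGROUND_SUFFIXES = (".in-addr.arpa", ".bing.net", ".microsoft.com",
                       ".windowsupdate.com", ".msftconnecttest.com")


def parse(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                         "domain": m["domain"], "proto": m["proto"]})
    return rows


def is_background(domain):
    return domain.lower().endswith(BACKGROUND_SUFFIXES)


def ptr_to_ip(name):
    """'21.221.185.147.in-addr.arpa' -> '147.185.221.21' (None if not a PTR name)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", name)
    return ".".join(reversed(m.groups())) if m else None


def triage(rows):
    out = {"dns_queries": Counter(), "connections": Counter(), "background": Counter()}
    for r in rows:
        if is_background(r["domain"]):
            out["background"][r["domain"]] += 1
        elif r["port"] == 53 and r["proto"] == "udp":
            # The IP column is the resolver here, not a destination to block.
            out["dns_queries"][r["domain"]] += 1
        else:
            out["connections"][(r["ip"], r["port"], r["proto"], r["domain"])] += 1
    c2_ips = {ip for ip, _, _, _ in out["connections"]}
    # Listed separately so nobody copies the in-addr.arpa name into an IOC list.
    out["ptr_lookups_of_c2"] = sorted(d for d in out["background"] if ptr_to_ip(d) in c2_ips)
    return out


def suricata_rule(ip, port, proto, sid, msg):
    """One rule per sample-attributable destination; sid/msg are the caller's."""
    flow = "to_server,established" if proto == "tcp" else "to_server"
    return (f'alert {proto} $HOME_NET any -> {ip} {port} (msg:"{msg}"; flow:{flow}; '
            f"classtype:trojan-activity; sid:{sid}; rev:1;)")


if __name__ == "__main__":
    t = triage(parse(NETWORK_ROWS))
    print("DNS queries by sample:", dict(t["dns_queries"]))
    print("PTR lookups of C2 IP:", t["ptr_lookups_of_c2"])
    print("background rows dropped:", sum(t["background"].values()))
    for i, ((ip, port, proto, domain), n) in enumerate(t["connections"].items()):
        print(f"{n}x {proto} {ip}:{port} ({domain})")
        print(suricata_rule(ip, port, proto, 9000001 + i, f"Remcos C2 {domain}"))  # sid is hypothetical
```

Pair the IP:port rule with a DNS-query rule on the hostname; with a tunnel relay like ply.gg the IP is the part most likely to rotate.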

Files

C:\Windows\SysWOW64\Windows\Windows.exe

MD5 783b3ecb43e1e04cac88e273c7ad2753
SHA1 4df53206d490af68c1352091ba7a51fbe6d23139
SHA256 dc0e648c50a81a0be80931b39a973d0edf899eb09c778e68a8b6025635696a05
SHA512 cc5b563719391acf3a3c54d4ad527e59a0181f57d51a4fc97e7a3a19372392cfa98710f61962844948565e150b92ebf37b2710e30455506d11cfeb174986309b

Same byte-identical self-copy as in behavioral1. The dumped regions for the hollowed processes (0x500000-0x582000 in PID 4008, 0x8B0000-0x932000 in PID 4568) are again 0x82000 bytes each, matching the behavioral1 sizes.

memory/4008-33-0x0000000000500000-0x0000000000582000-memory.dmp

memory/4008-34-0x0000000000500000-0x0000000000582000-memory.dmp

memory/4008-35-0x0000000000500000-0x0000000000582000-memory.dmp

memory/4008-37-0x0000000000500000-0x0000000000582000-memory.dmp

memory/4008-36-0x0000000000500000-0x0000000000582000-memory.dmp

memory/4568-44-0x00000000008B0000-0x0000000000932000-memory.dmp

memory/4568-45-0x00000000008B0000-0x0000000000932000-memory.dmp

memory/4008-46-0x0000000000500000-0x0000000000582000-memory.dmp

memory/4008-41-0x0000000000500000-0x0000000000582000-memory.dmp

memory/4008-52-0x0000000000500000-0x0000000000582000-memory.dmp

memory/4008-53-0x0000000000500000-0x0000000000582000-memory.dmp

memory/4008-54-0x0000000000500000-0x0000000000582000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 5390d65147fa3153cc8da80db0c06829
SHA1 fb8fa9118d153ea274627981f3feb50026ff8635
SHA256 9d481b39086746a27340848ef47bd1707d777138d73eb9a8e0826d5506a48f5e
SHA512 f30f3a5148abd91cef4e7463d1cb4b5e49fa537187f2e0f74e6edae91858314a01cfd4b3f1eeeb04beb9a979120102180ded80b1519d618dacbfb6ee461689f5

memory/4008-59-0x0000000000500000-0x0000000000582000-memory.dmp

memory/4008-60-0x0000000000500000-0x0000000000582000-memory.dmp

memory/4008-66-0x0000000000500000-0x0000000000582000-memory.dmp

memory/4008-67-0x0000000000500000-0x0000000000582000-memory.dmp

memory/4008-72-0x0000000000500000-0x0000000000582000-memory.dmp

memory/4008-73-0x0000000000500000-0x0000000000582000-memory.dmp

memory/4008-79-0x0000000000500000-0x0000000000582000-memory.dmp

memory/4008-80-0x0000000000500000-0x0000000000582000-memory.dmp

memory/4008-85-0x0000000000500000-0x0000000000582000-memory.dmp

memory/4008-86-0x0000000000500000-0x0000000000582000-memory.dmp