Malware Analysis Report

2025-01-02 03:02

Sample ID 240812-2wwh7azejf
Target ImageLogger.exe
SHA256 b722366efcf9c6f32c697164a821dbdbcb7abdab41e2685e16944d659ee5dc4c
Tags remotehost remcos discovery evasion persistence rat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 b722366efcf9c6f32c697164a821dbdbcb7abdab41e2685e16944d659ee5dc4c

Threat Level: Known bad

The file ImageLogger.exe was found to be: Known bad.

Malicious Activity Summary

remotehost remcos discovery evasion persistence rat trojan

Remcos

Remcos family

UAC bypass

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Modifies registry key

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 22:56

Signatures

Remcos family

remcos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 22:56

Reported

2024-08-12 22:59

Platform

win7-20240708-en

Max time kernel

148s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe"

Signatures

Remcos

rat remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Windows\Windows.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-H2REJ9 = "\"C:\\ProgramData\\Windows\\Windows.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-H2REJ9 = "\"C:\\ProgramData\\Windows\\Windows.exe\"" C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-H2REJ9 = "\"C:\\ProgramData\\Windows\\Windows.exe\"" C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-H2REJ9 = "\"C:\\ProgramData\\Windows\\Windows.exe\"" C:\ProgramData\Windows\Windows.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-H2REJ9 = "\"C:\\ProgramData\\Windows\\Windows.exe\"" C:\ProgramData\Windows\Windows.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-H2REJ9 = "\"C:\\ProgramData\\Windows\\Windows.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2784 set thread context of 3040 N/A C:\ProgramData\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3040 set thread context of 2892 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Windows\Windows.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProgramData\Windows\Windows.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\Windows\Windows.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1940 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1940 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe C:\ProgramData\Windows\Windows.exe
PID 2784 wrote to memory of 2736 N/A C:\ProgramData\Windows\Windows.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 3040 N/A C:\ProgramData\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2736 wrote to memory of 2900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3040 wrote to memory of 2348 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 2892 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2348 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe

"C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\ProgramData\Windows\Windows.exe

"C:\ProgramData\Windows\Windows.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 software-julia.gl.at.ply.gg udp
US 147.185.221.21:17106 software-julia.gl.at.ply.gg tcp

Files

\ProgramData\Windows\Windows.exe

MD5 3bb489034bbe5a50f866a3b4257d8efc
SHA1 ac7b71c48cb0bcd81db38afb5f88eb196fc55c6d
SHA256 b722366efcf9c6f32c697164a821dbdbcb7abdab41e2685e16944d659ee5dc4c
SHA512 827f669d0bee715bf49ef0e50bc7689eb1e78408df60d79ed720bb0e8444daca89bd4f0396202394a5b01e2efa8511838d7aad1af70609c47b859ff8d688f566

C:\ProgramData\remcos\logs.dat

MD5 704ce0b10b342580f9a8cc53eceaab2c
SHA1 1315ded969bdcf8ffe27bef3c784ce07e41b24e0
SHA256 3017ed19ac049aab43e8ea2018d979a30f0f0896f4fd4e83d6ed5d04ae837828
SHA512 dcb4d9f3d995bedc7b5095b6ca6d24b847833b5f9d5b0a90d01b4e19385fa1cf4b77f5913b76483004492f9e339e83105d736e4b762990cedadd8df1aba4c89d

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 22:56

Reported

2024-08-12 22:59

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe"

Signatures

Remcos

rat remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Windows\Windows.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-H2REJ9 = "\"C:\\ProgramData\\Windows\\Windows.exe\"" C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-H2REJ9 = "\"C:\\ProgramData\\Windows\\Windows.exe\"" C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-H2REJ9 = "\"C:\\ProgramData\\Windows\\Windows.exe\"" C:\ProgramData\Windows\Windows.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-H2REJ9 = "\"C:\\ProgramData\\Windows\\Windows.exe\"" C:\ProgramData\Windows\Windows.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-H2REJ9 = "\"C:\\ProgramData\\Windows\\Windows.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-H2REJ9 = "\"C:\\ProgramData\\Windows\\Windows.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 324 set thread context of 4084 N/A C:\ProgramData\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4084 set thread context of 2472 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Windows\Windows.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProgramData\Windows\Windows.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\Windows\Windows.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1004 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1004 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe C:\ProgramData\Windows\Windows.exe
PID 324 wrote to memory of 1680 N/A C:\ProgramData\Windows\Windows.exe C:\Windows\SysWOW64\cmd.exe
PID 324 wrote to memory of 4084 N/A C:\ProgramData\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4084 wrote to memory of 3208 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 2472 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1680 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3208 wrote to memory of 3376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe

"C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\ProgramData\Windows\Windows.exe

"C:\ProgramData\Windows\Windows.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 software-julia.gl.at.ply.gg udp
US 147.185.221.21:17106 software-julia.gl.at.ply.gg tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 21.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\ProgramData\Windows\Windows.exe

MD5 3bb489034bbe5a50f866a3b4257d8efc
SHA1 ac7b71c48cb0bcd81db38afb5f88eb196fc55c6d
SHA256 b722366efcf9c6f32c697164a821dbdbcb7abdab41e2685e16944d659ee5dc4c
SHA512 827f669d0bee715bf49ef0e50bc7689eb1e78408df60d79ed720bb0e8444daca89bd4f0396202394a5b01e2efa8511838d7aad1af70609c47b859ff8d688f566

C:\ProgramData\remcos\logs.dat

MD5 e9f0d455bd1e14118d2460df8d437858
SHA1 866d8888e04802dfbfac67243f1172053ae15dce
SHA256 fbd5ad941ab06c9d511b85702cb604c37ca4539af1acbfaa9cb4fc52bfd943a5
SHA512 03fd72ec2602c95d7d754f3df9c7a51d2988981cfe3b299a40289ac99d6f6860a2509558206eeb159bf4d171adb6a9fcf8dbfaf5385bfa670ab7614b09712ac7
