Malware Analysis Report

2025-01-02 03:03

Sample ID 240812-2zn9aazfne
Target ImageLogger.exe
SHA256 5f0e4772e7b804ea1fc60ebff11d9539c60398f968114c73d47de0b14b075f50
Tags
remcos remotehost discovery evasion persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

5f0e4772e7b804ea1fc60ebff11d9539c60398f968114c73d47de0b14b075f50

Threat Level: Known bad

The file ImageLogger.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost discovery evasion persistence rat trojan

Remcos

UAC bypass

Remcos family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 23:01

Signatures

Remcos family

remcos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 23:01

Reported

2024-08-12 23:04

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe"

Signatures

Remcos

rat remcos

UAC bypass

evasion trojan
Description Indicator Process Target Count
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A 3

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Windows\Windows.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-E22CTC = "\"C:\\ProgramData\\Windows\\Windows.exe\"" C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-E22CTC = "\"C:\\ProgramData\\Windows\\Windows.exe\"" C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-E22CTC = "\"C:\\ProgramData\\Windows\\Windows.exe\"" C:\ProgramData\Windows\Windows.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-E22CTC = "\"C:\\ProgramData\\Windows\\Windows.exe\"" C:\ProgramData\Windows\Windows.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-E22CTC = "\"C:\\ProgramData\\Windows\\Windows.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-E22CTC = "\"C:\\ProgramData\\Windows\\Windows.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2312 set thread context of 3436 N/A C:\ProgramData\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 3436 set thread context of 2328 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Windows\Windows.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\program files (x86)\internet explorer\iexplore.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A 3
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A 3
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe N/A 1

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe N/A

Modifies registry key

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\reg.exe N/A 3

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\ProgramData\Windows\Windows.exe N/A 2

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\Windows\Windows.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4492 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe C:\Windows\SysWOW64\cmd.exe 3
PID 1524 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe 3
PID 4492 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe C:\ProgramData\Windows\Windows.exe 3
PID 2312 wrote to memory of 2716 N/A C:\ProgramData\Windows\Windows.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2312 wrote to memory of 3436 N/A C:\ProgramData\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe 4
PID 3436 wrote to memory of 3108 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3436 wrote to memory of 2328 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe 4
PID 2716 wrote to memory of 4404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe 3
PID 3108 wrote to memory of 3460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe

"C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\ProgramData\Windows\Windows.exe

"C:\ProgramData\Windows\Windows.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp 1
US 8.8.8.8:53 software-julia.gl.at.ply.gg udp 1
US 147.185.221.21:17106 software-julia.gl.at.ply.gg tcp 7
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp 1
US 8.8.8.8:53 21.221.185.147.in-addr.arpa udp 1
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp 1
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp 1
US 8.8.8.8:53 geoplugin.net udp 1
NL 178.237.33.50:80 geoplugin.net tcp 2
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp 1
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp 1
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp 1
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp 1
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp 1
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp 1
US 8.8.8.8:53 tse1.mm.bing.net udp 1
US 150.171.28.10:443 tse1.mm.bing.net tcp 5
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp 1
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 N/A udp 1

Files

C:\ProgramData\Windows\Windows.exe

MD5 f5955b4d18efb1325dcc8ad9778076fe
SHA1 b42b488f84d6d39430655f7bbb67f35b48e7e5b8
SHA256 5f0e4772e7b804ea1fc60ebff11d9539c60398f968114c73d47de0b14b075f50
SHA512 b4886d0e3fde068e47ae02f242423e86c91b70df3896c6d4935992e6dbc4a1034360369c279bec37fb605b25e6fb89d2c06722d48081009722784bef9a1395d5

C:\ProgramData\remcos\logs.dat

MD5 547f39fdac3556e848440c5f04b9a183
SHA1 1e846e2b344bf81269902f7a04565be227ec1890
SHA256 93080afd0d643b4e2f2b07c5f169671c132075c19ad8e43089afd5ab86bf95f3
SHA512 8699c55b16c70368851c7973603a263b3d1738139e488b9cb2019bf40bf84533ead68922e2633166238a3a93d84d65ec8393a7a3a32efe905d7b551b8609111e

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 23:01

Reported

2024-08-12 23:03

Platform

win7-20240705-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe"

Signatures

Remcos

rat remcos

UAC bypass

evasion trojan
Description Indicator Process Target Count
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A 3

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Windows\Windows.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-E22CTC = "\"C:\\ProgramData\\Windows\\Windows.exe\"" C:\ProgramData\Windows\Windows.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-E22CTC = "\"C:\\ProgramData\\Windows\\Windows.exe\"" C:\ProgramData\Windows\Windows.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-E22CTC = "\"C:\\ProgramData\\Windows\\Windows.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-E22CTC = "\"C:\\ProgramData\\Windows\\Windows.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-E22CTC = "\"C:\\ProgramData\\Windows\\Windows.exe\"" C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-E22CTC = "\"C:\\ProgramData\\Windows\\Windows.exe\"" C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2296 set thread context of 2964 N/A C:\ProgramData\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2964 set thread context of 2724 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A 3
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Windows\Windows.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A 3
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\program files (x86)\internet explorer\iexplore.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe N/A 1

Modifies registry key

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\reg.exe N/A 3

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ProgramData\Windows\Windows.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\Windows\Windows.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1440 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1996 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe 4
PID 1440 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe C:\ProgramData\Windows\Windows.exe 4
PID 2296 wrote to memory of 2656 N/A C:\ProgramData\Windows\Windows.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2296 wrote to memory of 2964 N/A C:\ProgramData\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe 5
PID 2656 wrote to memory of 2240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe 4
PID 2964 wrote to memory of 1852 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2964 wrote to memory of 2724 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe 5
PID 1852 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe

"C:\Users\Admin\AppData\Local\Temp\ImageLogger.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\ProgramData\Windows\Windows.exe

"C:\ProgramData\Windows\Windows.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 software-julia.gl.at.ply.gg udp 2
US 147.185.221.21:17106 software-julia.gl.at.ply.gg tcp 6
US 8.8.8.8:53 geoplugin.net udp 1
NL 178.237.33.50:80 geoplugin.net tcp 1

Files

C:\ProgramData\Windows\Windows.exe

MD5 f5955b4d18efb1325dcc8ad9778076fe
SHA1 b42b488f84d6d39430655f7bbb67f35b48e7e5b8
SHA256 5f0e4772e7b804ea1fc60ebff11d9539c60398f968114c73d47de0b14b075f50
SHA512 b4886d0e3fde068e47ae02f242423e86c91b70df3896c6d4935992e6dbc4a1034360369c279bec37fb605b25e6fb89d2c06722d48081009722784bef9a1395d5

C:\ProgramData\remcos\logs.dat

MD5 6e67fdb9bacad9cb616cb99a020986da
SHA1 7baa8bb66e163dc657d1bca9943ffc808dd599bb
SHA256 732976738008edaf6996a6d9f87d22f03e98df3dd0683b50dfb30a316880429a
SHA512 32213a8837dd08197463847a6dbe329058d29244de2a4f3daa2102f226bebf1d0546d44ce3b1d33ca5051038418c919457f55bb84d756830986344ec2dab161e
