Malware Analysis Report

2025-01-02 03:03

Sample ID 240812-zm6xfsteph
Target remcos_a.exe
SHA256 b5d4fa666ad01922b1bca3c725a33ed3a269dcb26ea51f59a4cda26a37ccbd9c
Tags
remotehost remcos discovery evasion persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

b5d4fa666ad01922b1bca3c725a33ed3a269dcb26ea51f59a4cda26a37ccbd9c

Threat Level: Known bad

The file remcos_a.exe was found to be: Known bad.

Malicious Activity Summary

remotehost remcos discovery evasion persistence rat trojan

UAC bypass

Remcos family

Remcos

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 20:51

Signatures

Remcos family

remcos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 20:51

Reported

2024-08-12 20:53

Platform

win7-20240704-en

Max time kernel

149s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"

Signatures

Remcos

rat remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Windows\Windows.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\remcos_a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\remcos_a.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-0E62CJ = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" C:\Users\Admin\AppData\Local\Temp\remcos_a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-0E62CJ = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" C:\Users\Admin\AppData\Local\Temp\remcos_a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-0E62CJ = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" C:\Windows\SysWOW64\Windows\Windows.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-0E62CJ = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" C:\Windows\SysWOW64\Windows\Windows.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-0E62CJ = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-0E62CJ = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Windows\Windows.exe C:\Users\Admin\AppData\Local\Temp\remcos_a.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows\Windows.exe C:\Users\Admin\AppData\Local\Temp\remcos_a.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows C:\Users\Admin\AppData\Local\Temp\remcos_a.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2840 set thread context of 2784 N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2784 set thread context of 1060 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\remcos_a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Windows\Windows.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Windows\Windows.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Windows\Windows.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2712 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\remcos_a.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\remcos_a.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\remcos_a.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\remcos_a.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2812 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2812 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2812 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\remcos_a.exe C:\Windows\SysWOW64\Windows\Windows.exe
PID 2712 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\remcos_a.exe C:\Windows\SysWOW64\Windows\Windows.exe
PID 2712 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\remcos_a.exe C:\Windows\SysWOW64\Windows\Windows.exe
PID 2712 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\remcos_a.exe C:\Windows\SysWOW64\Windows\Windows.exe
PID 2840 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Windows\Windows.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Windows\Windows.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Windows\Windows.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 2752 N/A C:\Windows\SysWOW64\Windows\Windows.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2840 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2840 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2840 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2840 wrote to memory of 2784 N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2784 wrote to memory of 2604 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2604 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2604 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 2604 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2604 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2784 wrote to memory of 1060 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2784 wrote to memory of 1060 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2784 wrote to memory of 1060 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2784 wrote to memory of 1060 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2784 wrote to memory of 1060 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2752 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\remcos_a.exe

"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\Windows\Windows.exe

"C:\Windows\SysWOW64\Windows\Windows.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 k-peterson.gl.at.ply.gg udp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp

Files

C:\Windows\SysWOW64\Windows\Windows.exe

MD5 3f36f84b4e51cafed0c967c2cc116f8f
SHA1 49df4cd659e4e38d6a841fed8acd6a00d9a98b23
SHA256 b5d4fa666ad01922b1bca3c725a33ed3a269dcb26ea51f59a4cda26a37ccbd9c
SHA512 1b7cc5b652c95664d10084f6bb2727e9f7366c74474b39433a0c14e213d4ff4ce25a2aea1833b987edaa3d2de7a534cda56b21a330ff4aca95a2fa93fcd46877

memory/2784-14-0x0000000000130000-0x00000000001B2000-memory.dmp

memory/2784-19-0x0000000000130000-0x00000000001B2000-memory.dmp

memory/2784-18-0x0000000000130000-0x00000000001B2000-memory.dmp

memory/2784-17-0x0000000000130000-0x00000000001B2000-memory.dmp

memory/2784-12-0x0000000000130000-0x00000000001B2000-memory.dmp

memory/2784-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1060-23-0x0000000000080000-0x0000000000102000-memory.dmp

memory/1060-22-0x0000000000080000-0x0000000000102000-memory.dmp

memory/2784-25-0x0000000000130000-0x00000000001B2000-memory.dmp

memory/1060-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2784-13-0x0000000000130000-0x00000000001B2000-memory.dmp

memory/2784-31-0x0000000000130000-0x00000000001B2000-memory.dmp

memory/2784-32-0x0000000000130000-0x00000000001B2000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 52e834164e22b4bedc5fc7a392fb0d12
SHA1 cf2e9c227720e029d507db638440108847492c18
SHA256 0548f1987eae108599531abad36782ffd8baa5d57782bcb0f6b1c95c09f2c628
SHA512 cb7e2129f9752e2f2daab38f635d1a55b6316cb17a56eb84e79c922149472c5e8ed1e07bc07098d87228c753632cd1667fdf42b80811dd22025c5cf08c7a1cae

memory/2784-37-0x0000000000130000-0x00000000001B2000-memory.dmp

memory/2784-38-0x0000000000130000-0x00000000001B2000-memory.dmp

memory/2784-44-0x0000000000130000-0x00000000001B2000-memory.dmp

memory/2784-45-0x0000000000130000-0x00000000001B2000-memory.dmp

memory/2784-50-0x0000000000130000-0x00000000001B2000-memory.dmp

memory/2784-51-0x0000000000130000-0x00000000001B2000-memory.dmp

memory/2784-57-0x0000000000130000-0x00000000001B2000-memory.dmp

memory/2784-58-0x0000000000130000-0x00000000001B2000-memory.dmp

memory/2784-63-0x0000000000130000-0x00000000001B2000-memory.dmp

memory/2784-64-0x0000000000130000-0x00000000001B2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 20:51

Reported

2024-08-12 20:53

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"

Signatures

Remcos

rat remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\remcos_a.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Windows\Windows.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-0E62CJ = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" C:\Users\Admin\AppData\Local\Temp\remcos_a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-0E62CJ = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" C:\Users\Admin\AppData\Local\Temp\remcos_a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-0E62CJ = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" C:\Windows\SysWOW64\Windows\Windows.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-0E62CJ = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" C:\Windows\SysWOW64\Windows\Windows.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-0E62CJ = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-0E62CJ = "\"C:\\Windows\\SysWOW64\\Windows\\Windows.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Windows\Windows.exe C:\Users\Admin\AppData\Local\Temp\remcos_a.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows\Windows.exe C:\Users\Admin\AppData\Local\Temp\remcos_a.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows C:\Users\Admin\AppData\Local\Temp\remcos_a.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4484 set thread context of 4716 N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4716 set thread context of 3660 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\remcos_a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Windows\Windows.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\remcos_a.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Windows\Windows.exe N/A
N/A N/A C:\Windows\SysWOW64\Windows\Windows.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Windows\Windows.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\remcos_a.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\remcos_a.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\remcos_a.exe C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 952 wrote to memory of 800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 952 wrote to memory of 800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1948 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\remcos_a.exe C:\Windows\SysWOW64\Windows\Windows.exe
PID 1948 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\remcos_a.exe C:\Windows\SysWOW64\Windows\Windows.exe
PID 1948 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\remcos_a.exe C:\Windows\SysWOW64\Windows\Windows.exe
PID 4484 wrote to memory of 448 N/A C:\Windows\SysWOW64\Windows\Windows.exe C:\Windows\SysWOW64\cmd.exe
PID 4484 wrote to memory of 448 N/A C:\Windows\SysWOW64\Windows\Windows.exe C:\Windows\SysWOW64\cmd.exe
PID 4484 wrote to memory of 448 N/A C:\Windows\SysWOW64\Windows\Windows.exe C:\Windows\SysWOW64\cmd.exe
PID 4484 wrote to memory of 4716 N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4484 wrote to memory of 4716 N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4484 wrote to memory of 4716 N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4484 wrote to memory of 4716 N/A C:\Windows\SysWOW64\Windows\Windows.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4716 wrote to memory of 2144 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 4716 wrote to memory of 2144 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 4716 wrote to memory of 2144 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\cmd.exe
PID 4716 wrote to memory of 3660 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 4716 wrote to memory of 3660 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 4716 wrote to memory of 3660 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 4716 wrote to memory of 3660 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 448 wrote to memory of 3404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 448 wrote to memory of 3404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 448 wrote to memory of 3404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2144 wrote to memory of 2376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2144 wrote to memory of 2376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2144 wrote to memory of 2376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\remcos_a.exe

"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\Windows\Windows.exe

"C:\Windows\SysWOW64\Windows\Windows.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 k-peterson.gl.at.ply.gg udp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp
US 147.185.221.21:64076 k-peterson.gl.at.ply.gg tcp

Files

C:\Windows\SysWOW64\Windows\Windows.exe

MD5 3f36f84b4e51cafed0c967c2cc116f8f
SHA1 49df4cd659e4e38d6a841fed8acd6a00d9a98b23
SHA256 b5d4fa666ad01922b1bca3c725a33ed3a269dcb26ea51f59a4cda26a37ccbd9c
SHA512 1b7cc5b652c95664d10084f6bb2727e9f7366c74474b39433a0c14e213d4ff4ce25a2aea1833b987edaa3d2de7a534cda56b21a330ff4aca95a2fa93fcd46877

memory/4716-33-0x0000000000E20000-0x0000000000EA2000-memory.dmp

memory/4716-36-0x0000000000E20000-0x0000000000EA2000-memory.dmp

memory/4716-43-0x0000000000E20000-0x0000000000EA2000-memory.dmp

memory/4716-40-0x0000000000E20000-0x0000000000EA2000-memory.dmp

memory/3660-44-0x0000000000F30000-0x0000000000FB2000-memory.dmp

memory/3660-45-0x0000000000F30000-0x0000000000FB2000-memory.dmp

memory/4716-46-0x0000000000E20000-0x0000000000EA2000-memory.dmp

memory/4716-35-0x0000000000E20000-0x0000000000EA2000-memory.dmp

memory/4716-34-0x0000000000E20000-0x0000000000EA2000-memory.dmp

memory/4716-52-0x0000000000E20000-0x0000000000EA2000-memory.dmp

memory/4716-53-0x0000000000E20000-0x0000000000EA2000-memory.dmp

memory/4716-54-0x0000000000E20000-0x0000000000EA2000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 754a3ad70a2d0aadeff6dba25b56c7e1
SHA1 7882a2c0c35bc47ea940d26664574c140410c0ce
SHA256 2e04a10ab4e5e17f5e5316f8ab156443067060c6179d4bb4094927f0004dda18
SHA512 6f7a7ddfe92353b6b9e48dc8a09da459b6304fd4b27f6a48463e2bf4a093bae191f78019e693f3d9df6fb3e16cabede5b148130cd000a161212c65192010040b

memory/4716-60-0x0000000000E20000-0x0000000000EA2000-memory.dmp

memory/4716-61-0x0000000000E20000-0x0000000000EA2000-memory.dmp

memory/4716-66-0x0000000000E20000-0x0000000000EA2000-memory.dmp

memory/4716-67-0x0000000000E20000-0x0000000000EA2000-memory.dmp

memory/4716-73-0x0000000000E20000-0x0000000000EA2000-memory.dmp

memory/4716-74-0x0000000000E20000-0x0000000000EA2000-memory.dmp

memory/4716-79-0x0000000000E20000-0x0000000000EA2000-memory.dmp

memory/4716-80-0x0000000000E20000-0x0000000000EA2000-memory.dmp

memory/4716-85-0x0000000000E20000-0x0000000000EA2000-memory.dmp

memory/4716-87-0x0000000000E20000-0x0000000000EA2000-memory.dmp