Malware Analysis Report

2025-01-02 03:09

Sample ID 240814-k6rvbatgng
Target 322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe
SHA256 322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24
Tags
remcos remotehost discovery execution rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24

Threat Level: Known bad

The file 322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe was found to be: Known bad.

Observed chain, from the two behavioral runs below: the unsigned 32-bit sample spawns two powershell.exe instances that add Microsoft Defender path exclusions, one for its own path and one for C:\Users\Admin\AppData\Roaming\kkUfsLDbd.exe; it registers a scheduled task named Updates\kkUfsLDbd from an XML definition dropped in %TEMP% (tmpDC1C.tmp on Windows 7, tmpEBC7.tmp on Windows 10); it then starts the VB.NET compiler vbc.exe with no arguments, writes into that process and sets its thread context (the WriteProcessMemory and SetThreadContext signatures), after which the run shows repeated TCP connections to 192.3.243.155:7643 with no preceding DNS lookup and a file C:\ProgramData\remcos\logs.dat, the path and name Remcos uses for its log. Note that kkUfsLDbd.exe, the second excluded path, does not appear among the dropped files captured in either run.

Malicious Activity Summary

remcos remotehost discovery execution rat

Remcos

Command and Scripting Interpreter: PowerShell

Uses the VB.NET compiler (vbc.exe) as an execution host

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Techniques named by the signatures in this report: Command and Scripting Interpreter: PowerShell (T1059.001), Scheduled Task/Job: Scheduled Task (T1053.005), System Location Discovery: System Language Discovery (T1614.001). Two behaviours the sandbox records without an ATT&CK label: the Add-MpPreference -ExclusionPath commands correspond to Impair Defenses: Disable or Modify Tools (T1562.001), and the WriteProcessMemory followed by SetThreadContext into an argument-less vbc.exe is the sequence of Process Injection: Process Hollowing (T1055.012).

Analysis: static1

Detonation Overview

Reported

2024-08-14 09:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 09:13

Reported

2024-08-14 09:15

Platform

win7-20240729-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe"

Signatures

Remcos

rat remcos

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Uses the VB.NET compiler (vbc.exe) as an execution host

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2508 set thread context of 2596 N/A C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2508 wrote to memory of 2868 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2508 wrote to memory of 2972 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2508 wrote to memory of 2280 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2596 (13 events) N/A C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe

"C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kkUfsLDbd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kkUfsLDbd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDC1C.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

Network

Country Destination Domain Proto
US 192.3.243.155:7643 tcp (51 connections; no DNS lookup precedes them, the client connects straight to the IP)

Files

memory/2508-0-0x00000000749EE000-0x00000000749EF000-memory.dmp

memory/2508-1-0x00000000000F0000-0x00000000001DA000-memory.dmp

memory/2508-2-0x00000000749E0000-0x00000000750CE000-memory.dmp

memory/2508-3-0x0000000000500000-0x000000000051E000-memory.dmp

memory/2508-4-0x00000000005E0000-0x00000000005F6000-memory.dmp

memory/2508-5-0x0000000005150000-0x0000000005210000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VLJ0MBZFFMNB57OBTTA8.temp

MD5 93320239239726a5f9871142428f2c9c
SHA1 df13c2ec2957399899ab8e48bb476bd3f1386256
SHA256 c080eae6e37cec4058bef15f9c7a11406cb7f642e2a55e3a801dbeaeac54fa08
SHA512 5711764f531c74320052d48d3a638e6a0f8581e4c8c15b9bccbd59200e88a8b1e3542286892bfd542267b09450054dd4449be314091caebeed0310c0b4f14e49

C:\Users\Admin\AppData\Local\Temp\tmpDC1C.tmp

MD5 76ec7683ca617e5ee72a45b6715cfb6e
SHA1 077f4ac8602dc52304533570e3439281255891fd
SHA256 67e56c89ac65c4b4eaa20ad0967f008d359921769be381bb84eae5a4ffd6071d
SHA512 7cab244872c07b0561d81c99a350f92bf31609b8e7a5a091c8b938e546e2371dd948ca96a89e1912f1ae2b43fdc3caa178a860b2bd46aedfd6b280841cf7b546

memory/2596-<n>-0x0000000000400000-0x0000000000482000-memory.dmp (32 dumps of the same region in the hollowed vbc.exe, n = 18, 20, 22, 24, 26, 28, 30, 33, 35, 36, 37, 40, 41, 43, 44, 45, 47, 48, 49, 50, 52, 53, 54, 55, 57, 58, 59, 60, 62, 63, 64, 65)

memory/2596-34-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2508-42-0x00000000749E0000-0x00000000750CE000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 98b410e9034a1baab525f3ce4a0e9a2d
SHA1 7b2004e16d9cbc5330d6de462d3e4b78f15bc8d3
SHA256 599ed3f31fd624dbd7edf11ed5df949683529fc44f15879f65a243251c399043
SHA512 e40c03c0a5b0b0da2e5e4198cae958dd7649dbd2319d87c63c6628317972bb215917b6b172325e9187011774bb0d39f04e3c5b8a7c13a1b91df4209cb99fc61a

memory/2596-<n>-0x0000000000400000-0x0000000000482000-memory.dmp (21 further dumps of the same region, n = 67, 68, 69, 70, 72, 73, 74, 75, 77, 79, 80, 81, 83, 84, 85, 86, 88, 89, 90, 91, 93)

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 09:13

Reported

2024-08-14 09:15

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe"

Signatures

Remcos

rat remcos

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe N/A

Uses the VB.NET compiler (vbc.exe) as an execution host

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 916 set thread context of 1212 N/A C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 916 wrote to memory of 2488 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 2872 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 916 wrote to memory of 1460 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe C:\Windows\SysWOW64\schtasks.exe
PID 916 wrote to memory of 1820 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 916 wrote to memory of 1212 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe

"C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kkUfsLDbd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kkUfsLDbd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEBC7.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
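
The process lists of behavioral1 and behavioral2 are the same three-step chain (Defender exclusion, scheduled task from a temp XML, argument-less vbc.exe), so one detection example serves both. What follows is added here and is not part of the sandbox report. The event fields (pid, ppid, image, cmdline, parent_image) are an assumption modelled on Sysmon event ID 1; BUILD_PARENTS and the user-writable path pattern are tuning assumptions for the example. The sample events are constructed from the behavioral1 command lines (the 32-bit parent invokes System32\powershell.exe, which WoW64 redirects to the SysWOW64 image shown as the process path) plus two benign events that must not fire.

```python
"""Process-chain rules for the loader behaviour listed in the Processes sections.

Added example, not part of the sandbox report.  Event fields are an assumption
modelled on Sysmon event ID 1; sample events are constructed from the report.
"""
from __future__ import annotations
import re
import shlex
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # resolved image path of the new process
    cmdline: str
    parent_image: str


BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "csc.exe"}   # assumption
USER_WRITABLE = re.compile(r"\\(appdata|users\\[^\\]+|programdata|temp)\\", re.I)
RULE_NAMES = {"defender_exclusion", "schtasks_from_temp", "hollowed_vbc"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def argv(cmdline: str) -> list[str]:
    # posix=False keeps Windows quoting intact; the quotes are stripped afterwards
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def rule_defender_exclusion(ev: ProcEvent) -> dict | None:
    """powershell.exe adding a Defender path exclusion (ATT&CK T1562.001)."""
    if basename(ev.image) != "powershell.exe":
        return None
    m = re.search(r'Add-MpPreference\b.*?-ExclusionPath\s+"?([^"]+)', ev.cmdline, re.I)
    if not m:
        return None
    path = m.group(1).strip()
    return {"rule": "defender_exclusion", "ppid": ev.ppid, "path": path,
            "user_writable": bool(USER_WRITABLE.search(path))}


def rule_schtasks_from_temp(ev: ProcEvent) -> dict | None:
    """schtasks /Create importing its task definition from a temp file (T1053.005)."""
    if basename(ev.image) != "schtasks.exe":
        return None
    args = argv(ev.cmdline)
    low = [a.lower() for a in args]

    def after(flag: str) -> str:          # value following a flag, "" if absent
        i = low.index(flag) if flag in low else -1
        return args[i + 1] if 0 <= i < len(args) - 1 else ""

    xml = after("/xml")
    if "/create" not in low or not xml:
        return None
    if "\\temp\\" not in xml.lower() and not xml.lower().endswith(".tmp"):
        return None
    return {"rule": "schtasks_from_temp", "ppid": ev.ppid, "task": after("/tn"), "xml": xml}


def rule_hollowed_vbc(ev: ProcEvent) -> dict | None:
    """vbc.exe started with no arguments by a non-build parent: a hollowing host."""
    if basename(ev.image) != "vbc.exe":
        return None
    if len(argv(ev.cmdline)) > 1 or basename(ev.parent_image) in BUILD_PARENTS:
        return None
    return {"rule": "hollowed_vbc", "ppid": ev.ppid, "pid": ev.pid, "parent": ev.parent_image}


RULES = (rule_defender_exclusion, rule_schtasks_from_temp, rule_hollowed_vbc)


def detect(events: list[ProcEvent]) -> list[dict]:
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


def loader_chains(events: list[ProcEvent]) -> dict[int, set[str]]:
    """Parents that triggered all three rules: evasion, persistence and hollowing."""
    by_parent: dict[int, set[str]] = defaultdict(set)
    for hit in detect(events):
        by_parent[hit["ppid"]].add(hit["rule"])
    return {ppid: rules for ppid, rules in by_parent.items() if rules == RULE_NAMES}


# Constructed sample: the behavioral1 chain (PIDs as in the report) plus two benign events.
MALWARE = r"C:\Users\Admin\AppData\Local\Temp\322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
SAMPLE_EVENTS = [
    ProcEvent(2868, 2508, PS32, f'{PS_CMD} Add-MpPreference -ExclusionPath "{MALWARE}"', MALWARE),
    ProcEvent(2972, 2508, PS32, f'{PS_CMD} Add-MpPreference -ExclusionPath "C:\\Users\\Admin\\AppData\\Roaming\\kkUfsLDbd.exe"', MALWARE),
    ProcEvent(2280, 2508, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kkUfsLDbd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDC1C.tmp"', MALWARE),
    ProcEvent(2596, 2508, VBC, f'"{VBC}"', MALWARE),
    ProcEvent(4100, 4000, VBC, f'"{VBC}" /noconfig @"C:\\build\\obj\\App.rsp"', r"C:\Program Files\MSBuild\MSBuild.exe"),  # benign build
    ProcEvent(4200, 4001, PS32, f"{PS_CMD} Get-MpPreference", r"C:\Windows\explorer.exe"),                                # benign admin
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("loader chains:", loader_chains(SAMPLE_EVENTS))
```

Each rule alone is noisy in a build-heavy estate; loader_chains is the alert worth paging on, because one parent producing all three behaviours in a single session has no benign explanation.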

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 192.3.243.155:7643 tcp (4 connections)
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 192.3.243.155:7643 tcp (8 connections)
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 192.3.243.155:7643 tcp (8 connections)
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 192.3.243.155:7643 tcp (2 connections)
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp (5 connections)
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 192.3.243.155:7643 tcp (10 connections)

In total 32 connections to 192.3.243.155:7643 in this run, again with no DNS lookup for that address; the reverse lookups and the tse1.mm.bing.net traffic are the only other activity.
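
Both Network tables mix the Remcos client's traffic with activity the analysis image produces on its own, and the Windows 10 run adds reverse lookups and Bing CDN traffic on top of the direct-to-IP connections. The following is an added example, not part of the report, that parses rows in the format shown above and separates the two. Treating in-addr.arpa lookups and the listed Microsoft domain suffixes as platform noise is an assumption to tune per sandbox image; the sample text is constructed from the behavioral2 rows, with the 192.3.243.155 rows repeated 32 times as in the run.

```python
"""Triage of a sandbox Network table: platform noise vs. direct-to-IP C2.

Added example, not part of the report.  NOISE_SUFFIXES is an assumption for
the sandbox image used here; the sample rows are constructed from the report.
"""
from __future__ import annotations
import re
from collections import Counter

NOISE_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com",
                  ".msftconnecttest.com")                       # assumption

ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+"
                 r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$")


def parse_rows(text: str) -> list[dict]:
    """Rows are 'CC ip:port [domain] proto'; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                         "domain": m["domain"] or "", "proto": m["proto"]})
    return rows


def is_noise(row: dict) -> bool:
    d = row["domain"].lower()
    if d.endswith(".in-addr.arpa"):
        return True          # PTR lookups the OS/sandbox does for peers it talked to
    return bool(d) and d.endswith(NOISE_SUFFIXES)


def triage(rows: list[dict], min_repeats: int = 3) -> dict:
    """Bucket connections; a bare IP on a non-web TCP port hit repeatedly is a C2 candidate."""
    c2, noise, other = Counter(), Counter(), Counter()
    for r in rows:
        key = f'{r["ip"]}:{r["port"]}/{r["proto"]}'
        if is_noise(r):
            noise[key] += 1
        elif not r["domain"] and r["proto"] == "tcp" and r["port"] not in (80, 443):
            c2[key] += 1
        else:
            other[key] += 1
    return {"c2_candidates": [(k, n) for k, n in c2.most_common() if n >= min_repeats],
            "noise": dict(noise), "other": dict(other)}


def suricata_rules(result: dict, base_sid: int = 1000001, label: str = "Remcos C2") -> list[str]:
    """One alert rule per C2 candidate, for the egress sensor."""
    rules = []
    for i, (key, _count) in enumerate(result["c2_candidates"]):
        hostport, proto = key.split("/")
        ip, port = hostport.split(":")
        rules.append(f'alert {proto} $HOME_NET any -> {ip} {port} '
                     f'(msg:"{label} {key}"; sid:{base_sid + i}; rev:1;)')
    return rules


# Constructed from the behavioral2 Network table.
SAMPLE = "\n".join(
    ["Country Destination Domain Proto",
     "US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp",
     "US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp",
     "US 8.8.8.8:53 tse1.mm.bing.net udp",
     "US 150.171.27.10:443 tse1.mm.bing.net tcp",
     "US 150.171.27.10:443 tse1.mm.bing.net tcp"]
    + ["US 192.3.243.155:7643 tcp"] * 32
)

if __name__ == "__main__":
    result = triage(parse_rows(SAMPLE))
    print(result)
    print("\n".join(suricata_rules(result)))
```

The port-not-in-(80, 443) test is deliberate: a C2 on 443 would land in "other" and still deserve a look, but it needs TLS metadata rather than a bare ip:port count to be called.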

Files

memory/916-0-0x000000007534E000-0x000000007534F000-memory.dmp

memory/916-1-0x0000000000260000-0x000000000034A000-memory.dmp

memory/916-2-0x0000000005200000-0x00000000057A4000-memory.dmp

memory/916-3-0x0000000004D30000-0x0000000004DC2000-memory.dmp

memory/916-4-0x0000000004ED0000-0x0000000004EDA000-memory.dmp

memory/916-5-0x0000000075340000-0x0000000075AF0000-memory.dmp

memory/916-6-0x0000000005130000-0x000000000514E000-memory.dmp

memory/916-7-0x0000000005150000-0x0000000005166000-memory.dmp

memory/916-8-0x0000000008640000-0x0000000008700000-memory.dmp

memory/916-9-0x000000000B7A0000-0x000000000B83C000-memory.dmp

memory/2488-15-0x0000000075340000-0x0000000075AF0000-memory.dmp

memory/2488-14-0x0000000002690000-0x00000000026C6000-memory.dmp

memory/2488-17-0x0000000075340000-0x0000000075AF0000-memory.dmp

memory/2488-16-0x0000000005260000-0x0000000005888000-memory.dmp

memory/2872-18-0x0000000075340000-0x0000000075AF0000-memory.dmp

memory/2872-21-0x0000000005C10000-0x0000000005C76000-memory.dmp

memory/2872-20-0x0000000005AA0000-0x0000000005B06000-memory.dmp

memory/2872-19-0x00000000052B0000-0x00000000052D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kxtrt1es.nuv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2872-32-0x0000000005C80000-0x0000000005FD4000-memory.dmp

memory/2872-33-0x0000000075340000-0x0000000075AF0000-memory.dmp

memory/2488-44-0x0000000075340000-0x0000000075AF0000-memory.dmp

memory/2872-43-0x0000000075340000-0x0000000075AF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpEBC7.tmp

MD5 c98fa3f1cb4a2790aa2f740fe5020ef4
SHA1 12dce523086b200db697f0aa6e3505d6d3dee290
SHA256 7655a34641a06962638bbdb5b658b8187537954b83ebf1dfe6965abbc0755476
SHA512 38a1dc34717430a7b21bcba36642422d8a3db3d961f71da04cf023422127473baed5e5d33fddd67b0a915e39a8ede50bc437e8194616974cf8588aae623f2c4c

memory/1212-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1212-52-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2872-54-0x0000000006780000-0x00000000067CC000-memory.dmp

memory/2872-53-0x0000000006260000-0x000000000627E000-memory.dmp

memory/916-55-0x0000000075340000-0x0000000075AF0000-memory.dmp

memory/1212-50-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1212-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1212-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2488-56-0x0000000006560000-0x0000000006592000-memory.dmp

memory/2488-57-0x000000006FD70000-0x000000006FDBC000-memory.dmp

memory/2488-68-0x0000000007190000-0x0000000007233000-memory.dmp

memory/2488-67-0x00000000065A0000-0x00000000065BE000-memory.dmp

memory/2872-71-0x000000006FD70000-0x000000006FDBC000-memory.dmp

memory/2488-70-0x00000000072B0000-0x00000000072CA000-memory.dmp

memory/2488-69-0x0000000007900000-0x0000000007F7A000-memory.dmp

memory/2488-81-0x0000000007320000-0x000000000732A000-memory.dmp

memory/2872-82-0x0000000007820000-0x00000000078B6000-memory.dmp

memory/2488-83-0x00000000074B0000-0x00000000074C1000-memory.dmp

memory/2872-84-0x00000000077D0000-0x00000000077DE000-memory.dmp

memory/2872-85-0x00000000077E0000-0x00000000077F4000-memory.dmp

memory/2872-86-0x00000000078E0000-0x00000000078FA000-memory.dmp

memory/2488-87-0x00000000075D0000-0x00000000075D8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/2872-93-0x0000000075340000-0x0000000075AF0000-memory.dmp

memory/2488-92-0x0000000075340000-0x0000000075AF0000-memory.dmp

memory/1212-<n>-0x0000000000400000-0x0000000000482000-memory.dmp (12 dumps of the same region in the hollowed vbc.exe, n = 94, 95, 97, 98, 100, 101, 103, 104, 105, 107, 108, 109)

C:\ProgramData\remcos\logs.dat

MD5 acdb79acdfd3d139c731e6d45e5352d8
SHA1 5026d6930490dbd1e935f601fd9f785604a018b4
SHA256 70b6114e144417d83ab6ae7c593819598ae89f894f0f351e06ea6fccdb33aaf5
SHA512 5638dc5f79b816d32b6c7361ceca9c6192445dc60a3d87275f0e721bc7e6cb9c156c45caeef42b7f2e4b03b7cec1e902d323f72c23ca6b258873a0e323f38d6a

memory/1212-<n>-0x0000000000400000-0x0000000000482000-memory.dmp (45 further dumps of the same region, n = 111, 112, 114, 115, 117, 118, 119, 121, 122, 123, 125, 126, 128, 129, 131, 132, 133, 135, 136, 137, 139, 140, 142, 143, 144, 146, 147, 148, 150, 151, 153, 154, 155, 157, 158, 159, 161, 162, 164, 165, 168, 169, 171, 173, 174)
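
In both Files sections the one region that is dumped over and over is 0x00400000-0x00482000 inside the vbc.exe that received SetThreadContext (PID 2596 on Windows 7, PID 1212 on Windows 10): that is the unpacked Remcos image, and its earliest dump is the one to carve. The following is an added example, not part of the report, that turns the dump names into that conclusion automatically. The name pattern is the one shown above; the sample names are a constructed subset of the behavioral1 list, and treating 0x00400000 as the tell-tale base is an assumption (it is the default image base of a 32-bit PE, which a hollowed payload without relocations must occupy).

```python
"""Locate the hollowed payload from sandbox memory-dump names.

Added example, not part of the report.  Dump names follow
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp; the sample list is a
constructed subset of the behavioral1 Files section.
"""
from __future__ import annotations
import re
from collections import defaultdict

DUMP = re.compile(r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                  r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
DEFAULT_IMAGE_BASE = 0x00400000      # assumption: default base of a 32-bit PE


def parse_dump(name: str) -> tuple[int, int, int, int]:
    """-> (pid, seq, start, end) with addresses as integers."""
    m = DUMP.search(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    return int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)


def regions(names: list[str]) -> dict[tuple[int, int, int], list[int]]:
    """Map (pid, start, end) -> sorted sequence numbers of every dump of that region."""
    out: dict[tuple[int, int, int], list[int]] = defaultdict(list)
    for n in names:
        pid, seq, start, end = parse_dump(n)
        out[(pid, start, end)].append(seq)
    return {k: sorted(v) for k, v in out.items()}


def hollowing_candidates(names: list[str], thread_context_pairs: list[tuple[int, int]]) -> list[dict]:
    """For each (injector, host) pair from the SetThreadContext signature, pick the host
    region dumped most often and report it, with its size and the earliest dump to carve."""
    regs = regions(names)
    found = []
    for injector, host in thread_context_pairs:
        host_regs = [(k, v) for k, v in regs.items() if k[0] == host]
        if not host_regs:
            continue
        (_pid, start, end), seqs = max(host_regs, key=lambda kv: len(kv[1]))
        found.append({"injector": injector, "host": host, "start": start, "end": end,
                      "size": end - start, "dumps": len(seqs), "first_seq": seqs[0],
                      "at_default_base": start == DEFAULT_IMAGE_BASE,
                      "carve": f"memory/{host}-{seqs[0]}-0x{start:016X}-0x{end:016X}-memory.dmp"})
    return found


# Constructed subset of the behavioral1 dump list (8 of the 53 dumps of the payload region).
SAMPLE_DUMPS = [
    "memory/2508-0-0x00000000749EE000-0x00000000749EF000-memory.dmp",
    "memory/2508-1-0x00000000000F0000-0x00000000001DA000-memory.dmp",
    "memory/2508-2-0x00000000749E0000-0x00000000750CE000-memory.dmp",
    "memory/2508-42-0x00000000749E0000-0x00000000750CE000-memory.dmp",
    "memory/2596-34-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp",
] + [f"memory/2596-{n}-0x0000000000400000-0x0000000000482000-memory.dmp"
     for n in (18, 20, 22, 24, 26, 28, 30, 33)]
SETTHREADCONTEXT = [(2508, 2596)]     # from the behavioral1 signature table

if __name__ == "__main__":
    for c in hollowing_candidates(SAMPLE_DUMPS, SETTHREADCONTEXT):
        print(f'{c["injector"]} -> {c["host"]}: 0x{c["start"]:X}-0x{c["end"]:X} '
              f'({c["size"]} bytes, {c["dumps"]} dumps), carve {c["carve"]}')
```

The 0x82000-byte (532480-byte) region is consistent across both runs, so its size is a usable pivot when the same loader is seen with a different host process.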