remcos | 954fb1de84898cdaeacaf0c48a252497884888ac9b11347f1428bb543689e8c2

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27-08-2024 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c446746efb2f1adcbfa66f98fa4b5dca_JaffaCakes118.rtf
Size

773KB
MD5

c446746efb2f1adcbfa66f98fa4b5dca
SHA1

20f57f4eb6cf358af82cbc4bb18433063b6f263e
SHA256

954fb1de84898cdaeacaf0c48a252497884888ac9b11347f1428bb543689e8c2
SHA512

030cc485d8033c21a194a103d214ea1d4438360fb1aee194c2845464a245ca7449bd6e994cc443faa0d6685bbfdae261e5a0069dc1daa65d206b355ba307875b
SSDEEP

12288:CxrQXRas40+CzMfUdokNlaJPSFOSdbrAC:Cx8Bar0lCzJaIYbrAC

Score

10^/10

remcos defense_evasion discovery rat

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2840	2852	cmd.exe	29
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	660	2852	cmd.exe	29

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
2576	mondi.exe
2080	mondi.exe

Loads dropped DLL 5 IoCs

pid	Process
2640	cmd.exe
2640	cmd.exe
1656	cmd.exe
1656	cmd.exe
2576	mondi.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\mondi.eXe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\mondi.eXe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mondi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mondi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Office loads VBA resources, possible macro or embedded object present

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2360	timeout.exe
1608	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2244	taskkill.exe
976	taskkill.exe

NTFS ADS 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\Desktop\StepStart.docx\:Zone.Identifier:$DATA	cmd.exe
File created	C:\Users\Admin\Desktop\StepStart.docx\:Zone.Identifier:$DATA	cmd.exe
File created	C:\Users\Admin\AppData\Local\Temp\hondi.cmd:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\Temp\mondi.eXe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\Temp\gondi.doc:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\hondi.cmd:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\mondi.eXe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\gondi.doc:Zone.Identifier	cmd.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2852	WINWORD.EXE
2432	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	976	taskkill.exe
Token: SeDebugPrivilege	2244	taskkill.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2852	WINWORD.EXE
2852	WINWORD.EXE
2852	WINWORD.EXE
2432	WINWORD.EXE
2432	WINWORD.EXE
2432	WINWORD.EXE
2304	help.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2840	2852	WINWORD.EXE	30
PID 2852 wrote to memory of 2840	2852	WINWORD.EXE	30
PID 2852 wrote to memory of 2840	2852	WINWORD.EXE	30
PID 2852 wrote to memory of 2840	2852	WINWORD.EXE	30
PID 2840 wrote to memory of 2608	2840	cmd.exe	32
PID 2840 wrote to memory of 2608	2840	cmd.exe	32
PID 2840 wrote to memory of 2608	2840	cmd.exe	32
PID 2840 wrote to memory of 2608	2840	cmd.exe	32
PID 2608 wrote to memory of 2640	2608	cmd.exe	33
PID 2608 wrote to memory of 2640	2608	cmd.exe	33
PID 2608 wrote to memory of 2640	2608	cmd.exe	33
PID 2608 wrote to memory of 2640	2608	cmd.exe	33
PID 2852 wrote to memory of 660	2852	WINWORD.EXE	34
PID 2852 wrote to memory of 660	2852	WINWORD.EXE	34
PID 2852 wrote to memory of 660	2852	WINWORD.EXE	34
PID 2852 wrote to memory of 660	2852	WINWORD.EXE	34
PID 2640 wrote to memory of 1608	2640	cmd.exe	36
PID 2640 wrote to memory of 1608	2640	cmd.exe	36
PID 2640 wrote to memory of 1608	2640	cmd.exe	36
PID 2640 wrote to memory of 1608	2640	cmd.exe	36
PID 660 wrote to memory of 1728	660	cmd.exe	37
PID 660 wrote to memory of 1728	660	cmd.exe	37
PID 660 wrote to memory of 1728	660	cmd.exe	37
PID 660 wrote to memory of 1728	660	cmd.exe	37
PID 2640 wrote to memory of 2576	2640	cmd.exe	38
PID 2640 wrote to memory of 2576	2640	cmd.exe	38
PID 2640 wrote to memory of 2576	2640	cmd.exe	38
PID 2640 wrote to memory of 2576	2640	cmd.exe	38
PID 1728 wrote to memory of 1656	1728	cmd.exe	39
PID 1728 wrote to memory of 1656	1728	cmd.exe	39
PID 1728 wrote to memory of 1656	1728	cmd.exe	39
PID 1728 wrote to memory of 1656	1728	cmd.exe	39
PID 2640 wrote to memory of 976	2640	cmd.exe	40
PID 2640 wrote to memory of 976	2640	cmd.exe	40
PID 2640 wrote to memory of 976	2640	cmd.exe	40
PID 2640 wrote to memory of 976	2640	cmd.exe	40
PID 1656 wrote to memory of 2360	1656	cmd.exe	41
PID 1656 wrote to memory of 2360	1656	cmd.exe	41
PID 1656 wrote to memory of 2360	1656	cmd.exe	41
PID 1656 wrote to memory of 2360	1656	cmd.exe	41
PID 1656 wrote to memory of 2080	1656	cmd.exe	42
PID 1656 wrote to memory of 2080	1656	cmd.exe	42
PID 1656 wrote to memory of 2080	1656	cmd.exe	42
PID 1656 wrote to memory of 2080	1656	cmd.exe	42
PID 1656 wrote to memory of 2244	1656	cmd.exe	43
PID 1656 wrote to memory of 2244	1656	cmd.exe	43
PID 1656 wrote to memory of 2244	1656	cmd.exe	43
PID 1656 wrote to memory of 2244	1656	cmd.exe	43
PID 2640 wrote to memory of 1080	2640	cmd.exe	46
PID 2640 wrote to memory of 1080	2640	cmd.exe	46
PID 2640 wrote to memory of 1080	2640	cmd.exe	46
PID 2640 wrote to memory of 1080	2640	cmd.exe	46
PID 1656 wrote to memory of 2764	1656	cmd.exe	45
PID 1656 wrote to memory of 2764	1656	cmd.exe	45
PID 1656 wrote to memory of 2764	1656	cmd.exe	45
PID 1656 wrote to memory of 2764	1656	cmd.exe	45
PID 1656 wrote to memory of 1196	1656	cmd.exe	47
PID 1656 wrote to memory of 1196	1656	cmd.exe	47
PID 1656 wrote to memory of 1196	1656	cmd.exe	47
PID 1656 wrote to memory of 1196	1656	cmd.exe	47
PID 1196 wrote to memory of 1664	1196	cmd.exe	48
PID 1196 wrote to memory of 1664	1196	cmd.exe	48
PID 1196 wrote to memory of 1664	1196	cmd.exe	48
PID 1196 wrote to memory of 1664	1196	cmd.exe	48

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c446746efb2f1adcbfa66f98fa4b5dca_JaffaCakes118.rtf"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\Admin\AppData\Local\Temp\dqfm.cMd"
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    CmD
    3⤵
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\hondi.cmd
      4⤵
      Loads dropped DLL
      Subvert Trust Controls: Mark-of-the-Web Bypass
      System Location Discovery: System Language Discovery
      NTFS ADS
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT 1
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1608
    - - C:\Users\Admin\AppData\Local\Temp\mondi.exe
        
        C:\Users\Admin\AppData\Local\Temp\mondi.eXe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2576
      - C:\Windows\SysWOW64\help.exe
        
        C:\Users\Admin\AppData\Local\Temp\mondi.eXe
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2304
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM winword.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:380
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:844
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1188
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1220
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:592
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:772
    - - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\StepStart.docx"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        
        PID:2432
      - C:\Windows\splwow64.exe
        
        C:\Windows\splwow64.exe 12288
        6⤵
        
        PID:1964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\Admin\AppData\Local\Temp\dqfm.cMd"
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\SysWOW64\cmd.exe
    CmD
    3⤵
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\hondi.cmd
      4⤵
      Loads dropped DLL
      Subvert Trust Controls: Mark-of-the-Web Bypass
      System Location Discovery: System Language Discovery
      NTFS ADS
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT 1
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2360
    - - C:\Users\Admin\AppData\Local\Temp\mondi.exe
        
        C:\Users\Admin\AppData\Local\Temp\mondi.eXe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2080
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM winword.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1208
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dqfm.cMd

Filesize
186B

MD5
6eb8fca5a12e7634b8103d4a2a3d9fab

SHA1
653fef2184f37d86bb6497ea65f568d4715f2bdb

SHA256
b77a97cb8e5db38e9ab356f8e07ff71b19c504d9753ad9cade63f43d85fa0f41

SHA512
741327ec0e91bcd61c311aaaf72c8ea5235d9b943fd0de89cc0386306cf9e4c5557eed57f88a295f83f1cc61fa9292d809f3a0d3c409e5ebe13e1bb1d31c3c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\trbatehtqevyay.ScT

Filesize
599B

MD5
aa71a44bf5dfe09062e37ca88607a62f

SHA1
b4a724e009500eb2c7f18a70cedfda7058ebf488

SHA256
e942325b1059a2aa7ee8b739eb138500fbb669233f3332fe7a79c339d626225c

SHA512
18f75ec35f745a2303ed56b3bc8127021e6894b1172a18a67b7e08a457c3a2755fa270c330bddd50f6fe96904e0abb129601b12985eb4811f8e214cb1364a347

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
4de25695b4de9e3f8f585f0d49eca364

SHA1
ec5799bd166b72187e032658a45a866902de9eef

SHA256
121bfe7430d6ecf6bdecb5bf32ede8a273a11fda35eb39b29fdd2ca419cda0bb

SHA512
5d9a6adfb9cda3d856e891ee6ff893dc79b3b1038fcf017885c261a72c687cde4edff836474288dee46ed598efea036b5b496799af868b6d9af5ad48aea0a8a8

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
78B

MD5
f7eeb9025080b4b86a4e80a2d7d9f5aa

SHA1
66db36e871619d7e06d6f3fe4c26f8df96b45d39

SHA256
eeddfc61552082a7db51359c7476e0dd115e7dcb0064edd2ab45364242655be1

SHA512
8dbd2d7418674d19955d4fe6bcbf8ed8c1189b433900dc487ba126155c5550fbffbb41e687bcaef82a55ed6420481b8cd4a9c6bcd34a58b3168c0caca3cdf0f8

Download Submit
C:\Users\Admin\Desktop\StepStart.docx

Filesize
60KB

MD5
85d0af70f100f25ad77b3a063fad8bf9

SHA1
04faed82750d6f55f8a4c029a1ac33f57752947d

SHA256
054bb3ec25fddb8101ad4605d8e903d35102866e8c845c2d02527d8506530542

SHA512
9b8089e2924514aac565b4f4ae9f69146c27495c3123c18d9f580c149b0c7b122d5df63f4ad3f1717a5c7fd467d90fb6b376990eb18fbf2c1bf5cdd888c697b4

Download Submit
\Users\Admin\AppData\Local\Temp\mondi.exe

Filesize
307KB

MD5
01eda1007022d4e1c079526aa0da6e0c

SHA1
e20a482db21a54be51bee9ed6e1215f1b0895ac4

SHA256
ecada471dde61af1b972583d2a39db4247d3e3b4b4ba33f6671b8e4282d2c705

SHA512
2f2ebdcfda791c3b2807c00e70e55606d4796ef5738371745984c2ca849ff1eff47a6d99017f15fd37f4633815d80ae360597e4e1c8fe0fb585ed679ba2d8c9d

Download Submit
\Users\Admin\AppData\Local\svchostdd\svchostdd.exe

Filesize
307KB

MD5
d553bc1fbe3334386ade6b28f9ec9413

SHA1
02fc064fce2255a2d5059393d96d09a2a20cc531

SHA256
e02e66da2ff0799c1b85bb7f630bc1b869dde0456e0d3ef45663e16a3d81be8e

SHA512
0a5b27cab4945a92d5de6654bfd0d26003bd76938cbbfc7696f0650f880d92627214578b8413d6ed967553f9a62e90bbe6982b31d2353368a7e4d2d7a9881203

Download Submit
memory/2304-95-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2432-72-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2432-119-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2576-44-0x0000000001D90000-0x0000000001F10000-memory.dmp

Filesize
1.5MB

Download
memory/2576-43-0x0000000000340000-0x0000000000390000-memory.dmp

Filesize
320KB

Download
memory/2576-45-0x0000000001D90000-0x0000000001EA0000-memory.dmp

Filesize
1.1MB

Download
memory/2576-46-0x0000000000340000-0x0000000000387000-memory.dmp

Filesize
284KB

Download
memory/2852-0-0x000000002FC61000-0x000000002FC62000-memory.dmp

Filesize
4KB

Download
memory/2852-56-0x000000007171D000-0x0000000071728000-memory.dmp

Filesize
44KB

Download
memory/2852-2-0x000000007171D000-0x0000000071728000-memory.dmp

Filesize
44KB

Download
memory/2852-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download