remcos | 3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01

Analysis

max time kernel
9s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-09-2024 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
Size

2.9MB
MD5

067027b5b20d0d80be90f41dc126fda3
SHA1

b7644f39188e8e8bcb41723833321a43f9474629
SHA256

3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01
SHA512

a56fa19a0e6e4263a9d48e17e13ef76084808f98dfba1306feda58f64d92acb15c93794726697982f15cde699874407f7a991138de423eb5fa87b43d5084362a
SSDEEP

49152:hh+ZkldoPK8Yad7cwj644Mh+ZkldoPK8YaLDNc9:C2cPK8YwjE2cPK8U

Score

10^/10

remcos remotehost discovery link pdf persistence rat

Malware Config

Extracted

Family

remcos

Version

2.3.0 Pro

Botnet

RemoteHost

daya4659.ddns.net:8282

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
3
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-S1KNPZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 13 IoCs

Processes:

remcos_agent_Protected.exeremcos_agent_Protected.exesfc.exedriverquery.exeremcos.exedriverquery.exedriverquery.exesfc.exeremcos.exedriverquery.exedriverquery.exedriverquery.exedriverquery.exe

pid	process
2468	remcos_agent_Protected.exe
2728	remcos_agent_Protected.exe
2984	sfc.exe
2972	driverquery.exe
1636	remcos.exe
2836	driverquery.exe
2832	driverquery.exe
752	sfc.exe
1900	remcos.exe
2032	driverquery.exe
2144	driverquery.exe
3008	driverquery.exe
2148	driverquery.exe

Loads dropped DLL 6 IoCs

Processes:

3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exeremcos_agent_Protected.execmd.exe

pid	process
2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
2468	remcos_agent_Protected.exe
2808	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

remcos_agent_Protected.exeremcos.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos_agent_Protected.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos_agent_Protected.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe

AutoIT Executable 10 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe	autoit_exe
behavioral1/memory/1012-96-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/1012-97-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/1012-95-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/1012-91-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/1012-89-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/1012-87-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/1012-94-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

remcos_agent_Protected.exesfc.exeremcos.exeremcos.exe

description	pid	process	target process
PID 2468 set thread context of 2728	2468	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2984 set thread context of 752	2984	sfc.exe	sfc.exe
PID 1636 set thread context of 1900	1636	remcos.exe	remcos.exe
PID 1900 set thread context of 1012	1900	remcos.exe	svchost.exe

HTTP links in PDF interactive object 2 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf	pdf_with_link_action
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

remcos_agent_Protected.exeWScript.exeschtasks.exeremcos_agent_Protected.exeAcroRd32.execmd.exeschtasks.exesvchost.exeschtasks.exe3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exeschtasks.exesfc.exedriverquery.exeremcos.exeremcos.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_agent_Protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_agent_Protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

960 schtasks.exe
2600 schtasks.exe
2344 schtasks.exe
2488 schtasks.exe
3020 schtasks.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exeremcos.exe

pid process

1620 AcroRd32.exe
1620 AcroRd32.exe
1620 AcroRd32.exe
1900 remcos.exe

pid	process
960	schtasks.exe
2600	schtasks.exe
2344	schtasks.exe
2488	schtasks.exe
3020	schtasks.exe

pid	process
1620	AcroRd32.exe
1620	AcroRd32.exe
1620	AcroRd32.exe
1900	remcos.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exeremcos_agent_Protected.exeremcos_agent_Protected.exeWScript.exetaskeng.execmd.exe

description	pid	process	target process
PID 2532 wrote to memory of 2468	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	remcos_agent_Protected.exe
PID 2532 wrote to memory of 2468	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	remcos_agent_Protected.exe
PID 2532 wrote to memory of 2468	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	remcos_agent_Protected.exe
PID 2532 wrote to memory of 2468	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	remcos_agent_Protected.exe
PID 2532 wrote to memory of 1620	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	AcroRd32.exe
PID 2532 wrote to memory of 1620	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	AcroRd32.exe
PID 2532 wrote to memory of 1620	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	AcroRd32.exe
PID 2532 wrote to memory of 1620	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	AcroRd32.exe
PID 2532 wrote to memory of 2560	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2560	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2560	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2560	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2592	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2592	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2592	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2592	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2244	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2244	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2244	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2244	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2936	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2936	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2936	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2936	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2716	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2716	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2716	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2716	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2316	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2316	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2316	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2316	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
PID 2532 wrote to memory of 2488	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	schtasks.exe
PID 2532 wrote to memory of 2488	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	schtasks.exe
PID 2532 wrote to memory of 2488	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	schtasks.exe
PID 2532 wrote to memory of 2488	2532	3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe	schtasks.exe
PID 2468 wrote to memory of 2728	2468	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2468 wrote to memory of 2728	2468	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2468 wrote to memory of 2728	2468	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2468 wrote to memory of 2728	2468	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2468 wrote to memory of 2728	2468	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2468 wrote to memory of 2728	2468	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2468 wrote to memory of 3020	2468	remcos_agent_Protected.exe	schtasks.exe
PID 2468 wrote to memory of 3020	2468	remcos_agent_Protected.exe	schtasks.exe
PID 2468 wrote to memory of 3020	2468	remcos_agent_Protected.exe	schtasks.exe
PID 2468 wrote to memory of 3020	2468	remcos_agent_Protected.exe	schtasks.exe
PID 2728 wrote to memory of 2796	2728	remcos_agent_Protected.exe	WScript.exe
PID 2728 wrote to memory of 2796	2728	remcos_agent_Protected.exe	WScript.exe
PID 2728 wrote to memory of 2796	2728	remcos_agent_Protected.exe	WScript.exe
PID 2728 wrote to memory of 2796	2728	remcos_agent_Protected.exe	WScript.exe
PID 2796 wrote to memory of 2808	2796	WScript.exe	cmd.exe
PID 2796 wrote to memory of 2808	2796	WScript.exe	cmd.exe
PID 2796 wrote to memory of 2808	2796	WScript.exe	cmd.exe
PID 2796 wrote to memory of 2808	2796	WScript.exe	cmd.exe
PID 1592 wrote to memory of 2984	1592	taskeng.exe	sfc.exe
PID 1592 wrote to memory of 2984	1592	taskeng.exe	sfc.exe
PID 1592 wrote to memory of 2984	1592	taskeng.exe	sfc.exe
PID 1592 wrote to memory of 2984	1592	taskeng.exe	sfc.exe
PID 1592 wrote to memory of 2972	1592	taskeng.exe	driverquery.exe
PID 1592 wrote to memory of 2972	1592	taskeng.exe	driverquery.exe
PID 1592 wrote to memory of 2972	1592	taskeng.exe	driverquery.exe
PID 1592 wrote to memory of 2972	1592	taskeng.exe	driverquery.exe
PID 2808 wrote to memory of 1636	2808	cmd.exe	remcos.exe
PID 2808 wrote to memory of 1636	2808	cmd.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
"C:\Users\Admin\AppData\Local\Temp\3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
  "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
    "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2808
      - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1900
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2344
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3020
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1620
- C:\Users\Admin\AppData\Local\Temp\3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
  "C:\Users\Admin\AppData\Local\Temp\3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe"
  2⤵
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
  "C:\Users\Admin\AppData\Local\Temp\3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe"
  2⤵
  PID:2592
- C:\Users\Admin\AppData\Local\Temp\3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
  "C:\Users\Admin\AppData\Local\Temp\3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe"
  2⤵
  PID:2244
- C:\Users\Admin\AppData\Local\Temp\3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
  "C:\Users\Admin\AppData\Local\Temp\3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe"
  2⤵
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
  "C:\Users\Admin\AppData\Local\Temp\3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe"
  2⤵
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe
  "C:\Users\Admin\AppData\Local\Temp\3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01.exe"
  2⤵
  PID:2316
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2488

C:\Windows\system32\taskeng.exe
taskeng.exe {2000542D-2F14-4DC4-BBB9-0DFEE852454F} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
  C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2984
- - C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
    "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
    3⤵
    - Executes dropped EXE
    PID:752
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2600
- C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
  C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2972
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:2836
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:2832
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:2032
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:2144
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:3008
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:2148
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
418B

MD5
ff449f6f7bc5e2d800eb30e2d2c56611

SHA1
93419ea805b9ce35a766e5c56db50d54c2d3f94b

SHA256
655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416

SHA512
02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf

Filesize
340KB

MD5
bb0aa1bade4df17033a05d8d682b44d2

SHA1
bec4b0a8a7413d158cf6705a3c888bdf36a4371b

SHA256
96d6c8c54390b476e8f8f42b99b52efb19eca152bf046c254992bc2f2faba764

SHA512
6bfe1b289f9c84d4db5a564ed129f7920775946981d5da5cb7753d63a141d84486ba9e958044e8162fba2eba875e56c358f92091b760e07b8cbe459e4202e4d9

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
7f29696890bcd1bae33e17b2322254be

SHA1
8058a24143acd1b0040585d3ee8f5e283774dc47

SHA256
0cbc7327219ad4e09dc7e646c145338bb07292b4d871ac6e4c2cda9620d0a0e8

SHA512
31f9ad330f6cc3f52887af0cb748222dfab65e31d0839424883a24c60b7631809c249b78e1a80092487c3999aab221df32c7152e3101de6405ea8fc047549a09

Download Submit
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe

Filesize
1.1MB

MD5
a6e6aeab8aa43dd46325cd5aab37e524

SHA1
feb55e519b13c8d7dcdc7ffde5fd11f5e98d2b7c

SHA256
2345a4555cbe58a93884746958c0dd2b23c85998bb9c3b697754eeafce425135

SHA512
240c32a68da2f6b13cec38dad23492e0ea42624e03441503fe6c9d9dc20d400747a6196a6685f70e0c7f90f565cedfd094a4f238bebd055e29f02d1e7f7b295d

Download Submit
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe

Filesize
2.9MB

MD5
f7ab50ff7dbcf9b161e4ad94559350dc

SHA1
c77bacdab2286fe26493d09a488182a3be4f7e30

SHA256
1a336e09c273a7bac79029c52c8a6c86eeb9c74b18bab7a1bd4491237680c0e2

SHA512
ace519f152dc07900e44f8b9f8174593d65a4473539fec823905477babfd206190f67be61352affa83f5ddf02df670ecf44d394b970d5a1397d66cae175cc882

Download Submit
\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe

Filesize
1.1MB

MD5
d5581c9db64b399c7d0cdb3f7b78673b

SHA1
87396211e6468d73c97301fe0b673f64bcd6d17c

SHA256
7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826

SHA512
5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6

Download Submit
memory/752-56-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1012-91-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1012-83-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1012-93-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1012-94-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1012-96-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1012-97-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1012-95-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1012-81-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1012-89-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1012-87-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1012-85-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1900-74-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1900-73-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1900-70-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1900-69-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1900-66-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2532-15-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2728-19-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2728-29-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2728-21-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2728-26-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download