Analysis
max time kernel: 689s
max time network: 495s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/09/2024, 21:10
Behavioral task: behavioral1
Sample: remcos_a.exe
Resource: win10v2004-20240802-en
General
Target: remcos_a.exe
Size: 469KB
MD5: 48f4a8f633bf5535811c23a81d8d8506
SHA1: c2a98525bfda82421cb8670db223b19acef31f23
SHA256: 9ec9c4c81c67d6628d141981a7020bb7ded83b4c40ff693870cd98eaebf74912
SHA512: 7903c322d886bcffc06a9310ba451b0f0eac53d2acedf45b544548ae3656ef477b5a03a86d54452d65461957df4c643082338119bdeb0f2303f528daf0642e29
SSDEEP: 12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSOn9:uiLJbpI7I2WhQqZ7O9
Malware Config
Extracted: remcos
RemoteHost: 192.168.1.56:13970
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: Windows32.exe
copy_folder: Health
delete_file: true
hide_file: true
hide_keylog_file: true
install_flag: true
install_path: %WinDir%\System32
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: filer32
keylog_path: %WinDir%\System32
mouse_option: false
mutex: Rmc-36XJ31
screenshot_crypt: true
screenshot_flag: true
screenshot_folder: Screenshots
screenshot_path: %WinDir%\System32
screenshot_time: 10
startup_value: WindowsHealth
take_screenshot_option: false
take_screenshot_time: 5
Signatures
-
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
(the same write is recorded four times, once per reg.exe instance in the process tree below)
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Adds policy Run key to start application 2 TTPs 8 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | remcos_a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WindowsHealth = "\"C:\\Windows\\SysWOW64\\Health\\Windows32.exe\"" | remcos_a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Windows32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WindowsHealth = "\"C:\\Windows\\SysWOW64\\Health\\Windows32.exe\"" | Windows32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WindowsHealth = "\"C:\\Windows\\SysWOW64\\Health\\Windows32.exe\"" | iexplore.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Windows32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WindowsHealth = "\"C:\\Windows\\SysWOW64\\Health\\Windows32.exe\"" | Windows32.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | remcos_a.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | WScript.exe
Deletes itself 1 IoCs
pid | Process
1284 | WScript.exe
Executes dropped EXE 2 IoCs
pid | Process
4180 | Windows32.exe
2052 | Windows32.exe
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | iexplore.exe
Adds Run key to start application 2 TTPs 8 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsHealth = "\"C:\\Windows\\SysWOW64\\Health\\Windows32.exe\"" | Windows32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHealth = "\"C:\\Windows\\SysWOW64\\Health\\Windows32.exe\"" | remcos_a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsHealth = "\"C:\\Windows\\SysWOW64\\Health\\Windows32.exe\"" | remcos_a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHealth = "\"C:\\Windows\\SysWOW64\\Health\\Windows32.exe\"" | Windows32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsHealth = "\"C:\\Windows\\SysWOW64\\Health\\Windows32.exe\"" | Windows32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHealth = "\"C:\\Windows\\SysWOW64\\Health\\Windows32.exe\"" | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsHealth = "\"C:\\Windows\\SysWOW64\\Health\\Windows32.exe\"" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHealth = "\"C:\\Windows\\SysWOW64\\Health\\Windows32.exe\"" | Windows32.exe
Drops file in System32 directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Health\Windows32.exe | remcos_a.exe
File created | C:\Windows\SysWOW64\filer32\logs.dat | iexplore.exe
File created | C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_5938c699b80ebb8f\keyboard.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | dxdiag.exe
File created | C:\Windows\SysWOW64\Health\Windows32.exe | remcos_a.exe
File created | C:\Windows\SysWOW64\Screenshots\time_20240917_211047.dat | iexplore.exe
File opened for modification | C:\Windows\SysWOW64\filer32\logs.dat | iexplore.exe
File opened for modification | C:\Windows\SysWOW64\Health | remcos_a.exe
File created | C:\Windows\System32\DriverStore\FileRepository\usbport.inf_amd64_254cd5ae09de6b08\usbport.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_533c8d455025cc59\hdaudbus.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_b748590104fe1c15\machine.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_adeb6424513f60a2\input.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_1793a485b491b199\msmouse.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_0d06b6638bdb4763\mshdc.PNF | dxdiag.exe
Suspicious use of SetThreadContext 6 IoCs
description | pid | Process | procid_target
PID 4180 set thread context of 2460 | 4180 | Windows32.exe | 92
PID 2460 set thread context of 4796 | 2460 | iexplore.exe | 98
PID 2460 set thread context of 4844 | 2460 | iexplore.exe | 113
PID 2460 set thread context of 556 | 2460 | iexplore.exe | 114
PID 2460 set thread context of 1272 | 2460 | iexplore.exe | 115
PID 2052 set thread context of 2156 | 2052 | Windows32.exe | 118
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dxdiag.exe (1), iexplore.exe (4), Windows32.exe (2), cmd.exe (5), reg.exe (4), svchost.exe (1), remcos_a.exe (1), WScript.exe (1)
(19 opens of the same key in total; the count per process is given in parentheses)
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | dxdiag.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | dxdiag.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | dxdiag.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | dxdiag.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | dxdiag.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | dxdiag.exe
Modifies registry class 38 IoCs
Modifies registry key 1 TTPs 4 IoCs
pid | Process
1864 | reg.exe
3116 | reg.exe
1956 | reg.exe
1316 | reg.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3432 | taskmgr.exe (the same entry is recorded 64 times)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
2460 | iexplore.exe
3432 | taskmgr.exe
Suspicious behavior: MapViewOfSection 6 IoCs
pid | Process
4180 | Windows32.exe
2460 | iexplore.exe (recorded 4 times)
2052 | Windows32.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3432 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3432 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3432 | taskmgr.exe
Token: SeDebugPrivilege | 1272 | iexplore.exe
Token: 33 | 3432 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 3432 | taskmgr.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
2460 | iexplore.exe
3432 | taskmgr.exe (the same entry is recorded 63 times)
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
2460 | iexplore.exe
3432 | taskmgr.exe (the same entry is recorded 63 times)
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2460 | iexplore.exe
4000 | dxdiag.exe
Suspicious use of WriteProcessMemory 63 IoCs
description | pid | Process | procid_target | times recorded
PID 5004 wrote to memory of 4672 | 5004 | remcos_a.exe | 84 | 3
PID 4672 wrote to memory of 1864 | 4672 | cmd.exe | 86 | 3
PID 5004 wrote to memory of 1284 | 5004 | remcos_a.exe | 87 | 3
PID 1284 wrote to memory of 3440 | 1284 | WScript.exe | 88 | 3
PID 3440 wrote to memory of 4180 | 3440 | cmd.exe | 90 | 3
PID 4180 wrote to memory of 1812 | 4180 | Windows32.exe | 91 | 3
PID 4180 wrote to memory of 2460 | 4180 | Windows32.exe | 92 | 4
PID 2460 wrote to memory of 3292 | 2460 | iexplore.exe | 94 | 3
PID 1812 wrote to memory of 3116 | 1812 | cmd.exe | 97 | 3
PID 3292 wrote to memory of 1956 | 3292 | cmd.exe | 99 | 3
PID 2460 wrote to memory of 4796 | 2460 | iexplore.exe | 98 | 4
PID 2460 wrote to memory of 4000 | 2460 | iexplore.exe | 111 | 3
PID 2460 wrote to memory of 4844 | 2460 | iexplore.exe | 113 | 4
PID 2460 wrote to memory of 556 | 2460 | iexplore.exe | 114 | 4
PID 2460 wrote to memory of 1272 | 2460 | iexplore.exe | 115 | 4
PID 4796 wrote to memory of 2052 | 4796 | svchost.exe | 116 | 3
PID 2052 wrote to memory of 4356 | 2052 | Windows32.exe | 117 | 3
PID 2052 wrote to memory of 2156 | 2052 | Windows32.exe | 118 | 4
PID 4356 wrote to memory of 1316 | 4356 | cmd.exe | 120 | 3
(63 entries in total; identical rows are collapsed with their count in the last column)
Processes
(one entry per process; the number in brackets is the depth in the process tree, and indentation follows it)

[1] C:\Users\Admin\AppData\Local\Temp\remcos_a.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"
    - Adds policy Run key to start application
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 5004

  [2] C:\Windows\SysWOW64\cmd.exe
      command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4672

    [3] C:\Windows\SysWOW64\reg.exe
        command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - UAC bypass
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 1864

  [2] C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      - Checks computer location settings
      - Deletes itself
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1284

    [3] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\Health\Windows32.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3440

      [4] C:\Windows\SysWOW64\Health\Windows32.exe
          command line: C:\Windows\SysWOW64\Health\Windows32.exe
          - Adds policy Run key to start application
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
          PID: 4180

        [5] C:\Windows\SysWOW64\cmd.exe
            command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 1812

          [6] C:\Windows\SysWOW64\reg.exe
              command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              - UAC bypass
              - System Location Discovery: System Language Discovery
              - Modifies registry key
              PID: 3116

        [5] \??\c:\program files (x86)\internet explorer\iexplore.exe
            command line: "c:\program files (x86)\internet explorer\iexplore.exe"
            - Adds policy Run key to start application
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 2460

          [6] C:\Windows\SysWOW64\cmd.exe
              command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID: 3292

            [7] C:\Windows\SysWOW64\reg.exe
                command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                - UAC bypass
                - System Location Discovery: System Language Discovery
                - Modifies registry key
                PID: 1956

          [6] C:\Windows\SysWOW64\svchost.exe
              command line: svchost.exe
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              - Suspicious use of WriteProcessMemory
              PID: 4796

            [7] C:\Windows\SysWOW64\Health\Windows32.exe
                command line: "C:\Windows\SysWOW64\Health\Windows32.exe"
                - Adds policy Run key to start application
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of WriteProcessMemory
                PID: 2052

              [8] C:\Windows\SysWOW64\cmd.exe
                  command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory
                  PID: 4356

                [9] C:\Windows\SysWOW64\reg.exe
                    command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                    - UAC bypass
                    - System Location Discovery: System Language Discovery
                    - Modifies registry key
                    PID: 1316

              [8] \??\c:\program files (x86)\internet explorer\iexplore.exe
                  command line: "c:\program files (x86)\internet explorer\iexplore.exe"
                  PID: 2156

          [6] C:\Windows\SysWOW64\dxdiag.exe
              command line: "C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
              - Drops file in System32 directory
              - System Location Discovery: System Language Discovery
              - Checks SCSI registry key(s)
              - Modifies registry class
              - Suspicious use of SetWindowsHookEx
              PID: 4000

          [6] \??\c:\program files (x86)\internet explorer\iexplore.exe
              command line: "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kalloqvx"
              - System Location Discovery: System Language Discovery
              PID: 4844

          [6] \??\c:\program files (x86)\internet explorer\iexplore.exe
              command line: "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vdqehjgrcfce"
              - Accesses Microsoft Outlook accounts
              - System Location Discovery: System Language Discovery
              PID: 556

          [6] \??\c:\program files (x86)\internet explorer\iexplore.exe
              command line: "c:\program files (x86)\internet explorer\iexplore.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fxeohbqtqnujgsh"
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              PID: 1272

[1] C:\Windows\system32\taskmgr.exe
    command line: "C:\Windows\system32\taskmgr.exe" /4
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3432
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (4)
Downloads