remcos | 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-09-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
Size

2.9MB
MD5

5519df0a635727fc10991148bfe970a0
SHA1

2a6ff2e8cd98ce0bb1e8a8cf024f616aa922edb7
SHA256

6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554
SHA512

13ce91d2931ae1aefa618d43919b8c00a612b67a886451a696b5e764c833eb4ce27d07c41ca4c4f95f92791d54b35d55d6efc1f3fec66c4aee1f1d7271f7ee3f
SSDEEP

49152:hh+ZkldoPK8Yad7cwj644Mh+ZkldoPK8YaLDNcL:C2cPK8YwjE2cPK8y

Score

10^/10

remcos remotehost discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.3.0 Pro

Botnet

RemoteHost

daya4659.ddns.net:8282

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
3
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-S1KNPZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 26 IoCs

Processes:

remcos_agent_Protected.exeremcos_agent_Protected.exeremcos.exeremcos.exedriverquery.exesfc.exesfc.exedriverquery.exedriverquery.exedriverquery.exedriverquery.exedriverquery.exedriverquery.exe

pid	process
2524	remcos_agent_Protected.exe
2864	remcos_agent_Protected.exe
1860	remcos.exe
2076	remcos.exe
2508	driverquery.exe
1040	sfc.exe
1556	sfc.exe
2988	driverquery.exe
2020	driverquery.exe
2680	driverquery.exe
1572	driverquery.exe
3060	driverquery.exe
1192	driverquery.exe
2524	remcos_agent_Protected.exe
2864	remcos_agent_Protected.exe
1860	remcos.exe
2076	remcos.exe
2508	driverquery.exe
1040	sfc.exe
1556	sfc.exe
2988	driverquery.exe
2020	driverquery.exe
2680	driverquery.exe
1572	driverquery.exe
3060	driverquery.exe
1192	driverquery.exe

Loads dropped DLL 12 IoCs

Processes:

6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exeremcos_agent_Protected.execmd.exe

pid	process
1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
2524	remcos_agent_Protected.exe
1468	cmd.exe
1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
2524	remcos_agent_Protected.exe
1468	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

remcos_agent_Protected.exeremcos.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos_agent_Protected.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos_agent_Protected.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe

AutoIT Executable 20 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2144-75-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2144-78-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2144-77-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2144-72-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2144-70-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2144-68-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2144-76-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/540-109-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/540-110-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/540-108-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2144-75-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2144-78-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2144-77-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2144-72-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2144-70-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2144-68-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2144-76-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/540-109-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/540-110-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/540-108-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 18 IoCs

Processes:

remcos_agent_Protected.exeremcos.exeremcos.exesfc.exe

description	pid	process	target process
PID 2524 set thread context of 2864	2524	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 1860 set thread context of 2076	1860	remcos.exe	remcos.exe
PID 2076 set thread context of 2144	2076	remcos.exe	svchost.exe
PID 2076 set thread context of 540	2076	remcos.exe	svchost.exe
PID 2076 set thread context of 1492	2076	remcos.exe	svchost.exe
PID 2076 set thread context of 2392	2076	remcos.exe	svchost.exe
PID 2076 set thread context of 832	2076	remcos.exe	svchost.exe
PID 2076 set thread context of 752	2076	remcos.exe	svchost.exe
PID 1040 set thread context of 1556	1040	sfc.exe	sfc.exe
PID 2524 set thread context of 2864	2524	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 1860 set thread context of 2076	1860	remcos.exe	remcos.exe
PID 2076 set thread context of 2144	2076	remcos.exe	svchost.exe
PID 2076 set thread context of 540	2076	remcos.exe	svchost.exe
PID 2076 set thread context of 1492	2076	remcos.exe	svchost.exe
PID 2076 set thread context of 2392	2076	remcos.exe	svchost.exe
PID 2076 set thread context of 832	2076	remcos.exe	svchost.exe
PID 2076 set thread context of 752	2076	remcos.exe	svchost.exe
PID 1040 set thread context of 1556	1040	sfc.exe	sfc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

remcos.exesvchost.exeschtasks.exeWScript.exesvchost.exesfc.exeAcroRd32.exeremcos_agent_Protected.exeschtasks.exeremcos_agent_Protected.exesvchost.exesvchost.exesvchost.exeschtasks.exe6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exeremcos.exeschtasks.exesvchost.exedriverquery.exeschtasks.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_agent_Protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_agent_Protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2756 schtasks.exe
828 schtasks.exe
2060 schtasks.exe
2476 schtasks.exe
2744 schtasks.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

AcroRd32.exeremcos.exe

pid process

2776 AcroRd32.exe
2776 AcroRd32.exe
2776 AcroRd32.exe
2076 remcos.exe
2776 AcroRd32.exe
2776 AcroRd32.exe
2776 AcroRd32.exe
2076 remcos.exe

pid	process
2756	schtasks.exe
828	schtasks.exe
2060	schtasks.exe
2476	schtasks.exe
2744	schtasks.exe

pid	process
2776	AcroRd32.exe
2776	AcroRd32.exe
2776	AcroRd32.exe
2076	remcos.exe
2776	AcroRd32.exe
2776	AcroRd32.exe
2776	AcroRd32.exe
2076	remcos.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exeremcos_agent_Protected.exeremcos_agent_Protected.exeWScript.execmd.exeremcos.exe

description	pid	process	target process
PID 1984 wrote to memory of 2524	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	remcos_agent_Protected.exe
PID 1984 wrote to memory of 2524	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	remcos_agent_Protected.exe
PID 1984 wrote to memory of 2524	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	remcos_agent_Protected.exe
PID 1984 wrote to memory of 2524	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	remcos_agent_Protected.exe
PID 1984 wrote to memory of 2776	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	AcroRd32.exe
PID 1984 wrote to memory of 2776	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	AcroRd32.exe
PID 1984 wrote to memory of 2776	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	AcroRd32.exe
PID 1984 wrote to memory of 2776	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	AcroRd32.exe
PID 1984 wrote to memory of 2204	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 2204	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 2204	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 2204	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 2476	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 2476	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 2476	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 2476	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 2340	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 2340	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 2340	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 2340	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 2136	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 2136	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 2136	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 2136	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 1968	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 1968	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 1968	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 1968	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 2740	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 2740	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 2740	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 2740	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
PID 1984 wrote to memory of 2744	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	schtasks.exe
PID 1984 wrote to memory of 2744	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	schtasks.exe
PID 1984 wrote to memory of 2744	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	schtasks.exe
PID 1984 wrote to memory of 2744	1984	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe	schtasks.exe
PID 2524 wrote to memory of 2864	2524	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2524 wrote to memory of 2864	2524	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2524 wrote to memory of 2864	2524	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2524 wrote to memory of 2864	2524	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2524 wrote to memory of 2864	2524	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2524 wrote to memory of 2864	2524	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2524 wrote to memory of 2756	2524	remcos_agent_Protected.exe	schtasks.exe
PID 2524 wrote to memory of 2756	2524	remcos_agent_Protected.exe	schtasks.exe
PID 2524 wrote to memory of 2756	2524	remcos_agent_Protected.exe	schtasks.exe
PID 2524 wrote to memory of 2756	2524	remcos_agent_Protected.exe	schtasks.exe
PID 2864 wrote to memory of 2596	2864	remcos_agent_Protected.exe	WScript.exe
PID 2864 wrote to memory of 2596	2864	remcos_agent_Protected.exe	WScript.exe
PID 2864 wrote to memory of 2596	2864	remcos_agent_Protected.exe	WScript.exe
PID 2864 wrote to memory of 2596	2864	remcos_agent_Protected.exe	WScript.exe
PID 2596 wrote to memory of 1468	2596	WScript.exe	cmd.exe
PID 2596 wrote to memory of 1468	2596	WScript.exe	cmd.exe
PID 2596 wrote to memory of 1468	2596	WScript.exe	cmd.exe
PID 2596 wrote to memory of 1468	2596	WScript.exe	cmd.exe
PID 1468 wrote to memory of 1860	1468	cmd.exe	remcos.exe
PID 1468 wrote to memory of 1860	1468	cmd.exe	remcos.exe
PID 1468 wrote to memory of 1860	1468	cmd.exe	remcos.exe
PID 1468 wrote to memory of 1860	1468	cmd.exe	remcos.exe
PID 1860 wrote to memory of 2076	1860	remcos.exe	remcos.exe
PID 1860 wrote to memory of 2076	1860	remcos.exe	remcos.exe
PID 1860 wrote to memory of 2076	1860	remcos.exe	remcos.exe
PID 1860 wrote to memory of 2076	1860	remcos.exe	remcos.exe
PID 1860 wrote to memory of 2076	1860	remcos.exe	remcos.exe
PID 1860 wrote to memory of 2076	1860	remcos.exe	remcos.exe

C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
"C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
  "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
    "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1468
      - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:828
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2756
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
  "C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe"
  2⤵
  PID:2204
- C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
  "C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe"
  2⤵
  PID:2476
- C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
  "C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe"
  2⤵
  PID:2340
- C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
  "C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe"
  2⤵
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
  "C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe"
  2⤵
  PID:1968
- C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe
  "C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554.exe"
  2⤵
  PID:2740
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2744

C:\Windows\system32\taskeng.exe
taskeng.exe {BEE181C3-36BF-4F6C-A2E1-55F1472DC9BA} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
PID:2036
- C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
  C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2508
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:2988
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:2680
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:2020
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:3060
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:1572
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:1192
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2060
- C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
  C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1040
- - C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
    "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
    3⤵
    - Executes dropped EXE
    PID:1556
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
418B

MD5
ff449f6f7bc5e2d800eb30e2d2c56611

SHA1
93419ea805b9ce35a766e5c56db50d54c2d3f94b

SHA256
655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416

SHA512
02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf

Filesize
340KB

MD5
bb0aa1bade4df17033a05d8d682b44d2

SHA1
bec4b0a8a7413d158cf6705a3c888bdf36a4371b

SHA256
96d6c8c54390b476e8f8f42b99b52efb19eca152bf046c254992bc2f2faba764

SHA512
6bfe1b289f9c84d4db5a564ed129f7920775946981d5da5cb7753d63a141d84486ba9e958044e8162fba2eba875e56c358f92091b760e07b8cbe459e4202e4d9

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
8a3eb7b5372c7e9ade140679d161680f

SHA1
a3efce21674c601e3bcea237afae7c9b7e6b8f0d

SHA256
f357782a7310e1060080d6309e79ec212fbd0ab748f52d8f6a5efa3db26248be

SHA512
efa87637e4254f5ee77414c954d2cf76dc4083b7947d93341588f9ed8954e965b10f6a26bbbe63936da8624330e52de2dde40fce4317b385c85f69728013bc46

Download Submit
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe

Filesize
1.1MB

MD5
726403fc997cebc9f37ff2c741737c5e

SHA1
a7a851f19769f22095e48c82331d76fafdac4966

SHA256
60c665ed04909cb3e250dd98231d4987acea05c033c33bab97f2d2bec85d87ac

SHA512
204a07d3274a64e218a70fd0d65055fd6bfd05885ef2b9ce44b9f20c8068fa512377396910a3e7e97d8cf54623c595d15c089ae601cee05bf2d7d252ab7e3100

Download Submit
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe

Filesize
2.9MB

MD5
f7c54140065303003a97300954345934

SHA1
43e6ea34ef6b2fd7e544c9b3c5eed6b581955904

SHA256
fe6eabf6ecaa695c964acbd6e1e8481a7638431dbadda982c4bb9110b9c7735e

SHA512
19f46222569a03b157d9c7b3ead5ffd1ca228fa537106ff9150bca64ccf9b4caf3271a4715ee56a930d56f42f2d1d6a6d894e80a02a51e7e066e797ab3937b58

Download Submit
\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe

Filesize
1.1MB

MD5
d5581c9db64b399c7d0cdb3f7b78673b

SHA1
87396211e6468d73c97301fe0b673f64bcd6d17c

SHA256
7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826

SHA512
5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6

Download Submit
memory/540-109-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/540-106-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/540-109-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/540-110-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/540-108-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/540-106-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/540-110-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/540-108-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1984-15-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1984-15-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2076-54-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2076-58-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2076-53-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2076-49-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2076-57-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2076-54-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2076-57-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2076-58-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2076-53-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2076-49-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2144-75-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2144-66-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2144-76-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2144-64-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2144-66-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2144-68-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2144-62-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2144-76-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2144-64-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2144-62-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2144-70-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2144-72-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2144-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2144-77-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2144-78-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2144-75-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2144-78-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2144-77-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2144-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2144-72-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2144-70-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2144-68-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2864-29-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2864-19-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2864-21-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2864-26-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2864-29-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2864-19-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2864-21-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2864-26-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download