remcos | 9273e6c9157cc1846b6b236bc59914161ec91fdfdfe1979090bfabdf0ad06543

Analysis

max time kernel
43s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
Size

2.9MB
MD5

21948d42c2c1e49cadea88e80dfe6880
SHA1

d7f6837f76f3785eef87048c4a28c4b664f99dbd
SHA256

2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7
SHA512

14054453d259e53d88881a6b50061960befc06309fc14d1f557d5cb3cbc2ac7e855a805cc483915e8b5ce737c328dd03a8cfbc9a68a670e0238896009befa863
SSDEEP

49152:hh+ZkldoPK8Yad7cwj644Mh+ZkldoPK8YaLDNcm:C2cPK8YwjE2cPK8f

Score

10^/10

remcos remotehost discovery link pdf persistence rat

Malware Config

Extracted

Family

remcos

Version

2.3.0 Pro

Botnet

RemoteHost

daya4659.ddns.net:8282

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
3
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-S1KNPZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Executes dropped EXE 13 IoCs

pid	Process
2680	remcos_agent_Protected.exe
3040	remcos_agent_Protected.exe
2876	remcos.exe
2788	remcos.exe
2488	sfc.exe
2140	driverquery.exe
916	sfc.exe
2032	driverquery.exe
2416	driverquery.exe
908	driverquery.exe
2344	driverquery.exe
2952	driverquery.exe
2532	driverquery.exe

Loads dropped DLL 6 IoCs

pid	Process
2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
2680	remcos_agent_Protected.exe
1900	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos_agent_Protected.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos_agent_Protected.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe

AutoIT Executable 13 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000700000001211a-2.dat	autoit_exe
behavioral1/memory/2936-69-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2936-68-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2936-77-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2936-76-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2936-75-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2936-74-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2936-71-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2196-109-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2196-110-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/memory/2196-108-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral1/files/0x000a000000015db1-405.dat	autoit_exe
behavioral1/files/0x0007000000015d9a-406.dat	autoit_exe

Suspicious use of SetThreadContext 22 IoCs

description	pid	Process	procid_target
PID 2680 set thread context of 3040	2680	remcos_agent_Protected.exe	40
PID 2876 set thread context of 2788	2876	remcos.exe	47
PID 2788 set thread context of 2936	2788	remcos.exe	48
PID 2788 set thread context of 2196	2788	remcos.exe	51
PID 2788 set thread context of 2000	2788	remcos.exe	52
PID 2788 set thread context of 1112	2788	remcos.exe	53
PID 2788 set thread context of 1664	2788	remcos.exe	54
PID 2788 set thread context of 1940	2788	remcos.exe	55
PID 2788 set thread context of 1456	2788	remcos.exe	56
PID 2788 set thread context of 328	2788	remcos.exe	57
PID 2788 set thread context of 1536	2788	remcos.exe	58
PID 2788 set thread context of 2812	2788	remcos.exe	59
PID 2788 set thread context of 2764	2788	remcos.exe	60
PID 2788 set thread context of 2260	2788	remcos.exe	61
PID 2788 set thread context of 484	2788	remcos.exe	62
PID 2788 set thread context of 2932	2788	remcos.exe	63
PID 2788 set thread context of 2872	2788	remcos.exe	64
PID 2788 set thread context of 400	2788	remcos.exe	65
PID 2788 set thread context of 2264	2788	remcos.exe	66
PID 2788 set thread context of 624	2788	remcos.exe	68
PID 2788 set thread context of 1308	2788	remcos.exe	69
PID 2488 set thread context of 916	2488	sfc.exe	73

HTTP links in PDF interactive object 2 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral1/files/0x0007000000015d87-37.dat	pdf_with_link_action
behavioral1/files/0x0007000000015d9a-406.dat	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_agent_Protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_agent_Protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2804	schtasks.exe
332	schtasks.exe
2404	schtasks.exe
1276	schtasks.exe
2092	schtasks.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2592	AcroRd32.exe
2592	AcroRd32.exe
2592	AcroRd32.exe
2788	remcos.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2680	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	30
PID 2764 wrote to memory of 2680	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	30
PID 2764 wrote to memory of 2680	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	30
PID 2764 wrote to memory of 2680	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	30
PID 2764 wrote to memory of 2592	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	31
PID 2764 wrote to memory of 2592	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	31
PID 2764 wrote to memory of 2592	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	31
PID 2764 wrote to memory of 2592	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	31
PID 2764 wrote to memory of 2816	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	32
PID 2764 wrote to memory of 2816	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	32
PID 2764 wrote to memory of 2816	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	32
PID 2764 wrote to memory of 2816	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	32
PID 2764 wrote to memory of 2940	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	33
PID 2764 wrote to memory of 2940	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	33
PID 2764 wrote to memory of 2940	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	33
PID 2764 wrote to memory of 2940	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	33
PID 2764 wrote to memory of 2256	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	34
PID 2764 wrote to memory of 2256	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	34
PID 2764 wrote to memory of 2256	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	34
PID 2764 wrote to memory of 2256	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	34
PID 2764 wrote to memory of 2692	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	35
PID 2764 wrote to memory of 2692	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	35
PID 2764 wrote to memory of 2692	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	35
PID 2764 wrote to memory of 2692	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	35
PID 2764 wrote to memory of 2604	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	36
PID 2764 wrote to memory of 2604	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	36
PID 2764 wrote to memory of 2604	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	36
PID 2764 wrote to memory of 2604	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	36
PID 2764 wrote to memory of 2668	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	37
PID 2764 wrote to memory of 2668	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	37
PID 2764 wrote to memory of 2668	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	37
PID 2764 wrote to memory of 2668	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	37
PID 2764 wrote to memory of 2804	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	38
PID 2764 wrote to memory of 2804	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	38
PID 2764 wrote to memory of 2804	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	38
PID 2764 wrote to memory of 2804	2764	2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe	38
PID 2680 wrote to memory of 3040	2680	remcos_agent_Protected.exe	40
PID 2680 wrote to memory of 3040	2680	remcos_agent_Protected.exe	40
PID 2680 wrote to memory of 3040	2680	remcos_agent_Protected.exe	40
PID 2680 wrote to memory of 3040	2680	remcos_agent_Protected.exe	40
PID 2680 wrote to memory of 3040	2680	remcos_agent_Protected.exe	40
PID 2680 wrote to memory of 3040	2680	remcos_agent_Protected.exe	40
PID 2680 wrote to memory of 332	2680	remcos_agent_Protected.exe	41
PID 2680 wrote to memory of 332	2680	remcos_agent_Protected.exe	41
PID 2680 wrote to memory of 332	2680	remcos_agent_Protected.exe	41
PID 2680 wrote to memory of 332	2680	remcos_agent_Protected.exe	41
PID 3040 wrote to memory of 2520	3040	remcos_agent_Protected.exe	43
PID 3040 wrote to memory of 2520	3040	remcos_agent_Protected.exe	43
PID 3040 wrote to memory of 2520	3040	remcos_agent_Protected.exe	43
PID 3040 wrote to memory of 2520	3040	remcos_agent_Protected.exe	43
PID 2520 wrote to memory of 1900	2520	WScript.exe	44
PID 2520 wrote to memory of 1900	2520	WScript.exe	44
PID 2520 wrote to memory of 1900	2520	WScript.exe	44
PID 2520 wrote to memory of 1900	2520	WScript.exe	44
PID 1900 wrote to memory of 2876	1900	cmd.exe	46
PID 1900 wrote to memory of 2876	1900	cmd.exe	46
PID 1900 wrote to memory of 2876	1900	cmd.exe	46
PID 1900 wrote to memory of 2876	1900	cmd.exe	46
PID 2876 wrote to memory of 2788	2876	remcos.exe	47
PID 2876 wrote to memory of 2788	2876	remcos.exe	47
PID 2876 wrote to memory of 2788	2876	remcos.exe	47
PID 2876 wrote to memory of 2788	2876	remcos.exe	47
PID 2876 wrote to memory of 2788	2876	remcos.exe	47
PID 2876 wrote to memory of 2788	2876	remcos.exe	47

C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
"C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
  "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
    "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1900
      - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:328
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:484
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2404
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:332
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2592
- C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
  "C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
  2⤵
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
  "C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
  2⤵
  PID:2940
- C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
  "C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
  2⤵
  PID:2256
- C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
  "C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
  2⤵
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
  "C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
  2⤵
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe
  "C:\Users\Admin\AppData\Local\Temp\2ef1aedbfa1d92513e8a45015b59cdd649eb7aac25e420b18c5d564c30066ea7.exe"
  2⤵
  PID:2668
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2804

C:\Windows\system32\taskeng.exe
taskeng.exe {173483A6-4F64-4599-B69E-0018EFC76004} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
PID:2012
- C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
  C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2488
- - C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
    "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
    3⤵
    - Executes dropped EXE
    PID:916
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1276
- C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
  C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2140
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:2032
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:2416
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:2344
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:908
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:2532
- - C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
    3⤵
    - Executes dropped EXE
    PID:2952
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
418B

MD5
ff449f6f7bc5e2d800eb30e2d2c56611

SHA1
93419ea805b9ce35a766e5c56db50d54c2d3f94b

SHA256
655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416

SHA512
02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf

Filesize
340KB

MD5
bb0aa1bade4df17033a05d8d682b44d2

SHA1
bec4b0a8a7413d158cf6705a3c888bdf36a4371b

SHA256
96d6c8c54390b476e8f8f42b99b52efb19eca152bf046c254992bc2f2faba764

SHA512
6bfe1b289f9c84d4db5a564ed129f7920775946981d5da5cb7753d63a141d84486ba9e958044e8162fba2eba875e56c358f92091b760e07b8cbe459e4202e4d9

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
7b8b387248d647cd9e7c1cae0d94bcee

SHA1
2cbb0f53eb469c3ff73fa1d395c8184cd05dd49c

SHA256
891a2f37420cecf8455b42f587f0d49adba1f4f86bbcb1f123a90937ba841dc6

SHA512
3aa2323437ae4b946feba83aa164f880495993e80a6f34ee92e4cbc2ff1a23e32c2d4ec8c6d376a528492979027d88324ebc03910d89657cd06e5bfb8785ca7b

Download Submit
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe

Filesize
1.1MB

MD5
8ef6982af84ab2a564e75b063c26cb79

SHA1
a3cd425b142f60931f1b78651ae004c91356b264

SHA256
3419752b897615138713d521d3de33969a16de535dd5e16e0e839237fa0ee7d8

SHA512
b93d0753183c117026087712dd5953ed5012174334ce3f549853a93201969e9a37bff19dbdb4c791a29ad406070e8f07ed59c8059bfe4cb9e31e4065c9e47d8d

Download Submit
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe

Filesize
2.9MB

MD5
f78075a101e9e34dadb700b472c7b150

SHA1
c2791bd3378a24e81263c8fa90567e952414923b

SHA256
5af1f77e634cb0b723d62eabca4a79a42cbddba905f7d6813c65065662159518

SHA512
f773a433dd0ac0faeb68aae485162e564933e3de612cb0d2327a4bb6da2bcfcd8f9657aed3f38517586644e2b37d92bf0a33be32faabdc49660cd2775e19e908

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
107B

MD5
238f8008fc3e35dd4006a6b9b23a805d

SHA1
8e462a06dfa55ce63e982102e8f73f1acbf2efc5

SHA256
5a3cee596370562896b69df90da6badf009a57feb9a87c78128dad5a92555c13

SHA512
8b783e691bffc032c0bd960fb13ac82a6f519fcda8542fdefab32bf16ef64faa18aafa0ff1b4620553c42a463b8aaadc226893c79b351a6c8788306e306bc709

Download Submit
\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe

Filesize
1.1MB

MD5
d5581c9db64b399c7d0cdb3f7b78673b

SHA1
87396211e6468d73c97301fe0b673f64bcd6d17c

SHA256
7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826

SHA512
5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6

Download Submit
memory/2196-108-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2196-106-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2196-109-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2196-110-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2764-16-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/2788-44-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2788-49-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2788-52-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2788-53-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2788-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2788-57-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2936-68-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2936-65-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2936-63-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2936-61-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2936-74-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2936-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2936-71-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2936-75-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2936-76-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2936-77-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2936-69-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3040-29-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/3040-19-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/3040-21-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/3040-26-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads