remcos | eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34

Analysis

max time kernel
4s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
Size

368KB
MD5

3b6f01867a856980aebf4bfefd580b05
SHA1

aabfde9fa7910ff59d6a2fd4de8f2280e4554695
SHA256

eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34
SHA512

df27c242f07c2ba0c8b2f526a189b3ba9fea78c75aa63da57f982c5d6a55ba73ba2e934f9f0ccbff68c9cb2795810f2d5f6b9f4bd6b87da4007f592512df77f7
SSDEEP

3072:tRFhJsebNVlW1NWgxLJOp6iJRejPoQKvHIbuduaqyuhjDxSIVbOfprMIYsMMgC6U:tRF3VoweHW0u8TDB4ty3huYu

Score

10^/10

remcos talentino discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.4.3 Pro

Botnet

Talentino

185.140.53.140:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
true
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-KG5D4I
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nas0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nas0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	nas0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe

Executes dropped EXE 13 IoCs

pid	Process
2904	nas0.exe
2624	nas0.exe
4716	remcos.exe
4656	nas0.exe
3912	remcos.exe
4944	nas0.exe
4856	nas0.exe
4252	nas0.exe
2036	remcos.exe
4268	nas0.exe
3544	remcos.exe
2900	nas0.exe
5820	remcos.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\men0 = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nas0.vbs\""	nas0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\men0 = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nas0.vbs\""	nas0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\men0 = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nas0.vbs\""	nas0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	nas0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	nas0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	nas0.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	nas0.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	nas0.exe
Key created	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings	nas0.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3080	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
3080	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
5612	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
5612	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
2904	nas0.exe
2904	nas0.exe
2624	nas0.exe
2624	nas0.exe
4716	remcos.exe
4716	remcos.exe
4656	nas0.exe
4656	nas0.exe
3912	remcos.exe
3912	remcos.exe
4944	nas0.exe
4944	nas0.exe
4856	nas0.exe
4856	nas0.exe
2036	remcos.exe
2036	remcos.exe
4252	nas0.exe
4252	nas0.exe
4268	nas0.exe
4268	nas0.exe
3544	remcos.exe
3544	remcos.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
3080	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
3080	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
5612	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
5612	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
2904	nas0.exe
2904	nas0.exe
2624	nas0.exe
2624	nas0.exe
4716	remcos.exe
4716	remcos.exe
4656	nas0.exe
4656	nas0.exe
3912	remcos.exe
3912	remcos.exe
4944	nas0.exe
4944	nas0.exe
4856	nas0.exe
4856	nas0.exe
2036	remcos.exe
2036	remcos.exe
4252	nas0.exe
4252	nas0.exe
4268	nas0.exe
4268	nas0.exe
3544	remcos.exe
3544	remcos.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3080	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
5612	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
2904	nas0.exe
2624	nas0.exe
4716	remcos.exe
4656	nas0.exe
3912	remcos.exe
4944	nas0.exe
4856	nas0.exe
4252	nas0.exe
2036	remcos.exe
4268	nas0.exe
3544	remcos.exe
5820	remcos.exe
2900	nas0.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 5612	3080	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe	86
PID 3080 wrote to memory of 5612	3080	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe	86
PID 3080 wrote to memory of 5612	3080	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe	86
PID 5612 wrote to memory of 2904	5612	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe	89
PID 5612 wrote to memory of 2904	5612	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe	89
PID 5612 wrote to memory of 2904	5612	eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe	89
PID 2904 wrote to memory of 2624	2904	nas0.exe	90
PID 2904 wrote to memory of 2624	2904	nas0.exe	90
PID 2904 wrote to memory of 2624	2904	nas0.exe	90
PID 2748 wrote to memory of 4576	2748	cmd.exe	95
PID 2748 wrote to memory of 4576	2748	cmd.exe	95
PID 2624 wrote to memory of 4712	2624	nas0.exe	96
PID 2624 wrote to memory of 4712	2624	nas0.exe	96
PID 2624 wrote to memory of 4712	2624	nas0.exe	96
PID 4040 wrote to memory of 4716	4040	cmd.exe	97
PID 4040 wrote to memory of 4716	4040	cmd.exe	97
PID 4040 wrote to memory of 4716	4040	cmd.exe	97
PID 4576 wrote to memory of 4656	4576	wscript.exe	98
PID 4576 wrote to memory of 4656	4576	wscript.exe	98
PID 4576 wrote to memory of 4656	4576	wscript.exe	98
PID 4716 wrote to memory of 3912	4716	remcos.exe	100
PID 4716 wrote to memory of 3912	4716	remcos.exe	100
PID 4716 wrote to memory of 3912	4716	remcos.exe	100
PID 4656 wrote to memory of 4944	4656	nas0.exe	101
PID 4656 wrote to memory of 4944	4656	nas0.exe	101
PID 4656 wrote to memory of 4944	4656	nas0.exe	101
PID 3912 wrote to memory of 4856	3912	remcos.exe	168
PID 3912 wrote to memory of 4856	3912	remcos.exe	168
PID 3912 wrote to memory of 4856	3912	remcos.exe	168
PID 4944 wrote to memory of 4628	4944	nas0.exe	107
PID 4944 wrote to memory of 4628	4944	nas0.exe	107
PID 4944 wrote to memory of 4628	4944	nas0.exe	107
PID 4856 wrote to memory of 4252	4856	nas0.exe	108
PID 4856 wrote to memory of 4252	4856	nas0.exe	108
PID 4856 wrote to memory of 4252	4856	nas0.exe	108
PID 5736 wrote to memory of 2140	5736	cmd.exe	109
PID 5736 wrote to memory of 2140	5736	cmd.exe	109
PID 5420 wrote to memory of 2036	5420	cmd.exe	110
PID 5420 wrote to memory of 2036	5420	cmd.exe	110
PID 5420 wrote to memory of 2036	5420	cmd.exe	110
PID 2140 wrote to memory of 4268	2140	wscript.exe	111
PID 2140 wrote to memory of 4268	2140	wscript.exe	111
PID 2140 wrote to memory of 4268	2140	wscript.exe	111
PID 2036 wrote to memory of 3544	2036	remcos.exe	112
PID 2036 wrote to memory of 3544	2036	remcos.exe	112
PID 2036 wrote to memory of 3544	2036	remcos.exe	112
PID 4252 wrote to memory of 2284	4252	nas0.exe	117
PID 4252 wrote to memory of 2284	4252	nas0.exe	117
PID 4252 wrote to memory of 2284	4252	nas0.exe	117
PID 4268 wrote to memory of 2900	4268	nas0.exe	118
PID 4268 wrote to memory of 2900	4268	nas0.exe	118
PID 4268 wrote to memory of 2900	4268	nas0.exe	118
PID 5512 wrote to memory of 5820	5512	cmd.exe	119
PID 5512 wrote to memory of 5820	5512	cmd.exe	119
PID 5512 wrote to memory of 5820	5512	cmd.exe	119
PID 4220 wrote to memory of 3916	4220	cmd.exe	120
PID 4220 wrote to memory of 3916	4220	cmd.exe	120

C:\Users\Admin\AppData\Local\Temp\eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
"C:\Users\Admin\AppData\Local\Temp\eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Users\Admin\AppData\Local\Temp\eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe
  "C:\Users\Admin\AppData\Local\Temp\eb5bcadcc3f76a63527061c741dbc47b3a538cef9a46b8d0feb502eae64b6f34.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5612
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4944
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4252
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:5736
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2900
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        
        PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5420
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3544
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5972
    - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
        5⤵
        
        PID:3684
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        6⤵
        
        PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  - Checks computer location settings
  PID:3916
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:3624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5512
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5820
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:3952
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
        5⤵
        
        PID:668
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        6⤵
        
        PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:684
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:1028
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4092
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:1980
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        
        PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:2376
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:4568
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5744
    - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
        5⤵
        
        PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:3628
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4840
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:732
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        
        PID:4152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:5336
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:4816
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:4668
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4536
    - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
        5⤵
        
        PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:2792
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:3448
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        
        PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:3956
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:5440
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:4644
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:3708
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5096
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:456
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4232
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:1528
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:2924
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:5864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5832
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:6140
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:5772
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:2876
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:5068
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:740
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
538B

MD5
2c58c0b42c48de7ec75fae83d2125d63

SHA1
7bf3164d61b9eee6897a1393d52857fdbbaca9d3

SHA256
5f1251f6c291cc5613503102a9637bf7d10d7df5d4e3c032f536fd4ee4566a90

SHA512
37829161073e6e96e335863f98904d69bff0c477e2fabe7d2c24d53a4c9e619568619cf1ab9b6b50e6ac8f40390b8cf7447f15ebea3946e859e280d08667dde9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nas0.exe

Filesize
368KB

MD5
55d309908ea8c683ae94e9c2a9c03df3

SHA1
ff990b1d1c5c1cb679dcc3d7a4217022def7c7a1

SHA256
fda4908eb13f6539b8c4eb000792de7f2cc6069c1edd7d68fdd39d41587792ad

SHA512
a45c32791980ead77f8cf1dce5a489d1f74309183eafb59305e050e2f9fb0ecd0f7ff82dae9370790348354ae3fc3ae6f4d7f4cd28633183a74908f5262d3634

Download Submit
C:\Users\Admin\AppData\Local\Temp\nas0.vbs

Filesize
93B

MD5
618ef975c35e622ebfa6ca4e11e6090f

SHA1
ede57936f2370771b54d0525761ac3d9d49d61c7

SHA256
1d626388ccbd2a2d69804bc81ef35af9e116e0100554e1771384ee7c3c3b13c9

SHA512
a394ca1784b6c572bb19ea1ffdce39b749d16b9ca16c129ebb5ee40fef08fdb0c8342b6a28a3ab06c2cdb710b68d8c624f80ffc7db060019fee6f62ee6dc7d6f

Download Submit
C:\Windows\win.ini

Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
memory/668-227-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/668-237-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/668-229-0x0000000002810000-0x0000000002815000-memory.dmp

Filesize
20KB

Download
memory/732-251-0x0000000000620000-0x0000000000625000-memory.dmp

Filesize
20KB

Download
memory/732-249-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/732-261-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1980-210-0x0000000000550000-0x0000000000555000-memory.dmp

Filesize
20KB

Download
memory/1980-225-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1980-208-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2624-44-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2624-34-0x00000000029B0000-0x00000000029B5000-memory.dmp

Filesize
20KB

Download
memory/2624-32-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2900-142-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2900-134-0x00000000007A0000-0x00000000007A5000-memory.dmp

Filesize
20KB

Download
memory/2900-132-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3080-2-0x0000000002360000-0x0000000002365000-memory.dmp

Filesize
20KB

Download
memory/3080-4-0x0000000076EF1000-0x0000000077011000-memory.dmp

Filesize
1.1MB

Download
memory/3080-9-0x0000000002360000-0x0000000002365000-memory.dmp

Filesize
20KB

Download
memory/3448-278-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3448-263-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3624-190-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3624-183-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3624-185-0x0000000000730000-0x0000000000735000-memory.dmp

Filesize
20KB

Download
memory/3684-187-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3684-166-0x00000000020B0000-0x00000000020B5000-memory.dmp

Filesize
20KB

Download
memory/3684-164-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4252-97-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4252-105-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4252-99-0x0000000000610000-0x0000000000615000-memory.dmp

Filesize
20KB

Download
memory/4944-68-0x0000000002140000-0x0000000002145000-memory.dmp

Filesize
20KB

Download
memory/4944-66-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4944-76-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5612-12-0x0000000002040000-0x0000000002045000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads