remcos | 67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242

Analysis

max time kernel
3s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe
Size

368KB
MD5

abb0be3069387cdf28e85e926d1448ff
SHA1

9d95ae26045a6d71d4d0967a998caf2a6d72eb19
SHA256

67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242
SHA512

d1eb4213ec72ca380180c66e388e6077d0e5945b6b33e7c816670a5661cde18bfa70a335dd7c2b2d79a8e0c16ba72c36015006553853116076993e4758ddfd1b
SSDEEP

3072:toFhJsebNVlW1NWgxLJOp6iJRejPoQKvHIbuduaqyuhjDxSIVbOfprMIYsMMgC6z:toF3VoweHW0u8TDB4ty3huDu

Score

10^/10

remcos talentino discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.4.3 Pro

Botnet

Talentino

185.140.53.140:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
true
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-KG5D4I
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	nas0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	nas0.exe

Executes dropped EXE 9 IoCs

pid	Process
4180	nas0.exe
3856	nas0.exe
440	remcos.exe
4656	nas0.exe
4668	remcos.exe
4736	nas0.exe
5632	nas0.exe
4976	nas0.exe
5472	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\men0 = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nas0.vbs\""	nas0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\men0 = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nas0.vbs\""	nas0.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	nas0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	nas0.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe
File opened for modification	C:\Windows\win.ini	67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe
File opened for modification	C:\Windows\win.ini	nas0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	nas0.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	nas0.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
1480	67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe
1480	67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe
4852	67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe
4852	67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe
4180	nas0.exe
4180	nas0.exe
3856	nas0.exe
3856	nas0.exe
440	remcos.exe
440	remcos.exe
4656	nas0.exe
4656	nas0.exe
4668	remcos.exe
4668	remcos.exe
4736	nas0.exe
4736	nas0.exe
5632	nas0.exe
5632	nas0.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1480	67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe
1480	67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe
4852	67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe
4852	67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe
4180	nas0.exe
4180	nas0.exe
3856	nas0.exe
3856	nas0.exe
440	remcos.exe
440	remcos.exe
4656	nas0.exe
4656	nas0.exe
4668	remcos.exe
4668	remcos.exe
4736	nas0.exe
4736	nas0.exe
5632	nas0.exe
5632	nas0.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1480	67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe
4852	67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe
4180	nas0.exe
3856	nas0.exe
440	remcos.exe
4656	nas0.exe
4668	remcos.exe
4736	nas0.exe
5632	nas0.exe
4976	nas0.exe
5472	remcos.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 4852	1480	67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe	86
PID 1480 wrote to memory of 4852	1480	67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe	86
PID 1480 wrote to memory of 4852	1480	67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe	86
PID 4852 wrote to memory of 4180	4852	67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe	88
PID 4852 wrote to memory of 4180	4852	67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe	88
PID 4852 wrote to memory of 4180	4852	67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe	88
PID 4180 wrote to memory of 3856	4180	nas0.exe	90
PID 4180 wrote to memory of 3856	4180	nas0.exe	90
PID 4180 wrote to memory of 3856	4180	nas0.exe	90
PID 2852 wrote to memory of 3000	2852	cmd.exe	95
PID 2852 wrote to memory of 3000	2852	cmd.exe	95
PID 3856 wrote to memory of 3160	3856	nas0.exe	96
PID 3856 wrote to memory of 3160	3856	nas0.exe	96
PID 3856 wrote to memory of 3160	3856	nas0.exe	96
PID 3292 wrote to memory of 440	3292	cmd.exe	97
PID 3292 wrote to memory of 440	3292	cmd.exe	97
PID 3292 wrote to memory of 440	3292	cmd.exe	97
PID 3000 wrote to memory of 4656	3000	wscript.exe	98
PID 3000 wrote to memory of 4656	3000	wscript.exe	98
PID 3000 wrote to memory of 4656	3000	wscript.exe	98
PID 440 wrote to memory of 4668	440	remcos.exe	99
PID 440 wrote to memory of 4668	440	remcos.exe	99
PID 440 wrote to memory of 4668	440	remcos.exe	99
PID 4656 wrote to memory of 4736	4656	nas0.exe	101
PID 4656 wrote to memory of 4736	4656	nas0.exe	101
PID 4656 wrote to memory of 4736	4656	nas0.exe	101
PID 4668 wrote to memory of 5632	4668	remcos.exe	102
PID 4668 wrote to memory of 5632	4668	remcos.exe	102
PID 4668 wrote to memory of 5632	4668	remcos.exe	102
PID 5632 wrote to memory of 4976	5632	nas0.exe	107
PID 5632 wrote to memory of 4976	5632	nas0.exe	107
PID 5632 wrote to memory of 4976	5632	nas0.exe	107
PID 4736 wrote to memory of 1376	4736	nas0.exe	108
PID 4736 wrote to memory of 1376	4736	nas0.exe	108
PID 4736 wrote to memory of 1376	4736	nas0.exe	108
PID 1772 wrote to memory of 4132	1772	cmd.exe	109
PID 1772 wrote to memory of 4132	1772	cmd.exe	109
PID 4748 wrote to memory of 5472	4748	cmd.exe	110
PID 4748 wrote to memory of 5472	4748	cmd.exe	110
PID 4748 wrote to memory of 5472	4748	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe
"C:\Users\Admin\AppData\Local\Temp\67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe
  "C:\Users\Admin\AppData\Local\Temp\67de97400d0f7575bdef20b790bc62ce4d17847c7e710d7b1036f12a7fbd9242.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3856
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4736
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5632
    - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4976
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        6⤵
        
        PID:2092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4132
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:528
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5904
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        
        PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5472
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:5852
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:3364
    - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
        5⤵
        
        PID:4472
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        6⤵
        
        PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:2076
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:3252
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:2228
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        
        PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:5376
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:6100
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:4468
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4352
    - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
        5⤵
        
        PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4476
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4240
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4332
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:2960
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:3632
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:3460
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4740
    - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
        5⤵
        
        PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4384
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:2992
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:5500
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:3524
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:900
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:4428
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:4868
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:1568
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
538B

MD5
2c58c0b42c48de7ec75fae83d2125d63

SHA1
7bf3164d61b9eee6897a1393d52857fdbbaca9d3

SHA256
5f1251f6c291cc5613503102a9637bf7d10d7df5d4e3c032f536fd4ee4566a90

SHA512
37829161073e6e96e335863f98904d69bff0c477e2fabe7d2c24d53a4c9e619568619cf1ab9b6b50e6ac8f40390b8cf7447f15ebea3946e859e280d08667dde9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nas0.exe

Filesize
368KB

MD5
0ab9918229315fe3b872c44b539c36e6

SHA1
b836a1daa1f723c1ce9f93ab066658803d1884e1

SHA256
e3d8fd68181312f73e24521f79a19fb5f806ffc3052fe889df7b87e03abb1291

SHA512
988cb32c9ec7bf6db19ab6872d8837d49b503ef0b99cb8c6f526b1942835645383cd5bd24e96ab613cddc6a65bc9e12c274b52a88d245f02c612ef90b0974344

Download Submit
C:\Users\Admin\AppData\Local\Temp\nas0.vbs

Filesize
93B

MD5
618ef975c35e622ebfa6ca4e11e6090f

SHA1
ede57936f2370771b54d0525761ac3d9d49d61c7

SHA256
1d626388ccbd2a2d69804bc81ef35af9e116e0100554e1771384ee7c3c3b13c9

SHA512
a394ca1784b6c572bb19ea1ffdce39b749d16b9ca16c129ebb5ee40fef08fdb0c8342b6a28a3ab06c2cdb710b68d8c624f80ffc7db060019fee6f62ee6dc7d6f

Download Submit
C:\Windows\win.ini

Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
memory/1480-4-0x0000000077591000-0x00000000776B1000-memory.dmp

Filesize
1.1MB

Download
memory/1480-9-0x0000000002AB0000-0x0000000002AB5000-memory.dmp

Filesize
20KB

Download
memory/1480-2-0x0000000002AB0000-0x0000000002AB5000-memory.dmp

Filesize
20KB

Download
memory/2228-154-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2228-168-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2228-156-0x00000000020C0000-0x00000000020C5000-memory.dmp

Filesize
20KB

Download
memory/3856-32-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3856-41-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3856-34-0x00000000027A0000-0x00000000027A5000-memory.dmp

Filesize
20KB

Download
memory/4472-175-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4472-193-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4736-70-0x0000000002140000-0x0000000002145000-memory.dmp

Filesize
20KB

Download
memory/4736-79-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4736-68-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4852-12-0x0000000000550000-0x0000000000555000-memory.dmp

Filesize
20KB

Download
memory/4976-105-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4976-89-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4976-91-0x0000000002130000-0x0000000002135000-memory.dmp

Filesize
20KB

Download
memory/5904-137-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5904-139-0x00000000020B0000-0x00000000020B5000-memory.dmp

Filesize
20KB

Download
memory/5904-150-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads