remcos | 0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588

Analysis

max time kernel
3s
max time network
60s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
Size

368KB
MD5

5134a1b30fd65a952f3365ca2b4f1577
SHA1

95341d54aa34697c3e8616996779d2cdd756ede3
SHA256

0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588
SHA512

76eb048462d0ebd2ea14dced7cba758cb68a3f824f54acef0b70fda9d5345275d2a6bb5e2c00a607d74dfe4eed68cdf2e8ea81b0dc02cea1b1aabd3e3f6b9cc4
SSDEEP

3072:t3FhJsebNVlW1NWgxLJOp6iJRejPoQKvHIbuduaqyuhjDxSIVbOfprMIYsMMgC6j:t3F3VoweHW0u8TDB4ty3hunu

Score

10^/10

remcos talentino discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.4.3 Pro

Botnet

Talentino

185.140.53.140:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
true
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-KG5D4I
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	nas0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 8 IoCs

pid	Process
6056	nas0.exe
1632	nas0.exe
5792	remcos.exe
3872	nas0.exe
4988	remcos.exe
2388	nas0.exe
928	nas0.exe
2476	nas0.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\men0 = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nas0.vbs\""	nas0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	nas0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\men0 = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nas0.vbs\""	nas0.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	nas0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	nas0.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	nas0.exe
File opened for modification	C:\Windows\win.ini	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nas0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	nas0.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
3632	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
3632	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
5548	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
5548	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
6056	nas0.exe
6056	nas0.exe
1632	nas0.exe
1632	nas0.exe
5792	remcos.exe
5792	remcos.exe
3872	nas0.exe
3872	nas0.exe
4988	remcos.exe
4988	remcos.exe
2388	nas0.exe
2388	nas0.exe
928	nas0.exe
928	nas0.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
3632	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
3632	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
5548	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
5548	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
6056	nas0.exe
6056	nas0.exe
1632	nas0.exe
1632	nas0.exe
5792	remcos.exe
5792	remcos.exe
3872	nas0.exe
3872	nas0.exe
4988	remcos.exe
4988	remcos.exe
2388	nas0.exe
2388	nas0.exe
928	nas0.exe
928	nas0.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3632	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
5548	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
6056	nas0.exe
1632	nas0.exe
5792	remcos.exe
3872	nas0.exe
4988	remcos.exe
2388	nas0.exe
928	nas0.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3632 wrote to memory of 5548	3632	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe	89
PID 3632 wrote to memory of 5548	3632	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe	89
PID 3632 wrote to memory of 5548	3632	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe	89
PID 5548 wrote to memory of 6056	5548	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe	91
PID 5548 wrote to memory of 6056	5548	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe	91
PID 5548 wrote to memory of 6056	5548	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe	91
PID 6056 wrote to memory of 1632	6056	nas0.exe	92
PID 6056 wrote to memory of 1632	6056	nas0.exe	92
PID 6056 wrote to memory of 1632	6056	nas0.exe	92
PID 3412 wrote to memory of 4844	3412	cmd.exe	97
PID 3412 wrote to memory of 4844	3412	cmd.exe	97
PID 4660 wrote to memory of 5792	4660	cmd.exe	98
PID 4660 wrote to memory of 5792	4660	cmd.exe	98
PID 4660 wrote to memory of 5792	4660	cmd.exe	98
PID 1632 wrote to memory of 5028	1632	nas0.exe	99
PID 1632 wrote to memory of 5028	1632	nas0.exe	99
PID 1632 wrote to memory of 5028	1632	nas0.exe	99
PID 4844 wrote to memory of 3872	4844	wscript.exe	100
PID 4844 wrote to memory of 3872	4844	wscript.exe	100
PID 4844 wrote to memory of 3872	4844	wscript.exe	100
PID 5792 wrote to memory of 4988	5792	remcos.exe	101
PID 5792 wrote to memory of 4988	5792	remcos.exe	101
PID 5792 wrote to memory of 4988	5792	remcos.exe	101
PID 3872 wrote to memory of 2388	3872	nas0.exe	102
PID 3872 wrote to memory of 2388	3872	nas0.exe	102
PID 3872 wrote to memory of 2388	3872	nas0.exe	102
PID 4988 wrote to memory of 928	4988	remcos.exe	103
PID 4988 wrote to memory of 928	4988	remcos.exe	103
PID 4988 wrote to memory of 928	4988	remcos.exe	103
PID 928 wrote to memory of 2476	928	nas0.exe	108
PID 928 wrote to memory of 2476	928	nas0.exe	108
PID 928 wrote to memory of 2476	928	nas0.exe	108

C:\Users\Admin\AppData\Local\Temp\0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
"C:\Users\Admin\AppData\Local\Temp\0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Users\Admin\AppData\Local\Temp\0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
  "C:\Users\Admin\AppData\Local\Temp\0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5548
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:6056
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3872
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2388
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        
        PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5792
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:928
    - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
        5⤵
        Executes dropped EXE
        
        PID:2476
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        6⤵
        
        PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5872
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:1272
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:3488
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        
        PID:1204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:864
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:5184
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4072
    - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
        5⤵
        
        PID:4628
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        6⤵
        
        PID:2492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:2116
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:3160
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4748
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:2700
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        
        PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:6132
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:3540
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:4752
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:2716
    - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
        5⤵
        
        PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:872
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:3504
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:2540
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        
        PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:2444
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:5076
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:4216
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:3132
    - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
        5⤵
        
        PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:2796
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:4364
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:2412
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:4740
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5696
    - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
        5⤵
        
        PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:1528
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4852
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:6136
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:5212
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:4824
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:3364
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4248
    - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
        5⤵
        
        PID:1912
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        6⤵
        
        PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:3964
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:4724
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:4044
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:5100
    - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
        5⤵
        
        PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5940
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:2376
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:3392
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:3500
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:2812
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:5944
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
1⤵
PID:5256
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\nas0.vbs"
  2⤵
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:4452
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
538B

MD5
2c58c0b42c48de7ec75fae83d2125d63

SHA1
7bf3164d61b9eee6897a1393d52857fdbbaca9d3

SHA256
5f1251f6c291cc5613503102a9637bf7d10d7df5d4e3c032f536fd4ee4566a90

SHA512
37829161073e6e96e335863f98904d69bff0c477e2fabe7d2c24d53a4c9e619568619cf1ab9b6b50e6ac8f40390b8cf7447f15ebea3946e859e280d08667dde9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nas0.exe

Filesize
368KB

MD5
201e1a85d61cf808a89d74f2d2292f9c

SHA1
c32d442eefcb23a7067acde2180586ade908315b

SHA256
72f35bf8677ea65abd2c96d7b717558785baa277f293bbb8f43950e6f399b716

SHA512
339d74980e43db02c1c939b67cbd6d080e6a723b3ebe1a85313ceddb61f5f5b10f797868ce9eb19d9dbdf9a38838ac130e9500ad23ade47b13ccdec25e8595f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nas0.vbs

Filesize
93B

MD5
618ef975c35e622ebfa6ca4e11e6090f

SHA1
ede57936f2370771b54d0525761ac3d9d49d61c7

SHA256
1d626388ccbd2a2d69804bc81ef35af9e116e0100554e1771384ee7c3c3b13c9

SHA512
a394ca1784b6c572bb19ea1ffdce39b749d16b9ca16c129ebb5ee40fef08fdb0c8342b6a28a3ab06c2cdb710b68d8c624f80ffc7db060019fee6f62ee6dc7d6f

Download Submit
C:\Windows\win.ini

Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
memory/1128-287-0x0000000002920000-0x0000000002925000-memory.dmp

Filesize
20KB

Download
memory/1128-291-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1128-285-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1632-34-0x00000000028A0000-0x00000000028A5000-memory.dmp

Filesize
20KB

Download
memory/1632-33-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1632-46-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1912-279-0x0000000000610000-0x0000000000615000-memory.dmp

Filesize
20KB

Download
memory/1912-293-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1912-277-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2388-69-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2388-70-0x0000000002040000-0x0000000002045000-memory.dmp

Filesize
20KB

Download
memory/2388-79-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2476-89-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2476-103-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2476-91-0x00000000027A0000-0x00000000027A5000-memory.dmp

Filesize
20KB

Download
memory/2540-218-0x0000000002930000-0x0000000002935000-memory.dmp

Filesize
20KB

Download
memory/2540-236-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2540-216-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2700-159-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2700-161-0x0000000002070000-0x0000000002075000-memory.dmp

Filesize
20KB

Download
memory/2700-175-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3488-143-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3488-128-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3488-130-0x0000000000720000-0x0000000000725000-memory.dmp

Filesize
20KB

Download
memory/3632-274-0x00000000774E1000-0x0000000077601000-memory.dmp

Filesize
1.1MB

Download
memory/3632-2-0x0000000002A40000-0x0000000002A45000-memory.dmp

Filesize
20KB

Download
memory/3632-11-0x0000000002A40000-0x0000000002A45000-memory.dmp

Filesize
20KB

Download
memory/3632-4-0x00000000774E1000-0x0000000077601000-memory.dmp

Filesize
1.1MB

Download
memory/4628-180-0x00000000020C0000-0x00000000020C5000-memory.dmp

Filesize
20KB

Download
memory/4628-193-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4628-178-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5332-228-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5332-230-0x0000000001FE0000-0x0000000001FE5000-memory.dmp

Filesize
20KB

Download
memory/5332-232-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/5548-12-0x00000000020C0000-0x00000000020C5000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads