remcos | 6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83

Analysis

max time kernel
5s
max time network
60s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
Size

372KB
MD5

77f71596ddb1fa8498e660939e4ce909
SHA1

b649888561e4243ff55d086c3091a323a7f29ec6
SHA256

6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83
SHA512

cecfbb5faf3637967231959e4e941d136d2ee0c4d277758bee76d3f79ad88a2b55888ae06a4a0947b0fc7cc80c179332ff03ad1f31b49982132bb6c199fe0478
SSDEEP

6144:t5dgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhiee:tbqQx+H2i+8LBNbdypazCXYY

Score

10^/10

remcos tino discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.4.3 Pro

Botnet

TINo

185.140.53.140:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
true
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-5S9O07
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	hab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe

Executes dropped EXE 14 IoCs

pid	Process
5212	hab.exe
460	hab.exe
4936	remcos.exe
5840	hab.exe
6044	remcos.exe
3004	hab.exe
1636	hab.exe
5616	remcos.exe
3968	hab.exe
5164	hab.exe
2836	remcos.exe
5264	hab.exe
1236	remcos.exe
5572	hab.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bru = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hab.vbs\""	hab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	hab.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	hab.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	remcos.exe
File opened for modification	C:\Windows\win.ini	hab.exe
File opened for modification	C:\Windows\win.ini	hab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hab.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	hab.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	hab.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	hab.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5320	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
5320	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
1356	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
1356	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
5212	hab.exe
5212	hab.exe
460	hab.exe
460	hab.exe
4936	remcos.exe
4936	remcos.exe
5840	hab.exe
5840	hab.exe
6044	remcos.exe
6044	remcos.exe
3004	hab.exe
3004	hab.exe
1636	hab.exe
1636	hab.exe
5616	remcos.exe
5616	remcos.exe
5164	hab.exe
3968	hab.exe
5164	hab.exe
3968	hab.exe
2836	remcos.exe
2836	remcos.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
5320	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
5320	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
1356	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
1356	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
5212	hab.exe
5212	hab.exe
460	hab.exe
460	hab.exe
4936	remcos.exe
4936	remcos.exe
5840	hab.exe
5840	hab.exe
6044	remcos.exe
6044	remcos.exe
3004	hab.exe
3004	hab.exe
1636	hab.exe
1636	hab.exe
5616	remcos.exe
5616	remcos.exe
5164	hab.exe
3968	hab.exe
5164	hab.exe
3968	hab.exe
2836	remcos.exe
2836	remcos.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
5320	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
1356	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
5212	hab.exe
460	hab.exe
4936	remcos.exe
5840	hab.exe
6044	remcos.exe
3004	hab.exe
1636	hab.exe
5616	remcos.exe
3968	hab.exe
5164	hab.exe
2836	remcos.exe
5264	hab.exe
1236	remcos.exe
5572	hab.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 5320 wrote to memory of 1356	5320	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe	87
PID 5320 wrote to memory of 1356	5320	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe	87
PID 5320 wrote to memory of 1356	5320	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe	87
PID 1356 wrote to memory of 5212	1356	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe	88
PID 1356 wrote to memory of 5212	1356	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe	88
PID 1356 wrote to memory of 5212	1356	6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe	88
PID 5212 wrote to memory of 460	5212	hab.exe	90
PID 5212 wrote to memory of 460	5212	hab.exe	90
PID 5212 wrote to memory of 460	5212	hab.exe	90
PID 2716 wrote to memory of 4972	2716	cmd.exe	95
PID 2716 wrote to memory of 4972	2716	cmd.exe	95
PID 460 wrote to memory of 1804	460	hab.exe	96
PID 460 wrote to memory of 1804	460	hab.exe	96
PID 460 wrote to memory of 1804	460	hab.exe	96
PID 4688 wrote to memory of 4936	4688	cmd.exe	97
PID 4688 wrote to memory of 4936	4688	cmd.exe	97
PID 4688 wrote to memory of 4936	4688	cmd.exe	97
PID 4972 wrote to memory of 5840	4972	wscript.exe	98
PID 4972 wrote to memory of 5840	4972	wscript.exe	98
PID 4972 wrote to memory of 5840	4972	wscript.exe	98
PID 4936 wrote to memory of 6044	4936	remcos.exe	100
PID 4936 wrote to memory of 6044	4936	remcos.exe	100
PID 4936 wrote to memory of 6044	4936	remcos.exe	100
PID 5840 wrote to memory of 3004	5840	hab.exe	101
PID 5840 wrote to memory of 3004	5840	hab.exe	101
PID 5840 wrote to memory of 3004	5840	hab.exe	101
PID 6044 wrote to memory of 1636	6044	remcos.exe	107
PID 6044 wrote to memory of 1636	6044	remcos.exe	107
PID 6044 wrote to memory of 1636	6044	remcos.exe	107
PID 3004 wrote to memory of 5152	3004	hab.exe	108
PID 3004 wrote to memory of 5152	3004	hab.exe	108
PID 3004 wrote to memory of 5152	3004	hab.exe	108
PID 2148 wrote to memory of 4288	2148	cmd.exe	109
PID 2148 wrote to memory of 4288	2148	cmd.exe	109
PID 5500 wrote to memory of 5616	5500	cmd.exe	110
PID 5500 wrote to memory of 5616	5500	cmd.exe	110
PID 5500 wrote to memory of 5616	5500	cmd.exe	110
PID 1636 wrote to memory of 3968	1636	hab.exe	111
PID 1636 wrote to memory of 3968	1636	hab.exe	111
PID 1636 wrote to memory of 3968	1636	hab.exe	111
PID 4288 wrote to memory of 5164	4288	wscript.exe	112
PID 4288 wrote to memory of 5164	4288	wscript.exe	112
PID 4288 wrote to memory of 5164	4288	wscript.exe	112
PID 5616 wrote to memory of 2836	5616	remcos.exe	113
PID 5616 wrote to memory of 2836	5616	remcos.exe	113
PID 5616 wrote to memory of 2836	5616	remcos.exe	113
PID 5164 wrote to memory of 5264	5164	hab.exe	114
PID 5164 wrote to memory of 5264	5164	hab.exe	114
PID 5164 wrote to memory of 5264	5164	hab.exe	114
PID 3968 wrote to memory of 2344	3968	hab.exe	119
PID 3968 wrote to memory of 2344	3968	hab.exe	119
PID 3968 wrote to memory of 2344	3968	hab.exe	119
PID 1336 wrote to memory of 1236	1336	cmd.exe	120
PID 1336 wrote to memory of 1236	1336	cmd.exe	120
PID 1336 wrote to memory of 1236	1336	cmd.exe	120
PID 3808 wrote to memory of 3240	3808	cmd.exe	121
PID 3808 wrote to memory of 3240	3808	cmd.exe	121
PID 2836 wrote to memory of 5572	2836	remcos.exe	122
PID 2836 wrote to memory of 5572	2836	remcos.exe	122
PID 2836 wrote to memory of 5572	2836	remcos.exe	122

C:\Users\Admin\AppData\Local\Temp\6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
"C:\Users\Admin\AppData\Local\Temp\6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5320
- C:\Users\Admin\AppData\Local\Temp\6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe
  "C:\Users\Admin\AppData\Local\Temp\6e0beb7345baecae6f77fcfc0f4dfb6093ec4de7e9ee161289ee7bef7a937d83.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5212
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:460
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5840
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:6044
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3968
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5164
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5264
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        
        PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5500
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5616
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5572
    - - C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        5⤵
        
        PID:3156
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        6⤵
        
        PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
  2⤵
  PID:3240
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    PID:4072
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1236
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:5672
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:4364
    - - C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        5⤵
        
        PID:1840
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        6⤵
        
        PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
1⤵
PID:1108
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
  2⤵
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    PID:1284
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:2676
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:1480
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:684
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:3476
    - - C:\Users\Admin\AppData\Local\Temp\hab.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hab.exe"
        5⤵
        
        PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
1⤵
PID:4424
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
  2⤵
  PID:5492
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:1812
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        
        PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
1⤵
PID:5300
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
  2⤵
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    PID:4792
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:452
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:3712
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:1244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
1⤵
PID:4972
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
  2⤵
  PID:4720
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:2904
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        
        PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
1⤵
PID:4840
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
  2⤵
  PID:5892
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:4780
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:2916
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:5776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
1⤵
PID:4628
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
  2⤵
  PID:4120
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:3188
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:2540
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
1⤵
PID:2116
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
  2⤵
  PID:1200
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    PID:3328
  - - C:\Users\Admin\AppData\Local\Temp\hab.exe
      "C:\Users\Admin\AppData\Local\Temp\hab.exe"
      4⤵
      PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
1⤵
PID:908
- C:\Windows\system32\wscript.exe
  wscript "C:\Users\Admin\AppData\Local\Temp\hab.vbs"
  2⤵
  PID:4608
- - C:\Users\Admin\AppData\Local\Temp\hab.exe
    "C:\Users\Admin\AppData\Local\Temp\hab.exe"
    3⤵
    PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
1⤵
PID:3572
- C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
  2⤵
  PID:1540
- - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
    3⤵
    PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hab.exe

Filesize
372KB

MD5
3333a3970229a06046faff40d2b1aed5

SHA1
55c92891d0ea74129ebab881d5dc8df83f1548be

SHA256
7d0e8172814f2e53c4d875eba3217423417f5c565bc9f8a58ec9da905f7a15ae

SHA512
09ac724435981c3b66993e701404da10117a93c1b06815cd728ec11563691dd359386488a73e652352e722cfafdbf7c61e9105c3846216ec6d7fe73880c6a793

Download Submit
C:\Users\Admin\AppData\Local\Temp\hab.vbs

Filesize
92B

MD5
924c10de3467040c668a0c01b7b3f6b7

SHA1
24e7f554808c9047bd74448023727aeffafd5ba9

SHA256
0045a1cae6a54111951d5f03d8843e250001405742937683744bec9afb4ff0f4

SHA512
feaa18c4c36c54e3bfba5a8c4b57f7088ad05887b91f1a6384af5ea2c54cb39ebd7930b4e6e23ddc18938ff0f4c041083dbe03362c8811c2d0274002459578f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
536B

MD5
b4118bddcc9fe0ae73396b2b1b58c970

SHA1
23afa06fa78bbcc9c11e8549681fd4956f9d6c45

SHA256
e5d5005f7c9fdada426273f14e2ebe328b84f9161e80acc1396dadbe9897e98f

SHA512
fdc29fb8fafb990e52487b9ec22140dcbc8c684efa53da41e348584c623fff1a7ce1a9b3deaccdb25867479b393d52d199c8f09cb365e6c84e5980f6d4285b67

Download Submit
C:\Windows\win.ini

Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
memory/460-32-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/460-41-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/460-34-0x00000000020C0000-0x00000000020C6000-memory.dmp

Filesize
24KB

Download
memory/1128-168-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/1128-166-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1128-171-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1356-12-0x0000000001FB0000-0x0000000001FB6000-memory.dmp

Filesize
24KB

Download
memory/1812-255-0x0000000001FC0000-0x0000000001FC6000-memory.dmp

Filesize
24KB

Download
memory/1812-269-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1812-253-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1840-198-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1840-222-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1840-200-0x0000000000620000-0x0000000000626000-memory.dmp

Filesize
24KB

Download
memory/2904-273-0x0000000000570000-0x0000000000576000-memory.dmp

Filesize
24KB

Download
memory/2904-271-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2904-278-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3004-75-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3004-67-0x0000000002920000-0x0000000002926000-memory.dmp

Filesize
24KB

Download
memory/3004-65-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3156-185-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3156-163-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3156-165-0x0000000000710000-0x0000000000716000-memory.dmp

Filesize
24KB

Download
memory/3960-265-0x0000000000720000-0x0000000000726000-memory.dmp

Filesize
24KB

Download
memory/3960-263-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3960-267-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3968-107-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3968-97-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5264-140-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5264-122-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5320-2-0x0000000002BC0000-0x0000000002BC6000-memory.dmp

Filesize
24KB

Download
memory/5320-4-0x0000000077041000-0x0000000077161000-memory.dmp

Filesize
1.1MB

Download
memory/5320-11-0x0000000002BC0000-0x0000000002BC6000-memory.dmp

Filesize
24KB

Download
memory/5436-206-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5436-203-0x0000000002820000-0x0000000002826000-memory.dmp

Filesize
24KB

Download
memory/5436-202-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads