Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | July 24, 2024, 7:39 a.m. | July 24, 2024, 7:42 a.m. |
-
-
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\doc_00394039424.exe"
2764 -
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\AZjibU.exe"
2824 -
schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" /XML "C:\Users\test22\AppData\Local\Temp\tmp26AD.tmp"
2880 -
-
-
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe"
2204 -
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\AZjibU.exe"
2264 -
schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" /XML "C:\Users\test22\AppData\Local\Temp\tmp58C9.tmp"
2488 -
-
-
-
iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2920 CREDAT:145409
2708 -
iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2920 CREDAT:79875
2584
-
-
-
svchost.exe svchost.exe
2124 -
svchost.exe svchost.exe
148
-
-
-
-
Name | Response | Post-Analysis Lookup |
---|---|---|
learn.microsoft.com | 23.210.37.172 |
Suricata Alerts
Suricata TLS
No Suricata TLS
request | GET http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0 |
request | GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml |
description | remcos.exe tried to sleep 200 seconds, actually delayed analysis time by 200 seconds |
file | C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
cmdline | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" |
cmdline | powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\AZjibU.exe" |
cmdline | powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\doc_00394039424.exe" |
cmdline | http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0 |
cmdline | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\AZjibU.exe" |
cmdline | schtasks.exe /Create /TN "Updates\AZjibU" /XML "C:\Users\test22\AppData\Local\Temp\tmp58C9.tmp" |
cmdline | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\doc_00394039424.exe" |
cmdline | schtasks.exe /Create /TN "Updates\AZjibU" /XML "C:\Users\test22\AppData\Local\Temp\tmp26AD.tmp" |
cmdline | svchost.exe |
cmdline | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" /XML "C:\Users\test22\AppData\Local\Temp\tmp26AD.tmp" |
cmdline | powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" |
cmdline | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" /XML "C:\Users\test22\AppData\Local\Temp\tmp58C9.tmp" |
section | {u'size_of_data': u'0x000dbc00', u'virtual_address': u'0x00002000', u'entropy': 7.9805112993072544, u'name': u'.text', u'virtual_size': u'0x000dbb64'} | entropy | 7.98051129931 | description | A section with a high entropy has been found | |||||||||
section | {u'size_of_data': u'0x00002600', u'virtual_address': u'0x000de000', u'entropy': 7.543834168146704, u'name': u'.rsrc', u'virtual_size': u'0x0000247c'} | entropy | 7.54383416815 | description | A section with a high entropy has been found | |||||||||
entropy | 0.999437570304 | description | Overall entropy of this PE file is high |
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Create a windows service | rule | Create_Service | ||||||
description | Client_SW_User_Data_Stealer | rule | Client_SW_User_Data_Stealer | ||||||
description | Win Backdoor RemcosRAT | rule | Win_Backdoor_RemcosRAT | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | browser info stealer | rule | infoStealer_browser_Zero | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | Escalate privileges | rule | Escalate_priviledges | ||||||
description | Google Chrome User Data Check | rule | Chrome_User_Data_Check_Zero | ||||||
description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | Checks if being debugged | rule | anti_dbg |
cmdline | schtasks.exe /Create /TN "Updates\AZjibU" /XML "C:\Users\test22\AppData\Local\Temp\tmp58C9.tmp" |
cmdline | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2920 CREDAT:145409 |
cmdline | schtasks.exe /Create /TN "Updates\AZjibU" /XML "C:\Users\test22\AppData\Local\Temp\tmp26AD.tmp" |
cmdline | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" /XML "C:\Users\test22\AppData\Local\Temp\tmp26AD.tmp" |
cmdline | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2920 CREDAT:79875 |
cmdline | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AZjibU" /XML "C:\Users\test22\AppData\Local\Temp\tmp58C9.tmp" |
cmdline | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome |
host | 107.173.4.16 | |||
host | 117.18.232.200 |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" | ||||||
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-QBT08L | reg_value | "C:\Users\test22\AppData\Roaming\Remcos\remcos.exe" |