Windows Analysis Report
xcYJfxDKL0Sk.exe

Overview

General Information

Sample Name:	xcYJfxDKL0Sk.exe
Analysis ID:	1345576
MD5:	a75658c26b3c3ef739148060446b8d9b
SHA1:	d8ca42c0a901edea00fedce2d306e8e09bf27c91
SHA256:	3a2bc0787d73f2e92b71865154496cef6c1a983c4137f16c3733c1663295fc43
Tags:	exeRemcos
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected UAC Bypass using CMSTP

Contains functionality to bypass UAC (CMSTPLUA)

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Remcos RAT

Sigma detected: Remcos

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Connects to many ports of the same IP (likely port scanning)

Contains functionality to steal Firefox passwords or cookies

Delayed program exit found

Contains functionality to register a low level keyboard hook

Machine Learning detection for sample

Contains functionality to modify clipboard data

Contains functionality to steal Chrome passwords or cookies

Contains functionalty to change the wallpaper

Deletes itself after installation

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to call native functions

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to enumerate running services

Contains functionality to dynamically determine API calls

Contains functionality to read the clipboard data

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Contains functionality to download and launch executables

Contains functionality to retrieve information about pressed keystrokes

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to simulate mouse events

Found WSH timer for Javascript or VBS script (likely evasive script)

Contains functionality for read data from the clipboard

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group	http://malware-traffic-analysis.net/2017/12/22/index.html https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Signatures

AV Detection

Found malware configuration

Source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack

Malware Configuration Extractor: Remcos {"Version": "4.9.2 Pro", "Host:Port:Password": "0.tcp.sa.ngrok.io:14096:1", "Assigned name": "RemoteHost (em ingls)", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-7QVKVR", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de tela", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for submitted file

Source: xcYJfxDKL0Sk.exe

Virustotal: Detection: 80%

Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: xcYJfxDKL0Sk.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1630897285.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1752772463.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xcYJfxDKL0Sk.exe PID: 6188, type: MEMORYSTR

Antivirus / Scanner detection for submitted sample

Source: xcYJfxDKL0Sk.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://geoplugin.net/json.gp	URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp	URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp/C	URL Reputation: Label: phishing
Source: 0.tcp.sa.ngrok.io	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: 0.tcp.sa.ngrok.io	Virustotal: Detection: 14%			Perma Link
Source: 0.tcp.sa.ngrok.io	Virustotal: Detection: 14%			Perma Link

Machine Learning detection for sample

Source: xcYJfxDKL0Sk.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_00433785 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

0_2_00433785

Source: xcYJfxDKL0Sk.exe, 00000000.00000000.1630897285.0000000000459000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_e80f468d-2

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: xcYJfxDKL0Sk.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1630897285.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1752772463.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xcYJfxDKL0Sk.exe PID: 6188, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_004074FD _wcslen,CoGetObject,

0_2_004074FD

Uses 32bit PE files

Source: xcYJfxDKL0Sk.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0041C1DF FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	0_2_0041C1DF
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_00409253
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0040C29B FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	0_2_0040C29B
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_00409665
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	0_2_0040880C
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0040783C FindFirstFileW,FindNextFileW,	0_2_0040783C
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00419A43 FindFirstFileW,FindNextFileW,FindNextFileW,	0_2_00419A43
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0040BA7E FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0040BA7E
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0040BC85 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	0_2_0040BC85

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

0_2_00407C97

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 54.94.248.37 ports 14096,0,1,4,6,9

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 0.tcp.sa.ngrok.io

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49729 -> 54.94.248.37:14096

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/X
Source: xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.0000000000680000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.0000000000690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: xcYJfxDKL0Sk.exe	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: xcYJfxDKL0Sk.exe, 00000000.00000003.1664670142.0000000000673000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000003.1664172887.000000000067A000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000002.1752929377.000000000063E000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.0000000000680000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp5
Source: xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.0000000000680000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp8
Source: xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: xcYJfxDKL0Sk.exe, 00000000.00000003.1664670142.0000000000673000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000003.1664172887.000000000067A000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.0000000000680000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpb
Source: xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.0000000000680000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpl

Source: unknown

DNS traffic detected: queries for: 0.tcp.sa.ngrok.io

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_0041B2CE InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_0041B2CE

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000

0_2_0040A2B8

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_0041680F OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_0041680F

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_0040B65C OpenClipboard,GetClipboardData,CloseClipboard,

0_2_0040B65C

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,

0_2_0040A3E0

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_0040B65C OpenClipboard,GetClipboardData,CloseClipboard,

0_2_0040B65C

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: xcYJfxDKL0Sk.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1630897285.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1752772463.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xcYJfxDKL0Sk.exe PID: 6188, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_0041C930 SystemParametersInfoW,

0_2_0041C930

System Summary

Malicious sample detected (through community Yara rule)

Source: xcYJfxDKL0Sk.exe, type: SAMPLE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: xcYJfxDKL0Sk.exe, type: SAMPLE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: xcYJfxDKL0Sk.exe, type: SAMPLE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000000.1630897285.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1752772463.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: xcYJfxDKL0Sk.exe PID: 6188, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Uses 32bit PE files

Source: xcYJfxDKL0Sk.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: xcYJfxDKL0Sk.exe, type: SAMPLE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: xcYJfxDKL0Sk.exe, type: SAMPLE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: xcYJfxDKL0Sk.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000000.1630897285.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1752772463.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: xcYJfxDKL0Sk.exe PID: 6188, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_00416702 ExitWindowsEx,LoadLibraryA,GetProcAddress,

0_2_00416702

Detected potential crypto function

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0041F048	0_2_0041F048
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0043E00C	0_2_0043E00C
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0045409A	0_2_0045409A
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_004380A8	0_2_004380A8
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00446130	0_2_00446130
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0045326C	0_2_0045326C
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0043E23B	0_2_0043E23B
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_004272EB	0_2_004272EB
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00437426	0_2_00437426
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0043E498	0_2_0043E498
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_004386B0	0_2_004386B0
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0043783E	0_2_0043783E
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0044D889	0_2_0044D889
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00433894	0_2_00433894
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00427994	0_2_00427994
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00427AFD	0_2_00427AFD
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0041DAB0	0_2_0041DAB0
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00437C73	0_2_00437C73
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00426D5C	0_2_00426D5C
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0043DDDD	0_2_0043DDDD
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00435DA1	0_2_00435DA1
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00413F18	0_2_00413F18
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00436F2A	0_2_00436F2A

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: String function: 004346BE appears 42 times
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: String function: 00401E65 appears 35 times
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: String function: 00434D70 appears 54 times

Contains functionality to call native functions

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00413220 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,	0_2_00413220
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0041BA57 OpenProcess,NtSuspendProcess,CloseHandle,	0_2_0041BA57
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0041BA83 OpenProcess,NtResumeProcess,CloseHandle,	0_2_0041BA83

Sample file is different than original file name gathered from version info

Source: xcYJfxDKL0Sk.exe, 00000000.00000002.1752929377.000000000068B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs xcYJfxDKL0Sk.exe
Source: xcYJfxDKL0Sk.exe, 00000000.00000002.1752929377.000000000068B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs xcYJfxDKL0Sk.exe

Source: xcYJfxDKL0Sk.exe

Virustotal: Detection: 80%

Source: xcYJfxDKL0Sk.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe C:\Users\user\Desktop\xcYJfxDKL0Sk.exe
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\frjghkytrkcmwefakksrc.vbs"
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\frjghkytrkcmwefakksrc.vbs"	Jump to behavior

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_004178A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

0_2_004178A0

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json

Jump to behavior

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

File created: C:\Users\user\AppData\Local\Temp\frjghkytrkcmwefakksrc.vbs

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@3/2@2/2

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_0041A998 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_0041A998

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_0040F3C2 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

0_2_0040F3C2

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-7QVKVR

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_0041B3F6 FindResourceA,LoadResource,LockResource,SizeofResource,

0_2_0041B3F6

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\frjghkytrkcmwefakksrc.vbs"

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: PG	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: PG	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: Software\	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: Rmc-7QVKVR	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: Exe	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: Exe	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: Rmc-7QVKVR	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: Inj	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: Inj	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: PG	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: PG	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: PG	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: 8SG	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: exepath	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: PG	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: 8SG	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: exepath	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: PG	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: licence	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: PG	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: PG	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: PG	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: PG	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: PG	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: PG	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: dMG	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: PG	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: PG	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: PSG	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: Administrator	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: User	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: del	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: del	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: del	0_2_0040E913
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Command line argument: ^rE	0_2_004571B0

Source: xcYJfxDKL0Sk.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: xcYJfxDKL0Sk.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: xcYJfxDKL0Sk.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: xcYJfxDKL0Sk.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: xcYJfxDKL0Sk.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: xcYJfxDKL0Sk.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: xcYJfxDKL0Sk.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: xcYJfxDKL0Sk.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: xcYJfxDKL0Sk.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: xcYJfxDKL0Sk.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: xcYJfxDKL0Sk.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: xcYJfxDKL0Sk.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00457046 push ecx; ret	0_2_00457059
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00457968 push eax; ret	0_2_00457986
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00434DB6 push ecx; ret	0_2_00434DC9

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_0041CA9E LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

0_2_0041CA9E

Contains functionality to download and launch executables

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_00406EB0 ShellExecuteW,URLDownloadToFileW,

0_2_00406EB0

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_0041A998 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_0041A998

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\SysWOW64\wscript.exe

File deleted: c:\users\user\desktop\xcyjfxdkl0sk.exe

Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

0_2_0041CA9E

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_0040F6F5 Sleep,ExitProcess,

0_2_0040F6F5

Contains functionality to enumerate running services

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

0_2_0041A696

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0041C1DF FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	0_2_0041C1DF
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_00409253
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0040C29B FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	0_2_0040C29B
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_00409665
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	0_2_0040880C
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0040783C FindFirstFileW,FindNextFileW,	0_2_0040783C
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00419A43 FindFirstFileW,FindNextFileW,FindNextFileW,	0_2_00419A43
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0040BA7E FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0040BA7E
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0040BC85 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	0_2_0040BC85

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

0_2_00407C97

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

API call chain: ExitProcess graph end node

Source: xcYJfxDKL0Sk.exe, 00000000.00000003.1664670142.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000002.1752929377.000000000063E000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000002.1752929377.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000003.1664172887.00000000006B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: xcYJfxDKL0Sk.exe, 00000000.00000003.1664670142.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000003.1654211767.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000002.1752929377.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, xcYJfxDKL0Sk.exe, 00000000.00000003.1664172887.00000000006B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWg2

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_00434947 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00434947

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

0_2_0041CA9E

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_0044FA8E GetProcessHeap,

0_2_0044FA8E

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_00443214 mov eax, dword ptr fs:[00000030h]

0_2_00443214

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00434947 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00434947
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_0043BA62 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0043BA62
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00434A95 SetUnhandledExceptionFilter,	0_2_00434A95
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: 0_2_00434F3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00434F3C

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

0_2_00412065

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\frjghkytrkcmwefakksrc.vbs"

Jump to behavior

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_00419575 mouse_event,

0_2_00419575

Source: xcYJfxDKL0Sk.exe, 00000000.00000002.1752929377.000000000063E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: |Program Manager|

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: GetLocaleInfoA,	0_2_0040F81F
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00452004
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: GetLocaleInfoW,	0_2_00452254
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: EnumSystemLocalesW,	0_2_004482C4
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0045237D
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: GetLocaleInfoW,	0_2_00452484
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00452551
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: GetLocaleInfoW,	0_2_004487AD
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_00451C19
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: EnumSystemLocalesW,	0_2_00451EDC
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: EnumSystemLocalesW,	0_2_00451E91
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: EnumSystemLocalesW,	0_2_00451F77

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_00434BBD cpuid

0_2_00434BBD

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_0041B74D GetSystemTimes,Sleep,GetSystemTimes,__aulldiv,

0_2_0041B74D

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_0044926D _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0044926D

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: 0_2_0041B55B GetComputerNameExW,GetUserNameW,

0_2_0041B55B

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: xcYJfxDKL0Sk.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1630897285.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1752772463.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xcYJfxDKL0Sk.exe PID: 6188, type: MEMORYSTR

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		0_2_0040BA7E
Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe	Code function: \key3.db		0_2_0040BA7E

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

0_2_0040B960

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: xcYJfxDKL0Sk.exe, type: SAMPLE
Source: Yara match	File source: 0.0.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.xcYJfxDKL0Sk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1630897285.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1752772463.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: xcYJfxDKL0Sk.exe PID: 6188, type: MEMORYSTR

Contains functionality to launch a control a shell (cmd.exe)

Source: C:\Users\user\Desktop\xcYJfxDKL0Sk.exe

Code function: cmd.exe

0_2_0040569A

Windows Analysis Report
xcYJfxDKL0Sk.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Windows Analysis Report xcYJfxDKL0Sk.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Windows Analysis Report
xcYJfxDKL0Sk.exe

Malware Threat Intel
Provided by