
Windows Analysis Report
7kTWRqwrXx.exe

Overview

General Information

Sample name: 7kTWRqwrXx.exe (renamed because original name is a hash value)
Original sample name: 1F1A21095F21BEB7AF3B85FFEDBB79C8.exe
Analysis ID: 1566913
MD5: 1f1a21095f21beb7af3b85ffedbb79c8
SHA1: 5c0edfe6960eecc647fa32c770b8f8dfb104fb4f
SHA256: d3f6851a2a0d067d918b81b1538405e179e8c59a5d1ab658c30092452d927e2b
Tags: exe, RAT, RemcosRAT, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Machine Learning detection for sample
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • 7kTWRqwrXx.exe (PID: 7428 cmdline: "C:\Users\user\Desktop\7kTWRqwrXx.exe" MD5: 1F1A21095F21BEB7AF3B85FFEDBB79C8)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["5.45.79.50:28086:0"], "Assigned name": "206", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "&^%GB7e-C4HPBG", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source | Rule | Description | Author | Strings
7kTWRqwrXx.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
7kTWRqwrXx.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
7kTWRqwrXx.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
7kTWRqwrXx.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
7kTWRqwrXx.exe | REMCOS_RAT_variants | unknown | unknown
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author | Strings
00000000.00000000.1816108453.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000000.00000000.1816108453.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000000.1816108453.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000000.1816108453.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x146f8:$a1: Remcos restarted by watchdog!
  • 0x14c70:$a3: %02i:%02i:%02i:%03i
00000000.00000002.4272565070.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
Source | Rule | Description | Author | Strings
0.2.7kTWRqwrXx.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0.2.7kTWRqwrXx.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.2.7kTWRqwrXx.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.2.7kTWRqwrXx.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
0.2.7kTWRqwrXx.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]
                      No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-02T20:07:15.137054+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 5.45.79.50 | 28086 | TCP
2024-12-02T20:08:15.210072+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49768 | 5.45.79.50 | 28086 | TCP
2024-12-02T20:09:15.653186+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49893 | 5.45.79.50 | 28086 | TCP
2024-12-02T20:10:15.086559+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50006 | 5.45.79.50 | 28086 | TCP
2024-12-02T20:11:15.569852+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50007 | 5.45.79.50 | 28086 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-02T20:08:44.430770+0100 | 2032777 | 1 | Malware Command and Control Activity Detected | 5.45.79.50 | 28086 | 192.168.2.4 | 49768 | TCP
2024-12-02T20:10:44.472800+0100 | 2032777 | 1 | Malware Command and Control Activity Detected | 5.45.79.50 | 28086 | 192.168.2.4 | 50006 | TCP


                      AV Detection

Source: 7kTWRqwrXx.exe | Avira: detected
Source: 00000000.00000002.4272765614.00000000007BE000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["5.45.79.50:28086:0"], "Assigned name": "206", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "&^%GB7e-C4HPBG", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source: 7kTWRqwrXx.exe | ReversingLabs: Detection: 78%
Source: Yara match | File source: 7kTWRqwrXx.exe, type: SAMPLE
Source: Yara match | File source: 0.2.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1816108453.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4272565070.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4272765614.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7kTWRqwrXx.exe PID: 7428, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 88.0% probability
Source: 7kTWRqwrXx.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: 7kTWRqwrXx.exe, 00000000.00000002.4272565070.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

                      Exploits

Source: Yara match | File source: 7kTWRqwrXx.exe, type: SAMPLE
Source: Yara match | File source: 0.2.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1816108453.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4272565070.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7kTWRqwrXx.exe PID: 7428, type: MEMORYSTR

                      Privilege Escalation

Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00406764 _wcslen,CoGetObject
Source: 7kTWRqwrXx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: wmiprop.pdb | source: 7kTWRqwrXx.exe
Source: Binary string: wmiprop.pdbGCTL | source: 7kTWRqwrXx.exe
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

                      Networking

Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49730 -> 5.45.79.50:28086
Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49768 -> 5.45.79.50:28086
Source: Network traffic | Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 5.45.79.50:28086 -> 192.168.2.4:49768
Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49893 -> 5.45.79.50:28086
Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50007 -> 5.45.79.50:28086
Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50006 -> 5.45.79.50:28086
Source: Network traffic | Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 5.45.79.50:28086 -> 192.168.2.4:50006
Source: Malware configuration extractor | IPs: 5.45.79.50
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 5.45.79.50:28086
Source: Joe Sandbox View | ASN Name: SERVERIUS-ASNL
Source: unknown | TCP traffic detected without corresponding DNS query: 5.45.79.50
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0040455B WaitForSingleObject,SetEvent,recv

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
Source: Yara match | File source: 7kTWRqwrXx.exe, type: SAMPLE
Source: Yara match | File source: 0.2.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1816108453.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4272565070.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7kTWRqwrXx.exe PID: 7428, type: MEMORYSTR

                      E-Banking Fraud

Source: Yara match | File source: 7kTWRqwrXx.exe, type: SAMPLE
Source: Yara match | File source: 0.2.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1816108453.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4272565070.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4272765614.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7kTWRqwrXx.exe PID: 7428, type: MEMORYSTR

                      Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0041BB71 SystemParametersInfoW
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0041BB77 SystemParametersInfoW

                      System Summary

Source: 7kTWRqwrXx.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7kTWRqwrXx.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7kTWRqwrXx.exe, type: SAMPLE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.0.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.0.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.0.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000000.1816108453.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.4272565070.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 7kTWRqwrXx.exe PID: 7428, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0041D071
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_004520D2
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0043D098
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00437150
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0047F1A0
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_004361AA
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00426254
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00431377
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0043651C
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0041E5DF
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0044C739
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_004367C6
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_004267CB
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0043C9DD
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00432A49
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00436A8D
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0043CC0C
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00436D48
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00434D22
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00426E73
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00440E20
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0043CE3B
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00412F45
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00452F00
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00426FAD
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: String function: 00401F66 appears 50 times
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: String function: 004020E7 appears 40 times
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: String function: 004338A5 appears 42 times
Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: String function: 00433FB0 appears 55 times
Source: 7kTWRqwrXx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7kTWRqwrXx.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7kTWRqwrXx.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7kTWRqwrXx.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.0.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0.0.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 00000000.00000000.1816108453.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000000.00000002.4272565070.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: 7kTWRqwrXx.exe PID: 7428, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/0@0/1
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCode function: 0_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_00416AB7
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCode function: 0_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,0_2_0040E219
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCode function: 0_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource,0_2_0041A63F
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCode function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00419BC4
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeMutant created: \Sessions\1\BaseNamedObjects\&^%GB7e-C4HPBG
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: Software\0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: &^%GB7e-C4HPBG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: Exe0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: Exe0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: &^%GB7e-C4HPBG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: 0DG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: Inj0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: Inj0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: BG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: BG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: BG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: @CG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: BG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: cvvsrtf0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: @CG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: cvvsrtf0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: BG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: slycpgq0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: `=G0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: XCG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: dCG0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: Administrator0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: User0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: wgr0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: hqp0_2_0040D767
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCommand line argument: hqp0_2_0040D767
                      Source: 7kTWRqwrXx.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: 7kTWRqwrXx.exeReversingLabs: Detection: 78%
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeSection loaded: mswsock.dllJump to behavior
                      Source: 7kTWRqwrXx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: 7kTWRqwrXx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: 7kTWRqwrXx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: 7kTWRqwrXx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: 7kTWRqwrXx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: 7kTWRqwrXx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: 7kTWRqwrXx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: wmiprop.pdb source: 7kTWRqwrXx.exe
                      Source: Binary string: wmiprop.pdbGCTL source: 7kTWRqwrXx.exe
                      Source: 7kTWRqwrXx.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: 7kTWRqwrXx.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: 7kTWRqwrXx.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: 7kTWRqwrXx.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: 7kTWRqwrXx.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCode function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
                      Source: 7kTWRqwrXx.exeStatic PE information: section name: cqubyg
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCode function: 0_2_004567E0 push eax; ret 0_2_004567FE
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCode function: 0_2_00455EAF push ecx; ret 0_2_00455EC2
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCode function: 0_2_00433FF6 push ecx; ret 0_2_00434009
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCode function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW,0_2_00406128
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCode function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00419BC4
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeCode function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0040E54F Sleep,ExitProcess, 0_2_0040E54F
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 0_2_004198C2
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Window / User API: threadDelayed 9718
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | API coverage: 9.3 %
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe TID: 7444 | Thread sleep count: 277 > 30
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe TID: 7444 | Thread sleep time: -831000s >= -30000s
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe TID: 7444 | Thread sleep count: 9718 > 30
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe TID: 7444 | Thread sleep time: -29154000s >= -30000s
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_0040B335
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 0_2_0041B42F
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_0040B53A
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 0_2_004089A9
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW, 0_2_00406AC2
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 0_2_00407A8C
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_00418C69
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 0_2_00408DA7
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_00406F06
                      Source: 7kTWRqwrXx.exe, 00000000.00000002.4272765614.00000000007BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | API call chain: ExitProcess graph end node graph_0-47423
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043A65D
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_0041BCE3
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00442554 mov eax, dword ptr fs:[00000030h] 0_2_00442554
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0044E92E GetProcessHeap, 0_2_0044E92E
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00434168
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043A65D
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00433B44
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00433CD7 SetUnhandledExceptionFilter, 0_2_00433CD7
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 0_2_00410F36
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00418754 mouse_event, 0_2_00418754
                      Source: 7kTWRqwrXx.exe, 00000000.00000002.4272765614.00000000007BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerYf
                      Source: 7kTWRqwrXx.exe, 00000000.00000002.4272765614.00000000007BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerhf
                      Source: 7kTWRqwrXx.exe, 00000000.00000002.4272765614.00000000007BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                      Source: 7kTWRqwrXx.exe, 00000000.00000002.4272765614.00000000007BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerJf
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00433E0A cpuid 0_2_00433E0A
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: GetLocaleInfoA, 0_2_0040E679
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: EnumSystemLocalesW, 0_2_004470AE
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: GetLocaleInfoW, 0_2_004510BA
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_004511E3
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: GetLocaleInfoW, 0_2_004512EA
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_004513B7
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: GetLocaleInfoW, 0_2_00447597
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00450A7F
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: EnumSystemLocalesW, 0_2_00450CF7
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: EnumSystemLocalesW, 0_2_00450D42
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: EnumSystemLocalesW, 0_2_00450DDD
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00450E6A
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00404915 GetLocalTime,CreateEventA,CreateThread, 0_2_00404915
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_0041A7A2 GetComputerNameExW,GetUserNameW, 0_2_0041A7A2
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: 0_2_00448057 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00448057

                      Stealing of Sensitive Information

                      Source: Yara match | File source: 7kTWRqwrXx.exe, type: SAMPLE
                      Source: Yara match | File source: 0.2.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000000.1816108453.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.4272565070.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.4272765614.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 7kTWRqwrXx.exe PID: 7428, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_0040B21B
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_0040B335
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: \key3.db 0_2_0040B335

                      Remote Access Functionality

                      Source: Yara match | File source: 7kTWRqwrXx.exe, type: SAMPLE
                      Source: Yara match | File source: 0.2.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.7kTWRqwrXx.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000000.1816108453.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.4272565070.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.4272765614.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 7kTWRqwrXx.exe PID: 7428, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\7kTWRqwrXx.exe | Code function: cmd.exe 0_2_00405042
                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 11 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                      Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 2 Obfuscated Files or Information | 111 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 111 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
                      Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Access Token Manipulation | 1 DLL Side-Loading | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Windows Service | 1 Bypass User Account Control | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 11 Process Injection | 1 Virtualization/Sandbox Evasion | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Access Token Manipulation | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Process Injection | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                      Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                      IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement