
Analysis Report Attached pdf.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 218797
Start date: 30.03.2020
Start time: 05:55:50
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 43s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Attached pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@19/6@9/2
EGA Information:
  • Successful, ratio: 60%
HDC Information:
  • Successful, ratio: 80.8% (good quality ratio 73.6%)
  • Quality average: 77.5%
  • Quality standard deviation: 31.4%
HCA Information:
  • Successful, ratio: 87%
  • Number of executed functions: 209
  • Number of non-executed functions: 251
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 172.217.18.174, 2.18.68.82, 2.20.143.16, 2.20.143.23, 23.36.237.68, 72.247.178.43, 72.247.178.11
  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, e5684.g.akamaiedge.net, fs.microsoft.com, audownload.windowsupdate.nsatc.net, drive.google.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, site-cdn.onenote.net.edgekey.net
  • Execution Graph export aborted for target mshta.exe, PID 2860 because there are no executed functions
  • Execution Graph export aborted for target mshta.exe, PID 3620 because there are no executed functions
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | | false | Remcos | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false | 


Classification Spiderchart

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting 1 | Registry Run Keys / Startup Folder 1 | Process Injection 12 | Software Packing 11 | Input Capture 21 | System Time Discovery 1 | Application Deployment Software | Screen Capture 1 | Data Encrypted 1 | Uncommonly Used Port 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Execution through API 1 | Scheduled Task 1 | Scheduled Task 1 | Deobfuscate/Decode Files or Information 1 | Network Sniffing | Security Software Discovery 111 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Graphical User Interface 1 | Application Shimming 1 | Application Shimming 1 | Scripting 1 | Input Capture | File and Directory Discovery 2 | Windows Remote Management | Input Capture 21 | Automated Exfiltration | Remote Access Tools 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Command-Line Interface 1 | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information 2 | Credentials in Files | System Information Discovery 14 | Logon Scripts | Clipboard Data 1 | Data Encrypted | Standard Non-Application Layer Protocol 1 | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Scheduled Task 1 | Shortcut Modification | File System Permissions Weakness | Masquerading 1 | Account Manipulation | Virtualization/Sandbox Evasion 1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Application Layer Protocol 2 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Modify Registry 1 | Brute Force | Process Discovery 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Virtualization/Sandbox Evasion 1 | Two-Factor Authentication Interception | Application Window Discovery 11 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Process Injection 12 | Bash History | Remote System Discovery 1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Signature Overview

AV Detection:
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Cseg\Csegsew.exe; Virustotal: Detection: 15%
Source: C:\Users\user\Cseg\Csegsew.exe; ReversingLabs: Detection: 12%
Multi AV Scanner detection for submitted file
Source: Attached pdf.exe; Virustotal: Detection: 15%
Source: Attached pdf.exe; ReversingLabs: Detection: 12%
Yara detected Remcos RAT
Source: Yara match; File source: 00000009.00000002.574084773.00000000042F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.574403576.0000000004320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.597109914.0000000002B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.925420453.0000000002CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.597187630.0000000002B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.925343865.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Csegsew.exe PID: 1740, type: MEMORY
Source: Yara match; File source: Process Memory Space: Attached pdf.exe PID: 4944, type: MEMORY
Source: Yara match; File source: Process Memory Space: Csegsew.exe PID: 4764, type: MEMORY
Source: Yara match; File source: 9.2.Csegsew.exe.42f0000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Attached pdf.exe.2cc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.Csegsew.exe.2b20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.Csegsew.exe.2b50000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.Csegsew.exe.2b50000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.Csegsew.exe.4320000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Attached pdf.exe.2cf0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Attached pdf.exe.2cc0000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.Csegsew.exe.4320000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.Csegsew.exe.42f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.Csegsew.exe.2b20000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Attached pdf.exe.2cf0000.5.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 9.2.Csegsew.exe.42f0000.8.unpack; Avira: Label: TR/Crypt.Morphine.Gen
Source: 11.2.Csegsew.exe.2b50000.5.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 9.2.Csegsew.exe.4320000.9.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 11.2.Csegsew.exe.2b20000.4.unpack; Avira: Label: TR/Crypt.Morphine.Gen
Source: 0.2.Attached pdf.exe.2cf0000.5.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 0.2.Attached pdf.exe.2cc0000.4.unpack; Avira: Label: TR/Crypt.Morphine.Gen

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\Attached pdf.exe; Code function: 0_2_00406164 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: 9_2_00406164 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: 11_2_00406164 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2026019 ET TROJAN Win32/Remcos RAT Checkin 29 192.168.2.7:49703 -> 185.244.30.125:2404
Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.2.7:49703 -> 185.244.30.125:2404
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: unknown unknown
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View; JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: doc-0k-04-docs.googleusercontent.com
Urls found in memory or binary data
Source: Csegsew.exe, 0000000B.00000002.593647481.0000000002273000.00000004.00000001.sdmp, Attached pdf.exe; String found in binary or memory: http://blackman.wp-club.net
Source: Attached pdf.exe, 00000000.00000002.923436982.00000000008AC000.00000004.00000001.sdmp, Csegsew.exe, 00000009.00000003.563186827.00000000006CC000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Attached pdf.exe, 00000000.00000002.923436982.00000000008AC000.00000004.00000001.sdmp, Csegsew.exe, 00000009.00000003.563186827.00000000006CC000.00000004.00000001.sdmp; String found in binary or memory: http://crl.pki.goog/GTS1O1.crl0
Source: Attached pdf.exe, 00000000.00000002.923436982.00000000008AC000.00000004.00000001.sdmp, Csegsew.exe, 00000009.00000003.563186827.00000000006CC000.00000004.00000001.sdmp; String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: Attached pdf.exe, 00000000.00000002.923436982.00000000008AC000.00000004.00000001.sdmp, Csegsew.exe, 00000009.00000003.563186827.00000000006CC000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: Attached pdf.exe, 00000000.00000002.923436982.00000000008AC000.00000004.00000001.sdmp, Csegsew.exe, 00000009.00000002.566037657.00000000006B1000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.pki.goog/gts1o10
Source: Csegsew.exe, 00000009.00000002.566037657.00000000006B1000.00000004.00000001.sdmp; String found in binary or memory: http://pki.goog/gsr2/GTS
Source: Attached pdf.exe, 00000000.00000002.923436982.00000000008AC000.00000004.00000001.sdmp, Csegsew.exe, 00000009.00000003.563186827.00000000006CC000.00000004.00000001.sdmp; String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: Csegsew.exe, 00000009.00000003.563186827.00000000006CC000.00000004.00000001.sdmp; String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: Csegsew.exe, 00000009.00000003.563186827.00000000006CC000.00000004.00000001.sdmp; String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/Persistent-AuthWWW-AuthenticateAccept-EncodingVaryNID=
Source: Csegsew.exe, 00000009.00000003.563186827.00000000006CC000.00000004.00000001.sdmp; String found in binary or memory: https://doc-0k-04-docs.googleusercontent.com/
Source: Csegsew.exe, 00000009.00000003.563186827.00000000006CC000.00000004.00000001.sdmp; String found in binary or memory: https://doc-0k-04-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/6dvv3dkp
Source: Csegsew.exe, 00000009.00000002.565951024.000000000068C000.00000004.00000020.sdmp; String found in binary or memory: https://drive.google.com/s
Source: Csegsew.exe, 0000000B.00000002.593439523.0000000002239000.00000004.00000001.sdmp; String found in binary or memory: https://drive.google.com/u/0/uc?id=1bpSwXgeTfUQhGF7a4lwQmZroVPGuKeUO&export=download
Source: Csegsew.exe, 00000009.00000002.565951024.000000000068C000.00000004.00000020.sdmp; String found in binary or memory: https://drive.google.com/u/0/uc?id=1bpSwXgeTfUQhGF7a4lwQmZroVPGuKeUO&export=downloadb
Source: Attached pdf.exe, 00000000.00000002.924099614.0000000002497000.00000004.00000001.sdmp, Csegsew.exe, 00000009.00000002.567057706.00000000021C7000.00000004.00000001.sdmp, Csegsew.exe, 0000000B.00000002.593357275.0000000002217000.00000004.00000001.sdmp; String found in binary or memory: https://drive.google.com/u/0/uc?id=1bpSwXgeTfUQhGF7a4lwQmZroVPGuKeUO&export=downloadnClick
Source: Attached pdf.exe, 00000000.00000002.923414033.0000000000896000.00000004.00000001.sdmp, Csegsew.exe, 00000009.00000003.563186827.00000000006CC000.00000004.00000001.sdmp; String found in binary or memory: https://pki.goog/repository/0
Uses HTTPS
Source: unknown; Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49701

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: 9_2_0042DB0C GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\Attached pdf.exe; Code function: 0_2_0042E220 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\Attached pdf.exe; Code function: 0_2_00449D04 GetKeyboardState
Creates a DirectInput object (often for capturing keystrokes)
Source: Attached pdf.exe, 00000000.00000002.923264912.0000000000820000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Remcos RAT

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.574084773.00000000042F0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 00000009.00000002.574084773.00000000042F0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Remcos Payload, Author: kevoreilly
Source: 00000009.00000002.574403576.0000000004320000.00000040.00000001.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 00000009.00000002.574403576.0000000004320000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Remcos Payload, Author: kevoreilly
Source: 0000000B.00000002.597109914.0000000002B20000.00000004.00000001.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 0000000B.00000002.597109914.0000000002B20000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Remcos Payload, Author: kevoreilly
Source: 00000000.00000002.925420453.0000000002CF0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 00000000.00000002.925420453.0000000002CF0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Remcos Payload, Author: kevoreilly
Source: 0000000B.00000002.597187630.0000000002B50000.00000040.00000001.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 0000000B.00000002.597187630.0000000002B50000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Remcos Payload, Author: kevoreilly
Source: 00000000.00000002.925343865.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 00000000.00000002.925343865.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Remcos Payload, Author: kevoreilly
Source: 9.2.Csegsew.exe.42f0000.8.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 9.2.Csegsew.exe.42f0000.8.unpack, type: UNPACKEDPE; Matched rule: Remcos Payload, Author: kevoreilly
Source: 0.2.Attached pdf.exe.2cc0000.4.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 0.2.Attached pdf.exe.2cc0000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos Payload, Author: kevoreilly
Source: 11.2.Csegsew.exe.2b20000.4.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 11.2.Csegsew.exe.2b20000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos Payload, Author: kevoreilly
Source: 11.2.Csegsew.exe.2b50000.5.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 11.2.Csegsew.exe.2b50000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos Payload, Author: kevoreilly
Source: 11.2.Csegsew.exe.2b50000.5.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 11.2.Csegsew.exe.2b50000.5.unpack, type: UNPACKEDPE; Matched rule: Remcos Payload, Author: kevoreilly
Source: 9.2.Csegsew.exe.4320000.9.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 9.2.Csegsew.exe.4320000.9.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos Payload, Author: kevoreilly
Source: 0.2.Attached pdf.exe.2cf0000.5.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 0.2.Attached pdf.exe.2cc0000.4.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 0.2.Attached pdf.exe.2cc0000.4.unpack, type: UNPACKEDPE; Matched rule: Remcos Payload, Author: kevoreilly
Source: 0.2.Attached pdf.exe.2cf0000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos Payload, Author: kevoreilly
Source: 9.2.Csegsew.exe.4320000.9.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 9.2.Csegsew.exe.4320000.9.unpack, type: UNPACKEDPE; Matched rule: Remcos Payload, Author: kevoreilly
Source: 9.2.Csegsew.exe.42f0000.8.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 9.2.Csegsew.exe.42f0000.8.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos Payload, Author: kevoreilly
Source: 11.2.Csegsew.exe.2b20000.4.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 11.2.Csegsew.exe.2b20000.4.unpack, type: UNPACKEDPE; Matched rule: Remcos Payload, Author: kevoreilly
Source: 0.2.Attached pdf.exe.2cf0000.5.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Author: unknown
Source: 0.2.Attached pdf.exe.2cf0000.5.unpack, type: UNPACKEDPE; Matched rule: Remcos Payload, Author: kevoreilly
Detected potential crypto function
Source: C:\Users\user\Desktop\Attached pdf.exe; Code function: 0_2_0045D820
Source: C:\Users\user\Desktop\Attached pdf.exe; Code function: 0_2_0049E110
Source: C:\Users\user\Desktop\Attached pdf.exe; Code function: 0_2_0040222C
Source: C:\Users\user\Desktop\Attached pdf.exe; Code function: 0_2_0049CB28
Source: C:\Users\user\Desktop\Attached pdf.exe; Code function: 0_2_004391BC
Source: C:\Users\user\Desktop\Attached pdf.exe; Code function: 0_2_0046B810
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: 9_2_0045D820
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: 9_2_0049E110
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: 9_2_0040222C
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: 9_2_0049CB28
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: 9_2_004391BC
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: 9_2_0046B810
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: 9_2_00491B58
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: 9_2_00441DE4
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: 9_2_042A20E4
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: 11_2_0045D820
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: 11_2_0049E110
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: 11_2_0040222C
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: 11_2_0049CB28
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: 11_2_004391BC
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: 11_2_0046B810
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: 11_2_00491B58
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: 11_2_00441DE4
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: 11_2_02AD20E4
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Attached pdf.exe; Code function: String function: 00407000 appears 62 times
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: String function: 0040503C appears 38 times
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: String function: 00406D20 appears 34 times
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: String function: 00411434 appears 60 times
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: String function: 02AD4A10 appears 58 times
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: String function: 00407000 appears 124 times
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: String function: 00404854 appears 32 times
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: String function: 00404830 appears 98 times
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: String function: 042A4A10 appears 58 times
Source: C:\Users\user\Cseg\Csegsew.exe; Code function: String function: 0041008C appears 42 times
PE file contains strange resources
Source: Attached pdf.exe; Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Csegsew.exe.0.dr; Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Attached pdf.exe, 00000000.00000002.932623473.00000000044A0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Attached pdf.exe
Source: Attached pdf.exe, 00000000.00000002.922771444.00000000004CA000.00000002.00020000.sdmp; Binary or memory string: OriginalFilename" vs Attached pdf.exe
Source: Attached pdf.exe, 00000000.00000002.932569763.0000000004470000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamenlsbres.dllj% vs Attached pdf.exe
Source: Attached pdf.exe, 00000000.00000002.932610656.0000000004490000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Attached pdf.exe
Source: Attached pdf.exe, 00000000.00000002.932585221.0000000004480000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs Attached pdf.exe
Source: Attached pdf.exe; Binary or memory string: OriginalFilename" vs Attached pdf.exe
Searches for the Microsoft Outlook file path
Source: C:\Windows\SysWOW64\mshta.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\mshta.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Uses reg.exe to modify the Windows registry
Source: unknown; Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Yara signature match
Source: 00000009.00000002.573676500.00000000042A0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detecst a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
Source: 00000009.00000002.574084773.00000000042F0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000009.00000002.574084773.00000000042F0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0000000B.00000002.596904471.0000000002AD0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detecst a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
Source: 00000009.00000002.574403576.0000000004320000.00000040.00000001.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000009.00000002.574403576.0000000004320000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0000000B.00000002.597109914.0000000002B20000.00000004.00000001.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000B.00000002.597109914.0000000002B20000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 00000000.00000002.925420453.0000000002CF0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.925420453.0000000002CF0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0000000B.00000002.597187630.0000000002B50000.00000040.00000001.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000B.00000002.597187630.0000000002B50000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 00000000.00000002.925343865.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.925343865.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 11.2.Csegsew.exe.2ad0000.3.raw.unpack, type: UNPACKEDPE; Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detecst a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
Source: 9.2.Csegsew.exe.42f0000.8.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.Csegsew.exe.42f0000.8.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.Attached pdf.exe.2cc0000.4.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Attached pdf.exe.2cc0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 9.2.Csegsew.exe.42a0000.7.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detecst a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
Source: 11.2.Csegsew.exe.2b20000.4.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.Csegsew.exe.2b20000.4.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 11.2.Csegsew.exe.2b50000.5.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.Csegsew.exe.2b50000.5.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 11.2.Csegsew.exe.2b50000.5.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.Csegsew.exe.2b50000.5.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 9.2.Csegsew.exe.4320000.9.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.Csegsew.exe.4320000.9.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.Attached pdf.exe.2cf0000.5.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Attached pdf.exe.2cc0000.4.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Attached pdf.exe.2cc0000.4.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.Attached pdf.exe.2cf0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 9.2.Csegsew.exe.4320000.9.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.Csegsew.exe.4320000.9.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 9.2.Csegsew.exe.42f0000.8.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.Csegsew.exe.42f0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 11.2.Csegsew.exe.2b20000.4.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.Csegsew.exe.2b20000.4.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.Attached pdf.exe.2cf0000.5.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Attached pdf.exe.2cf0000.5.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Classification label
Source: classification engine | Classification label: mal100.troj.evad.winEXE@19/6@9/2
Contains functionality for error logging
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_0042A954 GetLastError,FormatMessageA | 0_2_0042A954
Contains functionality to check free disk space
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: 9_2_00409C0E GetDiskFreeSpaceA | 9_2_00409C0E
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_004771D8 CoCreateInstance | 0_2_004771D8
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_0041CEAC FindResourceA | 0_2_0041CEAC
Creates files inside the user directory
Source: C:\Users\user\Desktop\Attached pdf.exe | File created: C:\Users\user\Cseg
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4540:120:WilError_01
Source: C:\Users\user\Desktop\Attached pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-CHWDM7
Executes batch files
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Natso.bat' '
Parts of this application use Borland Delphi (probably coded in Delphi)
Source: C:\Users\user\Desktop\Attached pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (2 occurrences)
Source: C:\Users\user\Cseg\Csegsew.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (4 occurrences)
Reads ini files
Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\Attached pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\Desktop\Attached pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 occurrences)
Source: C:\Users\user\Cseg\Csegsew.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 occurrences)
Sample is known by Antivirus
Source: Attached pdf.exe | Virustotal: Detection: 15%
Source: Attached pdf.exe | ReversingLabs: Detection: 12%
Sample reads its own file content
Source: C:\Users\user\Desktop\Attached pdf.exe | File read: C:\Users\user\Desktop\Attached pdf.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\Attached pdf.exe 'C:\Users\user\Desktop\Attached pdf.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Natso.bat' '
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\Yako.bat reg delete hkcu\Environment /v windir /f && REM '
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\user\Cseg.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Source: unknown | Process created: C:\Users\user\Cseg\Csegsew.exe 'C:\Users\user\Cseg\Csegsew.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\user\Cseg.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Source: unknown | Process created: C:\Users\user\Cseg\Csegsew.exe 'C:\Users\user\Cseg\Csegsew.exe'
Source: C:\Users\user\Desktop\Attached pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Natso.bat' '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\Yako.bat reg delete hkcu\Environment /v windir /f && REM '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Users\user\Cseg\Csegsew.exe 'C:\Users\user\Cseg\Csegsew.exe'
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Users\user\Cseg\Csegsew.exe 'C:\Users\user\Cseg\Csegsew.exe'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\Attached pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Cseg\Csegsew.exe | Unpacked PE file: 9.2.Csegsew.exe.4320000.9.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_004A4214 VirtualAlloc,VirtualAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,VirtualProtect | 0_2_004A4214
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_004A60AC push 004A6125h; ret | 0_2_004A611D
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_0041C138 push ecx; mov dword ptr [esp], edx | 0_2_0041C13D
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_004A65D0 push 004A665Dh; ret | 0_2_004A6655
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_004A40F8 push 004A4136h; ret | 0_2_004A412E
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_0048C0F4 push 0048C120h; ret | 0_2_0048C118
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_004A6144 push 004A61ECh; ret | 0_2_004A61E4
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_0043616C push 004361A4h; ret | 0_2_0043619C
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_00476168 push ecx; mov dword ptr [esp], edx | 0_2_0047616D
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_004A61F8 push 004A6288h; ret | 0_2_004A6280
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_00456248 push 004562AEh; ret | 0_2_004562A6
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_00424294 push ecx; mov dword ptr [esp], edx | 0_2_00424299
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_004103C4 push 004103F0h; ret | 0_2_004103E8
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_004863FC push ecx; mov dword ptr [esp], edx | 0_2_004863FD
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_0041C394 push ecx; mov dword ptr [esp], edx | 0_2_0041C399
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_004263B4 push 004263F2h; ret | 0_2_004263EA
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_0047E3B0 push ecx; mov dword ptr [esp], ecx | 0_2_0047E3B5
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_0049A440 push ecx; mov dword ptr [esp], edx | 0_2_0049A448
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_0041C4F8 push ecx; mov dword ptr [esp], edx | 0_2_0041C4FD
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_0041C4B4 push ecx; mov dword ptr [esp], edx | 0_2_0041C4B9
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_0041A534 push 0041A581h; ret | 0_2_0041A579
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_004726A4 push ecx; mov dword ptr [esp], eax | 0_2_004726A7
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_00458720 push ecx; mov dword ptr [esp], edx | 0_2_00458724
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_004A67CC push 004A6834h; ret | 0_2_004A682C
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_0043A7C8 push 0043A7F4h; ret | 0_2_0043A7EC
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_00418804 push 0041887Ah; ret | 0_2_00418872
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_0048A8D4 push 0048A92Bh; ret | 0_2_0048A923
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_004A48B8 push 004A48F0h; ret | 0_2_004A48E8
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_00442964 push 004429CFh; ret | 0_2_004429C7
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_004A6974 push 004A69C3h; ret | 0_2_004A69BB
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_004589C4 push ecx; mov dword ptr [esp], edx | 0_2_004589C8
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_00492A60 push ecx; mov dword ptr [esp], edx | 0_2_00492A67

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe (3 occurrences)
Drops PE files
Source: C:\Users\user\Desktop\Attached pdf.exe | File created: C:\Users\user\Cseg\Csegsew.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Creates an autostart registry key
Source: C:\Users\user\Desktop\Attached pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Cseg (4 occurrences)

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_004644D0 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus | 0_2_004644D0
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_004265F0 IsIconic,GetWindowPlacement,GetWindowRect | 0_2_004265F0
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_00450854 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient | 0_2_00450854
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_00464C00 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA | 0_2_00464C00
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_00464CC4 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus | 0_2_00464CC4
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_0046100C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow | 0_2_0046100C
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_0044F544 IsIconic,GetCapture | 0_2_0044F544
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: 9_2_004644D0 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus | 9_2_004644D0
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: 9_2_004265F0 IsIconic,GetWindowPlacement,GetWindowRect | 9_2_004265F0
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: 9_2_00450854 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient | 9_2_00450854
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: 9_2_00464C00 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA | 9_2_00464C00
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: 9_2_00464CC4 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus | 9_2_00464CC4
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: 9_2_0046100C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow | 9_2_0046100C
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: 9_2_0044F544 IsIconic,GetCapture | 9_2_0044F544
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: 9_2_0044FE4C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement | 9_2_0044FE4C
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: 11_2_004644D0 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus | 11_2_004644D0
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: 11_2_004265F0 IsIconic,GetWindowPlacement,GetWindowRect | 11_2_004265F0
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: 11_2_00450854 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient | 11_2_00450854
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: 11_2_00464C00 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,DefWindowProcA | 11_2_00464C00
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: 11_2_00464CC4 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus | 11_2_00464CC4
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: 11_2_0046100C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,ShowWindow | 11_2_0046100C
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: 11_2_0044F544 IsIconic,GetCapture | 11_2_0044F544
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: 11_2_0044FE4C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement | 11_2_0044FE4C
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_00431408 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00431408
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Attached pdf.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Attached pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\Cseg\Csegsew.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\Cseg\Csegsew.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected Windows Security Disabler
Source: Yara match | File source: 0000000B.00000002.592712937.000000000218C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.925263986.0000000002C70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.573676500.00000000042A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.923915258.000000000240C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.596904471.0000000002AD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.566447267.000000000213C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.925501930.0000000002D39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Csegsew.exe PID: 1740, type: MEMORY
Source: Yara match | File source: Process Memory Space: Attached pdf.exe PID: 4944, type: MEMORY
Source: Yara match | File source: Process Memory Space: Csegsew.exe PID: 4764, type: MEMORY
Source: Yara match | File source: C:\Users\Public\Yako.bat, type: DROPPED
Source: Yara match | File source: 11.2.Csegsew.exe.2ad0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Csegsew.exe.42a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Attached pdf.exe.2c70000.3.raw.unpack, type: UNPACKEDPE
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject | 0_2_00463790
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject | 9_2_00463790
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject | 11_2_00463790
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Attached pdf.exe | Window / User API: threadDelayed 706
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Attached pdf.exe | API coverage: 9.4 %
Source: C:\Users\user\Cseg\Csegsew.exe | API coverage: 7.9 % (2 occurrences)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Attached pdf.exe TID: 4088 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Attached pdf.exe TID: 4208 | Thread sleep time: -7060000s >= -30000s
Source: C:\Users\user\Cseg\Csegsew.exe TID: 2432 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Cseg\Csegsew.exe TID: 896 | Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\Attached pdf.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_00406164 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA | 0_2_00406164
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: 9_2_00406164 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA | 9_2_00406164
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: 11_2_00406164 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA | 11_2_00406164
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: reg.exe, 00000005.00000002.515185245.0000000000CE0000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.519671719.0000000000F50000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Attached pdf.exe, 00000000.00000002.923414033.0000000000896000.00000004.00000001.sdmp, Csegsew.exe, 00000009.00000003.563186827.00000000006CC000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: Attached pdf.exe, 00000000.00000002.923316917.000000000084A000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWH
Source: reg.exe, 00000005.00000002.515185245.0000000000CE0000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.519671719.0000000000F50000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Csegsew.exe, 00000009.00000002.566037657.00000000006B1000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW,
Source: reg.exe, 00000005.00000002.515185245.0000000000CE0000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.519671719.0000000000F50000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: reg.exe, 00000005.00000002.515185245.0000000000CE0000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.519671719.0000000000F50000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_004A4214 VirtualAlloc,VirtualAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,VirtualProtect,0_2_004A4214

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\Environment /v windir /d 'cmd /c start /min C:\Users\Public\Yako.bat reg delete hkcu\Environment /v windir /f && REM '
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg delete hkcu\Environment /v windir /f
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Users\user\Cseg\Csegsew.exe 'C:\Users\user\Cseg\Csegsew.exe'
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Users\user\Cseg\Csegsew.exe 'C:\Users\user\Cseg\Csegsew.exe'
May try to detect the Windows Explorer process (often used for injection)
Source: Attached pdf.exe, 00000000.00000002.932931100.0000000004D70000.00000004.00000001.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|891578wG
Source: Attached pdf.exe, 00000000.00000002.932931100.0000000004D70000.00000004.00000001.sdmp | Binary or memory string: Program Managerr|cmd|665125|cmd|4896359
Source: Attached pdf.exe, 00000000.00000002.932931100.0000000004D70000.00000004.00000001.sdmp | Binary or memory string: Program Managerrcmd|4664672|cmd|881359
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: Program Managerr|cmd|
Source: Attached pdf.exe, 00000000.00000002.923516052.0000000000EB0000.00000002.00000001.sdmp | Binary or memory string: =Program Managerb
Source: Attached pdf.exe, 00000000.00000002.932931100.0000000004D70000.00000004.00000001.sdmp | Binary or memory string: 0|cmd|Program Managercmd|4664578|cmd|4911406OG|
Source: Attached pdf.exe, 00000000.00000002.932931100.0000000004D70000.00000004.00000001.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|4665563|cmd|[G
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: 0|cmd|Program Managercmd|cmd|US|cmd|
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: Program Managerr|cmd|4664765
Source: Attached pdf.exe, 00000000.00000002.932931100.0000000004D70000.00000004.00000001.sdmp | Binary or memory string: Program Managerr|cmd|4664578|cmd|
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: art]@L0|cmd|Program Manager|cmd|4664703|cmd|4876343
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: Program Managerr
Source: Attached pdf.exe, 00000000.00000002.932931100.0000000004D70000.00000004.00000001.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|665437-G^
Source: Attached pdf.exe, 00000000.00000002.932931100.0000000004D70000.00000004.00000001.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|4665500cmd|4921343UG
Source: Attached pdf.exe, 00000000.00000002.932931100.0000000004D70000.00000004.00000001.sdmp | Binary or memory string: 0|cmd|Program ManageraG
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: 0|cmd|Program Managercmd|665313|cmd|
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|4664750|cmd|4871359
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|4664703|cmd|x2
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|4664750|cmd|851343:=
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|4664828|cmd|4861359V==
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: Program Manager
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|4664750
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: Program Managerr|cmd|b=)
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|4664828
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|665313|cmd|4856359
Source: Attached pdf.exe, 00000000.00000002.932931100.0000000004D70000.00000004.00000001.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|4665500|cmd|4931390
Source: Attached pdf.exe, 00000000.00000002.932931100.0000000004D70000.00000004.00000001.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|891|cmd|md|
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|4664703|cmd|4876343
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: Program Manager@=
Source: Attached pdf.exe, 00000000.00000002.932931100.0000000004D70000.00000004.00000001.sdmp | Binary or memory string: 0|cmd|Program Managercmd|4665172
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: art]@L0|cmd|Program Manager|cmd|4665500|cmd|4931390OMAIN_ROAM
Source: Attached pdf.exe, 00000000.00000002.932931100.0000000004D70000.00000004.00000001.sdmp | Binary or memory string: 0|cmd|Program Manager}G
Source: Attached pdf.exe, 00000000.00000002.932931100.0000000004D70000.00000004.00000001.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|4664922|cmd|8913433Gh
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|4664765|cmd|4866343
Source: Attached pdf.exe, 00000000.00000002.923516052.0000000000EB0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Attached pdf.exe, 00000000.00000002.923516052.0000000000EB0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Attached pdf.exe, 00000000.00000002.932931100.0000000004D70000.00000004.00000001.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|4664922cmd|4906359
Source: Attached pdf.exe, 00000000.00000002.932931100.0000000004D70000.00000004.00000001.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|4665500|cmd|
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: 0|cmd|Program Manager
Source: Attached pdf.exe, 00000000.00000002.932931100.0000000004D70000.00000004.00000001.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|891|cmd|271812'GT
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: 0|cmd|Program Managercmd|4665422
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: 0|cmd|Program Managercmd|664578|cmd|48363434=
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|4664703cmd|
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|4665422|cmd|4846343
Source: Attached pdf.exe, 00000000.00000002.923516052.0000000000EB0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: Program ManagerH24
Source: Attached pdf.exe, 00000000.00000002.932931100.0000000004D70000.00000004.00000001.sdmp | Binary or memory string: 0|cmd|Program Managercmd|4665266|cmd|
Source: Attached pdf.exe, 00000000.00000002.923888379.00000000023C6000.00000004.00000040.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|665531
Source: Attached pdf.exe, 00000000.00000002.932931100.0000000004D70000.00000004.00000001.sdmp | Binary or memory string: 0|cmd|Program Manager|cmd|4665563|cmd|4916406

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_00406328
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,0_2_00406434
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: GetLocaleInfoA,0_2_0040D0D4
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: GetLocaleInfoA,0_2_0040D088
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,9_2_00406328
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,9_2_00406434
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: GetLocaleInfoA,9_2_0040D0D4
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: GetLocaleInfoA,9_2_0040D088
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,11_2_00406328
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,11_2_00406434
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: GetLocaleInfoA,11_2_0040D0D4
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: GetLocaleInfoA,11_2_0040D088
Contains functionality to query local / system time
Source: C:\Users\user\Cseg\Csegsew.exe | Code function: 9_2_0040BA34 GetLocalTime,9_2_0040BA34
Contains functionality to query Windows version
Source: C:\Users\user\Desktop\Attached pdf.exe | Code function: 0_2_004A65D0 GetVersion,0_2_004A65D0

Stealing of Sensitive Information:

Yara detected Remcos RAT
Source: Yara match | File source: 00000009.00000002.574084773.00000000042F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.574403576.0000000004320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.597109914.0000000002B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.925420453.0000000002CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.597187630.0000000002B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.925343865.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Csegsew.exe PID: 1740, type: MEMORY
Source: Yara match | File source: Process Memory Space: Attached pdf.exe PID: 4944, type: MEMORY
Source: Yara match | File source: Process Memory Space: Csegsew.exe PID: 4764, type: MEMORY
Source: Yara match | File source: 9.2.Csegsew.exe.42f0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Attached pdf.exe.2cc0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Csegsew.exe.2b20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Csegsew.exe.2b50000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Csegsew.exe.2b50000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Csegsew.exe.4320000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Attached pdf.exe.2cf0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Attached pdf.exe.2cc0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Csegsew.exe.4320000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Csegsew.exe.42f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Csegsew.exe.2b20000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Attached pdf.exe.2cf0000.5.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Remcos RAT
Source: Attached pdf.exe, 00000000.00000002.925420453.0000000002CF0000.00000040.00000001.sdmp | String found in binary or memory: Remcos_Mutex_Inj
Source: Attached pdf.exe, 00000000.00000002.925420453.0000000002CF0000.00000040.00000001.sdmp | String found in binary or memory: NormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.5.0 Propth_unencoverridev
Source: Csegsew.exe, 00000009.00000003.563186827.00000000006CC000.00000004.00000001.sdmp | String found in binary or memory: Remcos_Mutex_InjA
Source: Csegsew.exe, 00000009.00000002.574084773.00000000042F0000.00000004.00000001.sdmp | String found in binary or memory: Remcos_Mutex_Inj
Source: Csegsew.exe, 00000009.00000002.574084773.00000000042F0000.00000004.00000001.sdmp | String found in binary or memory: NormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.5.0 Propth_unencoverridev
Source: Csegsew.exe, 0000000B.00000002.597187630.0000000002B50000.00000040.00000001.sdmp | String found in binary or memory: Remcos_Mutex_Inj
Source: Csegsew.exe, 0000000B.00000002.597187630.0000000002B50000.00000040.00000001.sdmp | String found in binary or memory: NormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.5.0 Propth_unencoverridev
Yara detected Remcos RAT (the same Yara matches as listed under Stealing of Sensitive Information above)

Malware Configuration

No configs have been found

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 218797; Sample: Attached pdf.exe; Start date: 30/03/2020; Architecture: WINDOWS; Score: 100. Information recoverable from the graph:
  • Signatures on the sample node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures
  • DNS/IP node attached to the start node: site-cdn.onenote.net
  • Processes started from the sample: Attached pdf.exe; mshta.exe (two instances)
  • DNS/IP contacted by Attached pdf.exe: rex2016.hopto.org (185.244.30.125, port 2404, local port 49703, unknown, Netherlands); rex2016.freeddns.org; 5 other IPs or domains
  • Files dropped by Attached pdf.exe: C:\Users\user\Cseg\Csegsew.exe (PE32); C:\Users\user\AppData\Roaming\...\logs.dat (ASCII); C:\Users\Public\Yako.bat (ASCII)
  • Child processes: cmd.exe started by Attached pdf.exe (signature: Uses cmd line tools excessively to alter registry or file data), which in turn started conhost.exe; Csegsew.exe started by each mshta.exe instance