Analysis
max time kernel: 300s
max time network: 301s
platform: windows10_x64
resource: win10-en-20211014
submitted: 21-10-2021 00:21
Static task: static1
Behavioral task: behavioral1
Sample: SPECIFICATIONS DOCS 2021.20.10.exe
Resource: win7-en-20210920
General
Target: SPECIFICATIONS DOCS 2021.20.10.exe
Size: 706KB
MD5: d3f5cc4888e982cef9efbce21c381960
SHA1: 27232e77ad11ba1797d4ef7aa966cb31bdef7cbe
SHA256: 54d9e04a23e8117c940b8e6e46335aec76138fe38bc6423207ef98223516a0f9
SHA512: 8107ddfce14d3e4c38e64f18ce5ba8cb35dc1e5e6299928d345076ed94a4d99117f93941393aec99977f281ac56894a75d7c1925934c2cd7d984d5afe4a106c2
Malware Config
Extracted
Family: remcos
Version: 3.1.4 Pro
servers: kashbilly2.ddns.net:6060
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-XI8GX1
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;
Signatures
Suspicious use of SetThreadContext (1 IoC)
- PID 1832 (SPECIFICATIONS DOCS 2021.20.10.exe) set thread context of PID 808 (SPECIFICATIONS DOCS 2021.20.10.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 1832 (SPECIFICATIONS DOCS 2021.20.10.exe), 2 events
Suspicious use of AdjustPrivilegeToken (1 IoC)
- PID 1832 (SPECIFICATIONS DOCS 2021.20.10.exe): Token: SeDebugPrivilege
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 808 (SPECIFICATIONS DOCS 2021.20.10.exe)
Suspicious use of WriteProcessMemory (15 IoCs)
- PID 1832 (SPECIFICATIONS DOCS 2021.20.10.exe) wrote to memory of PID 3764 (SPECIFICATIONS DOCS 2021.20.10.exe), 3 events
- PID 1832 (SPECIFICATIONS DOCS 2021.20.10.exe) wrote to memory of PID 808 (SPECIFICATIONS DOCS 2021.20.10.exe), 12 events
Processes
- "C:\Users\Admin\AppData\Local\Temp\SPECIFICATIONS DOCS 2021.20.10.exe" (PID 1832)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - child: "C:\Users\Admin\AppData\Local\Temp\SPECIFICATIONS DOCS 2021.20.10.exe"
  - child: "C:\Users\Admin\AppData\Local\Temp\SPECIFICATIONS DOCS 2021.20.10.exe" (PID 808)
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
memory/808-124-0x0000000000400000-0x0000000000478000-memory.dmp (480KB)
memory/808-125-0x000000000042EEEF-mapping.dmp
memory/808-126-0x0000000000400000-0x0000000000478000-memory.dmp (480KB)
memory/1832-115-0x0000000000050000-0x0000000000051000-memory.dmp (4KB)
memory/1832-117-0x00000000073A0000-0x00000000073A1000-memory.dmp (4KB)
memory/1832-118-0x0000000006F80000-0x0000000006F81000-memory.dmp (4KB)
memory/1832-119-0x0000000006EA0000-0x000000000739E000-memory.dmp (5.0MB)
memory/1832-120-0x0000000006F50000-0x0000000006F51000-memory.dmp (4KB)
memory/1832-121-0x000000000A650000-0x000000000A657000-memory.dmp (28KB)
memory/1832-122-0x000000000A850000-0x000000000A851000-memory.dmp (4KB)
memory/1832-123-0x000000000AA30000-0x000000000AAC4000-memory.dmp (592KB)
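The Signatures and Downloads sections together describe one behaviour: PID 1832 takes SeDebugPrivilege, spawns children of its own image, writes into them (3 writes into 3764, 12 into 808), and then sets the thread context of 808, which is the process that ends up running the Remcos payload (SetWindowsHookEx, the keylogger hook) and whose dumped region 0x400000-0x478000 is 480KB. The Python below is an added example, not part of the Triage report or of Triage's tooling: it turns that WriteProcessMemory-then-SetThreadContext sequence into detection logic and checks the dump names for consistency. The event records and the record layout (api / pid / image / target_pid / target_image) are constructed from the report by me, not exported by the sandbox, and the reading of the -mapping.dmp address as the location execution was redirected to is my assumption.

```python
import re
from collections import defaultdict

# Constructed from the report's Signatures section. The record layout
# (api / pid / image / target_pid / target_image) is my own, not a Triage
# export format.
IMAGE = "SPECIFICATIONS DOCS 2021.20.10.exe"
EVENTS = (
    [{"api": "AdjustPrivilegeToken", "pid": 1832, "image": IMAGE,
      "detail": "SeDebugPrivilege"}]
    + [{"api": "WriteProcessMemory", "pid": 1832, "image": IMAGE,
        "target_pid": 3764, "target_image": IMAGE}] * 3
    + [{"api": "WriteProcessMemory", "pid": 1832, "image": IMAGE,
        "target_pid": 808, "target_image": IMAGE}] * 12
    + [{"api": "SetThreadContext", "pid": 1832, "image": IMAGE,
        "target_pid": 808, "target_image": IMAGE}]
    + [{"api": "SetWindowsHookEx", "pid": 808, "image": IMAGE}]
)


def find_hollowing(events):
    """Return (source_pid, target_pid, write_count) for every case where a
    process wrote into another process running the same image and
    afterwards set that process's thread context.

    WriteProcessMemory followed by SetThreadContext on one target is the
    hollowing / RunPE sequence. Requiring the same image path restricts the
    rule to the self-injection this report shows and keeps debuggers and
    installers that write into unrelated children out of scope. Order
    matters: writes are only counted if they precede the context change."""
    writes = defaultdict(int)  # (source_pid, target_pid) -> writes seen so far
    hits = []
    for e in events:
        key = (e["pid"], e.get("target_pid"))
        if e["api"] == "WriteProcessMemory" and e.get("target_image") == e["image"]:
            writes[key] += 1
        elif e["api"] == "SetThreadContext" and writes[key]:
            hits.append((e["pid"], e["target_pid"], writes[key]))
    return hits


# Dump names as they appear in the report's Downloads section.
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)
DUMPS = [  # constructed from the report's Downloads section
    "memory/808-124-0x0000000000400000-0x0000000000478000-memory.dmp",
    "memory/808-125-0x000000000042EEEF-mapping.dmp",
    "memory/808-126-0x0000000000400000-0x0000000000478000-memory.dmp",
    "memory/1832-123-0x000000000AA30000-0x000000000AAC4000-memory.dmp",
]


def dumped_regions(dump_names, pid):
    """Parse dump file names for one PID. Returns the distinct
    (start, end, size_bytes) memory regions and, for each mapping address,
    whether it falls inside one of those regions. Assumption: the address in
    a -mapping.dmp name is where execution was redirected, so it should lie
    inside the region that was written into the hollowed process."""
    regions, mappings = set(), []
    for name in dump_names:
        m = DUMP_RE.match(name)
        if not m or int(m["pid"]) != pid:
            continue
        start = int(m["start"], 16)
        if m["kind"] == "memory":
            end = int(m["end"], 16)
            regions.add((start, end, end - start))
        else:
            mappings.append(start)
    regions = sorted(regions)
    located = [(addr, any(s <= addr < e for s, e, _ in regions)) for addr in mappings]
    return regions, located


if __name__ == "__main__":
    for src, dst, n in find_hollowing(EVENTS):
        print(f"hollowing candidate: PID {src} wrote {n} times into PID {dst}, "
              f"then set its thread context")
    regions, located = dumped_regions(DUMPS, 808)
    for s, e, size in regions:
        print(f"PID 808 dumped region 0x{s:X}-0x{e:X} ({size // 1024} KB)")
    for addr, inside in located:
        print(f"mapping address 0x{addr:X} inside dumped region: {inside}")
```

Run against the report's events the rule flags only the 1832 -> 808 pair: PID 3764 received three writes but never had its thread context set, so it is not reported, which matches the process tree, where only the second child carries a signature. The dumped region for PID 808 is 0x78000 bytes (480KB, the size the report lists) at the default 32-bit image base 0x400000, and the mapping address 0x42EEEF lies inside it; the 0xAA30000-0xAAC4000 region dumped from the parent is 592KB, the same size shown in the Downloads list.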