Analysis
-
max time kernel
300s -
max time network
301s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
21-10-2021 00:21
General
-
Target
SPECIFICATIONS DOCS 2021.20.10.exe
-
Size
706KB
-
MD5
d3f5cc4888e982cef9efbce21c381960
-
SHA1
27232e77ad11ba1797d4ef7aa966cb31bdef7cbe
-
SHA256
54d9e04a23e8117c940b8e6e46335aec76138fe38bc6423207ef98223516a0f9
-
SHA512
8107ddfce14d3e4c38e64f18ce5ba8cb35dc1e5e6299928d345076ed94a4d99117f93941393aec99977f281ac56894a75d7c1925934c2cd7d984d5afe4a106c2
Score
10/10
Malware Config
Extracted
Family
remcos
Version
3.1.4 Pro
Botnet
servers
C2
kashbilly2.ddns.net:6060
Attributes
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-XI8GX1
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SPECIFICATIONS DOCS 2021.20.10.exe"C:\Users\Admin\AppData\Local\Temp\SPECIFICATIONS DOCS 2021.20.10.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SPECIFICATIONS DOCS 2021.20.10.exe"C:\Users\Admin\AppData\Local\Temp\SPECIFICATIONS DOCS 2021.20.10.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\SPECIFICATIONS DOCS 2021.20.10.exe"C:\Users\Admin\AppData\Local\Temp\SPECIFICATIONS DOCS 2021.20.10.exe"2⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/808-124-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/808-125-0x000000000042EEEF-mapping.dmp
-
memory/808-126-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1832-115-0x0000000000050000-0x0000000000051000-memory.dmpFilesize
4KB
-
memory/1832-117-0x00000000073A0000-0x00000000073A1000-memory.dmpFilesize
4KB
-
memory/1832-118-0x0000000006F80000-0x0000000006F81000-memory.dmpFilesize
4KB
-
memory/1832-119-0x0000000006EA0000-0x000000000739E000-memory.dmpFilesize
5.0MB
-
memory/1832-120-0x0000000006F50000-0x0000000006F51000-memory.dmpFilesize
4KB
-
memory/1832-121-0x000000000A650000-0x000000000A657000-memory.dmpFilesize
28KB
-
memory/1832-122-0x000000000A850000-0x000000000A851000-memory.dmpFilesize
4KB
-
memory/1832-123-0x000000000AA30000-0x000000000AAC4000-memory.dmpFilesize
592KB