Analysis
- max time kernel: 149s
- max time network: 144s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 03-12-2021 09:03
Behavioral task: behavioral1
- Sample: tmp/4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe
- Resource: win7-en-20211014
General
- Target: tmp/4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe
- Size: 463KB
- MD5: a603a8a69bbcd08f4899a605ab1c68e4
- SHA1: 59f7a2f88a8a3fc13f685672b72506b28ba1614e
- SHA256: 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81
- SHA512: 367238cbdaadbfbe42e08da5596f44efb00844505b7a415a57fd3a2d969b8ca83ac4b6ab3c0a4f6c348d9fec0229baee760bb0798768325710a7e70a3f8a4612
Malware Config
Extracted
- remcos
- 3.3.2 Pro
- remrem102
- 18.218.132.40:2404

Configuration keys:
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: true
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: jre
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-QIKEGJ
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: notepad;solitaire;
Signatures
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 1344 set thread context of 1456 / 1344 / 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe / svchost.exe
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid / process):
  - 1344 / 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description / pid / process / target process):
  - PID 1344 wrote to memory of 2040 / 1344 / 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe / cmd.exe
  - PID 1344 wrote to memory of 2040 / 1344 / 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe / cmd.exe
  - PID 1344 wrote to memory of 2040 / 1344 / 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe / cmd.exe
  - PID 1344 wrote to memory of 2040 / 1344 / 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe / cmd.exe
  - PID 1344 wrote to memory of 1456 / 1344 / 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe / svchost.exe
  - PID 1344 wrote to memory of 1456 / 1344 / 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe / svchost.exe
  - PID 1344 wrote to memory of 1456 / 1344 / 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe / svchost.exe
  - PID 1344 wrote to memory of 1456 / 1344 / 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe / svchost.exe
  - PID 1344 wrote to memory of 1456 / 1344 / 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe / svchost.exe
  - PID 1344 wrote to memory of 1456 / 1344 / 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe / svchost.exe
  - PID 1344 wrote to memory of 1456 / 1344 / 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe / svchost.exe
  - PID 1344 wrote to memory of 1456 / 1344 / 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe / svchost.exe
  - PID 1344 wrote to memory of 1456 / 1344 / 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe / svchost.exe
  - PID 1344 wrote to memory of 1456 / 1344 / 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe / svchost.exe
  - PID 1344 wrote to memory of 1456 / 1344 / 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe / svchost.exe
  - PID 2040 wrote to memory of 856 / 2040 / cmd.exe / reg.exe
  - PID 2040 wrote to memory of 856 / 2040 / cmd.exe / reg.exe
  - PID 2040 wrote to memory of 856 / 2040 / cmd.exe / reg.exe
  - PID 2040 wrote to memory of 856 / 2040 / cmd.exe / reg.exe
  - PID 1344 wrote to memory of 1456 / 1344 / 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe / svchost.exe
  - PID 1344 wrote to memory of 1456 / 1344 / 4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe / svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp\4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp\4a843bea699f8a40ae3b92c04e01139d61880ce1c519e369a966e814593d1d81.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - Modifies registry key
  - C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\SysWOW64\svchost.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/856-65-0x0000000000000000-mapping.dmp
- memory/1344-55-0x00000000757A1000-0x00000000757A3000-memory.dmp (Filesize: 8KB)
- memory/1456-61-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize: 492KB)
- memory/1456-59-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize: 492KB)
- memory/1456-58-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize: 492KB)
- memory/1456-60-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize: 492KB)
- memory/1456-57-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize: 492KB)
- memory/1456-62-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize: 492KB)
- memory/1456-63-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize: 492KB)
- memory/1456-64-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize: 492KB)
- memory/1456-66-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize: 492KB)
- memory/1456-67-0x0000000000430472-mapping.dmp
- memory/1456-69-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize: 492KB)
- memory/2040-56-0x0000000000000000-mapping.dmp