Analysis
-
max time kernel
162s -
max time network
170s -
platform
windows10-2004_x64 -
resource
win10v2004-20220310-en -
submitted
20-03-2022 02:05
General
-
Target
bbf6829ce1ce8dc4b0d023e92e0766d4f74c129c1cfbcfcfbac0dfa07a5533b7.dll
-
Size
1.1MB
-
MD5
c46912b6dedfa5321e367998711599a1
-
SHA1
629ce7047b6f1e949212d49f962e6d1f95c563f0
-
SHA256
bbf6829ce1ce8dc4b0d023e92e0766d4f74c129c1cfbcfcfbac0dfa07a5533b7
-
SHA512
89aeb5e6ec79e04b55cb0b7a8983ad4569e5cfbe741c6570deec78faeccadefd43f925b3d937a5d455971bc9634156878c87f002f810dd6d0ea922e1655335e6
Malware Config
Extracted
remcos
2.6.0 Pro
BTC
94.242.206.175:5886
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
MSI
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
MSI-PBVFMV
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bbf6829ce1ce8dc4b0d023e92e0766d4f74c129c1cfbcfcfbac0dfa07a5533b7.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bbf6829ce1ce8dc4b0d023e92e0766d4f74c129c1cfbcfcfbac0dfa07a5533b7.dll,#12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\extrac32.exe"C:\Windows\system32\extrac32.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- Blocklisted process makes network request
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3be01df5.pngMD5
4d06546ee69e342d7cb3965234316d82
SHA1ff3fb3285792ab73825503562af31089c3c7ab52
SHA256e766d755441cd994f3f4fad51b676477bebf5e206d0d202c4b090f04e124c611
SHA512e06b168c114051b6a258b8e703b7a839cc726e2c55c8081deb944b539faae5cdaaeffd5c0a61c1c75c05601bed415bc13e7ce3eb2969af89a69f6ff34ae436e0
-
memory/364-135-0x0000000000FE0000-0x0000000000FEA000-memory.dmpFilesize
40KB
-
memory/364-134-0x0000000002CB0000-0x0000000002DD4000-memory.dmpFilesize
1.1MB
-
memory/2876-143-0x00007FFE1A170000-0x00007FFE1A365000-memory.dmpFilesize
2.0MB
-
memory/2876-141-0x00000000010C0000-0x00000000010C8000-memory.dmpFilesize
32KB
-
memory/2876-142-0x0000000016F97000-0x0000000016FA7000-memory.dmpFilesize
64KB
-
memory/2876-136-0x0000000000CE0000-0x0000000000CE2000-memory.dmpFilesize
8KB
-
memory/4296-137-0x0000013206D80000-0x0000013206D90000-memory.dmpFilesize
64KB
-
memory/4296-139-0x0000013209C00000-0x0000013209C04000-memory.dmpFilesize
16KB
-
memory/4296-138-0x0000013207660000-0x0000013207670000-memory.dmpFilesize
64KB
-
memory/4476-144-0x00007FFE1A170000-0x00007FFE1A365000-memory.dmpFilesize
2.0MB
-
memory/4476-149-0x0000000000760000-0x0000000000768000-memory.dmpFilesize
32KB
-
memory/4476-150-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
