Analysis
-
max time kernel
148s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220721-en locale:en-us os:windows10-2004-x64 system -
submitted
09-08-2022 07:03
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220715-en
windows7-x64
5 signatures
150 seconds
General
-
Target
tmp.exe
-
Size
466KB
-
MD5
3df9b4700366c9b2cad6a8ea983f8ad6
-
SHA1
ee7b516a234a1e9107fd0655d55a0bafb5744cd5
-
SHA256
285320e80186bcb40d93226fd64ed821cd935c6bfd222ee8b1b0c28806fb7a42
-
SHA512
2c5661f5dc2333035a04dfb01de259976fb7a3ddad28f0f0b85ad3b9589164abf0b37135a783ba39fe4e2b1d6a8382151ef7d69b21b4ccd8eb70bfd052df4658
Malware Config
Extracted
Family
remcos
Botnet
msmpeng
C2
191.101.30.16:4444
securewebareaxxx.ddns.net:4444
Attributes
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-08LKIV
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
svchost
-
take_screenshot_option
false
-
take_screenshot_time
5
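The extracted configuration above is the actionable part of this report: two C2 endpoints on port 4444 (one literal IP, one DDNS hostname) and a mutex. The following is an added example, not part of the sandbox report or of Remcos itself, that parses those values (re-typed as key=value lines, a constructed input) into structured indicators and emits Suricata rules for them. The sid range, rule messages and the `%AppData%` install-path assumption in `host_indicators` are this example's own choices; the report has `install_flag` false, so the copy path is only produced when that flag is true.

```python
import ipaddress
from dataclasses import dataclass

# Constructed from the "Malware Config" section: C2 list, mutex and a few
# installation attributes, one key=value per line. The key names are the
# sandbox report's attribute names, not Remcos's internal config layout.
EXTRACTED_CONFIG = """\
family=remcos
botnet=msmpeng
c2=191.101.30.16:4444
c2=securewebareaxxx.ddns.net:4444
mutex=Rmc-08LKIV
copy_folder=Remcos
copy_file=remcos.exe
install_flag=false
"""


@dataclass(frozen=True)
class C2:
    host: str
    port: int
    is_ip: bool


def parse_c2(entry: str) -> C2:
    """Split 'host:port' and record whether the host is a literal IP address."""
    host, sep, port = entry.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"malformed C2 entry: {entry!r}")
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    return C2(host, int(port), is_ip)


def parse_config(text: str) -> dict:
    """Turn the key=value dump into a dict; 'c2' repeats, so it becomes a list."""
    cfg = {"c2": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed config line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "c2":
            cfg["c2"].append(parse_c2(value))
        else:
            cfg[key] = value
    return cfg


def suricata_rules(cfg: dict, base_sid: int = 9000001) -> list:
    """One rule per C2 entry: TCP to host:port for literal IPs, a DNS-query
    match for hostnames. sid range and msg text are this example's choices."""
    rules = []
    label = f"{cfg['family']} botnet {cfg['botnet']}"
    for sid, c2 in enumerate(cfg["c2"], start=base_sid):
        if c2.is_ip:
            rules.append(
                f'alert tcp $HOME_NET any -> {c2.host} {c2.port} '
                f'(msg:"{label} C2 connection"; flow:to_server; '
                f'sid:{sid}; rev:1;)'
            )
        else:
            # A DDNS name can resolve anywhere, so alert on the lookup itself.
            rules.append(
                f'alert dns $HOME_NET any -> any any '
                f'(msg:"{label} C2 DNS lookup"; dns.query; '
                f'content:"{c2.host}"; nocase; sid:{sid}; rev:1;)'
            )
    return rules


def host_indicators(cfg: dict) -> dict:
    """Host-side artefacts to hunt for. The mutex is always present; the copy
    path is only emitted when install_flag is true, and the %AppData% base is
    an assumption of this example, not a value from the report."""
    ind = {"mutex": cfg["mutex"]}
    if cfg.get("install_flag", "false").lower() == "true":
        ind["copy_path"] = rf"%AppData%\{cfg['copy_folder']}\{cfg['copy_file']}"
    return ind


if __name__ == "__main__":
    config = parse_config(EXTRACTED_CONFIG)
    print(host_indicators(config))
    print("\n".join(suricata_rules(config)))
```

The TCP rule carries no content match, so it fires on any connection to that IP:port; that is intended for a known-bad address but would be noisy for a shared host, which is why the hostname entry gets a DNS-query rule instead.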
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
tmp.exe
description                          pid   process   target process
PID 4804 set thread context of 4320  4804  tmp.exe   svchost.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
tmp.exe
pid   process
4804  tmp.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
tmp.exe
pid   process
4804  tmp.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
tmp.exe
description                       pid   process   target process
PID 4804 wrote to memory of 4320  4804  tmp.exe   svchost.exe
PID 4804 wrote to memory of 4320  4804  tmp.exe   svchost.exe
PID 4804 wrote to memory of 4320  4804  tmp.exe   svchost.exe
PID 4804 wrote to memory of 4320  4804  tmp.exe   svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe
command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe" (process tree depth 1)
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe
command line: svchost.exe (process tree depth 2, launched by tmp.exe)