Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
12-09-2022 08:04
General
-
Target
ITEM DATA SHEET.exe
-
Size
1.2MB
-
MD5
c95b522710130a7d48a91a7adf58fbb4
-
SHA1
c8177c93f5a01434516f43bfb34b49c82b8a4a00
-
SHA256
b6ebe092221b9cb70949480fbc97133fa1e408c657150bb50c41171321b2fb73
-
SHA512
d7ac349ae55357c73db01780bec16712fe58dea44a75e792d99dd22766b06a5cbb0272c9a3752b3fb0de7c2354beb64e51bf241d2370749a1d48cff61a0f06ac
-
SSDEEP
12288:cx1goP2MRzbeykkXoposLC6/M698kgMhMk6jwv+rB/4vVWwPN:co85edLv/M698U6jI+rx4vVXP
Score
10/10
Malware Config
Extracted
Family
remcos
Botnet
NEW REM STUB
C2
valvesco.duckdns.org:5050
Attributes
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-48V73L
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ITEM DATA SHEET.exe"C:\Users\Admin\AppData\Local\Temp\ITEM DATA SHEET.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ITEM DATA SHEET.exe"C:\Users\Admin\AppData\Local\Temp\ITEM DATA SHEET.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\ITEM DATA SHEET.exe"C:\Users\Admin\AppData\Local\Temp\ITEM DATA SHEET.exe"2⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/448-132-0x00000000006F0000-0x0000000000822000-memory.dmpFilesize
1.2MB
-
memory/448-133-0x0000000005800000-0x0000000005DA4000-memory.dmpFilesize
5.6MB
-
memory/448-134-0x0000000005250000-0x00000000052E2000-memory.dmpFilesize
584KB
-
memory/448-135-0x00000000051D0000-0x00000000051DA000-memory.dmpFilesize
40KB
-
memory/448-136-0x0000000007A00000-0x0000000007A9C000-memory.dmpFilesize
624KB
-
memory/448-137-0x0000000007BA0000-0x0000000007C06000-memory.dmpFilesize
408KB
-
memory/2268-138-0x0000000000000000-mapping.dmp
-
memory/4524-139-0x0000000000000000-mapping.dmp
-
memory/4524-140-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/4524-141-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/4524-142-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/4524-143-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/4524-144-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB