Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
28-09-2022 20:20
General
-
Target
INQUIRY 3937489.exe
-
Size
1.1MB
-
MD5
637d6c0ed25f4c0cdb346448d337be6c
-
SHA1
fac78a61ed68ac9d0e1b107814bb56c2828da596
-
SHA256
d4bee566c89c0e8c89f0539d2d49279f844317c54ee3216c049f038b773de8dc
-
SHA512
4a10bd5dc2ff83b6294a417b4d457b544ff24c28c7c7034245fc6360d5e680ffd9947be70827dbb67cc786999c23ab5ce0e15dcd8a5e2fd83d539fb12449db43
-
SSDEEP
12288:Wv1HM7T0I9bgER7BDkw7oPVrL8YIIA0WvJnorEzXOYNJe9OYhUOtLA/0U9q465yp:OMf0ItxRlIPPVrL8sAzxOYOkObU9qmo
Score
10/10
Malware Config
Extracted
Family
remcos
Botnet
NEW REM STUB
C2
valvesco.duckdns.org:5050
Attributes
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-48V73L
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\INQUIRY 3937489.exe"C:\Users\Admin\AppData\Local\Temp\INQUIRY 3937489.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\INQUIRY 3937489.exe"C:\Users\Admin\AppData\Local\Temp\INQUIRY 3937489.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\INQUIRY 3937489.exe"C:\Users\Admin\AppData\Local\Temp\INQUIRY 3937489.exe"2⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2432-138-0x0000000000000000-mapping.dmp
-
memory/2576-141-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/2576-139-0x0000000000000000-mapping.dmp
-
memory/2576-140-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/2576-142-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/2576-143-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/2576-144-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/4972-134-0x0000000005A40000-0x0000000005AD2000-memory.dmpFilesize
584KB
-
memory/4972-135-0x0000000005AF0000-0x0000000005AFA000-memory.dmpFilesize
40KB
-
memory/4972-136-0x00000000085C0000-0x000000000865C000-memory.dmpFilesize
624KB
-
memory/4972-137-0x00000000088D0000-0x0000000008936000-memory.dmpFilesize
408KB
-
memory/4972-133-0x0000000006110000-0x00000000066B4000-memory.dmpFilesize
5.6MB
-
memory/4972-132-0x0000000000F90000-0x00000000010A2000-memory.dmpFilesize
1.1MB