Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
26-03-2023 01:35
General
-
Target
Lecture 10.exe
-
Size
1.2MB
-
MD5
df59dea5d8a77ae66f24cc7d25924cec
-
SHA1
f5a25cdae133bf6851e85c934d90508033d7b579
-
SHA256
c9ec59e23695adca831f06aca398c511cac81f2fd65c7353f14b4725791ab80a
-
SHA512
c5a35e079dd7113eaa8ea55fba702572ef3d4f7fa32f7542055583783bc967888c981bb3690fad9ae1cf833ed2baefcd3e964ff7f44c2b9555f9421012347b3b
-
SSDEEP
24576:al06MFYr0PLhaX7nXdrj1IJNf+QQCwQZI5RHsHgZfW4l0:alL8YnzU+QtC5RHsA
Malware Config
Extracted
remcos
RemoteHost
ennenbach.duckdns.org:5800
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-QWQZF3
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Suspicious use of SetThreadContext 14 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 41 IoCs
-
Suspicious behavior: EnumeratesProcesses 52 IoCs
-
Suspicious behavior: MapViewOfSection 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 47 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Lecture 10.exe"C:\Users\Admin\AppData\Local\Temp\Lecture 10.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZgiXnjSvRpTK.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgiXnjSvRpTK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE8DA.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Lecture 10.exe"C:\Users\Admin\AppData\Local\Temp\Lecture 10.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.04⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:275457 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:4207618 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:406534 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:603155 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:865299 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:1127453 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:537672 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:1324095 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\remcos\logs.datFilesize
144B
MD5e4025697409e1cf6db68bae3ffb7cdeb
SHA18baf0d60ffb5b74e56351b6ed10cb2c10db50340
SHA256259f7a1a036227f0e7d7b5d1cc03176a754dc6358caf3ecb0341bdaac796ec19
SHA512200f50c41e6698e7bdcab4c28caecb92f9169b54664e0f8561e8aa8c470a08741ac32012a42e0a3a959180ad8636c127a2ba215b393e2ffa62f2cb9fddb8b82a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BA5D7P93\NewErrorPageTemplate[1]Filesize
1KB
MD5cdf81e591d9cbfb47a7f97a2bcdb70b9
SHA18f12010dfaacdecad77b70a3e781c707cf328496
SHA256204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd
SHA512977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYXN1WWD\dnserror[1]Filesize
1KB
MD573c70b34b5f8f158d38a94b9d7766515
SHA1e9eaa065bd6585a1b176e13615fd7e6ef96230a9
SHA2563ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4
SHA512927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SKXYVKI3\errorPageStrings[1]Filesize
2KB
MD5e3e4a98353f119b80b323302f26b78fa
SHA120ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA2569466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SKXYVKI3\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\httpErrorPagesScripts[2]Filesize
8KB
MD53f57b781cb3ef114dd0b665151571b7b
SHA1ce6a63f996df3a1cccb81720e21204b825e0238c
SHA25646e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA5128cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa
-
C:\Users\Admin\AppData\Local\Temp\tmpE8DA.tmpFilesize
1KB
MD51ea5fc52be737c27583f46fba8d07104
SHA1ff1a67541a8122eac7a2a39e2e23db637114fee1
SHA2560baa2cf1e2b9d3444c8662307640cdc1e48dec52c650f62a0d2eceeb86786c19
SHA51216787038756b323da478da86448d980f04e173da57702df9e340fe27412c823f36b8877e2f8502f2f908d40ff547b2e6db1342f06a3a264e0e5a2dca2c83d6f5
-
C:\Users\Admin\AppData\Local\Temp\~DFF277FF5989C76F64.TMPFilesize
16KB
MD558d691069f199d7f837fc91275b6355c
SHA19b6265816c8a30407f66fd66e490c7b5fc22b5c0
SHA256931c3e056380bda5d61a734422514bfd35e83ea04d5d26b9934cacc1213402c0
SHA51223640fe66cd830dcf8f5e2f59902069ef3ff357fbd0ec371a9d3d9080bfbebef7e06bd551e351ebd4d3f8b3f5da0d04b838e6a01858d43df7593b2d1074e871c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TJJTMPB4.txtFilesize
607B
MD5ed9e391899b82720aaf3cd962668454a
SHA12672bd156a4e03d9db2dfb289d3311e17e51b515
SHA256d029004f3dab53bbbb678b18402ddea4fc2142e4c9dd2745617d07fae84e8ab3
SHA512ab64df4c1ff06bb0e7bc885f8961260935b76bbd67ee25a2795bfab7a29763e7bdfa0c95ff6dd809895f415d743473d82bb59189e30cef8c43c4df0f9dcfd653
-
memory/1192-112-0x0000000000100000-0x0000000000238000-memory.dmpFilesize
1.2MB
-
memory/1192-110-0x0000000000100000-0x0000000000238000-memory.dmpFilesize
1.2MB
-
memory/1192-107-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1192-108-0x0000000000100000-0x0000000000238000-memory.dmpFilesize
1.2MB
-
memory/1368-87-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1368-92-0x0000000000080000-0x00000000001B8000-memory.dmpFilesize
1.2MB
-
memory/1368-90-0x0000000000080000-0x00000000001B8000-memory.dmpFilesize
1.2MB
-
memory/1368-88-0x0000000000080000-0x00000000001B8000-memory.dmpFilesize
1.2MB
-
memory/1388-132-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-136-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-80-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-81-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-83-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-84-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-85-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-68-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1388-75-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-74-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-93-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-94-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-70-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-148-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-97-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-147-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-78-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-134-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-133-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-104-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-105-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-73-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-72-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-71-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-69-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-113-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-114-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-115-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-131-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-129-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-128-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1388-123-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1664-137-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1664-142-0x0000000000180000-0x00000000002B8000-memory.dmpFilesize
1.2MB
-
memory/1664-140-0x0000000000180000-0x00000000002B8000-memory.dmpFilesize
1.2MB
-
memory/1664-138-0x0000000000180000-0x00000000002B8000-memory.dmpFilesize
1.2MB
-
memory/1976-77-0x0000000002690000-0x00000000026D0000-memory.dmpFilesize
256KB
-
memory/1976-96-0x0000000002690000-0x00000000026D0000-memory.dmpFilesize
256KB
-
memory/1976-95-0x0000000002690000-0x00000000026D0000-memory.dmpFilesize
256KB
-
memory/2012-59-0x0000000008000000-0x00000000080F4000-memory.dmpFilesize
976KB
-
memory/2012-58-0x00000000002A0000-0x00000000002AC000-memory.dmpFilesize
48KB
-
memory/2012-55-0x0000000004C80000-0x0000000004CC0000-memory.dmpFilesize
256KB
-
memory/2012-56-0x0000000000280000-0x0000000000292000-memory.dmpFilesize
72KB
-
memory/2012-54-0x0000000000800000-0x0000000000938000-memory.dmpFilesize
1.2MB
-
memory/2012-67-0x0000000008340000-0x00000000083C0000-memory.dmpFilesize
512KB
-
memory/2012-57-0x0000000004C80000-0x0000000004CC0000-memory.dmpFilesize
256KB
-
memory/2020-118-0x0000000000190000-0x00000000002C8000-memory.dmpFilesize
1.2MB
-
memory/2020-117-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2020-120-0x0000000000190000-0x00000000002C8000-memory.dmpFilesize
1.2MB
-
memory/2020-122-0x0000000000190000-0x00000000002C8000-memory.dmpFilesize
1.2MB
-
memory/2028-101-0x0000000000240000-0x0000000000378000-memory.dmpFilesize
1.2MB
-
memory/2028-103-0x0000000000240000-0x0000000000378000-memory.dmpFilesize
1.2MB
-
memory/2028-99-0x0000000000240000-0x0000000000378000-memory.dmpFilesize
1.2MB
-
memory/2028-98-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB