Analysis
-
max time kernel
149s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
28-03-2023 06:08
General
-
Target
on demand.exe
-
Size
541KB
-
MD5
a6ef3293f66f1f2d3ae7a368b60dc577
-
SHA1
af2f768b813b8a05908ab2040551728427a7078a
-
SHA256
cf9bbb8ecfcffe72f03f134197a9e6e58c405b6f0eba941bf079899d4411c5db
-
SHA512
a0c03dc2f552c51552c8dfcb54b46757aeb0efc5160e1c82f91951c8e1ef3106b2609129f01eaab0cbf3eedbb350afde693749c14b38c1877df75b3deea5dd0d
-
SSDEEP
12288:KYTv1iDSrrW+gEYdOobbP/x6Gc6OFGXF4ifMyyqBgD+J:KYTv1iOgGWlKF/K7gD+J
Malware Config
Extracted
remcos
RemoteHost
127.0.0.1:55898
180.214.238.18:55898
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-08QBMU
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\on demand.exe"C:\Users\Admin\AppData\Local\Temp\on demand.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pghscxwgeb.exe"C:\Users\Admin\AppData\Local\Temp\pghscxwgeb.exe" C:\Users\Admin\AppData\Local\Temp\wvoxvopxjva.w2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pghscxwgeb.exe"C:\Users\Admin\AppData\Local\Temp\pghscxwgeb.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\remcos\logs.datFilesize
144B
MD5505a4af11e36c4c9b88c7dbf755b712a
SHA1e14cc9a6e0c38a9d507793d72223b204c5696d45
SHA256821df975a5340b7d15b79334e24d8ab1c5360efb5842c916f5c905c5371e0ba0
SHA5125bf0f45ff6ecca4a14981ccde63ffc8dd9a378e6a02e408ea1a59bc5429e8af20eeeea25a2b06d658fc50fa606dc4feb055efe943fb70c130322a4f625095dc5
-
C:\Users\Admin\AppData\Local\Temp\pghscxwgeb.exeFilesize
138KB
MD582334772e194ae5493a7dbb0659eaeda
SHA1c3fd675eeabce7da7440e5675105239693b2bee7
SHA2564dafd419d7527d71fa56c6c124b1da96ec108bd7685ff98e79d15ba122e04530
SHA512766d3e8cf88d635fb78ef33613ef8d2926cc1a113613df9bf3f639ec5db394657aabe53e5d1b2ead6aa6ebcc4c1da1803992fa13bf6271e3f9628d6aadb228ed
-
C:\Users\Admin\AppData\Local\Temp\pghscxwgeb.exeFilesize
138KB
MD582334772e194ae5493a7dbb0659eaeda
SHA1c3fd675eeabce7da7440e5675105239693b2bee7
SHA2564dafd419d7527d71fa56c6c124b1da96ec108bd7685ff98e79d15ba122e04530
SHA512766d3e8cf88d635fb78ef33613ef8d2926cc1a113613df9bf3f639ec5db394657aabe53e5d1b2ead6aa6ebcc4c1da1803992fa13bf6271e3f9628d6aadb228ed
-
C:\Users\Admin\AppData\Local\Temp\pghscxwgeb.exeFilesize
138KB
MD582334772e194ae5493a7dbb0659eaeda
SHA1c3fd675eeabce7da7440e5675105239693b2bee7
SHA2564dafd419d7527d71fa56c6c124b1da96ec108bd7685ff98e79d15ba122e04530
SHA512766d3e8cf88d635fb78ef33613ef8d2926cc1a113613df9bf3f639ec5db394657aabe53e5d1b2ead6aa6ebcc4c1da1803992fa13bf6271e3f9628d6aadb228ed
-
C:\Users\Admin\AppData\Local\Temp\pghscxwgeb.exeFilesize
138KB
MD582334772e194ae5493a7dbb0659eaeda
SHA1c3fd675eeabce7da7440e5675105239693b2bee7
SHA2564dafd419d7527d71fa56c6c124b1da96ec108bd7685ff98e79d15ba122e04530
SHA512766d3e8cf88d635fb78ef33613ef8d2926cc1a113613df9bf3f639ec5db394657aabe53e5d1b2ead6aa6ebcc4c1da1803992fa13bf6271e3f9628d6aadb228ed
-
C:\Users\Admin\AppData\Local\Temp\wvoxvopxjva.wFilesize
7KB
MD51f908367955b6d2238e2d5640f05177e
SHA1b24c2f3c2dcdbbb8d5a74ea3db8349225f9ee926
SHA256b8cb0a382514f8598ece81d01ed770a182420fe92f0049fbf0285668d8eca0ef
SHA51288aa1bb3078471416cbbd511435896bcc064de414cdc7362d1f64070559f623c99597370d78503aff12f5da69113697a7a301471c14445bc76598c9a013532b7
-
C:\Users\Admin\AppData\Local\Temp\xpwswdvofjr.blaFilesize
496KB
MD554ecaf4f40b83a83f7667ab7016c7b5c
SHA1a3d877d72f7b8986d196a9ee09c01e7c4a8df453
SHA25658c07d62898690ecbb0ed26859c087ae7f22ee71f1973eaab4041a1a48754d82
SHA5129ee717cce17da6f754330f660c94fb9cf7bf614f6a1715046acd5d001b660dace0d827831eb37938d48ac0b9b7a36098b5905467b63b77f6dc96e21cf30a9a82
-
\Users\Admin\AppData\Local\Temp\pghscxwgeb.exeFilesize
138KB
MD582334772e194ae5493a7dbb0659eaeda
SHA1c3fd675eeabce7da7440e5675105239693b2bee7
SHA2564dafd419d7527d71fa56c6c124b1da96ec108bd7685ff98e79d15ba122e04530
SHA512766d3e8cf88d635fb78ef33613ef8d2926cc1a113613df9bf3f639ec5db394657aabe53e5d1b2ead6aa6ebcc4c1da1803992fa13bf6271e3f9628d6aadb228ed
-
\Users\Admin\AppData\Local\Temp\pghscxwgeb.exeFilesize
138KB
MD582334772e194ae5493a7dbb0659eaeda
SHA1c3fd675eeabce7da7440e5675105239693b2bee7
SHA2564dafd419d7527d71fa56c6c124b1da96ec108bd7685ff98e79d15ba122e04530
SHA512766d3e8cf88d635fb78ef33613ef8d2926cc1a113613df9bf3f639ec5db394657aabe53e5d1b2ead6aa6ebcc4c1da1803992fa13bf6271e3f9628d6aadb228ed
-
\Users\Admin\AppData\Local\Temp\pghscxwgeb.exeFilesize
138KB
MD582334772e194ae5493a7dbb0659eaeda
SHA1c3fd675eeabce7da7440e5675105239693b2bee7
SHA2564dafd419d7527d71fa56c6c124b1da96ec108bd7685ff98e79d15ba122e04530
SHA512766d3e8cf88d635fb78ef33613ef8d2926cc1a113613df9bf3f639ec5db394657aabe53e5d1b2ead6aa6ebcc4c1da1803992fa13bf6271e3f9628d6aadb228ed
-
memory/1412-89-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-95-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-76-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-77-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-78-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-79-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-82-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-84-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-86-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-88-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-73-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-69-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-91-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-93-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-94-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-74-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-101-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-102-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-103-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-106-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-108-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-111-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-112-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-116-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-119-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-121-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-122-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-126-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-129-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-132-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-133-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1412-137-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB