Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
05-06-2023 11:34
General
-
Target
497181638d2830749115aff8751dfaddc201d4a9de50e731c7e999381575f714.exe
-
Size
114KB
-
MD5
53d4ab9c429de02b7efc94d7be3e6059
-
SHA1
2dba6ac014c7115407fbd56e6367c3f57679404f
-
SHA256
497181638d2830749115aff8751dfaddc201d4a9de50e731c7e999381575f714
-
SHA512
a19570164b7bc47c6975b93835b408c80f7fed8a9874d398cf0227e2dd2c033d4e31f0bb332c800bab0f60073eec084a0bebac4abc6ba069aa3547c27c9622cb
-
SSDEEP
3072:1toI3eJY6z2cQEjbCTb6TbEVDR2fxvPXj5:1aJJ9zpblEVDsvj5
Malware Config
Extracted
remcos
RemoteHost
pekonomia.duckdns.org:30861
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-B0VP4N
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
-
Nirsoft 8 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\497181638d2830749115aff8751dfaddc201d4a9de50e731c7e999381575f714.exe"C:\Users\Admin\AppData\Local\Temp\497181638d2830749115aff8751dfaddc201d4a9de50e731c7e999381575f714.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\H2.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\H2.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\skqz"4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\cewstph"4⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\nyjcuhrijk"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\nyjcuhrijk"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\ori.exe"C:\Users\Admin\AppData\Local\Temp\ori.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 38 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\fsgdhfgjf\dgfshjk.exe,"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 386⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\fsgdhfgjf\dgfshjk.exe,"6⤵
- Modifies WinLogon for persistence
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 37 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ori.exe" "C:\Users\Admin\AppData\Roaming\fsgdhfgjf\dgfshjk.exe" && ping 127.0.0.1 -n 37 > nul && "C:\Users\Admin\AppData\Roaming\fsgdhfgjf\dgfshjk.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 376⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 376⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\fsgdhfgjf\dgfshjk.exe"C:\Users\Admin\AppData\Roaming\fsgdhfgjf\dgfshjk.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\497181638d2830749115aff8751dfaddc201d4a9de50e731c7e999381575f714.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 13⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ori.exeFilesize
765KB
MD5c6d43b7e399cdb8f37c3b920cd592b6b
SHA1756c5d2d46bb796e7af63e53a7c00e747a65c5f9
SHA2565f274df0116006f2ab64521860026e68ab2c9b980523d23997920a3e4a0693d5
SHA512b827aae2673750b4392ae96e5c2f77da5ddc0841afbe4f1b8fe05bfef206871f8ff0b5ac64216f9363916d20a7ae326ba28849baa6215390d8b31883faed9c1c
-
C:\Users\Admin\AppData\Local\Temp\ori.exeFilesize
765KB
MD5c6d43b7e399cdb8f37c3b920cd592b6b
SHA1756c5d2d46bb796e7af63e53a7c00e747a65c5f9
SHA2565f274df0116006f2ab64521860026e68ab2c9b980523d23997920a3e4a0693d5
SHA512b827aae2673750b4392ae96e5c2f77da5ddc0841afbe4f1b8fe05bfef206871f8ff0b5ac64216f9363916d20a7ae326ba28849baa6215390d8b31883faed9c1c
-
C:\Users\Admin\AppData\Local\Temp\ori.exeFilesize
765KB
MD5c6d43b7e399cdb8f37c3b920cd592b6b
SHA1756c5d2d46bb796e7af63e53a7c00e747a65c5f9
SHA2565f274df0116006f2ab64521860026e68ab2c9b980523d23997920a3e4a0693d5
SHA512b827aae2673750b4392ae96e5c2f77da5ddc0841afbe4f1b8fe05bfef206871f8ff0b5ac64216f9363916d20a7ae326ba28849baa6215390d8b31883faed9c1c
-
C:\Users\Admin\AppData\Local\Temp\skqzFilesize
4KB
MD5b1a407ed9778faba2aa43f92e4e85dca
SHA1cb9c6835291dde8bf4227b3adafdc8e0ef07a4bb
SHA2561d16f0d3fe199ac744b1305b95e04ed2fd8711ada610cfbe373a14ea301277f5
SHA5127d9ca374f1d3464a9ba12c8a7708593e43eee2a7f2b7ac7cecf6fe36845d6407bc2938dddab63ee912a16dd70488ffeae6c4408e7c1e57457441c4a3243103ac
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\H2.exeFilesize
571KB
MD583e968ea79da03bc0e20716cd99d5fcb
SHA143234878888b72b4d6e9b7704f5c7715edff72c2
SHA2566ca06d119da53e4bcd4752e62971541d0d4d2cfc86bad01b9ba8253c3d2615d3
SHA5120f27f08b933fe2566bbfcc5b99bf748948a35d8e977aa9bb75a45201fec7e1e005462e3b454725142f902906999247634cff533c43002507817f6e7c9fa93162
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\H2.exeFilesize
571KB
MD583e968ea79da03bc0e20716cd99d5fcb
SHA143234878888b72b4d6e9b7704f5c7715edff72c2
SHA2566ca06d119da53e4bcd4752e62971541d0d4d2cfc86bad01b9ba8253c3d2615d3
SHA5120f27f08b933fe2566bbfcc5b99bf748948a35d8e977aa9bb75a45201fec7e1e005462e3b454725142f902906999247634cff533c43002507817f6e7c9fa93162
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\H2.exeFilesize
571KB
MD583e968ea79da03bc0e20716cd99d5fcb
SHA143234878888b72b4d6e9b7704f5c7715edff72c2
SHA2566ca06d119da53e4bcd4752e62971541d0d4d2cfc86bad01b9ba8253c3d2615d3
SHA5120f27f08b933fe2566bbfcc5b99bf748948a35d8e977aa9bb75a45201fec7e1e005462e3b454725142f902906999247634cff533c43002507817f6e7c9fa93162
-
C:\Users\Admin\AppData\Roaming\fsgdhfgjf\dgfshjk.exeFilesize
765KB
MD5c6d43b7e399cdb8f37c3b920cd592b6b
SHA1756c5d2d46bb796e7af63e53a7c00e747a65c5f9
SHA2565f274df0116006f2ab64521860026e68ab2c9b980523d23997920a3e4a0693d5
SHA512b827aae2673750b4392ae96e5c2f77da5ddc0841afbe4f1b8fe05bfef206871f8ff0b5ac64216f9363916d20a7ae326ba28849baa6215390d8b31883faed9c1c
-
C:\Users\Admin\AppData\Roaming\fsgdhfgjf\dgfshjk.exeFilesize
765KB
MD5c6d43b7e399cdb8f37c3b920cd592b6b
SHA1756c5d2d46bb796e7af63e53a7c00e747a65c5f9
SHA2565f274df0116006f2ab64521860026e68ab2c9b980523d23997920a3e4a0693d5
SHA512b827aae2673750b4392ae96e5c2f77da5ddc0841afbe4f1b8fe05bfef206871f8ff0b5ac64216f9363916d20a7ae326ba28849baa6215390d8b31883faed9c1c
-
memory/112-163-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/112-182-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/112-175-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/112-167-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/112-170-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/228-164-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/228-169-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/228-179-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/228-172-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/228-211-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/1248-137-0x000002A5B76E0000-0x000002A5B76F0000-memory.dmpFilesize
64KB
-
memory/1248-133-0x000002A5B7360000-0x000002A5B737C000-memory.dmpFilesize
112KB
-
memory/1564-238-0x00000000058F0000-0x0000000005900000-memory.dmpFilesize
64KB
-
memory/1564-237-0x00000000058F0000-0x0000000005900000-memory.dmpFilesize
64KB
-
memory/1564-236-0x00000000058F0000-0x0000000005900000-memory.dmpFilesize
64KB
-
memory/1564-232-0x00000000058F0000-0x0000000005900000-memory.dmpFilesize
64KB
-
memory/1564-239-0x00000000058F0000-0x0000000005900000-memory.dmpFilesize
64KB
-
memory/1564-230-0x0000000000B50000-0x0000000000C16000-memory.dmpFilesize
792KB
-
memory/1564-233-0x00000000058F0000-0x0000000005900000-memory.dmpFilesize
64KB
-
memory/1564-240-0x00000000058F0000-0x0000000005900000-memory.dmpFilesize
64KB
-
memory/1564-231-0x00000000058F0000-0x0000000005900000-memory.dmpFilesize
64KB
-
memory/2116-168-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/2116-180-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/2116-173-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/2116-174-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/2116-212-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/3424-225-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/3424-234-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/3424-149-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/3424-226-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/3424-201-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/3424-160-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/3424-162-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/3424-157-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/3424-156-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/3424-155-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/3424-151-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/3424-235-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/3424-209-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/3424-159-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/3424-190-0x0000000010000000-0x0000000010019000-memory.dmpFilesize
100KB
-
memory/3424-188-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/3424-154-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/3424-153-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/3424-152-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/3424-184-0x0000000010000000-0x0000000010019000-memory.dmpFilesize
100KB
-
memory/3424-187-0x0000000010000000-0x0000000010019000-memory.dmpFilesize
100KB
-
memory/3424-218-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/3424-219-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/3424-221-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/3424-222-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4404-147-0x000001CCB0170000-0x000001CCB0204000-memory.dmpFilesize
592KB
-
memory/4404-148-0x000001CCCA7F0000-0x000001CCCA800000-memory.dmpFilesize
64KB
-
memory/4520-207-0x0000000005E10000-0x0000000005E20000-memory.dmpFilesize
64KB
-
memory/4520-217-0x0000000005E10000-0x0000000005E20000-memory.dmpFilesize
64KB
-
memory/4520-216-0x0000000005E10000-0x0000000005E20000-memory.dmpFilesize
64KB
-
memory/4520-215-0x0000000005E10000-0x0000000005E20000-memory.dmpFilesize
64KB
-
memory/4520-214-0x0000000005E10000-0x0000000005E20000-memory.dmpFilesize
64KB
-
memory/4520-213-0x0000000005E10000-0x0000000005E20000-memory.dmpFilesize
64KB
-
memory/4520-210-0x0000000005E10000-0x0000000005E20000-memory.dmpFilesize
64KB
-
memory/4520-208-0x0000000005E10000-0x0000000005E20000-memory.dmpFilesize
64KB
-
memory/4520-206-0x00000000059F0000-0x00000000059FA000-memory.dmpFilesize
40KB
-
memory/4520-205-0x0000000005B90000-0x0000000005C2C000-memory.dmpFilesize
624KB
-
memory/4520-204-0x0000000005A50000-0x0000000005AE2000-memory.dmpFilesize
584KB
-
memory/4520-203-0x0000000006140000-0x00000000066E4000-memory.dmpFilesize
5.6MB
-
memory/4520-202-0x0000000000F80000-0x0000000001046000-memory.dmpFilesize
792KB