Analysis
-
max time kernel
151s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
-
submitted
08-08-2023 07:14
General
-
Target
c88d4757ee5c295c3ff996dca43e737a.exe
-
Size
987KB
-
MD5
c88d4757ee5c295c3ff996dca43e737a
-
SHA1
dc307074db36fefeb99a5c1715b90a1382493d70
-
SHA256
f197a58d2ac9ac937c5d417d0800d4804a80402395cdde0fe42dec0931674da4
-
SHA512
a2901e2941f0fd5b72b46840852e2f056a006e665eb2f54dedd30c3a139e0f8d1f780d237626e9f3a2df2e95daf1e25f9430de4e9cc8a82e7d2aef92decfd5f6
-
SSDEEP
12288:x+h7rFnTibJ2tYdG7T+IAmvHfvT2Nxda5vWfco//3HS8meXaI1eIEJJZ3gSeYApt:S6byT+I/vXT2NMWfco//3y8m29MQCyt
Malware Config
Extracted
remcos
RemoteHost
212.193.30.230:3343
79.110.49.161:3343
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-CQL1U6
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c88d4757ee5c295c3ff996dca43e737a.exe"C:\Users\Admin\AppData\Local\Temp\c88d4757ee5c295c3ff996dca43e737a.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell set-mppreference -exclusionpath C:\3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe2⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD52de98301142039828d6351a1cfcb5898
SHA1c55da6fb63f2c8f90ebe4d6d4f68c22b79240c84
SHA2560a82c72e8d6c5a7f7976089660b638d45f63abbba67b613e1e36eb05dae5e3b8
SHA512701a4bf9058437742664496b04062c9591d9f0994bb128e74bc44a99fc4d85787e3760301d909bb65b93ade3bf204d21dbc9c1d0b365aed153ebb28abecacc12
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
256KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
976KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
952KB
-
Filesize
1016KB
-
Filesize
4KB
-
Filesize
448KB
-
Filesize
304KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
516KB
-
Filesize
516KB