Analysis
-
max time kernel
148s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
30/08/2023, 06:04
General
-
Target
2744-28-0x0000000000400000-0x0000000000417000-memory.exe
-
Size
92KB
-
MD5
76cc8e284837cbf99ba063fdca261590
-
SHA1
5713d6267f2ebb8d3b1ccd0e9349225011ae71af
-
SHA256
fdbdb240f8a3257d858f92cb4d8019f89e951069f0b233a0b6c77acb38603ede
-
SHA512
f3964eb9fcd0031311647ae999551af31a1c04380da02ba6cbf4d97aad7a3e8e23ec22fb4694ca0fdc7b5ba9c67dac6bce49021f51235ba2381dee6970587b52
-
SSDEEP
1536:ohhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP6krl:uhzYTGWVvJ8f2v1TbPzuMsIFSHNThy+B
Malware Config
Extracted
remcos
1.7 Pro
Turk Summer
ascoitaliasasummer.duckdns.org:4045
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
Windows Session Start.exe
-
copy_folder
Microsoft Media Session
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%WinDir%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
Windows Display
-
keylog_path
%WinDir%
-
mouse_option
false
-
mutex
Windows Audio
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
Windows Sound EndPoints
-
take_screenshot_option
true
-
take_screenshot_time
5
-
take_screenshot_title
Username;password;proforma;invoice;notepad
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2744-28-0x0000000000400000-0x0000000000417000-memory.exe"C:\Users\Admin\AppData\Local\Temp\2744-28-0x0000000000400000-0x0000000000417000-memory.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEPING 127.0.0.1 -n 23⤵
- Runs ping.exe
-
-
C:\Windows\Microsoft Media Session\Windows Session Start.exe"C:\Windows\Microsoft Media Session\Windows Session Start.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"4⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
111B
MD57fe5a8c6b904f70919d38c7170e201de
SHA168b95c26da83c89c1aaafe1337c42759fd99d4aa
SHA2564b1774ffddb1debe67e8938724d2dc873b5a4e174735065935c13a1078c41fa4
SHA512a6bfc1eeec4466d51375d025fcb082c799b008ad56dc073d0462604f5413d9499822fb61434a4b3773c530c3b756236eed0cf4f372699d8eb1eda99b29e291df
-
Filesize
92KB
MD576cc8e284837cbf99ba063fdca261590
SHA15713d6267f2ebb8d3b1ccd0e9349225011ae71af
SHA256fdbdb240f8a3257d858f92cb4d8019f89e951069f0b233a0b6c77acb38603ede
SHA512f3964eb9fcd0031311647ae999551af31a1c04380da02ba6cbf4d97aad7a3e8e23ec22fb4694ca0fdc7b5ba9c67dac6bce49021f51235ba2381dee6970587b52
-
Filesize
92KB
MD576cc8e284837cbf99ba063fdca261590
SHA15713d6267f2ebb8d3b1ccd0e9349225011ae71af
SHA256fdbdb240f8a3257d858f92cb4d8019f89e951069f0b233a0b6c77acb38603ede
SHA512f3964eb9fcd0031311647ae999551af31a1c04380da02ba6cbf4d97aad7a3e8e23ec22fb4694ca0fdc7b5ba9c67dac6bce49021f51235ba2381dee6970587b52
-
Filesize
92KB