Overview

overview

10

Static

static

10

Remcos v4.9.3 Pro.exe

windows7-x64

10

Remcos v4.9.3 Pro.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2023 17:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Remcos v4.9.3 Pro.exe

  • Size

    467KB

  • MD5

    ccb5f97be3daefc9cdeaff2aec1ad323

  • SHA1

    3b561e66a88eb6072a363c1b9cc52d0a679c20e6

  • SHA256

    f7284ed876aebbf3407d50fd6acdbd11adb75c31550c3034c1600f4eb4e61043

  • SHA512

    c6716462e91b02b561ebe89418c3a36eea7dea6924ff6483cef6c834512123258706924cb8ec07040325522d41fe329659758b01f69bf6a17805599344f01180

  • SSDEEP

    6144:sXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZsAX4cNF5Gv:sX7tPMK8ctGe4Dzl4h2QnuPs/Zs0cv

Score
10/10
hawkeyeremcosnulledevasionkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

remcos

Botnet

nulled

C2

essagbs.ddns.net:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    svhost.exe

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %WinDir%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    logs

  • mouse_option

    false

  • mutex

    ewaewefsefsefdseadwadf-21RLZF

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 6 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 34 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe
    "C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe"
    1⤵
    • Adds policy Run key to start application
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\reg.exe
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • Modifies registry key
        PID:2616
    • C:\Windows\svhost.exe
      "C:\Windows\svhost.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • Modifies registry key
          PID:2512
      • \??\c:\program files (x86)\internet explorer\iexplore.exe
        "c:\program files (x86)\internet explorer\iexplore.exe"
        3⤵
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\SysWOW64\cmd.exe
          /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2668
          • C:\Windows\SysWOW64\reg.exe
            C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            5⤵
            • UAC bypass
            • Modifies registry key
            PID:2560
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          4⤵
            PID:2728
          • C:\Windows\SysWOW64\dxdiag.exe
            "C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
            4⤵
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:332
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wfphnbumtkurc.vbs"
            4⤵
              PID:1536

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      1
      T1562

      Disable or Modify Tools

      1
      T1562.001

      Modify Registry

      4
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\logs\logs.dat
        Filesize

        230B

        MD5

        c894c86f1264d487437ca652291a6c7e

        SHA1

        7c1a00da8d1afb5afdef6fe6c04701738958db95

        SHA256

        ecd3217430b344d77f078c08a8207bd9ab2738bf3844a80050641f6c26d51059

        SHA512

        3a86736dee83c8279786beecfa29e09dee1c2f7c6d2319d1349fa5cb6b024a3bcba73b2d9b32fd2dec42b875fd7f9ddd54c022e35e290dd5b8189dcb34d27361

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
        Filesize

        15KB

        MD5

        a29b9352798d0f783cce266c7847017c

        SHA1

        c3bf0df87754c6275773326711059a1058c92851

        SHA256

        82a06462de98e42d3b111f780d9a3d2067edfead18152f1f54b08dda39c68fef

        SHA512

        5616749d739a7b31cfdebbf2b000f24db1946a0245d4a2df560c93ce4dcd9108fbbc570b76b617f9c3c48335854a469a4bd5033fa28534bc9091cb9f4ecf1ca9

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\wfphnbumtkurc.vbs
        Filesize

        404B

        MD5

        add5c07ccccb47a55d146baefa26ae14

        SHA1

        f4f673a17ff2d1ccf91ba8fab00c07869c07f1e7

        SHA256

        3c57ff2c305b8048ce2569a62fe40c600c891a81cece9ee42f2f8310c0a83518

        SHA512

        9786c6f0d60de49a417a194e77859427517a6819f450676a303226f793f108ae4f8345cfd2cb94ecd5a204d6592a81325c7d80a7a08b318a922621495ffa9261

        Download Submit
      • C:\Windows\svhost.exe
        Filesize

        467KB

        MD5

        ccb5f97be3daefc9cdeaff2aec1ad323

        SHA1

        3b561e66a88eb6072a363c1b9cc52d0a679c20e6

        SHA256

        f7284ed876aebbf3407d50fd6acdbd11adb75c31550c3034c1600f4eb4e61043

        SHA512

        c6716462e91b02b561ebe89418c3a36eea7dea6924ff6483cef6c834512123258706924cb8ec07040325522d41fe329659758b01f69bf6a17805599344f01180

        Download Submit
      • C:\Windows\svhost.exe
        Filesize

        467KB

        MD5

        ccb5f97be3daefc9cdeaff2aec1ad323

        SHA1

        3b561e66a88eb6072a363c1b9cc52d0a679c20e6

        SHA256

        f7284ed876aebbf3407d50fd6acdbd11adb75c31550c3034c1600f4eb4e61043

        SHA512

        c6716462e91b02b561ebe89418c3a36eea7dea6924ff6483cef6c834512123258706924cb8ec07040325522d41fe329659758b01f69bf6a17805599344f01180

        Download Submit
      • C:\Windows\svhost.exe
        Filesize

        467KB

        MD5

        ccb5f97be3daefc9cdeaff2aec1ad323

        SHA1

        3b561e66a88eb6072a363c1b9cc52d0a679c20e6

        SHA256

        f7284ed876aebbf3407d50fd6acdbd11adb75c31550c3034c1600f4eb4e61043

        SHA512

        c6716462e91b02b561ebe89418c3a36eea7dea6924ff6483cef6c834512123258706924cb8ec07040325522d41fe329659758b01f69bf6a17805599344f01180

        Download Submit
      • memory/332-93-0x0000000000E20000-0x0000000000E7C000-memory.dmp
        Filesize

        368KB

        Download
      • memory/332-91-0x0000000000850000-0x000000000085A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/332-95-0x0000000000E20000-0x0000000000E7C000-memory.dmp
        Filesize

        368KB

        Download
      • memory/332-94-0x0000000000E20000-0x0000000000E7C000-memory.dmp
        Filesize

        368KB

        Download
      • memory/332-98-0x0000000000C70000-0x0000000000C9A000-memory.dmp
        Filesize

        168KB

        Download
      • memory/332-77-0x0000000000820000-0x000000000082A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/332-76-0x0000000000820000-0x000000000082A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/332-96-0x0000000000C70000-0x0000000000C9A000-memory.dmp
        Filesize

        168KB

        Download
      • memory/332-92-0x0000000000850000-0x000000000085A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/332-100-0x0000000000820000-0x000000000082A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2728-26-0x00000000000D0000-0x000000000014E000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2728-25-0x00000000000D0000-0x000000000014E000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2728-22-0x00000000000D0000-0x000000000014E000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2728-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2740-27-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-74-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-35-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-36-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-37-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-39-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-40-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-41-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-42-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-45-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-46-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-47-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-52-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-53-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-32-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-60-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-61-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-68-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-69-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-70-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-71-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-72-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-73-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-33-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-75-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-31-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-29-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-28-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-24-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-19-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-17-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-18-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-14-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-10-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-13-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-12-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-101-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-104-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-106-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-107-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-109-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-111-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-112-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-113-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-119-0x0000000000080000-0x00000000000FE000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2740-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download