Analysis
-
max time kernel
113s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
-
submitted
30-11-2023 17:41
General
-
Target
Remcos v4.9.3 Pro.exe
-
Size
467KB
-
MD5
ccb5f97be3daefc9cdeaff2aec1ad323
-
SHA1
3b561e66a88eb6072a363c1b9cc52d0a679c20e6
-
SHA256
f7284ed876aebbf3407d50fd6acdbd11adb75c31550c3034c1600f4eb4e61043
-
SHA512
c6716462e91b02b561ebe89418c3a36eea7dea6924ff6483cef6c834512123258706924cb8ec07040325522d41fe329659758b01f69bf6a17805599344f01180
-
SSDEEP
6144:sXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZsAX4cNF5Gv:sX7tPMK8ctGe4Dzl4h2QnuPs/Zs0cv
Malware Config
Extracted
remcos
nulled
essagbs.ddns.net:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
svhost.exe
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%WinDir%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
logs
-
mouse_option
false
-
mutex
ewaewefsefsefdseadwadf-21RLZF
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
UAC bypass 3 TTPs 3 IoCs
-
Adds policy Run key to start application 2 TTPs 6 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Drops file in System32 directory 9 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 37 IoCs
-
Modifies registry key 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe"1⤵
- Adds policy Run key to start application
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\svhost.exe"C:\Windows\svhost.exe"2⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
- Modifies registry key
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\svchost.exesvchost.exe4⤵
-
C:\Windows\SysWOW64\dxdiag.exe"C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt4⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xnhrhirejwhaukcpqxomxlhohemjwotzz.vbs"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\logs\logs.datFilesize
144B
MD5b5ca88c62504ff698932e49a72a17688
SHA1466404d4d999d91f6ddf5e7fbe2c578024350dba
SHA2569265eb06d69b94967489c440217a44056e939a92934d6c017c003bf928a3f415
SHA512a351113ff3bb1c53f26f3fc669bd5c48a935d57e95e63ced0fae6206c3c288bd75a8f3608658b5db4a9bbddae83d346f7c7ee31cefa64cf48f7b46e1901ce187
-
C:\Users\Admin\AppData\Local\Temp\sysinfo.txtFilesize
84KB
MD5baa86d0d3993cb98e75513ecebdb661a
SHA138fdbbb092d3971e0cc6734e4bac94e6f4dbfea8
SHA2563576796d932549bcfcb3e4409ab6d79b81cd7d8a4ec468b84dfb9278ae36e756
SHA51210c7c5fc8083a1dd0fbb255d4e7e31ee33491e552dffe8323e6c36ab8cc61a7710cc7f7ca05e677b7de4a394e771ae03e29d0f3e3645b9802a27aaf97b0f7888
-
C:\Users\Admin\AppData\Local\Temp\xnhrhirejwhaukcpqxomxlhohemjwotzz.vbsFilesize
404B
MD5add5c07ccccb47a55d146baefa26ae14
SHA1f4f673a17ff2d1ccf91ba8fab00c07869c07f1e7
SHA2563c57ff2c305b8048ce2569a62fe40c600c891a81cece9ee42f2f8310c0a83518
SHA5129786c6f0d60de49a417a194e77859427517a6819f450676a303226f793f108ae4f8345cfd2cb94ecd5a204d6592a81325c7d80a7a08b318a922621495ffa9261
-
C:\Windows\svhost.exeFilesize
467KB
MD5ccb5f97be3daefc9cdeaff2aec1ad323
SHA13b561e66a88eb6072a363c1b9cc52d0a679c20e6
SHA256f7284ed876aebbf3407d50fd6acdbd11adb75c31550c3034c1600f4eb4e61043
SHA512c6716462e91b02b561ebe89418c3a36eea7dea6924ff6483cef6c834512123258706924cb8ec07040325522d41fe329659758b01f69bf6a17805599344f01180
-
C:\Windows\svhost.exeFilesize
467KB
MD5ccb5f97be3daefc9cdeaff2aec1ad323
SHA13b561e66a88eb6072a363c1b9cc52d0a679c20e6
SHA256f7284ed876aebbf3407d50fd6acdbd11adb75c31550c3034c1600f4eb4e61043
SHA512c6716462e91b02b561ebe89418c3a36eea7dea6924ff6483cef6c834512123258706924cb8ec07040325522d41fe329659758b01f69bf6a17805599344f01180
-
C:\Windows\svhost.exeFilesize
467KB
MD5ccb5f97be3daefc9cdeaff2aec1ad323
SHA13b561e66a88eb6072a363c1b9cc52d0a679c20e6
SHA256f7284ed876aebbf3407d50fd6acdbd11adb75c31550c3034c1600f4eb4e61043
SHA512c6716462e91b02b561ebe89418c3a36eea7dea6924ff6483cef6c834512123258706924cb8ec07040325522d41fe329659758b01f69bf6a17805599344f01180
-
memory/4344-17-0x0000000000A30000-0x0000000000AAE000-memory.dmpFilesize
504KB
-
memory/4344-21-0x0000000000A30000-0x0000000000AAE000-memory.dmpFilesize
504KB
-
memory/4344-20-0x0000000000A30000-0x0000000000AAE000-memory.dmpFilesize
504KB
-
memory/4344-18-0x0000000000A30000-0x0000000000AAE000-memory.dmpFilesize
504KB
-
memory/4364-40-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-78-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-19-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-14-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-13-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-22-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-23-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-24-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-27-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-28-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-29-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-30-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-31-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-33-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-34-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-37-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-38-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-11-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-10-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-43-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-44-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-8-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-104-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-101-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-98-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-96-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-94-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-95-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-93-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-89-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-88-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-9-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-75-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-77-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-16-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-84-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-85-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4364-86-0x0000000000F60000-0x0000000000FDE000-memory.dmpFilesize
504KB
-
memory/4436-58-0x00000000020B0000-0x00000000020B1000-memory.dmpFilesize
4KB
-
memory/4436-57-0x00000000020B0000-0x00000000020B1000-memory.dmpFilesize
4KB
-
memory/4436-56-0x00000000020B0000-0x00000000020B1000-memory.dmpFilesize
4KB
-
memory/4436-55-0x00000000020B0000-0x00000000020B1000-memory.dmpFilesize
4KB
-
memory/4436-53-0x00000000020B0000-0x00000000020B1000-memory.dmpFilesize
4KB
-
memory/4436-54-0x00000000020B0000-0x00000000020B1000-memory.dmpFilesize
4KB
-
memory/4436-52-0x00000000020B0000-0x00000000020B1000-memory.dmpFilesize
4KB
-
memory/4436-48-0x00000000020B0000-0x00000000020B1000-memory.dmpFilesize
4KB
-
memory/4436-47-0x00000000020B0000-0x00000000020B1000-memory.dmpFilesize
4KB
-
memory/4436-46-0x00000000020B0000-0x00000000020B1000-memory.dmpFilesize
4KB