Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 04/12/2023, 05:35
Static task: static1
Behavioral task: behavioral1
  Sample: 6a9957dd2a19a1bf4af05ca7be1694de.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: 6a9957dd2a19a1bf4af05ca7be1694de.exe
  Resource: win10v2004-20231127-en
General
Target: 6a9957dd2a19a1bf4af05ca7be1694de.exe
Size: 268KB
MD5: 6a9957dd2a19a1bf4af05ca7be1694de
SHA1: 72c945a8acf762df42d5d5ae1a281a2e5c3d9196
SHA256: 17d18a7a41119c12455a644fefca70b4504db83e0122d6dc2652f46f98de8992
SHA512: 42076c0d76914a89e2785eddef8d5049ab8fd958cc363279e0fbb18b819684157d212c2f922502fa6a7e10471eda806b257e37b4712f389cb56eac94c69d5113
SSDEEP: 6144:7sGckEKnZ9WIUwBjbXB2PwpD1l0FxFAZAO4adb/oN:AGcbKnZkIUwBjV2PwpRzu6oN
Malware Config
Extracted: remcos
RemoteHost: 185.157.162.241:1303
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-NT0JNG
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Executes dropped EXE (3 IoCs)
  pid | Process
  2668 | remcos.exe
  2536 | remcos.exe
  2560 | remcos.exe
Loads dropped DLL (2 IoCs)
  pid | Process
  2820 | 6a9957dd2a19a1bf4af05ca7be1694de.exe
  2668 | remcos.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-NT0JNG = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | 6a9957dd2a19a1bf4af05ca7be1694de.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-NT0JNG = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | 6a9957dd2a19a1bf4af05ca7be1694de.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-NT0JNG = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | remcos.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-NT0JNG = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | remcos.exe
Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2888 set thread context of 2820 | 2888 | 6a9957dd2a19a1bf4af05ca7be1694de.exe | 29
  PID 2668 set thread context of 2560 | 2668 | remcos.exe | 31
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: MapViewOfSection (3 IoCs)
  pid | Process
  2888 | 6a9957dd2a19a1bf4af05ca7be1694de.exe
  2668 | remcos.exe
  2668 | remcos.exe
Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 2888 wrote to memory of 2820 | 2888 | 6a9957dd2a19a1bf4af05ca7be1694de.exe | 29
  PID 2888 wrote to memory of 2820 | 2888 | 6a9957dd2a19a1bf4af05ca7be1694de.exe | 29
  PID 2888 wrote to memory of 2820 | 2888 | 6a9957dd2a19a1bf4af05ca7be1694de.exe | 29
  PID 2888 wrote to memory of 2820 | 2888 | 6a9957dd2a19a1bf4af05ca7be1694de.exe | 29
  PID 2888 wrote to memory of 2820 | 2888 | 6a9957dd2a19a1bf4af05ca7be1694de.exe | 29
  PID 2820 wrote to memory of 2668 | 2820 | 6a9957dd2a19a1bf4af05ca7be1694de.exe | 30
  PID 2820 wrote to memory of 2668 | 2820 | 6a9957dd2a19a1bf4af05ca7be1694de.exe | 30
  PID 2820 wrote to memory of 2668 | 2820 | 6a9957dd2a19a1bf4af05ca7be1694de.exe | 30
  PID 2820 wrote to memory of 2668 | 2820 | 6a9957dd2a19a1bf4af05ca7be1694de.exe | 30
  PID 2668 wrote to memory of 2536 | 2668 | remcos.exe | 32
  PID 2668 wrote to memory of 2536 | 2668 | remcos.exe | 32
  PID 2668 wrote to memory of 2536 | 2668 | remcos.exe | 32
  PID 2668 wrote to memory of 2536 | 2668 | remcos.exe | 32
  PID 2668 wrote to memory of 2560 | 2668 | remcos.exe | 31
  PID 2668 wrote to memory of 2560 | 2668 | remcos.exe | 31
  PID 2668 wrote to memory of 2560 | 2668 | remcos.exe | 31
  PID 2668 wrote to memory of 2560 | 2668 | remcos.exe | 31
  PID 2668 wrote to memory of 2560 | 2668 | remcos.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\6a9957dd2a19a1bf4af05ca7be1694de.exe (depth 1, PID 2888)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6a9957dd2a19a1bf4af05ca7be1694de.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\6a9957dd2a19a1bf4af05ca7be1694de.exe (depth 2, PID 2820)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6a9957dd2a19a1bf4af05ca7be1694de.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\ProgramData\Remcos\remcos.exe (depth 3, PID 2668)
      Command line: "C:\ProgramData\Remcos\remcos.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\ProgramData\Remcos\remcos.exe (depth 4, PID 2560)
        Command line: "C:\ProgramData\Remcos\remcos.exe"
        - Executes dropped EXE
        - Adds Run key to start application
      C:\ProgramData\Remcos\remcos.exe (depth 4, PID 2536)
        Command line: "C:\ProgramData\Remcos\remcos.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 268KB
MD5: 6a9957dd2a19a1bf4af05ca7be1694de
SHA1: 72c945a8acf762df42d5d5ae1a281a2e5c3d9196
SHA256: 17d18a7a41119c12455a644fefca70b4504db83e0122d6dc2652f46f98de8992
SHA512: 42076c0d76914a89e2785eddef8d5049ab8fd958cc363279e0fbb18b819684157d212c2f922502fa6a7e10471eda806b257e37b4712f389cb56eac94c69d5113
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOB1G6ZJ\encrypt[1].bin
Filesize: 483KB
MD5: 9ff228d096ee65bf9d214b5793bde076
SHA1: 1d388f9f9c9d1fe1db1f79948b959625a9ac33c1
SHA256: 3f7f8b96bd1f1bf7d5ef5bd8c0fe2f6de28295be2514243fd903bab2165697cc
SHA512: ed6a9c7d3e38b621903bd269b6b64825db5e9224fb6e9972615b7db30c2b65959e0014073bc1335e6bdb5c68bbec3e4ab5d942c4217aa83033ff4bba6a6db62d