Analysis

max time kernel: 147s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/12/2023, 05:35

Static task: static1

Behavioral task: behavioral1
Sample: 6a9957dd2a19a1bf4af05ca7be1694de.exe
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: 6a9957dd2a19a1bf4af05ca7be1694de.exe
Resource: win10v2004-20231127-en
General

Target: 6a9957dd2a19a1bf4af05ca7be1694de.exe
Size: 268KB
MD5: 6a9957dd2a19a1bf4af05ca7be1694de
SHA1: 72c945a8acf762df42d5d5ae1a281a2e5c3d9196
SHA256: 17d18a7a41119c12455a644fefca70b4504db83e0122d6dc2652f46f98de8992
SHA512: 42076c0d76914a89e2785eddef8d5049ab8fd958cc363279e0fbb18b819684157d212c2f922502fa6a7e10471eda806b257e37b4712f389cb56eac94c69d5113
SSDEEP: 6144:7sGckEKnZ9WIUwBjbXB2PwpD1l0FxFAZAO4adb/oN:AGcbKnZkIUwBjV2PwpRzu6oN
Malware Config

Extracted: remcos

RemoteHost: 185.157.162.241:1303
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-NT0JNG
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation (process: 6a9957dd2a19a1bf4af05ca7be1694de.exe)

Executes dropped EXE (2 IoCs)
  PID 4704: remcos.exe
  PID 1560: remcos.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-NT0JNG = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" (process: 6a9957dd2a19a1bf4af05ca7be1694de.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-NT0JNG = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" (process: remcos.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-NT0JNG = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" (process: remcos.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-NT0JNG = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" (process: 6a9957dd2a19a1bf4af05ca7be1694de.exe)

Suspicious use of SetThreadContext (2 IoCs)
  PID 4448 set thread context of 4348 (pid 4448, process 6a9957dd2a19a1bf4af05ca7be1694de.exe, procid_target 97)
  PID 4704 set thread context of 1560 (pid 4704, process remcos.exe, procid_target 99)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: MapViewOfSection (2 IoCs)
  PID 4448: 6a9957dd2a19a1bf4af05ca7be1694de.exe
  PID 4704: remcos.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  PID 4448 wrote to memory of 4348 (pid 4448, process 6a9957dd2a19a1bf4af05ca7be1694de.exe, procid_target 97)
  PID 4448 wrote to memory of 4348 (pid 4448, process 6a9957dd2a19a1bf4af05ca7be1694de.exe, procid_target 97)
  PID 4448 wrote to memory of 4348 (pid 4448, process 6a9957dd2a19a1bf4af05ca7be1694de.exe, procid_target 97)
  PID 4448 wrote to memory of 4348 (pid 4448, process 6a9957dd2a19a1bf4af05ca7be1694de.exe, procid_target 97)
  PID 4348 wrote to memory of 4704 (pid 4348, process 6a9957dd2a19a1bf4af05ca7be1694de.exe, procid_target 98)
  PID 4348 wrote to memory of 4704 (pid 4348, process 6a9957dd2a19a1bf4af05ca7be1694de.exe, procid_target 98)
  PID 4348 wrote to memory of 4704 (pid 4348, process 6a9957dd2a19a1bf4af05ca7be1694de.exe, procid_target 98)
  PID 4704 wrote to memory of 1560 (pid 4704, process remcos.exe, procid_target 99)
  PID 4704 wrote to memory of 1560 (pid 4704, process remcos.exe, procid_target 99)
  PID 4704 wrote to memory of 1560 (pid 4704, process remcos.exe, procid_target 99)
  PID 4704 wrote to memory of 1560 (pid 4704, process remcos.exe, procid_target 99)
Processes

C:\Users\Admin\AppData\Local\Temp\6a9957dd2a19a1bf4af05ca7be1694de.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6a9957dd2a19a1bf4af05ca7be1694de.exe"
  PID: 4448
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\6a9957dd2a19a1bf4af05ca7be1694de.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\6a9957dd2a19a1bf4af05ca7be1694de.exe"
      PID: 4348
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

        C:\ProgramData\Remcos\remcos.exe
          Command line: "C:\ProgramData\Remcos\remcos.exe"
          PID: 4704
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory

            C:\ProgramData\Remcos\remcos.exe
              Command line: "C:\ProgramData\Remcos\remcos.exe"
              PID: 1560
              - Executes dropped EXE
              - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 268KB
MD5: 6a9957dd2a19a1bf4af05ca7be1694de
SHA1: 72c945a8acf762df42d5d5ae1a281a2e5c3d9196
SHA256: 17d18a7a41119c12455a644fefca70b4504db83e0122d6dc2652f46f98de8992
SHA512: 42076c0d76914a89e2785eddef8d5049ab8fd958cc363279e0fbb18b819684157d212c2f922502fa6a7e10471eda806b257e37b4712f389cb56eac94c69d5113

Filesize: 483KB
MD5: 9ff228d096ee65bf9d214b5793bde076
SHA1: 1d388f9f9c9d1fe1db1f79948b959625a9ac33c1
SHA256: 3f7f8b96bd1f1bf7d5ef5bd8c0fe2f6de28295be2514243fd903bab2165697cc
SHA512: ed6a9c7d3e38b621903bd269b6b64825db5e9224fb6e9972615b7db30c2b65959e0014073bc1335e6bdb5c68bbec3e4ab5d942c4217aa83033ff4bba6a6db62d