Analysis
max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 15/02/2024, 00:57

Static task: static1
Behavioral task: behavioral1
  Sample: 9c89d5c943e0569efd3d2bc58b62a4ea.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 9c89d5c943e0569efd3d2bc58b62a4ea.exe
  Resource: win10v2004-20231215-en

General
Target: 9c89d5c943e0569efd3d2bc58b62a4ea.exe
Size: 846KB
MD5: 9c89d5c943e0569efd3d2bc58b62a4ea
SHA1: 5560da6d905f87a54585d896e2d60cdd76e55f63
SHA256: 2274248efc8c44261f3f742f58cf46853ef66ee351b6612c6ffbfffcd06c1508
SHA512: 296aa08705d751fa49886bb0e669dd1b922531a30965fdf6283d4ea1908bdcc39587244527138222c9e5573fa657923a9e21f27d2a2f377d49402ef89544ce40
SSDEEP: 12288:ffIx+DGo6SpgiJ/zQ/+opWWoPQWrjWoYCsWR2p1nW9oTVut2fQIK6woYB5NgcI58:0G7J/zQ/+oZr0Tz6FFznN2PETrWhW4
Malware Config
Extracted family: remcos
Version: 3.1.5 Pro
RemoteHost1: 185.157.160.215:2405
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-L7JSN5
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;
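The config above already tells an analyst where the host artifacts will land: install_path, copy_folder and copy_file give the dropped binary, startup_value gives the name of the Run value, mutex gives the synchronisation object, and RemoteHost1 gives the C2 endpoint. The Python below is an added example and is not part of the sandbox report or of Remcos itself. It resolves those fields into concrete IOCs for the sandbox user profile (C:\Users\Admin, an assumption taken from the process tree), parses one "Set value" row from the "Adds Run key" signature as the sandbox renders it (a quoted, backslash-escaped string, so \" and \\ have to be undone), and checks that the observed Run value is the one the config predicts. Keylog and screenshot paths are only emitted when the corresponding flag is true, which is why this config yields no logs.dat path even though keylog_file is set.

```python
import re

# Fields copied from the extracted Remcos config above (constructed subset).
REMCOS_CONFIG = {
    "RemoteHost1": "185.157.160.215:2405",
    "install_flag": "true",
    "install_path": "%AppData%",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "startup_value": "Remcos",
    "mutex": "Remcos-L7JSN5",
    "keylog_flag": "false",
    "keylog_path": "%AppData%",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_flag": "false",
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
}

# Assumed roaming profile of the sandbox user; the process tree shows C:\Users\Admin.
APPDATA = r"C:\Users\Admin\AppData\Roaming"

# One "Set value" IOC row copied from the report. The sandbox renders the registry data as a
# quoted, backslash-escaped string, so the parser has to undo \" and \\ before comparing paths.
RUN_KEY_EVENT = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = '
    r'"\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" '
    r'9c89d5c943e0569efd3d2bc58b62a4ea.exe'
)

RUN_KEY_RE = re.compile(
    r'Set value \(str\) \\REGISTRY\\USER\\(?P<sid>S-1-5-[\d-]+)'
    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>\S+) = '
    r'"(?P<data>.*)" (?P<proc>\S+)$'
)


def expand(template: str, appdata: str) -> str:
    """Resolve the %AppData% placeholder Remcos uses in its path fields."""
    return template.replace("%AppData%", appdata)


def win_join(*parts: str) -> str:
    """Join path components with a Windows separator regardless of the host OS."""
    return "\\".join(parts)


def derive_host_iocs(cfg: dict, appdata: str) -> dict:
    """Turn config fields into the file, registry, mutex and network artifacts to hunt for."""
    iocs = {"mutex": cfg["mutex"]}
    host, port = cfg["RemoteHost1"].rsplit(":", 1)
    iocs["c2"] = (host, int(port))
    if cfg["install_flag"] == "true":
        base = expand(cfg["install_path"], appdata)
        iocs["install_exe"] = win_join(base, cfg["copy_folder"], cfg["copy_file"])
        iocs["run_key"] = r"Software\Microsoft\Windows\CurrentVersion\Run"  # under HKCU
        iocs["run_value_name"] = cfg["startup_value"]
    # Artifact files only exist when the matching capability is switched on.
    if cfg["keylog_flag"] == "true":
        iocs["keylog_file"] = win_join(expand(cfg["keylog_path"], appdata),
                                       cfg["keylog_folder"], cfg["keylog_file"])
    if cfg["screenshot_flag"] == "true":
        iocs["screenshot_dir"] = win_join(expand(cfg["screenshot_path"], appdata),
                                          cfg["screenshot_folder"])
    return iocs


def parse_run_key_event(line: str):
    """Parse one sandbox 'Set value (str) ...\\Run\\<name> = "<data>" <process>' row."""
    m = RUN_KEY_RE.match(line)
    if not m:
        return None
    data = m["data"].replace('\\"', '"').replace("\\\\", "\\")
    return {
        "sid": m["sid"],
        "value_name": m["name"],
        "command": data,            # exactly what the Run value holds, quotes included
        "exe": data.strip('"'),
        "process": m["proc"],       # process that wrote the value
    }


def persistence_matches_config(event: dict, cfg: dict, appdata: str) -> bool:
    """True when the observed Run value is the one the extracted config predicts."""
    iocs = derive_host_iocs(cfg, appdata)
    return (
        "install_exe" in iocs
        and event["value_name"] == iocs["run_value_name"]
        and event["exe"].lower() == iocs["install_exe"].lower()
    )


if __name__ == "__main__":
    iocs = derive_host_iocs(REMCOS_CONFIG, APPDATA)
    event = parse_run_key_event(RUN_KEY_EVENT)
    for key, value in iocs.items():
        print(f"{key}: {value}")
    print("Run value written by", event["process"], "matches config:",
          persistence_matches_config(event, REMCOS_CONFIG, APPDATA))
```

The comparison is case-insensitive because NTFS paths are; the registry value itself keeps the surrounding quotes, which is why `command` and `exe` are returned separately.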
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  3024  remcos.exe
  2620  remcos.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2820  cmd.exe
  2820  cmd.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                                          Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""  9c89d5c943e0569efd3d2bc58b62a4ea.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""  remcos.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process                               procid_target
  PID 2256 set thread context of 2916  2256  9c89d5c943e0569efd3d2bc58b62a4ea.exe  28
  PID 3024 set thread context of 2620  3024  remcos.exe                            33

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  2256  9c89d5c943e0569efd3d2bc58b62a4ea.exe
  3024  remcos.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  2620  remcos.exe

Suspicious use of WriteProcessMemory (22 IoCs; the report lists every call, so each distinct write below carries the number of times it is repeated)
  description                       pid   Process                               procid_target  repeats
  PID 2256 wrote to memory of 2916  2256  9c89d5c943e0569efd3d2bc58b62a4ea.exe  28             5
  PID 2916 wrote to memory of 2700  2916  9c89d5c943e0569efd3d2bc58b62a4ea.exe  29             4
  PID 2700 wrote to memory of 2820  2700  WScript.exe                           30             4
  PID 2820 wrote to memory of 3024  2820  cmd.exe                               32             4
  PID 3024 wrote to memory of 2620  3024  remcos.exe                            33             5
Processes
1. C:\Users\Admin\AppData\Local\Temp\9c89d5c943e0569efd3d2bc58b62a4ea.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\9c89d5c943e0569efd3d2bc58b62a4ea.exe"
   PID: 2256
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\9c89d5c943e0569efd3d2bc58b62a4ea.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\9c89d5c943e0569efd3d2bc58b62a4ea.exe"
     PID: 2916
     - Adds Run key to start application
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\WScript.exe
       command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
       PID: 2700
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\SysWOW64\cmd.exe
         command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
         PID: 2820
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
           command line: C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
           PID: 3024
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Suspicious behavior: MapViewOfSection
           - Suspicious use of WriteProcessMemory
          6. C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
             command line: C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
             PID: 2620
             - Executes dropped EXE
             - Adds Run key to start application
             - Suspicious use of SetWindowsHookEx
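Read together, the SetThreadContext, WriteProcessMemory and MapViewOfSection signatures and the process tree show the same sequence twice: a process starts a second copy of its own image, writes into it and then sets its thread context, which is the classic process-hollowing pattern. It happens first from the dropper (2256 into 2916) and again from the persisted copy (3024 into 2620); in between, the hollowed dropper runs install.vbs through WScript.exe, and cmd.exe launches the dropped remcos.exe from the roaming profile. WScript.exe and cmd.exe are listed under SysWOW64 even though their command lines name System32, which is WoW64 file-system redirection for a 32-bit process (consistent with the arch:x86 resource tag). The Python below is an added example and not the sandbox's own detection logic: it parses the signature rows as printed (one per distinct write, since the report repeats each), takes the parent/child relationships and image paths from the process tree, and flags both the self-hollowing pairs and the script-host to cmd to AppData\Roaming execution chain.

```python
import ntpath
import re

# Process tree reconstructed from the Processes section above: pid -> (parent pid, image path).
PROCS = {
    2256: (None, r"C:\Users\Admin\AppData\Local\Temp\9c89d5c943e0569efd3d2bc58b62a4ea.exe"),
    2916: (2256, r"C:\Users\Admin\AppData\Local\Temp\9c89d5c943e0569efd3d2bc58b62a4ea.exe"),
    2700: (2916, r"C:\Windows\SysWOW64\WScript.exe"),
    2820: (2700, r"C:\Windows\SysWOW64\cmd.exe"),
    3024: (2820, r"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"),
    2620: (3024, r"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"),
}

# Signature rows copied from the report, one per distinct write (the report repeats each
# WriteProcessMemory row four or five times). Columns: description, pid, Process, procid_target.
SIGNATURE_LINES = """
PID 2256 set thread context of 2916 2256 9c89d5c943e0569efd3d2bc58b62a4ea.exe 28
PID 3024 set thread context of 2620 3024 remcos.exe 33
PID 2256 wrote to memory of 2916 2256 9c89d5c943e0569efd3d2bc58b62a4ea.exe 28
PID 2916 wrote to memory of 2700 2916 9c89d5c943e0569efd3d2bc58b62a4ea.exe 29
PID 2700 wrote to memory of 2820 2700 WScript.exe 30
PID 2820 wrote to memory of 3024 2820 cmd.exe 32
PID 3024 wrote to memory of 2620 3024 remcos.exe 33
"""

# The acting pid appears twice in each row (inside the description and in the pid column);
# the backreference enforces that they agree. target_idx is the sandbox's own procid_target.
EVENT_RE = re.compile(
    r"PID (?P<pid>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<target>\d+) (?P=pid) (?P<image>\S+) (?P<target_idx>\d+)$"
)


def parse_events(text: str) -> list:
    """Return (pid, action, target_pid, image) for every row matching the report layout."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((int(m["pid"]), m["action"], int(m["target"]), m["image"]))
    return events


def image_name(pid: int, procs: dict = PROCS) -> str:
    return ntpath.basename(procs[pid][1]).lower()


def lineage(pid: int, procs: dict = PROCS) -> list:
    """Image names from the root of the tree down to pid."""
    chain = []
    while pid is not None:
        chain.append(image_name(pid, procs))
        pid = procs[pid][0]
    return chain[::-1]


def find_self_hollowing(events: list, procs: dict = PROCS) -> list:
    """Flag a parent that writes into a child running the same image, then sets its thread context.

    Create-suspended, WriteProcessMemory, SetThreadContext is the process-hollowing sequence;
    requiring an identical image path keeps the check specific to the self-injection seen here.
    """
    wrote = {(p, t) for p, a, t, _ in events if a == "wrote to memory of"}
    hits = []
    for p, a, t, _ in events:
        if a != "set thread context of":
            continue
        parent, target_image = procs[t]
        if parent == p and target_image.lower() == procs[p][1].lower() and (p, t) in wrote:
            hits.append((p, t, image_name(t, procs)))
    return hits


def dropped_exe_via_script_host(procs: dict = PROCS) -> list:
    """Pids of executables under AppData\\Roaming whose ancestors include wscript.exe and cmd.exe."""
    hits = []
    for pid, (_, image) in procs.items():
        ancestors = lineage(pid, procs)[:-1]
        if "\\appdata\\roaming\\" in image.lower() and "wscript.exe" in ancestors and "cmd.exe" in ancestors:
            hits.append(pid)
    return sorted(hits)


if __name__ == "__main__":
    events = parse_events(SIGNATURE_LINES)
    print("self-hollowing pairs:", find_self_hollowing(events))
    print("dropped exe via script host:", dropped_exe_via_script_host())
    print("lineage of 2620:", " -> ".join(lineage(2620)))
```

On a live host the same two checks map onto Sysmon event ID 1 (parent/child and image paths) and ID 10 (process access with write/set-context rights); the sandbox rows stand in for those records here.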
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 418B
  MD5: b92d64fe5b1d1f59df4b738262aea8df
  SHA1: c8fb1981759c2d9bb2ec91b705985fba5fc7af63
  SHA256: fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a
  SHA512: 2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

File 2
  Filesize: 148B
  MD5: c42b5f7aa65b005fa825285014fc8e12
  SHA1: 6adaa03f43ea36028f1c228450d68d077262b845
  SHA256: 49874b40248fce7e013ada47f0651eff1e39425a650b15e9cfef8d3a51ac8637
  SHA512: b27fe2b46fbb8ee0525e149d2e3ed113a1ff8e455ff52c8a839a8adc50916d66d23a7eace293a4b947d45fc726f663084b978f0dd112f433adac70fab6a97190

File 3 (same hashes as the submitted sample)
  Filesize: 846KB
  MD5: 9c89d5c943e0569efd3d2bc58b62a4ea
  SHA1: 5560da6d905f87a54585d896e2d60cdd76e55f63
  SHA256: 2274248efc8c44261f3f742f58cf46853ef66ee351b6612c6ffbfffcd06c1508
  SHA512: 296aa08705d751fa49886bb0e669dd1b922531a30965fdf6283d4ea1908bdcc39587244527138222c9e5573fa657923a9e21f27d2a2f377d49402ef89544ce40