Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
06/03/2024, 13:11
General
-
Target
3103ebb8576654b0f3ef393bb5c860e93fb69ab8400e01295b25b0f244b34c61.exe
-
Size
904KB
-
MD5
f41c63ec04a686dcd7acb8afe12a0a0e
-
SHA1
6e33557b27ab27b72cd7029d3db1f70f6cee2567
-
SHA256
3103ebb8576654b0f3ef393bb5c860e93fb69ab8400e01295b25b0f244b34c61
-
SHA512
0eb2dabc2d4a0e04fedc42b35e83dff6a6d83d9ca5f265b12583be9e6690efa6f84cae577516475c98f523709119471a1172ebd2f8deb5840e6bdd79904fbf74
-
SSDEEP
24576:fsZM8GtqcVf77qoVnl9mhFW1eNV3O0yd0Zg7i:HnVf7WoVnl9oWV0ykn
Malware Config
Extracted
remcos
Vps4
192.161.184.21:24054
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
Rlog.dat
-
keylog_flag
false
-
keylog_folder
DrWin
-
mouse_option
false
-
mutex
Rmc2024-Q4AYK1
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3103ebb8576654b0f3ef393bb5c860e93fb69ab8400e01295b25b0f244b34c61.exe"C:\Users\Admin\AppData\Local\Temp\3103ebb8576654b0f3ef393bb5c860e93fb69ab8400e01295b25b0f244b34c61.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB377.tmp.bat""2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"4⤵
- Suspicious use of SetWindowsHookEx
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
260B
MD5f408d65f82df7e0a9ccc9c17deb14508
SHA1b461e3f2625ba33ac0c819cfea87ef54114c74b4
SHA2565e5bbc05e45c49ad95bc10136da2c432791ca9432a9c90f6f6ccfb7f2b2cb9bb
SHA512eaeafac5cce005e9c9b1cad8512cc29482e35dbb7d7783dd964c509eba500826aa70da45346d08341e748028111c9f41aab14ee09bef553d5da2038f2a1e0755
-
Filesize
151B
MD5f936f71679b93db6b43961548a339525
SHA14a058426577394c63de05ededfe1c02741f1ccd6
SHA256cdcb6d6d1ab32c2c6a9e82bb0164b6e87c6c4106dd9e78f852587ae8c8f8dac9
SHA512ba23cbf97716fae7006cd0380016132e5454cc94dad6fca210c8e50264ec3c2af64c656c9002d94a78123c96d671b6b8396c698f60f31da5b8a3aac74428e8d6
-
Filesize
904KB
MD5f41c63ec04a686dcd7acb8afe12a0a0e
SHA16e33557b27ab27b72cd7029d3db1f70f6cee2567
SHA2563103ebb8576654b0f3ef393bb5c860e93fb69ab8400e01295b25b0f244b34c61
SHA5120eb2dabc2d4a0e04fedc42b35e83dff6a6d83d9ca5f265b12583be9e6690efa6f84cae577516475c98f523709119471a1172ebd2f8deb5840e6bdd79904fbf74
-
Filesize
9.9MB
-
Filesize
880KB
-
Filesize
512KB
-
Filesize
912KB
-
Filesize
9.9MB
-
Filesize
104KB
-
Filesize
912KB
-
Filesize
104KB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB