Overview

overview

10

Static

static

3

e6284eafa6...92.exe

windows7-x64

10

e6284eafa6...92.exe

windows10-1703-x64

10

e6284eafa6...92.exe

windows10-2004-x64

10

e6284eafa6...92.exe

windows11-21h2-x64

10

Resubmissions

09-04-2024 14:14

240409-rj3fvsce6t 10

09-04-2024 14:14

240409-rj2vbsce6s 10

09-04-2024 14:14

240409-rj18ssce51 10

09-04-2024 14:14

240409-rj1x2ahb79 10

04-04-2024 02:44

240404-c8cjeada69 10

Analysis

  • max time kernel
    1202s
  • max time network
    1226s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09-04-2024 14:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e6284eafa60ee032f4517d1ce32329cf9a43918aed4026e68b486bc0986bd392.exe

  • Size

    522KB

  • MD5

    366b352bad65c71445747135fe315aec

  • SHA1

    4307b086d0a9f38d0cf4620e4f3f6ac77e7d6d3f

  • SHA256

    e6284eafa60ee032f4517d1ce32329cf9a43918aed4026e68b486bc0986bd392

  • SHA512

    49f75b2c87e3d2b78901c05c0fef7011d1ea5de6d91d4eeca8dd8b9c7229efabd015b5b03501c1e4e4bd93fccae336520ecb04d6c00eb57123fc8e68ec4541a1

  • SSDEEP

    12288:YiVvIoaAY5T3SBGmWb7T/CWX8/hbAqm4lgova5WMvEAmD:rIoN+jSBMT/k/Vrm4Cuc

Score
10/10
remcosggrat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

gg

C2

62.102.148.185:9771

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    newstart

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_wgwfvnfssp

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6284eafa60ee032f4517d1ce32329cf9a43918aed4026e68b486bc0986bd392.exe
    "C:\Users\Admin\AppData\Local\Temp\e6284eafa60ee032f4517d1ce32329cf9a43918aed4026e68b486bc0986bd392.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e6284eafa60ee032f4517d1ce32329cf9a43918aed4026e68b486bc0986bd392.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3692
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gAmdlUtlZn.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:832
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gAmdlUtlZn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp72F9.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4848
    • C:\Users\Admin\AppData\Local\Temp\e6284eafa60ee032f4517d1ce32329cf9a43918aed4026e68b486bc0986bd392.exe
      "C:\Users\Admin\AppData\Local\Temp\e6284eafa60ee032f4517d1ce32329cf9a43918aed4026e68b486bc0986bd392.exe"
      2⤵
        PID:1848
      • C:\Users\Admin\AppData\Local\Temp\e6284eafa60ee032f4517d1ce32329cf9a43918aed4026e68b486bc0986bd392.exe
        "C:\Users\Admin\AppData\Local\Temp\e6284eafa60ee032f4517d1ce32329cf9a43918aed4026e68b486bc0986bd392.exe"
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:2108

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      1c19c16e21c97ed42d5beabc93391fc5

      SHA1

      8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

      SHA256

      1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

      SHA512

      7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      c09feab27a2b2228d008cf55400ba877

      SHA1

      7de026d4cae4f39adb013ed66d8dad7e4713289d

      SHA256

      321e00188f37fec46cd7bbb4720a561966efeb9929bbae1e6c18486a8ea750a4

      SHA512

      6c2e6b687401470cc91156bda111a6a6403af5bd49b0255de6fc59b4a7d761743e0fda2ef8fdb1e293d537c7cefac7c4ace34a17d7d4f779d0e7e909208105bc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bqpzaumz.sv5.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp72F9.tmp
      Filesize

      1KB

      MD5

      234e032f66a6a5618e10c9f71edfab95

      SHA1

      44e8ac8ff36c07966e18bb49215901ef100832b0

      SHA256

      08bd967ac8c9b65df246d0cc7e39e11c67b214385379f98f7f5f01215c7399f1

      SHA512

      f85af2144f3b2f56f2447881b6eadf8a2c1fa9b83a7b6734ae9650bc88ff4d15601afc64d93b539f6cff1265c3ea81105a1e99c5fc9146886a9a4efa7b51928e

      Download Submit
    • memory/832-75-0x000000007EA10000-0x000000007EA20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/832-90-0x0000000007560000-0x0000000007570000-memory.dmp
      Filesize

      64KB

      Download
    • memory/832-88-0x0000000009D20000-0x0000000009DC5000-memory.dmp
      Filesize

      660KB

      Download
    • memory/832-78-0x0000000009BB0000-0x0000000009BCE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/832-477-0x00000000098B0000-0x00000000098CA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/832-77-0x0000000070700000-0x000000007074B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/832-517-0x0000000073780000-0x0000000073E6E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/832-30-0x0000000008420000-0x0000000008770000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/832-27-0x0000000007970000-0x0000000007992000-memory.dmp
      Filesize

      136KB

      Download
    • memory/832-25-0x0000000007BA0000-0x00000000081C8000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/832-22-0x0000000073780000-0x0000000073E6E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/832-24-0x0000000007560000-0x0000000007570000-memory.dmp
      Filesize

      64KB

      Download
    • memory/832-23-0x0000000007560000-0x0000000007570000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2108-34-0x0000000000400000-0x0000000000417000-memory.dmp
      Filesize

      92KB

      Download
    • memory/2108-31-0x0000000000400000-0x0000000000417000-memory.dmp
      Filesize

      92KB

      Download
    • memory/2108-519-0x0000000000400000-0x0000000000417000-memory.dmp
      Filesize

      92KB

      Download
    • memory/2108-38-0x0000000000400000-0x0000000000417000-memory.dmp
      Filesize

      92KB

      Download
    • memory/2108-35-0x0000000000400000-0x0000000000417000-memory.dmp
      Filesize

      92KB

      Download
    • memory/2720-4-0x0000000004F80000-0x0000000004F90000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2720-8-0x0000000006560000-0x00000000065BE000-memory.dmp
      Filesize

      376KB

      Download
    • memory/2720-0-0x0000000073780000-0x0000000073E6E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2720-1-0x00000000003C0000-0x0000000000448000-memory.dmp
      Filesize

      544KB

      Download
    • memory/2720-36-0x0000000073780000-0x0000000073E6E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2720-2-0x0000000005210000-0x000000000570E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/2720-3-0x0000000004D10000-0x0000000004DA2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2720-11-0x0000000004F80000-0x0000000004F90000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2720-5-0x0000000004E00000-0x0000000004E0A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2720-10-0x0000000073780000-0x0000000073E6E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2720-6-0x0000000004F70000-0x0000000004F82000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2720-9-0x0000000008BA0000-0x0000000008C3C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2720-7-0x00000000050A0000-0x00000000050AC000-memory.dmp
      Filesize

      48KB

      Download
    • memory/3692-40-0x0000000008800000-0x000000000884B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/3692-20-0x0000000004F90000-0x0000000004FC6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/3692-79-0x0000000070700000-0x000000007074B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/3692-74-0x000000007E9C0000-0x000000007E9D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3692-89-0x0000000005020000-0x0000000005030000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3692-41-0x0000000008AE0000-0x0000000008B56000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3692-91-0x0000000009E80000-0x0000000009F14000-memory.dmp
      Filesize

      592KB

      Download
    • memory/3692-76-0x0000000009BC0000-0x0000000009BF3000-memory.dmp
      Filesize

      204KB

      Download
    • memory/3692-486-0x0000000009860000-0x0000000009868000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3692-39-0x0000000007B80000-0x0000000007B9C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/3692-28-0x0000000007A90000-0x0000000007AF6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3692-514-0x0000000073780000-0x0000000073E6E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3692-29-0x0000000007BE0000-0x0000000007C46000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3692-518-0x0000000073780000-0x0000000073E6E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3692-19-0x0000000073780000-0x0000000073E6E000-memory.dmp
      Filesize

      6.9MB

      Download