Analysis
-
max time kernel
599s -
max time network
594s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
11-04-2024 00:34
General
-
Target
g2m.dll
-
Size
200.0MB
-
MD5
20c883bfc44dcd6eda231560851723d2
-
SHA1
f479834bfabb38c950a6b2a00f87bf7cdc5e80bb
-
SHA256
570104241aec8d351f43c141352ceefafdad2778edd9dc455aee59f3d5ce250f
-
SHA512
2afa9ed3ded2d1658e1bf3d0b2ea753b302f559feb6de2478dda8f98e757b7a6397b39f284c51ab8822b7585728ae159f12ebcefc456fbdc7c5d55f9f476077d
-
SSDEEP
786432:3UP7GCGO7b0Srkx/tC0SzIdSwh/WxbpNHQD3trzRpH:3UP7GCG64Srkx1hSzYsHQD3t/R
Malware Config
Extracted
remcos
RemoteHost
clepdhunt.duckdns.org:4047
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-S0GVOJ
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request 4 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\g2m.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\g2m.dll2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Holding130rd.vbs"4⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WindowsServices\UNAQP.cmd" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\AppData\Roaming\WindowsServices\UUTGX.ps16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Holding130rd.vbs"8⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WindowsServices\UNAQP.cmd" "9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\AppData\Roaming\WindowsServices\UUTGX.ps110⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"11⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"11⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"7⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
503B
MD55d3fff1b9b0b50c2d1b978b5e26fe28d
SHA18c382cb42267ee979a412bc0a950e67b91822fc3
SHA25602a302fb8ae7cdd340de1726f1e89bd67b012dc311e7f1e555be28bdae3f3ca7
SHA5123848ba48b10eeee832fe18d3d8a5645ccbf0ce294e05fbcdacae19285a12524d1c246fbce6507345a987f5998ab6361169aa4f0977afbc5c57249c9a350f101c
-
Filesize
192B
MD518476bf2c6a14941d249c0bfbe2049bc
SHA19a35a7b51bcafcb8a3ccfa90e5c3dddffcc37041
SHA256a9a13a561eb86d6962774d4164c422319b4b099bac6987f7c79e33edf86f8339
SHA5129e8adca58b8a57cb1e16bc121394158d583c369b9bca87353392ed45acad4832721afcfcda7ad7f66b434cb2104bde1dd97b88d3de6a93e716a794aa6d58ba83
-
Filesize
552B
MD5c25cc2154d0638dcfb9196cdbad6488a
SHA1b85b53141e99a7573c4b4226b129959727b86ebe
SHA2560fae37c9933ef1f05283ad41bad93e56f54786248bc00ab271e3bc7032b4bcfc
SHA5123664639ce3646df3c46842be34545de87a6f8ae8d1304a72d85fd719974321cb375458ec0d9a9bcf060700403067bcc4f7b48495bab416b920a496399a5c12e6
-
Filesize
2KB
MD5e3d77fe9c961841ae8c7c3ed37d6b1e6
SHA144f16e0827eb01c293bcc1fe1e5f19bd9ecc3058
SHA256df4d0c62c8152b380b58341f3236b73a45303b5b36c57f0cee26203d1f75cd21
SHA512147dc8bd8e3e8a75577bc1323c61314f218195c3faf8b2e9e10e7c2ebe13608df778a54e23f463013710d8b4edc1ca60325893d77be55485c6597431089515f0
-
Filesize
18KB
MD54251795e1752134065dccf1c1029241f
SHA1025d125fd2927c746c3f72497957c7de7c7aa2c1
SHA256cbdf5ced4620e16e5ff8b5d927bf58a45c1c6b7b8bf1254791b2503223798da0
SHA512d7befa0fe6c5429ac46ec168e732b60de3d1b3ef30a878fc1e5fa9665c208f8614b8199f93f97dbb7147243df88d54dd73f87a1ad93cb6b113358a4355e4822b
-
Filesize
5.8MB
MD523d7b25f8233971afe7801edb6615eaa
SHA1dd3e2f1fecc1d18af047045dcba2a73359b7019f
SHA256ecac17cda633793bbe91741f4e8ec371000d82ba9cfeab0ee79c9a84d9a0a62c
SHA512090e4e3bb0cfdbda4f40c3ab76d3d11cb95c26e2069a4a05628875eb794f1b48904d353865c51b68c93b9c57d497abcb2a0f837e6611d3fc955511685cc0f3f1
-
Filesize
44KB
MD59d352bc46709f0cb5ec974633a0c3c94
SHA11969771b2f022f9a86d77ac4d4d239becdf08d07
SHA2562c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA51213c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
276B
MD508573053b297406719cdb275f62815c8
SHA10d82ae88fc747cfacd3a7fd80cb52d9e7f0eaa2f
SHA256b89ba728b322bff609cc24052896f31c11091a82296e0351769543437b0788bb
SHA5126feb1b5a0fee7f3e5d1fb2c76a8a4565e6d6f5441e2e156fbd88ef5324c823a95b2e767f8e2948e899793ba3edcc438f9afdc03fdca8dddb3d7a6537f621505d
-
Filesize
75B
MD5190bb5d0398a86cffba0566aad524749
SHA1cfb0913a6a8ca4404fc94f0875a3e1b7ae222d60
SHA256bf6b4681cb1ea2e7d4e4571a7f80c3a50c8788618cf6437616aefa93b491423b
SHA512d4be5e0fff7f05ad1730908181e8e1889772a03ae72d5c691bdfa4bab584c1e3dd62124b59222c110d74f3884d73bfdeaf316618a3be05a6ffde4fc3ccefbdaf
-
Filesize
1.1MB
MD5a77c5e1a90d97c8c16ff8748fc668b3c
SHA1611679d8a5e1e5bcaf5cdf3148947f0aa0650af8
SHA2569dadb75e08649354b0e891ed8c3a0fb0cc515dbcc79c38f8da0abacd016cbae1
SHA51290669e3a22af8603d754d6bd52c9065e190126e98d41f52a4d729a29afe09e2e4559256a87f3d3715c55087e4c2e61e50ad3f2f314624ff64b83072aa1582bab
-
Filesize
1KB
MD5ba94bb345c24a99c07babfcd399f1e06
SHA1b32601d93fccb9d1254b32f30ba3603abc6b9b3e
SHA25645b60007f0a3217739ea128330dd5838ef88d34de0135ccf228fd1714dc6823e
SHA5120d61439cf183e66c67e1a854ffea80e120952990e1fd65b48592dd4e2ace5d7a2e8e4d11e26ca3322361498a4166e925696355155b93356bcc8b2db6f1b06992
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
6.2MB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
600KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
45.7MB
-
Filesize
45.7MB
-
Filesize
45.7MB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB