Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 10:12

Static task: static1
Behavioral task: behavioral1
Sample: ed279d611a2a24da80e4b5c2f6abbf2a0e4f7714b59008bc89d0f39fd64aa6eb.exe
Resource: win7-20240220-en
General

Target: ed279d611a2a24da80e4b5c2f6abbf2a0e4f7714b59008bc89d0f39fd64aa6eb.exe
Size: 906KB
MD5: 4a10aa4917fc6e79dbb5726438097de1
SHA1: 0bef4c5bb90092af4b8a65b9759b4846c31c9a03
SHA256: ed279d611a2a24da80e4b5c2f6abbf2a0e4f7714b59008bc89d0f39fd64aa6eb
SHA512: 26da46e659926a9bca5c141d1af2c9d00986bb382c4011335d885d92a7a6056a4ab94af0259231b8da51feda0029cd574657b4d0f9124a97eaf27db0b4281bf6
SSDEEP: 24576:HU2M/EokdSHmGd4nmzwn2xbUPWJ1znGjXcBfadwO:VMKSHmG6nwZUCzG4Bf
Malware Config

Extracted
Family: remcos
Botnet: KY MIX
C2: 192.210.201.57:52499

Attributes:
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-M2GVTY
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Suspicious use of SetThreadContext (1 IoC)
description                             pid   Process                                                                   procid_target
PID 1572 set thread context of 4672     1572  ed279d611a2a24da80e4b5c2f6abbf2a0e4f7714b59008bc89d0f39fd64aa6eb.exe    84

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
4672  ed279d611a2a24da80e4b5c2f6abbf2a0e4f7714b59008bc89d0f39fd64aa6eb.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                         pid   Process                                                                   procid_target
PID 1572 wrote to memory of 4672    1572  ed279d611a2a24da80e4b5c2f6abbf2a0e4f7714b59008bc89d0f39fd64aa6eb.exe    84
PID 1572 wrote to memory of 4672    1572  ed279d611a2a24da80e4b5c2f6abbf2a0e4f7714b59008bc89d0f39fd64aa6eb.exe    84
PID 1572 wrote to memory of 4672    1572  ed279d611a2a24da80e4b5c2f6abbf2a0e4f7714b59008bc89d0f39fd64aa6eb.exe    84
PID 1572 wrote to memory of 4672    1572  ed279d611a2a24da80e4b5c2f6abbf2a0e4f7714b59008bc89d0f39fd64aa6eb.exe    84
PID 1572 wrote to memory of 4672    1572  ed279d611a2a24da80e4b5c2f6abbf2a0e4f7714b59008bc89d0f39fd64aa6eb.exe    84
PID 1572 wrote to memory of 4672    1572  ed279d611a2a24da80e4b5c2f6abbf2a0e4f7714b59008bc89d0f39fd64aa6eb.exe    84
PID 1572 wrote to memory of 4672    1572  ed279d611a2a24da80e4b5c2f6abbf2a0e4f7714b59008bc89d0f39fd64aa6eb.exe    84
PID 1572 wrote to memory of 4672    1572  ed279d611a2a24da80e4b5c2f6abbf2a0e4f7714b59008bc89d0f39fd64aa6eb.exe    84
PID 1572 wrote to memory of 4672    1572  ed279d611a2a24da80e4b5c2f6abbf2a0e4f7714b59008bc89d0f39fd64aa6eb.exe    84
PID 1572 wrote to memory of 4672    1572  ed279d611a2a24da80e4b5c2f6abbf2a0e4f7714b59008bc89d0f39fd64aa6eb.exe    84
PID 1572 wrote to memory of 4672    1572  ed279d611a2a24da80e4b5c2f6abbf2a0e4f7714b59008bc89d0f39fd64aa6eb.exe    84
PID 1572 wrote to memory of 4672    1572  ed279d611a2a24da80e4b5c2f6abbf2a0e4f7714b59008bc89d0f39fd64aa6eb.exe    84
Processes

1. C:\Users\Admin\AppData\Local\Temp\ed279d611a2a24da80e4b5c2f6abbf2a0e4f7714b59008bc89d0f39fd64aa6eb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ed279d611a2a24da80e4b5c2f6abbf2a0e4f7714b59008bc89d0f39fd64aa6eb.exe"
   PID: 1572
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\ed279d611a2a24da80e4b5c2f6abbf2a0e4f7714b59008bc89d0f39fd64aa6eb.exe (child of PID 1572)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ed279d611a2a24da80e4b5c2f6abbf2a0e4f7714b59008bc89d0f39fd64aa6eb.exe"
      PID: 4672
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 144B
MD5: 3d42a59e21147e2ff2f2abe18a8fa796
SHA1: 9dc01e5543a99530b92e9066ff74ae548d8f7681
SHA256: 504341c7450e0275ae145340f9c893a53574fb665f06578567f59088801330ca
SHA512: e765fda5a2e4f393dfa1c7099e2930171124b50f736dfaa281d78db159ce429846e138f644a061e7da8bf3f191a1ae68fdea395e23233176f9aea0592c13b3f1