86f196e6db84218ec0cb4ead59880352b3dfa01d74af93af60347883632f2bf3

Analysis

max time kernel
148s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

963c914d288dcc6fd4be76a109feecfe6ade32cb802ef799affed99c39f7185f_payload.exe
Size

482KB
MD5

e061f0c3a1fc124de1ff7e6dd44e6da7
SHA1

a17fa68fef483ae910661e06c0f83d298e70fe15
SHA256

86f196e6db84218ec0cb4ead59880352b3dfa01d74af93af60347883632f2bf3
SHA512

02ec6180f41701e27fb90f32a0294352f9739f186b7a16521d0599f90ae31e28fea82370d7dafd943f915035852a8018b8be88b95374ae607889a0b01333dab8
SSDEEP

6144:8XIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcN95Gv:8X7tPMK8ctGe4Dzl4h2QnuPs/ZDAcv

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	963c914d288dcc6fd4be76a109feecfe6ade32cb802ef799affed99c39f7185f_payload.exe

Executes dropped EXE 1 IoCs

pid	Process
3624	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-0E35XZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	963c914d288dcc6fd4be76a109feecfe6ade32cb802ef799affed99c39f7185f_payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-0E35XZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	963c914d288dcc6fd4be76a109feecfe6ade32cb802ef799affed99c39f7185f_payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-0E35XZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-0E35XZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3624	remcos.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3624	remcos.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3624	remcos.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 3624	3344	963c914d288dcc6fd4be76a109feecfe6ade32cb802ef799affed99c39f7185f_payload.exe	83
PID 3344 wrote to memory of 3624	3344	963c914d288dcc6fd4be76a109feecfe6ade32cb802ef799affed99c39f7185f_payload.exe	83
PID 3344 wrote to memory of 3624	3344	963c914d288dcc6fd4be76a109feecfe6ade32cb802ef799affed99c39f7185f_payload.exe	83

C:\Users\Admin\AppData\Local\Temp\963c914d288dcc6fd4be76a109feecfe6ade32cb802ef799affed99c39f7185f_payload.exe
"C:\Users\Admin\AppData\Local\Temp\963c914d288dcc6fd4be76a109feecfe6ade32cb802ef799affed99c39f7185f_payload.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3344
- C:\ProgramData\Remcos\remcos.exe
  "C:\ProgramData\Remcos\remcos.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\logs.dat

Filesize
178B

MD5
5778224f7e030b196ecb660b917aa9c7

SHA1
04a9136d04d8e1121e2fc6e7b0e8d4da5a0b7295

SHA256
e6bf2f6694c1ff7b41b96fd0eb4488426f113b10ed78a86336b8b0813c5435da

SHA512
5d88c922286b1c06f8da1996b518379e71a7f0dda7fa53071306083987379cceafff1563ac2c5a1b8ca4849b0082b646470f01e873fb2d304e86a4d9b322c63d

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
482KB

MD5
e061f0c3a1fc124de1ff7e6dd44e6da7

SHA1
a17fa68fef483ae910661e06c0f83d298e70fe15

SHA256
86f196e6db84218ec0cb4ead59880352b3dfa01d74af93af60347883632f2bf3

SHA512
02ec6180f41701e27fb90f32a0294352f9739f186b7a16521d0599f90ae31e28fea82370d7dafd943f915035852a8018b8be88b95374ae607889a0b01333dab8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads