Analysis
-
max time kernel
927s -
max time network
860s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
-
submitted
23-07-2024 14:59
General
-
Target
remcos_a.exe
-
Size
197KB
-
MD5
65457174406297076acf63ff9ea6b836
-
SHA1
6998b6941c84f09162acef6995aa9240fa304ed7
-
SHA256
859e71388525cd23d7d84bd11d6dc2b40387e440cc15ec3aa653f19a34c5fe30
-
SHA512
e863bd6c41ba69e9d0ad31d28e66d78004d22513a1b5d3df4872983bb134b54d2beed76017ea889036112a570a1f4c963cdb98482381922a4a8f9c48e1f97150
-
SSDEEP
3072:cgoqAnruXO+Fsw6yRZgl/HyN7BmBFbhI6kJe6qiaJCEmxiZIvIII:hovgFR6UZgRQ78D8th5iZ
Malware Config
Extracted
remcos
5.1.0 Light
RemoteHost
components-resort.gl.at.ply.gg:9316
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-XQF90O
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 9 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 36 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 13 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\dxdiag.exe"C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt2⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\curl.execurl ascii.live/rick3⤵
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc48f93cb8,0x7ffc48f93cc8,0x7ffc48f93cd82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4028 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,3974539490427356688,9006153775363129990,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5572 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004E01⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5bb87c05bdde5672940b661f7cf6c188e
SHA1476f902e4743e846c500423fb7e195151f22f3b5
SHA2567b7f02109a9d1f4b5b57ca376fcacd34f894d2c80584630c3733f2a41dddf063
SHA512c60d8b260d98ced6fe283ca6fed06e5f4640e9de2609bcfbfa176da1d0744b7f68acabfa66f35455e68cad8be1e2cfc9b5046463e13ae5f33bbbf87a005d1e0b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD55478498cbfa587d1d55a9ca5598bf6b9
SHA182fedfb941371c42f041f891ea8eb9fe4cf7dcc8
SHA256a4e82ce07a482da1a3a3ba11fcceee197c6b2b42608320c4f3e67f1c6a6d6606
SHA5127641a2f3cc7321b1277c58a47dfd71be087f67f8b57dca6e72bd4e1b664f36151cd723e03ea348835581bcb773eb97911f985d5ee770d4d1b8b6f7849ce74b44
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5bd6d8aa7b9c21bd62378b5c54183c4d4
SHA15b0d0984794445159677b3c373b3ac91499743e8
SHA2563dd3ca963826f402690bb94f032b937e446ca0dbbd3d7f11bb5ca14dc296db07
SHA5126ddc2a7fe8fc8167b3bba7cf52d01e88a32c5897d43be421c9f8df06ac06e5aae56f488d346f7d7e9aa3d4b9cd7bb0bf8490c2aa8a6d790f465e00ec0aaab971
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5eea0be5c4731ec9f5a7aa5526b7ad40b
SHA13203c6015eef7041934a74635d11643581fc7cc4
SHA256cab513580475ed05a919019aca328e30eed04707bb736342424caf09ac0aa7f1
SHA5127af7293d0cda518aaddbbf8ee15646b938681ca95b94a69694b4f564fdf6ac9f752de3f95cb6eae392dafaebd99119aecfedcb1d21ad17d04df8cec2ea1a270f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5ca69fb8f18f3bfb251de91a2407f4041
SHA1b80b2ae74bf24ea957f56d91b366e9b8b1021571
SHA25671058369caf6f488d420bbeb73a9961b42cf3ace0213cced9cbad51014844ac8
SHA512ee1ef4995e03f33bc70ecb08c8c2b3e2e047753b614f85be38ac605b1e6aae9b1e90dd9a54d7eb8d1dd23fafcc400bca3c6f092257ab69918c511745bbfdc3f7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD5225a6ad9b633dfe61d1455e5f90e2ae2
SHA197b4dc24a258d8ad94077a70496cfc9bd701f911
SHA256f5f7da68692515194be7582ad475fcbb3e7a980a5765cd0e688b5dc249b2a96e
SHA5126ad5b7af988a2ed3adbeeeef826e1c9ad90114b92e0587f45ce118ddc1dfb8b85f701318333837ecad785a4af977fb9400860393c971b9d657853b6e64a6f9ff
-
C:\Users\Admin\AppData\Local\Temp\sysinfo.txtFilesize
84KB
MD54fd28ecba4c99e3007467229d5b30f35
SHA14086105990fc1a7ba02975a6cd8b4642d70a3e21
SHA2564936e0a224c79c997ad1e16e27b3af02d600785f6155a60f9cc9142008f172a4
SHA51225c5eb4cb0daf68874cda4d9045d5ac7cd9c37a7d0d8b16c5a8d8f553db5bb5ba93d42cc6e99a0f17f2275337309fc0895612b4e568cd805c15aea7594a79958
-
\??\pipe\LOCAL\crashpad_3456_LRAHAPBLJYZHZFUHMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2044-147-0x0000000000FF0000-0x0000000000FF1000-memory.dmpFilesize
4KB
-
memory/2044-140-0x0000000000FF0000-0x0000000000FF1000-memory.dmpFilesize
4KB
-
memory/2044-146-0x0000000000FF0000-0x0000000000FF1000-memory.dmpFilesize
4KB
-
memory/2044-148-0x0000000000FF0000-0x0000000000FF1000-memory.dmpFilesize
4KB
-
memory/2044-149-0x0000000000FF0000-0x0000000000FF1000-memory.dmpFilesize
4KB
-
memory/2044-150-0x0000000000FF0000-0x0000000000FF1000-memory.dmpFilesize
4KB
-
memory/2044-151-0x0000000000FF0000-0x0000000000FF1000-memory.dmpFilesize
4KB
-
memory/2044-152-0x0000000000FF0000-0x0000000000FF1000-memory.dmpFilesize
4KB
-
memory/2044-142-0x0000000000FF0000-0x0000000000FF1000-memory.dmpFilesize
4KB
-
memory/2044-141-0x0000000000FF0000-0x0000000000FF1000-memory.dmpFilesize
4KB
-
memory/2604-108-0x0000000010000000-0x0000000010006000-memory.dmpFilesize
24KB
-
memory/2604-3-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-110-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-117-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-136-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-137-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-138-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-139-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-40-0x0000000000475000-0x0000000000476000-memory.dmpFilesize
4KB
-
memory/2604-109-0x0000000010000000-0x0000000010006000-memory.dmpFilesize
24KB
-
memory/2604-96-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-95-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-94-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-106-0x0000000010000000-0x0000000010006000-memory.dmpFilesize
24KB
-
memory/2604-75-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-34-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-0-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-35-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-1-0x0000000000475000-0x0000000000476000-memory.dmpFilesize
4KB
-
memory/2604-194-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-197-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-198-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-201-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-211-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-212-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-213-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-214-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB
-
memory/2604-216-0x0000000000400000-0x000000000047B000-memory.dmpFilesize
492KB