Analysis
-
max time kernel
300s -
max time network
298s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system -
submitted
25-07-2024 22:32
Static task
static1
Behavioral task
behavioral1
Sample
162589ef58a383d83767a1e5d5d6be6f4f61eb94243daaf242646cdea1b6f410.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
162589ef58a383d83767a1e5d5d6be6f4f61eb94243daaf242646cdea1b6f410.exe
Resource
win10-20240404-en
General
-
Target
162589ef58a383d83767a1e5d5d6be6f4f61eb94243daaf242646cdea1b6f410.exe
-
Size
487KB
-
MD5
01f41ee384978addc85c2e8e1569410c
-
SHA1
f9da80e058e4e7c4dd31594fbd9441d3d921aa70
-
SHA256
162589ef58a383d83767a1e5d5d6be6f4f61eb94243daaf242646cdea1b6f410
-
SHA512
4927a1b4d3bc4613d5efb10363d58aef5814dc8d4e07854b35de4ecc07b6ace972628557f193862993d7d415809bd233c8e25709fa57d5645cbed90a9486dc03
-
SSDEEP
12288:woGLcIytOjHRKurBiFCF6umwyl1r77J4Bc52OEqiAb8d8jQY:045tOzRKus4F7m3l9HJ4BcP/h5
Malware Config
Extracted
remcos
RemoteHost
127.0.0.1:58122
ikbro.duckdns.org:58122
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-9VQUE2
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim host in order to infer the geographical location of that host.
Processes:
Process: 162589ef58a383d83767a1e5d5d6be6f4f61eb94243daaf242646cdea1b6f410.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 162589ef58a383d83767a1e5d5d6be6f4f61eb94243daaf242646cdea1b6f410.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Process: 162589ef58a383d83767a1e5d5d6be6f4f61eb94243daaf242646cdea1b6f410.exe
pid | process
4192 | 162589ef58a383d83767a1e5d5d6be6f4f61eb94243daaf242646cdea1b6f410.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\162589ef58a383d83767a1e5d5d6be6f4f61eb94243daaf242646cdea1b6f410.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\162589ef58a383d83767a1e5d5d6be6f4f61eb94243daaf242646cdea1b6f410.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4192
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
144B
MD5
348b2674d584ba6642711887675321f6
SHA1
2a5c9029330495b57e58c07b41d67c2d5bb0fcab
SHA256
ad583904130546f052c72eebf8e41ffc82b8be8999a1d04c1454a00022c0422e
SHA512
494debea7fa05ec7d8be64aee365da424e22f49320370c21827bce733a25d937806668bd963b08ef8f441a4734f90de6d337c7e7257f95d145bb2072013b2076