Analysis Overview
SHA256
1aa8e0e39ef44f0906f9f8036df2eff25f53c985a22b24c4f8ac994c3cd5e6d2
Threat Level: Known bad
The file remcos_a.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
Remcos family
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-12 05:54
Signatures
Remcos family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-12 05:54
Reported
2024-08-12 05:56
Platform
win7-20240704-en
Max time kernel
81s
Max time network
79s
Command Line
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2292 set thread context of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\remcos_a.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe |
| PID 2012 set thread context of 3056 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\remcos_a.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\remcos_a.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\remcos_a.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\remcos_a.exe
"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SplitTest.M2T"
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.252:2404 | | tcp |
| N/A | 192.168.1.252:2404 | | tcp |
| N/A | 192.168.1.252:2404 | | tcp |
| N/A | 192.168.1.252:2404 | | tcp |
Files
memory/2012-2-0x0000000000130000-0x00000000001B2000-memory.dmp
memory/2012-4-0x0000000000130000-0x00000000001B2000-memory.dmp
memory/2012-8-0x0000000000130000-0x00000000001B2000-memory.dmp
memory/2012-5-0x0000000000130000-0x00000000001B2000-memory.dmp
memory/2012-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3056-15-0x0000000000110000-0x0000000000192000-memory.dmp
memory/3056-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2012-12-0x0000000000130000-0x00000000001B2000-memory.dmp
memory/3056-17-0x0000000000110000-0x0000000000192000-memory.dmp
memory/3056-18-0x0000000000110000-0x0000000000192000-memory.dmp
memory/2012-20-0x0000000000130000-0x00000000001B2000-memory.dmp
memory/3056-23-0x0000000000110000-0x0000000000192000-memory.dmp
memory/2664-27-0x000007FEFB630000-0x000007FEFB664000-memory.dmp
memory/2664-26-0x000000013FD60000-0x000000013FE58000-memory.dmp
memory/2664-29-0x000007FEFB940000-0x000007FEFB958000-memory.dmp
memory/2664-30-0x000007FEFB8E0000-0x000007FEFB8F7000-memory.dmp
memory/2664-31-0x000007FEF7D50000-0x000007FEF7D61000-memory.dmp
memory/2664-32-0x000007FEF7D30000-0x000007FEF7D47000-memory.dmp
memory/2664-33-0x000007FEF7D10000-0x000007FEF7D21000-memory.dmp
memory/2664-34-0x000007FEF7CF0000-0x000007FEF7D0D000-memory.dmp
memory/2664-28-0x000007FEF6790000-0x000007FEF6A46000-memory.dmp
memory/2664-35-0x000007FEF7C40000-0x000007FEF7C51000-memory.dmp
memory/2664-37-0x000007FEF54D0000-0x000007FEF56DB000-memory.dmp
memory/2664-38-0x000007FEF7780000-0x000007FEF77C1000-memory.dmp
memory/2664-36-0x000007FEF56E0000-0x000007FEF6790000-memory.dmp
memory/2664-39-0x000007FEF71A0000-0x000007FEF71C1000-memory.dmp
memory/2664-40-0x000007FEF7730000-0x000007FEF7748000-memory.dmp
memory/2664-41-0x000007FEF7180000-0x000007FEF7191000-memory.dmp
memory/2664-42-0x000007FEF7160000-0x000007FEF7171000-memory.dmp
memory/2664-43-0x000007FEF7140000-0x000007FEF7151000-memory.dmp
memory/2664-44-0x000007FEF6C50000-0x000007FEF6C6B000-memory.dmp
memory/2664-45-0x000007FEF6C30000-0x000007FEF6C41000-memory.dmp
memory/2664-48-0x000007FEF6C10000-0x000007FEF6C28000-memory.dmp
memory/2664-49-0x000007FEF6BE0000-0x000007FEF6C10000-memory.dmp
memory/2664-50-0x000007FEF6B70000-0x000007FEF6BD7000-memory.dmp
memory/2664-51-0x000007FEF4E20000-0x000007FEF4E9C000-memory.dmp
memory/2664-52-0x000007FEF49B0000-0x000007FEF49C1000-memory.dmp
memory/2664-53-0x000007FEF46B0000-0x000007FEF4707000-memory.dmp
memory/2664-54-0x000007FEF48A0000-0x000007FEF48C8000-memory.dmp
memory/2664-55-0x000007FEF4870000-0x000007FEF4894000-memory.dmp
memory/2664-56-0x000007FEF4830000-0x000007FEF4848000-memory.dmp
memory/2664-57-0x000007FEF4800000-0x000007FEF4823000-memory.dmp
memory/2664-58-0x000007FEF47E0000-0x000007FEF47F1000-memory.dmp
memory/2664-59-0x000007FEF47C0000-0x000007FEF47D2000-memory.dmp
memory/2664-60-0x000007FEF4790000-0x000007FEF47B1000-memory.dmp
memory/2664-61-0x000007FEF4770000-0x000007FEF4783000-memory.dmp
memory/2664-72-0x000000013FD60000-0x000000013FE58000-memory.dmp
memory/2664-74-0x000007FEF6790000-0x000007FEF6A46000-memory.dmp
memory/2664-73-0x000007FEFB630000-0x000007FEFB664000-memory.dmp
memory/2664-75-0x000007FEF56E0000-0x000007FEF6790000-memory.dmp
memory/2012-77-0x0000000000130000-0x00000000001B2000-memory.dmp
memory/2012-78-0x0000000000130000-0x00000000001B2000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 7e6c1d8d37a2fa0d97dcee7b70a1ee64 |
| SHA1 | ea43a941f27158e6aa7f32993eb86b48cdefb822 |
| SHA256 | 8e0f7dd40b6dadb8405109dff0c45269958c748b046e777388b265d94306ce60 |
| SHA512 | 40672b779329044f6a4c02abbbeec9bde1d0819edf2228dbf02704567a30ff609f8d0cc5de8a20b4b02569e6f88b5bb432f163aa738f5992708233f43ba479bc |
memory/2012-83-0x0000000000130000-0x00000000001B2000-memory.dmp
memory/2012-84-0x0000000000130000-0x00000000001B2000-memory.dmp
memory/2012-89-0x0000000000130000-0x00000000001B2000-memory.dmp
memory/2012-91-0x0000000000130000-0x00000000001B2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-12 05:54
Reported
2024-08-12 05:57
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
148s
Command Line
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4672 set thread context of 5056 | N/A | C:\Users\Admin\AppData\Local\Temp\remcos_a.exe | \??\c:\program files (x86)\internet explorer\iexplore.exe |
| PID 5056 set thread context of 3532 | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | C:\Windows\SysWOW64\svchost.exe |
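Both detonations record the same two-hop chain: remcos_a.exe sets the thread context of a freshly started iexplore.exe, and that iexplore.exe in turn sets the thread context of a SysWOW64 svchost.exe. Read together with the WriteProcessMemory and MapViewOfSection hits on the same processes, that is process hollowing into two trusted images, and the memory dumps the sandbox took of PIDs 2012/3056 (Win7) and 5056/3532 (Win10) are those hollowed processes. The Python below is an added example and not part of the report or of any sandbox's code: it reconstructs the chain from the "PID X set thread context of Y" rows of both runs (embedded as constructed data copied from the two tables) and flags every edge whose target is a trusted system image different from the source. The HOLLOWING_TARGETS set is an assumption for the example. Note that vlc.exe, which carries several of the GUI-related hits in behavioral1, appears nowhere in this chain; its command line shows it was started to open a file on the sandbox desktop, so I read those hits as user-simulation noise rather than sample behaviour, though the report itself does not say so.

```python
import re
from collections import defaultdict

# Constructed from the "Suspicious use of SetThreadContext" tables of the two
# detonations above: (run, description, source image, target image).
SET_THREAD_CONTEXT_ROWS = [
    ("behavioral1", "PID 2292 set thread context of 2012",
     r"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe",
     r"\??\c:\program files (x86)\internet explorer\iexplore.exe"),
    ("behavioral1", "PID 2012 set thread context of 3056",
     r"\??\c:\program files (x86)\internet explorer\iexplore.exe",
     r"C:\Windows\SysWOW64\svchost.exe"),
    ("behavioral2", "PID 4672 set thread context of 5056",
     r"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe",
     r"\??\c:\program files (x86)\internet explorer\iexplore.exe"),
    ("behavioral2", "PID 5056 set thread context of 3532",
     r"\??\c:\program files (x86)\internet explorer\iexplore.exe",
     r"C:\Windows\SysWOW64\svchost.exe"),
]

_DESC_RE = re.compile(r"PID (\d+) set thread context of (\d+)")

# Assumed list of system images a user-mode sample has no business re-pointing
# a thread in; extend to match your environment.
HOLLOWING_TARGETS = {"iexplore.exe", "svchost.exe", "explorer.exe", "regsvr32.exe"}


def image_name(path):
    """Lowercase basename of an NT-style (\\??\\c:\\...) or Win32 path."""
    return path.replace("\\??\\", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def injection_chains(rows):
    """{run: [chain, ...]}; a chain is [(pid, image), ...] from the process that
    first called SetThreadContext down to the last process that received one."""
    edges = defaultdict(dict)  # run -> {source_pid: (target_pid, source_image, target_image)}
    for run, desc, src_img, dst_img in rows:
        m = _DESC_RE.fullmatch(desc)
        if not m:
            continue  # tolerate rows whose description is N/A
        src, dst = map(int, m.groups())
        edges[run][src] = (dst, image_name(src_img), image_name(dst_img))

    chains = {}
    for run, run_edges in edges.items():
        targets = {dst for dst, _, _ in run_edges.values()}
        roots = [pid for pid in run_edges if pid not in targets]  # never injected into
        for root in roots:
            chain, pid, seen = [(root, run_edges[root][1])], root, {root}
            while pid in run_edges:
                dst, _, dst_img = run_edges[pid]
                chain.append((dst, dst_img))
                if dst in seen:  # guard against malformed cyclic input
                    break
                seen.add(dst)
                pid = dst
            chains.setdefault(run, []).append(chain)
    return chains


def hollowing_alerts(rows):
    """One alert per SetThreadContext edge whose target is a trusted system image
    different from the source image, the classic hollowing shape."""
    alerts = []
    for run, desc, src_img, dst_img in rows:
        m = _DESC_RE.fullmatch(desc)
        src, dst = image_name(src_img), image_name(dst_img)
        if m and dst in HOLLOWING_TARGETS and src != dst:
            alerts.append((run, int(m.group(1)), src, int(m.group(2)), dst))
    return alerts


if __name__ == "__main__":
    for run, chains in injection_chains(SET_THREAD_CONTEXT_ROWS).items():
        for chain in chains:
            print(run, " -> ".join(f"{img}({pid})" for pid, img in chain))
    for alert in hollowing_alerts(SET_THREAD_CONTEXT_ROWS):
        print("hollowing:", alert)
```

The root-finding step (a PID that sets a context but never receives one) is what lets the same code recover the chain regardless of how many hops a loader adds; on this sample it yields remcos_a.exe -> iexplore.exe -> svchost.exe in both runs.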
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\remcos_a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\remcos_a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\remcos_a.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\remcos_a.exe | N/A |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\program files (x86)\internet explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\remcos_a.exe
"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"
\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.252:2404 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| N/A | 192.168.1.252:2404 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| N/A | 192.168.1.252:2404 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| N/A | 192.168.1.252:2404 | | tcp |
| N/A | 192.168.1.252:2404 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| N/A | 192.168.1.252:2404 | | tcp |
| N/A | 192.168.1.252:2404 | | tcp |
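The only traffic common to both runs is a series of TCP sessions to 192.168.1.252:2404 with no preceding name resolution (the Domain column is empty): four on Win7, seven on Win10. Everything else in the Win10 table is reverse lookups of public addresses sent to 8.8.8.8 and HTTPS to tse1.mm.bing.net, which is what a Windows 10 image does on its own. Two caveats: the destination is an RFC1918 address, and the report does not say whether that is the host the sample was built with or a sandbox redirect, so it is not a usable network IOC outside this lab; 2404 is, however, the port Remcos ships with as its default, which makes the port worth a rule even when the host is not. The Python below is an added example, not code from the report or the sandbox: it classifies the rows of both Network tables (embedded as constructed data copied from the tables) and returns repeated, unresolved host:port pairs as C2 candidates. The BACKGROUND_SUFFIXES allowlist and the three-session threshold are assumptions to tune against your own sandbox baseline.

```python
import ipaddress
from collections import Counter

# Constructed from the two Network tables above, behavioral1 (win7) first and
# then behavioral2 (win10), as (country, destination, domain, proto).
C2_ROW = ("N/A", "192.168.1.252:2404", "", "tcp")
BING_ROW = ("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp")
NETWORK_ROWS = [C2_ROW] * 4 + [
    C2_ROW,
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.143.123.92.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "4.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "88.156.103.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "97.17.167.52.in-addr.arpa", "udp"),
    C2_ROW,
    ("US", "8.8.8.8:53", "157.123.68.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "15.164.165.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "0.205.248.87.in-addr.arpa", "udp"),
    C2_ROW,
    ("US", "8.8.8.8:53", "26.35.223.20.in-addr.arpa", "udp"),
    C2_ROW, C2_ROW,
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
] + [BING_ROW] * 5 + [C2_ROW, C2_ROW]

# Assumed allowlist of names the Windows 10 image contacts on its own. This is a
# sandbox-baseline setting, not a statement about the sample.
BACKGROUND_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com")


def split_dest(dest):
    host, _, port = dest.rpartition(":")
    return host, int(port)


def classify(row):
    """dns-ptr | dns | background | other, from one table row."""
    _country, dest, domain, proto = row
    _host, port = split_dest(dest)
    if proto == "udp" and port == 53:
        return "dns-ptr" if domain.endswith(".in-addr.arpa") else "dns"
    if domain.endswith(BACKGROUND_SUFFIXES):
        return "background"
    return "other"


def triage_summary(rows):
    return Counter(classify(r) for r in rows)


def c2_candidates(rows, min_sessions=3):
    """Repeated sessions to one host:port that no DNS answer pointed at,
    most frequent first, each with the flags an analyst would want to see."""
    sessions = Counter(r[1] for r in rows if classify(r) == "other")
    resolved = {r[1] for r in rows if r[2]}  # destinations that carried a domain
    out = []
    for dest, n in sessions.most_common():
        if n < min_sessions:
            break
        host, port = split_dest(dest)
        flags = []
        if ipaddress.ip_address(host).is_private:
            flags.append("rfc1918-destination")  # lab-only, not a shareable IOC
        if dest not in resolved:
            flags.append("no-dns-resolution")    # hard-coded address in the config
        if port == 2404:
            flags.append("port-2404")            # Remcos's default listening port
        out.append((dest, n, flags))
    return out


if __name__ == "__main__":
    print(dict(triage_summary(NETWORK_ROWS)))
    for dest, n, flags in c2_candidates(NETWORK_ROWS):
        print(f"{dest}: {n} sessions, {', '.join(flags)}")
```

Run as written this reports 11 sessions to 192.168.1.252:2404 flagged rfc1918-destination, no-dns-resolution and port-2404, and nothing else; the PTR lookups and the bing.net sessions fall into the noise buckets and never reach the candidate list.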
Files
memory/5056-0-0x0000000000C40000-0x0000000000CC2000-memory.dmp
memory/5056-1-0x0000000000C40000-0x0000000000CC2000-memory.dmp
memory/5056-3-0x0000000000C40000-0x0000000000CC2000-memory.dmp
memory/5056-10-0x0000000000C40000-0x0000000000CC2000-memory.dmp
memory/3532-11-0x0000000000C00000-0x0000000000C82000-memory.dmp
memory/5056-9-0x0000000000C40000-0x0000000000CC2000-memory.dmp
memory/5056-6-0x0000000000C40000-0x0000000000CC2000-memory.dmp
memory/5056-2-0x0000000000C40000-0x0000000000CC2000-memory.dmp
memory/3532-13-0x0000000000C00000-0x0000000000C82000-memory.dmp
memory/3532-12-0x0000000000C00000-0x0000000000C82000-memory.dmp
memory/3532-14-0x0000000000C00000-0x0000000000C82000-memory.dmp
memory/5056-19-0x0000000000C40000-0x0000000000CC2000-memory.dmp
memory/5056-20-0x0000000000C40000-0x0000000000CC2000-memory.dmp
memory/5056-21-0x0000000000C40000-0x0000000000CC2000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | ce9409567a06261b3844a8ff356b6944 |
| SHA1 | 999a145ccf64d78ed1d267d54399777cebda30eb |
| SHA256 | a32df2593438506f117f1a396866a3972b34fb242f7f2eb773594ba158d27ea1 |
| SHA512 | 864626a34c900ce6bdda07e6a8db630b24fa9157e0098f1ef6db661a8181d657cc37144b74fc22f12fcf5b9be442544f64b73e22e15a976ce620ba11362ea297 |
memory/5056-26-0x0000000000C40000-0x0000000000CC2000-memory.dmp
memory/5056-27-0x0000000000C40000-0x0000000000CC2000-memory.dmp
memory/5056-32-0x0000000000C40000-0x0000000000CC2000-memory.dmp
memory/5056-34-0x0000000000C40000-0x0000000000CC2000-memory.dmp
memory/5056-39-0x0000000000C40000-0x0000000000CC2000-memory.dmp
memory/5056-40-0x0000000000C40000-0x0000000000CC2000-memory.dmp
memory/5056-45-0x0000000000C40000-0x0000000000CC2000-memory.dmp
memory/5056-46-0x0000000000C40000-0x0000000000CC2000-memory.dmp
memory/5056-52-0x0000000000C40000-0x0000000000CC2000-memory.dmp
memory/5056-53-0x0000000000C40000-0x0000000000CC2000-memory.dmp