Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
29-08-2024 05:44
General
-
Target
Document SWIFT Payment Copy Ref#8374837293.exe
-
Size
1.3MB
-
MD5
e3504f07ea46e8c5ce1321b44e752556
-
SHA1
e5c612e6de7696296a13a5c59ee1712084559919
-
SHA256
dfc8e10de69f490f19664c753862ed95466195dfc45dae4f8b43a11565b2cc8e
-
SHA512
5aeb6baa9d02cdcfed6a02301bce02460b4b68c06ef3e9038bb4b1ba01ce3ad4884a5271653352527c625801519cfcfffdd9c1d03e005dbe3c21d3b460c4db5d
-
SSDEEP
24576:qAHnh+eWsN3skA4RV1Hom2KXMmHaYMCcRJjERtK/cfrWIlcf6NyEi5:9h+ZkldoPK8YaYrc/jYK/cf6YcCM
Score
10/10
Malware Config
Extracted
Family
remcos
Botnet
dorobumajor
C2
84.38.132.40:2404
Attributes
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
testhostex.exe
-
copy_folder
dorbion
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-WBALP5
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
UAC bypass 3 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Document SWIFT Payment Copy Ref#8374837293.exe"C:\Users\Admin\AppData\Local\Temp\Document SWIFT Payment Copy Ref#8374837293.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\Temp\Document SWIFT Payment Copy Ref#8374837293.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
16KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB