Overview

overview

10

Static

static

5

csrss.exe

windows7-x64

7

csrss.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-08-2024 10:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    csrss.exe

  • Size

    1.2MB

  • MD5

    354b34a3694e2b4d54ba3bca624aa3c3

  • SHA1

    660ee183f7f7a17eace0556c8883a2c361424cb0

  • SHA256

    52e5414e2e8aabecfc1c38926a3d863e1ee26bef5dc8453fc0568d9f263cf384

  • SHA512

    f78bbbd45ee9dc147394f79c0aed2c8104c42116b72c653586ac0855d0c075e3b17571bc62e33ba055bcc91197f6e2a491e97ad35eab8f425bbf713a5e0b5870

  • SSDEEP

    24576:+tb20pkaCqT5TBWgNQ7aLHWD2rmiOWlcIqDBZLAkxy06A:rVg5tQ7aLHWDd/B9A65

Score
10/10
remcosremotehostdiscoveryrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

spacesave.duckdns.org:14645

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-RLABK3

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\csrss.exe
    "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Users\Admin\AppData\Local\directory\dddddd.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4828
      • C:\Users\Admin\AppData\Local\directory\dddddd.exe
        "C:\Users\Admin\AppData\Local\directory\dddddd.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:888

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\aut7A7F.tmp
    Filesize

    384KB

    MD5

    4a528c9e55817786057cd2ab4271dac0

    SHA1

    2c0b82cb50af76330de89b69164b9a32f59ea5d8

    SHA256

    02ef6f365d2d9e4ab97c80fe70d89f7b51cc5914a6756b17e1d372b40af25b44

    SHA512

    5e672a53bb82b881d3ad1c492a93096589e8a9c2ed920be5d1e5ef93453baded47db96be55b74a84547edcf33d95b0ae1b1c2aed5d2d103e26481960545c517c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\aut7A90.tmp
    Filesize

    10KB

    MD5

    794dd42e43c9f5f2a14a526c2c78e768

    SHA1

    4e31258ac80b9ecbdd8e9001c07378f2868b8350

    SHA256

    8927cfafaefe0cc666afbeefcb0c4558e67df5e184f30f6a6420bcfdafd6229d

    SHA512

    642254b6c1b3d414a239a431cff2910f8707d638aca5d7af03ad5fe655766b18cbf1e8f94f0593b9ffe3de17a4205e5762a2b244a336f91d30e4c0e6ea3d5c05

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\definitization
    Filesize

    56KB

    MD5

    be57919a8e6f5c3d638c08144dfff614

    SHA1

    a096881aaea02eecc45536e041050cf08917b433

    SHA256

    88b06124dd503e93614f8dc3fd011565c949e2a36ecb44c0a9de685465330167

    SHA512

    8c6154154f3ee2ed6d19b6527f89ae3279fc64b0489baf415b1779cbe2af12d4f4cac2fd67e2c57a825639f86e8b4a72ca2ead831fe93bc90141a013bb4bbcf5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\palladize
    Filesize

    64KB

    MD5

    747e94021b02202d57f46e4edfbd3455

    SHA1

    98e854546b0344e046448024966d4535fc3d5108

    SHA256

    8e1f959a3bc17073e652a047f71e1b47bb75383dcaa7d7bb2dab2b0be1079422

    SHA512

    c51b7ef5c69984221b302accfce5f5927485fe9d68397d0aea7e7afc04ed9d9c1abb9611150390f42ba618d04ae38179da80a681e2041a64b03053a7828cedd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\palladize
    Filesize

    483KB

    MD5

    f4461a02e25109973cdf62c9260edc73

    SHA1

    988eaf6cf392bc92f09c514a99db3b44bd9d0450

    SHA256

    35317bf8ab08c12751490059e9af81b8226b013401e9906ad109e49c1924d13f

    SHA512

    f6d86a3f8702d89acc1c4cb63fbd81d03a8f86d8f43ce1a244343b59b6121416420c421e10830675dd970d97064ab2b7b422b60fe2658b263daf12f2932707dc

    Download Submit

  • C:\Users\Admin\AppData\Local\directory\dddddd.exe
    Filesize

    1.2MB

    MD5

    354b34a3694e2b4d54ba3bca624aa3c3

    SHA1

    660ee183f7f7a17eace0556c8883a2c361424cb0

    SHA256

    52e5414e2e8aabecfc1c38926a3d863e1ee26bef5dc8453fc0568d9f263cf384

    SHA512

    f78bbbd45ee9dc147394f79c0aed2c8104c42116b72c653586ac0855d0c075e3b17571bc62e33ba055bcc91197f6e2a491e97ad35eab8f425bbf713a5e0b5870

    Download Submit

  • memory/888-47-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/888-53-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/888-45-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/888-46-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/888-60-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/888-48-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/888-49-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/888-50-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/888-52-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/888-44-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/888-54-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/888-55-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/888-56-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/888-57-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/888-58-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/888-59-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4876-11-0x0000000003DD0000-0x0000000003DD4000-memory.dmp

    Filesize

    16KB

    Download