Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/09/2024, 22:56

General

  • Target

    Launcher.exe

  • Size

    1.0MB

  • MD5

    389e49fd591fbdbe272575573a922085

  • SHA1

    2145dacbed53f6b64ea96938cff8758531961c1a

  • SHA256

    24191589d733c928bce4654a950c0f6bd02b6675a78e47e22893e72d27067264

  • SHA512

    74b957d349a3241143525a6085372b8131551de3c1df25b61dc4fbbb74a868234cb36c32db14a61ab6eb516258a85d551956c408e20c0523eaa7e8e1d2b19bd4

  • SSDEEP

    24576:82+IxnXZC4MQdHAsU/O552srSCbBJwNQEwTtaMmVL:uIByQhK/Og6BKNQkdl

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 6 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\SysWOW64\PING.EXE
        PING 127.0.0.1 -n 2
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2428
      • C:\Windows\SysWOW64\remcos\sys.exe
        "C:\Windows\SysWOW64\remcos\sys.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        PID:740

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\install.bat

    Filesize

    139B

    MD5

    843fadf88dbddfc1a2d3c21e989a8e5a

    SHA1

    c432ce68e04961580744b489daa452dc4d978a8d

    SHA256

    f3b8a0dabf78adbb6b6b3664877a4622fc3624b6a513879a00057767a86880b9

    SHA512

    e69b3334fe806ea17defb7eb6bfc4f8ca8186f12929cbbede3f563b900f38a2afcb2ef4045946b43c5e4cc682f24ddd158bfdfaf9f750cf00babd818fe7b090c

  • C:\Windows\SysWOW64\remcos\sys.exe

    Filesize

    1.0MB

    MD5

    389e49fd591fbdbe272575573a922085

    SHA1

    2145dacbed53f6b64ea96938cff8758531961c1a

    SHA256

    24191589d733c928bce4654a950c0f6bd02b6675a78e47e22893e72d27067264

    SHA512

    74b957d349a3241143525a6085372b8131551de3c1df25b61dc4fbbb74a868234cb36c32db14a61ab6eb516258a85d551956c408e20c0523eaa7e8e1d2b19bd4

  • memory/740-14-0x0000000000400000-0x0000000000603000-memory.dmp

    Filesize

    2.0MB

  • memory/740-16-0x0000000000400000-0x0000000000603000-memory.dmp

    Filesize

    2.0MB

  • memory/1196-0-0x0000000000400000-0x0000000000603000-memory.dmp

    Filesize

    2.0MB

  • memory/1196-1-0x0000000000400000-0x0000000000603000-memory.dmp

    Filesize

    2.0MB

  • memory/1196-6-0x0000000076D40000-0x0000000076D41000-memory.dmp

    Filesize

    4KB

  • memory/1196-9-0x0000000000400000-0x0000000000603000-memory.dmp

    Filesize

    2.0MB