Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
28-09-2024 05:42
General
-
Target
6a65415e83cd790d8a9b5d4d4b89c2f19ec65491939fca932c156fa111d47401.msi
-
Size
4.0MB
-
MD5
e4375d55caf5b5a9866b40eaa0eac622
-
SHA1
af6b2527a004543059bc5f1a1a3e5b52b29d7367
-
SHA256
6a65415e83cd790d8a9b5d4d4b89c2f19ec65491939fca932c156fa111d47401
-
SHA512
52ba75139eab10ba6a9661757ea819e5e9d1609389c074ff606c7d401be1042099cdc06a8bd02ddab63a6143b24a3fee5cdb063d771334d0075bf7228dfd5ae1
-
SSDEEP
98304:Op8or/QxzNWNEBIBDMPbZdZBttLBxeWMlhCXcZLCujaOwPlbuVjr:ZmQJAN4IZIF1tttx2gXcZdaOkl4/
Malware Config
Extracted
remcos
BACKUP_PIP
heavytank21gh.com:4422
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
info.dat
-
keylog_flag
false
-
keylog_folder
tmpdata
-
mouse_option
false
-
mutex
aujifbh8123-1M56R1
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Modifies file permissions 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 11 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 17 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6a65415e83cd790d8a9b5d4d4b89c2f19ec65491939fca932c156fa111d47401.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D8AABE44A92814A8C5AE5262FB56C7BD2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-774ff447-c01e-4866-9c80-90f00e5bd898\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MW-774ff447-c01e-4866-9c80-90f00e5bd898\files\basics.cmd" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c xcopy /s "C:\Users\Admin\AppData\Local\Temp\MW-774ff447-c01e-4866-9c80-90f00e5bd898\files" /d C:\Users\Admin\AppData\Roaming\microsoft4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\xcopy.exexcopy /s "C:\Users\Admin\AppData\Local\Temp\MW-774ff447-c01e-4866-9c80-90f00e5bd898\files" /d C:\Users\Admin\AppData\Roaming\microsoft5⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\DPMHelper.exeC:\Users\Admin\AppData\Roaming\Microsoft\DPMHelper.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\streamService_beta\DPMHelper.exeC:\Users\Admin\AppData\Local\streamService_beta\DPMHelper.exe5⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-774ff447-c01e-4866-9c80-90f00e5bd898\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD505bd1336e768e3371bc022f6d646c7d8
SHA12e9339221211347691f8b79b41ca31b7bdd8c677
SHA2561ecb4f2f76367703a542d917bab6eb32083c6f77e87cc94c00b26ee6d107dc97
SHA512cffe60e318e99c8dee1c0ce314932f07a79594fe68116e64a9fe526b685c14515d5b76b9b397ad612f00c51cd502e107ec27442cbfd93ab64d60c656cb014960
-
Filesize
1.2MB
MD5d8b63cc4d7d9ea942bdf540279610c76
SHA1e09ec5332809eabcd2b3c06def7c35403fdbe665
SHA2563010b91d1c82f6f4d34b9dfd1ebd73c6dadaace161d11cb9a316e45a0a102654
SHA512a1be170add00188bdcf97ee5156a991396b9526a4591070754611b7484f39f8febb5ac677832f0dc545590ae4f4dac5334b72b14642d0197f9e405e43a6ab90d
-
Filesize
3.7MB
MD5afe47e7c9e3846b69303fce54d9c08fc
SHA1fff4819cd283c4413ebab21310369e7285af2870
SHA2569bc9688887112bc048f4dd95a34174dbd11adb717dfb1ae40891c3459404d3e3
SHA51238a19e625c7914bdd127ba6c3b14f0a77d10763c18d135fe5fe7e056f0dab137cd124d94e18fd765dd01982df4fba28de5b594f068e7edf708ab0c0a3746e2e4
-
Filesize
103B
MD584a7194e4cc9413ed0dbf64107c5f7b0
SHA130e608bcd3e4922a3024cde661c8cbce16ff442f
SHA2565baf90c1464d136af6dd81963cecf5bc1e489d0a2ff3b9831f4c36a937e4358c
SHA51200d3630577338d949d49189d527d55828bcdf47933a6600d01daef3434eb5d59fa113db6dc25abfc18467db970e3f09add6dcbe43e98651df6d09e9f345d1282
-
Filesize
2.0MB
MD53c06138c0e9b9706281dea5b5037bfbb
SHA1608a2ee6adf4c3ccfb3ea25edf393f5745cb7b57
SHA25682f93f71f45c1d2ea20697d01d3f5ae50761942a956384e217ba898efa63ec47
SHA512bf1f360f99f0f38ef66d97d42ba689936b22c38e092533e14723974ab2f2b9ffac61446400f3379f97c7edd982c6cec62400670682855ef5482d3bcf6c567131
-
Filesize
1.1MB
MD51681f93e11a7ed23612a55bcef7f1023
SHA19b378bbdb287ebd7596944bce36b6156caa9ff7d
SHA2567ed5369fcf0283ea18974c43dbff80e6006b155b76da7c72fa9619eb03f54cef
SHA512726e8f58648a6abaf1f2d5bebcf28c1d8320551a3b6e7eef0cf8d99f9ef941e30e7004c24c98e9b5e931a86128d26de7decba202390665a005e972dcbe87ab93
-
Filesize
428B
MD50091161150b7ce75b6a95b85c9e51350
SHA1a1c545dc8788a53e58d6ff5f5b093ed5a5d79dd1
SHA256f7074be9895ae862c19e91eca37f73b49657607d0be2d28f411d4ef350a2bdc5
SHA51232081f19e14279723fa12f78482040bac77e7776f4c4346ba71c769715f0e7b9e520e519f137e0fa6e8e1fe5cf454dcd1183683cc2d8cefab2c594af64feb990
-
Filesize
1KB
MD5db878963c79a0affb405b88f58a433a7
SHA16524d17826151a6f7ab059b9275ceda250725ec7
SHA25624aae53cb7f926424cf6d4303cc41b4488415fd3dfc086c899a026bf56a1b9a3
SHA5122decf26c8141028510453c875dce0c4be1959a55b60cfdc16552e86ff076a709c80a22399872c2548ecd1f110f7eae8569c0b33a62119ffa586102b6f40af104
-
Filesize
1KB
MD5a83e75eb5e48f3d015fed40cac24382e
SHA11421607ab8a3c5422c60867adb167e5212ea2d52
SHA2562c937ac3261fce0d886d92a74bcd4f57ec1008ff8213cfe50f8369a0407098b1
SHA512816ed781d3c8e494bbed20b1f230beb2e54e8e83bde0120a02693417747c24b3a759138af1995c596fe1705c52a8a5c2d1201ae84478316f22cedfdf7fa06444
-
Filesize
1KB
MD5106da96c1b5514260f8c1df19bb33858
SHA13c6bdd173ec180c1dd3723ba3452232525eb08e5
SHA25605fbccb9738c4c356a4562d61ff36d119a96f6ea39925f17c8fb09dd7fc554c3
SHA512c2d1cb594df674fbb71fa995ce85e2db63a4c683c6586ff69c77ddce74e714380d178d163c10788f490fb7cb5cb585e54f1e88726d819c9d5fb1efdef1de4deb
-
Filesize
210KB
MD5e03a0056e75d3a5707ba199bc2ea701f
SHA1bf40ab316e65eb17a58e70a3f0ca8426f44f5bef
SHA2567826395127e791a883359ea81308174700da0af8052cc9853b19fd29c2e4badb
SHA512b0a3cfb6b34832f048fe0fc70c6fa76ae16a2cacda930f6529a83a967d6e8de1c69b93e0de3dc2126c5385d85e814687e695a0a4131399a69633141cad98da2a
-
Filesize
1.9MB
MD513a2734bb2249010514386ebc856b8da
SHA18f6e3b30f30a5bba9bc6baaf8f440e085a6a568a
SHA256713c21d009000d504d9bcf3ce95d50e74d3933083783de144db0a16e2425ebcc
SHA5122f108436fc1a03591802ff6b8c6ac1de1c0388b2a2a6f8839c10b5f0ec06b66775f261da4ace05fa367eb46b5be533949c092e113fe1270adedb9cb8c34ba2dd
-
Filesize
2.3MB
MD55d52ef45b6e5bf144307a84c2af1581b
SHA1414a899ec327d4a9daa53983544245b209f25142
SHA25626a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616
SHA512458f47c1e4ccf41edaacc57abb663ee77ca098fffc596fad941bbdea67653aeabc79b34d607078b9ee5adb45614e26f5c28a09e8faf9532081fdd5dec9ac3c48
-
Filesize
63KB
MD5d80c131cfac41ebffcb37141a81bb8a5
SHA1b7e9e91a1bf6ea800803d4c867978e2f053a53ee
SHA256d417b480d60126d193007db9a017755014d41643d0c00d121674a993ece8cc39
SHA5129946e71e465ac5c750447fb90be695463547ea2e44bdb060433bc5ef74f306883282adb9141139fbfb4b8079f959f650622cecd890fc9403455c8a6547228895
-
Filesize
436KB
MD598e59596edd9b888d906c5409e515803
SHA1b79d73967a2df21d00740bc77ccebda061b44ab6
SHA256a6ca13af74a64e4ab5ebb2d12b757cecf1a683cb9cd0ae7906db1b4b2c8a90c0
SHA512ba617227849d2eb3285395e2d1babfe01902be143144be895011f0389f1860d0d7f08c6bbc4d461384eba270f866cce3351f52af1dc9ef9719c677619de79e42
-
Filesize
944KB
MD55f111e4eb86d25ba882bba36ac24bfab
SHA16fd27994a0e0d1f689699ee4c47044084cc2ba64
SHA2561d85daa12a96bf69947394e184ae2619355819d2a53bdf480cb1d0549d9c58b9
SHA512ab1b15e963f6d7bfa9768292727f90750d0e9b06ae8f5faa09b272f8990262ce5bc916322a84b367a53648c2c21f53d9fbbfa9c503327812707fcd78da8f7e8e
-
Filesize
222KB
MD53cb8f7606940c9b51c45ebaeb84af728
SHA17f33a8b5f8f7210bd93b330c5e27a1e70b22f57b
SHA2562feec33d1e3f3d69c717f4528b8f7f5c030caae6fb37c2100cb0b5341367d053
SHA5127559cdf6c8dbea052242f3b8129979f7d2d283f84040f1d68ae10438548072715a56a5af88b8562aeea7143194e7c5bddac3fdb01ded411a0b1cac9f0c6eef3f
-
Filesize
208KB
MD50c8921bbcc37c6efd34faf44cf3b0cb5
SHA1dcfa71246157edcd09eecaf9d4c5e360b24b3e49
SHA256fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
SHA512ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108
-
Filesize
23.7MB
MD56808e35f810ae578e9148c359468f00a
SHA134f4f309846fb3672cb69fc57151957ea5e8a8f6
SHA2560e3dfb4fe522dafa197ff4b5561d86be7f5703b3cbd81e678941c198c0fc451d
SHA5126a2e8e887059c9524f1fd7c3b5aab80851c39d1248f8c0f6d0b7fd411f67bb4edc257b1a4a8439a7736b080570be7e45d14731c397f5c473318ee9a194d39ab1
-
Filesize
6KB
MD5a2018f6f8a442179f333530f8cc68c0e
SHA1812b7bb49f9467ca07b2584b9dee8e54e74c9668
SHA256198ce2b12eb1b9e5e91d2cb7bea9e62c48bba94eb3ce7b2d94b3f51ed70443f7
SHA512759498fe11c7398bb9f700291d7da89cdc984386df6aace6299af65259e31fd0ba64bde7ffd9ddf8c7478c0e555d408742c01f2dbd9ff471105caec73f4f9c7d
-
Filesize
2.0MB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
440KB
-
Filesize
1.9MB
-
Filesize
1.1MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
2.6MB
-
Filesize
72KB
-
Filesize
1.5MB
-
Filesize
228KB
-
Filesize
2.0MB
-
Filesize
1.9MB
-
Filesize
1.1MB
-
Filesize
440KB
-
Filesize
252KB
