Analysis
-
max time kernel
232s -
max time network
248s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
28-09-2024 20:30
General
-
Target
Remcos v5.1.3 Light.exe
-
Size
38.4MB
-
MD5
1a787dacd4ac908241f677303af69d6f
-
SHA1
fa57edb0b2e21e8a55602cb96809efcfcfee65c1
-
SHA256
4098c759068a197e9b5236af09fc8344da2d0d8d8a3fd4c17824160b1afea5a0
-
SHA512
a6d0a770e9c425fa9f28a99e81a4f630c362692b9c4c623963871b2de992f5e10c035e1d23e1e8dbcd729777fa630801bf4998f7d83d245d353470353d71b650
-
SSDEEP
786432:WIXQNSBAVi1Bs2DuYr3jxkQNk58issVWhJDS3IWgrAfUPE+szJFjU:WIXQgAVi1eQ3jnm8ihADnrAuE3HA
Malware Config
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Loads dropped DLL 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 33 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Remcos v5.1.3 Light.exe"C:\Users\Admin\AppData\Local\Temp\Remcos v5.1.3 Light.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6a09758,0x7fef6a09768,0x7fef6a097782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1292,i,17624436935554059346,1797566202431008479,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1292,i,17624436935554059346,1797566202431008479,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1292,i,17624436935554059346,1797566202431008479,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2140 --field-trial-handle=1292,i,17624436935554059346,1797566202431008479,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2152 --field-trial-handle=1292,i,17624436935554059346,1797566202431008479,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=992 --field-trial-handle=1292,i,17624436935554059346,1797566202431008479,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1448 --field-trial-handle=1292,i,17624436935554059346,1797566202431008479,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3424 --field-trial-handle=1292,i,17624436935554059346,1797566202431008479,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3576 --field-trial-handle=1292,i,17624436935554059346,1797566202431008479,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3436 --field-trial-handle=1292,i,17624436935554059346,1797566202431008479,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3996 --field-trial-handle=1292,i,17624436935554059346,1797566202431008479,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3416 --field-trial-handle=1292,i,17624436935554059346,1797566202431008479,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3424 --field-trial-handle=1292,i,17624436935554059346,1797566202431008479,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2208 --field-trial-handle=1292,i,17624436935554059346,1797566202431008479,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3496 --field-trial-handle=1292,i,17624436935554059346,1797566202431008479,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4192 --field-trial-handle=1292,i,17624436935554059346,1797566202431008479,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Desktop\remcos_a.exe"C:\Users\Admin\Desktop\remcos_a.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 2002⤵
- Program crash
-
-
C:\Users\Admin\Desktop\remcos_a.exe"C:\Users\Admin\Desktop\remcos_a.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 2002⤵
- Program crash
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD55faf349c82beb05bbde1ff1dc3aec1df
SHA1a3ee11cdade5da26f29fbd2a0aa33d5fb3f2c479
SHA256c4a9d2273f3a7a8e39921db3ceeceea260a31466c0e91cb9ad822c53eadbe496
SHA51298d36276c3480c760b94d99748b317f947e292b5b8dd564bcf3d29be685d5676e21142bd97482639155de708acc08aa1ee95b8a7383357dd67414aa7551b7454
-
Filesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
361B
MD53138ec28dc91c6fb42b2a6c15f02b4a3
SHA111facaf66f91a24b87f24129e36950c5ed79c104
SHA25669703baf659d2794966ee4f9541fb394901875425a5816bcf29c82d88e596794
SHA51211f2768c17d648377bbd247d6ccaa1149cf80e86ac48df2f3aab2cfdd3c1dc279b26ccce6fb837f4015622ed6f50dc4d5f9063e55c1b32b9fbe281d2af78aa0c
-
Filesize
5KB
MD5d8b80653407b772ab8b15dfba045958d
SHA162682001da9add2dfe4ae8ff544384202595e0d3
SHA25673efc2eb72dcce31708f24d80e1d4e211efd5448c4dcd89f1f63643b646fa46b
SHA5122812bfce2bfec10608ec9e0b98afbe96ccf1c2593e8f1293e902824e59cb6c13341ca2f6eb75c0f8dd52af26c38454d5b32cb30ba7248577dc272c9a291e71c7
-
Filesize
6KB
MD5325af5dbadc0fa84723355cc46d13f46
SHA163a58f6184e6b41e24541c23f1e0627f1ada2cde
SHA256b290867a507086b99dccbb1b6957642d13363c0929cdc64afafd7eb2e677d98b
SHA512668ffb2c7849d324d864b8e1bf33d187b3a84abe2d1ab5ee7b927695aa979542f578e8714fc4f0fcd5f536c1a359f438a4ee272271c472d0b0c593cc7d35fe01
-
Filesize
6KB
MD56f63d1cd1bf623920bdffa0c18c3b684
SHA19d24fd9bbe846eaed75436dea7d604197e19ceed
SHA2561de4fb3e2b87a8e164ac02c3dbf4329c1994e61897fa4e992087adb01f18f044
SHA512c3625e06ed57b183b5558015e2a692d7ccb2352b4491e1e775ac0e4d73f34a5bcca6d37e4236847da9925d89cb7828a48b8e7f782f880c1964bbb8004c88e4d5
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
398B
MD587b2d9f287e386304071ab0367b2f162
SHA1e1cc7002d96913fa2d9bda2fe23a136fbf6dba43
SHA256d50671403045ef77352966fdc83b71505b42a89efb791a0e9a27b3fc1033da86
SHA512f154757d2cf08a9321fa00b7a6eb8728d20e12d3370d9b647e58757bf7d797950ac453da712718e181e4628b38adfb91bd3544c671f11c02bfce344196a9f4ce
-
Filesize
52B
MD5dca2d32862d2ebf0898cf7ec52236857
SHA153f7b4bc516a86e07f3987f13902124b883d5f0d
SHA2566a9d5617021b27db458a4e61248d12a1231d36ec319a2ff793a7d703f679936b
SHA5128b54c9f0c7ea90e00feeff797f98164402d7e7163313e8d873dfd449c05c453eacf68baea3e574c101104a3837da966be16e0ea9bdbb24b152385643913b6a67
-
Filesize
73B
MD51b3e506805675892022bde3eae257e8e
SHA1633743fa461c166d0e5f9bde0a963b6fc45b14a5
SHA256fe07c59702ab1e3e1a85e86ceb6e284257b2e56facffc02c7ffe63d1ddb5a3db
SHA512fcadd018d0e427fa0ce769942d767356a2f18448265213a979b8bd99ae30944720d15c6f0c463a462927777ea028328f36aa32bf1e3105ab0e829425f2c5fef2
-
Filesize
1KB
MD5c16d287afb5de93230c1d227ea46e916
SHA1bdd32b7089725627e291c3a6936a99cbd7805ee1
SHA256a5c58be5dd574400622fe42269a59b44c23b403c5ea32b102de6ba5821d5f5f2
SHA512a0b8c49172ca54dd6b2db072c94652697d077b82d553854332a8befc9b36a85ce42d4e31c3ae97413e7436179cb0282f8691ccc02bf9ce1086d88325caf9a3f8
-
Filesize
428KB
MD5db6fb88fbbcc89cd8914367351b876ec
SHA1cb1eb714d5cc7086ebf5cf3cc832103bf6794983
SHA256ca6d466c2d7949486b741f095229702ff701d36f69deea68f41bd1bede305a75
SHA51210e38f803fd5eab2a874203ed5cb5dfe0c8f4b23f066b4a2a0aeac16830807d67ef674ab426b6949a3cd492206236bb98185362e2ce44b69fb0d3b19f9b30725
-
Filesize
1.3MB
MD5fa5def992198121d4bb5ff3bde39fdc9
SHA1f684152c245cc708fbaf4d1c0472d783b26c5b18
SHA2565264a4a478383f501961f2bd9beb1f77a43a487b76090561bba2cbfe951e5305
SHA5124589382a71cd3a577b83bab4a0209e72e02f603e7da6ef3175b6a74bd958e70a891091dbdff4be0725baca2d665470594b03f074983b3ed3242e5cd04783fdba
-
Filesize
330KB
MD52117e31688aef8ecf267978265bfcdcd
SHA1e8c3cfd65ed7947f23b1bb0b66185e1e73913cfc
SHA2560a4031ab00664cc5e202c8731798800f0475ef76800122cebd71d249655d725f
SHA512dd03899429c2d542558e30c84a076d7e5dbde5128495954093a7031854c1df68f8ff8eca4c791144937288b084dd261fbe090c4ff9a3e0768e26f0616b474eca
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
97.6MB
-
Filesize
97.6MB
-
Filesize
97.6MB
-
Filesize
97.6MB
-
Filesize
97.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.2MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
97.6MB