Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
29/09/2024, 01:01
General
-
Target
0984e42839cc75fe48ca906427500500697573111e8d773273e9834f1d545b12.msi
-
Size
4.0MB
-
MD5
cd09dc91948dee9022ab3d5f4be68ff5
-
SHA1
3efbfcda662ae28e2d2efb78447625b40321e889
-
SHA256
0984e42839cc75fe48ca906427500500697573111e8d773273e9834f1d545b12
-
SHA512
23997e1983d3c82664344ff25102b5adedf290b2246a2e0f98bbd8db22eb684aca50df4c76b382815f2a7cd9bb896b75ea5a441225ef36a00df5b7b955466806
-
SSDEEP
49152:kpRh65S/++y9Scu52FCLd5IW5FSL6QPh7AOxr6cWmxq0DgPIFIMO/aOL/hgXMYJP:kpCV96gCTMXxrLlxq0cPVZi2kMYJo2
Malware Config
Extracted
remcos
BACKUP_PIP
heavytank21gh.com:4422
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
info.dat
-
keylog_flag
false
-
keylog_folder
tmpdata
-
mouse_option
false
-
mutex
aujifbh8123-1M56R1
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Modifies file permissions 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 11 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 19 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0984e42839cc75fe48ca906427500500697573111e8d773273e9834f1d545b12.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D792A3F0E6ED34C438E3C6377FB0E4A22⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-4bb4954a-e158-449f-a06f-4d5403e39ece\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MW-4bb4954a-e158-449f-a06f-4d5403e39ece\files\AsmBasic.cmd" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c xcopy /s "C:\Users\Admin\AppData\Local\Temp\MW-4bb4954a-e158-449f-a06f-4d5403e39ece\files" /d C:\Users\Admin\AppData\Roaming\microsoft4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\xcopy.exexcopy /s "C:\Users\Admin\AppData\Local\Temp\MW-4bb4954a-e158-449f-a06f-4d5403e39ece\files" /d C:\Users\Admin\AppData\Roaming\microsoft5⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\DPMHelper.exeC:\Users\Admin\AppData\Roaming\Microsoft\DPMHelper.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\streamService_beta\DPMHelper.exeC:\Users\Admin\AppData\Local\streamService_beta\DPMHelper.exe5⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-4bb4954a-e158-449f-a06f-4d5403e39ece\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD59f2ab45f7587611e63259cf0f106eef6
SHA1777b4623a44cf6daf8078b94b219d8474c7f4d47
SHA25626f5f242bbca9378d90ae7e06b88390c2458c08ebcef6e6fc1b72f494b812f07
SHA5126765a263c768697e54025a0173d8d4a4788ee28fdf93a0cfbfa91ffedd8b169cc674a5502cc239db37f54c758fdb88a64a12f6a10bf5a51108e53a17043f6eaf
-
Filesize
3.7MB
MD58dbedeff4ffdd64aefed6aa0df5a0160
SHA1c17ac807b0199c807a50bb81176ef11e5a3c90b1
SHA256c5d62ccb11c31414e1eceb2d5b8e2a7b2bd47eee8b4e2da3c58c2deaa90ae3d5
SHA512ba45ab9a4ba6bcf4f2a5cf343e4206a53dbceb6bf3aa0dab2abdc205b4fb31a5613a403035c26727fa5be4b107fd4460472c11764045e7c147896ed988044816
-
Filesize
92B
MD51913912c73e6a4617365fe6c34b6b45b
SHA18e5d80bf5b935bf084b2b7a287afcf722e105e11
SHA256f6667770a1df12ae0780ff6b55188dbd95d465d093867824343e858dd66168ae
SHA512daf4a913d237b82872bbd55e96db8dafac60a4a85c5eb225100b321d6c11810e1c22e03ed4b30e0e0fe257191c97e3d74b764a7780f3e3061f167e2010a538aa
-
Filesize
2.3MB
MD55d52ef45b6e5bf144307a84c2af1581b
SHA1414a899ec327d4a9daa53983544245b209f25142
SHA25626a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616
SHA512458f47c1e4ccf41edaacc57abb663ee77ca098fffc596fad941bbdea67653aeabc79b34d607078b9ee5adb45614e26f5c28a09e8faf9532081fdd5dec9ac3c48
-
Filesize
2.0MB
MD53c06138c0e9b9706281dea5b5037bfbb
SHA1608a2ee6adf4c3ccfb3ea25edf393f5745cb7b57
SHA25682f93f71f45c1d2ea20697d01d3f5ae50761942a956384e217ba898efa63ec47
SHA512bf1f360f99f0f38ef66d97d42ba689936b22c38e092533e14723974ab2f2b9ffac61446400f3379f97c7edd982c6cec62400670682855ef5482d3bcf6c567131
-
Filesize
210KB
MD5e03a0056e75d3a5707ba199bc2ea701f
SHA1bf40ab316e65eb17a58e70a3f0ca8426f44f5bef
SHA2567826395127e791a883359ea81308174700da0af8052cc9853b19fd29c2e4badb
SHA512b0a3cfb6b34832f048fe0fc70c6fa76ae16a2cacda930f6529a83a967d6e8de1c69b93e0de3dc2126c5385d85e814687e695a0a4131399a69633141cad98da2a
-
Filesize
222KB
MD53cb8f7606940c9b51c45ebaeb84af728
SHA17f33a8b5f8f7210bd93b330c5e27a1e70b22f57b
SHA2562feec33d1e3f3d69c717f4528b8f7f5c030caae6fb37c2100cb0b5341367d053
SHA5127559cdf6c8dbea052242f3b8129979f7d2d283f84040f1d68ae10438548072715a56a5af88b8562aeea7143194e7c5bddac3fdb01ded411a0b1cac9f0c6eef3f
-
Filesize
392B
MD5b8ad92a7759b41da4f74767249361d19
SHA1bbede1bba7c389a26a805469cba748e20bb10489
SHA25601be65ad70ff95974364d138f34e346b1ac2c4446fa9156f9ee604b686f4550d
SHA5123f29b18d3e9c7e56be25d1f549dcdc239091540cb592affb8fe74fc2e1f23af0036dce1688c87a74f4d4a78ce3360ca12489869677f1fb51304423256cf4489c
-
Filesize
1KB
MD5438a36f4ae3239af0f14ffd08df21212
SHA16e0961616ecb757aee1684cf64ac774a43f2f8a6
SHA2561ccae6dbba0c4d3b103038643b6eb0572389a4f35d4019967db8e4751d0cfaa2
SHA512e60bf5ee9e6650c5e276613b6350821c096abefdbe6f713264975c3688d5ea2dc89172c187c4c1952b8122632dfb8ddbf26e7b669146d0e8c0e15ff5146574d8
-
Filesize
1KB
MD55aedc8919866dc629b8968e929855668
SHA1f11db8cd5c843aaaf82ef07abd8aeb9287c0a748
SHA2568100e5f5fd6ab3feadde7b846a262f7a9350e0d238f079cd24fd27cba8de0767
SHA512be868d0be4aee97623b6e0b700b1762d08f832236d36d9f0b7ecae2295486df321bfbe3c2d1b6b40814e0129fa26a56135b514ec5e4930e52c377afea92ae570
-
Filesize
1KB
MD55c70a74afa2171e6a3f203c093bc125c
SHA12b1a3cdf8983e0316e61a3338fc69cc631f1a02b
SHA2567022fda078d0b427cd3ee8d0d44b289a3a39a882ac8db90bbaeafbef8966223b
SHA512f7d30a5b0b214e7e724adaeafeeb3cec693ef378b96b36289be273ca8e79ef1da0b443bb716188ae0431744de955e0cd9ab376c76edc357f414f0dfb20ea4605
-
Filesize
1.2MB
MD51278dec111041b6e4aadf285c6e840c4
SHA1f18c1632fdf6ce922131b658b5d89905d5d21359
SHA2562a334c730667b7bd97e013e9ce350032ef60e239cce3cd3cdc83ce0313273fe1
SHA512f80c27973fb42f91fe589138d6b8d2fa48c711b393fb65b7344d511adc7c07347b57a3bcb5cca0cef800753aa250fa9d523eebc0aa300783378175b7c93e4d04
-
Filesize
436KB
MD598e59596edd9b888d906c5409e515803
SHA1b79d73967a2df21d00740bc77ccebda061b44ab6
SHA256a6ca13af74a64e4ab5ebb2d12b757cecf1a683cb9cd0ae7906db1b4b2c8a90c0
SHA512ba617227849d2eb3285395e2d1babfe01902be143144be895011f0389f1860d0d7f08c6bbc4d461384eba270f866cce3351f52af1dc9ef9719c677619de79e42
-
Filesize
1.1MB
MD51681f93e11a7ed23612a55bcef7f1023
SHA19b378bbdb287ebd7596944bce36b6156caa9ff7d
SHA2567ed5369fcf0283ea18974c43dbff80e6006b155b76da7c72fa9619eb03f54cef
SHA512726e8f58648a6abaf1f2d5bebcf28c1d8320551a3b6e7eef0cf8d99f9ef941e30e7004c24c98e9b5e931a86128d26de7decba202390665a005e972dcbe87ab93
-
Filesize
1.9MB
MD513a2734bb2249010514386ebc856b8da
SHA18f6e3b30f30a5bba9bc6baaf8f440e085a6a568a
SHA256713c21d009000d504d9bcf3ce95d50e74d3933083783de144db0a16e2425ebcc
SHA5122f108436fc1a03591802ff6b8c6ac1de1c0388b2a2a6f8839c10b5f0ec06b66775f261da4ace05fa367eb46b5be533949c092e113fe1270adedb9cb8c34ba2dd
-
Filesize
63KB
MD5d80c131cfac41ebffcb37141a81bb8a5
SHA1b7e9e91a1bf6ea800803d4c867978e2f053a53ee
SHA256d417b480d60126d193007db9a017755014d41643d0c00d121674a993ece8cc39
SHA5129946e71e465ac5c750447fb90be695463547ea2e44bdb060433bc5ef74f306883282adb9141139fbfb4b8079f959f650622cecd890fc9403455c8a6547228895
-
Filesize
944KB
MD55f111e4eb86d25ba882bba36ac24bfab
SHA16fd27994a0e0d1f689699ee4c47044084cc2ba64
SHA2561d85daa12a96bf69947394e184ae2619355819d2a53bdf480cb1d0549d9c58b9
SHA512ab1b15e963f6d7bfa9768292727f90750d0e9b06ae8f5faa09b272f8990262ce5bc916322a84b367a53648c2c21f53d9fbbfa9c503327812707fcd78da8f7e8e
-
Filesize
208KB
MD50c8921bbcc37c6efd34faf44cf3b0cb5
SHA1dcfa71246157edcd09eecaf9d4c5e360b24b3e49
SHA256fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
SHA512ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108
-
Filesize
23.7MB
MD541aca22ceaab5f9c0bfc0f033670f841
SHA1dc9ab489f45c5016ee67f565449f2b980c93e365
SHA2568a3378c1f578fa7fbd0b2f3c4c9432fe9849e48a80ef0aab91fae8361152a3fd
SHA5123c713140df405423e798fa241a7023f36285437d0c2cf93dde494d24f3c5aa68dad30cfce7893c4ae729c9b04ca766dab9ae878820312fec652cb6efd7a5e1e4
-
Filesize
6KB
MD54a3cbc08fc07dbd752f908b812a5fdcd
SHA162fa41d026c7827b0f033527d9b80d616ab0bbb9
SHA256e5a52c51836b3f3adb0d0e8102656ee306ee93b02e0cbf075af492d62323f201
SHA512467b52dc7ff8f89c2a04ef6698de9375a856fe84d248b680acb8bb9d8a67e0ba459b703af4467fed7e607fe6c108dd4a9131a0047fd667d8c980d3772e5163ba
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
440KB
-
Filesize
1.1MB
-
Filesize
1.9MB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
2.0MB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
2.6MB
-
Filesize
1.1MB
-
Filesize
440KB
-
Filesize
72KB
-
Filesize
1.9MB
-
Filesize
228KB
-
Filesize
252KB
-
Filesize
2.0MB
