Analysis
max time kernel: 149s
max time network: 148s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 14-10-2024 09:30
Static task: static1
Behavioral task: behavioral1 (Sample: Quote.exe; Resource: win7-20241010-en)
Behavioral task: behavioral2 (Sample: Quote.exe; Resource: win10v2004-20241007-en)
General
Target: Quote.exe
Size: 1.6MB
MD5: 73da95db4e2d451af39f2e3d0d102836
SHA1: 9d387a0f9f90686439406f1cc96a0eb3511a88b4
SHA256: f8e8e8ee70d44b81dcb14b4e94163846c315c2d45ecb5a3888fd6db8a2e20714
SHA512: a83f9aad5aa9b853b3674d628de1aab7d714191627c64779243954e5643c1f1565fdf4943e4ed3bed1f85046cf1b8eb86c3d0e5db3d4e81397db24f8076a7f57
SSDEEP: 24576:ffmMv6Ckr7Mny5QLYXROlErRU3BobqTxRLGutJ3lzpHax8CS1/rW+9tMeOW0SYoq:f3v+7/5QLYkuYoGTxp6xe/rWuM89I
Malware Config
Extracted: remcos
RemoteHost: www.projectusf.com:2404
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: gfh
mouse_option: false
mutex: Rmc-J91LMC
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quote.vbs | Quote.exe
Executes dropped EXE (1 IoC)
  pid | Process
  684 | Quote.exe
Loads dropped DLL (1 IoC)
  pid | Process
  388 | Quote.exe
AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral1/files/0x000700000001921f-4.dat | autoit_exe
Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 684 set thread context of 2452 | 684 | Quote.exe | 32
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Quote.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Quote.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  684 | Quote.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2452 | svchost.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 388 wrote to memory of 684 | 388 | Quote.exe | 31
  PID 388 wrote to memory of 684 | 388 | Quote.exe | 31
  PID 388 wrote to memory of 684 | 388 | Quote.exe | 31
  PID 388 wrote to memory of 684 | 388 | Quote.exe | 31
  PID 684 wrote to memory of 2452 | 684 | Quote.exe | 32
  PID 684 wrote to memory of 2452 | 684 | Quote.exe | 32
  PID 684 wrote to memory of 2452 | 684 | Quote.exe | 32
  PID 684 wrote to memory of 2452 | 684 | Quote.exe | 32
  PID 684 wrote to memory of 2452 | 684 | Quote.exe | 32
Processes
C:\Users\Admin\AppData\Local\Temp\Quote.exe (PID: 388)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quote.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\directory\Quote.exe (PID: 684)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Quote.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe (PID: 2452)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Quote.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 144B
MD5: 4cd67f0e5a07e841c1f5af29e51153fb
SHA1: 4cf22fb35227697eb874e0f23f88b5286e31542e
SHA256: 9823bc4f75905348ce300ee18d5c8204648053a0b45b97beb2beb61729efb314
SHA512: 0b108e810ad0a528614f4617948d1d7707f5e0fe66ffed0939c86f1e6d132622c0db3b70a607bf592c88d038d566ad9a31c78713c88a681a15e5b4ee051e3146

Filesize: 1.6MB
MD5: 73da95db4e2d451af39f2e3d0d102836
SHA1: 9d387a0f9f90686439406f1cc96a0eb3511a88b4
SHA256: f8e8e8ee70d44b81dcb14b4e94163846c315c2d45ecb5a3888fd6db8a2e20714
SHA512: a83f9aad5aa9b853b3674d628de1aab7d714191627c64779243954e5643c1f1565fdf4943e4ed3bed1f85046cf1b8eb86c3d0e5db3d4e81397db24f8076a7f57