Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23/10/2024, 08:27
General
-
Target
militaryrespondpro/militaryrespondpro.exe
-
Size
7.5MB
-
MD5
74538bcd359192ab8a3f3f1bf4e84adb
-
SHA1
a20254ff13d8c9eda8569c8b9ce94328c4f8b924
-
SHA256
0bb66047b9a8fc0ad9312c27166c507b82be23e28441be00b0e09b010068bdb6
-
SHA512
47ef3fd2ddb6f0befdbfe2525b6062c8c4408cb0602cd0e1085b441fd9a94ec6a8884595bba9f2faa63a15e2db232d11f192aab2777ea0a7b72034abc589134d
-
SSDEEP
196608:lSPQZgEkukO0V2ODNDwcv4RMcpBrcA0M5XgkOClcfWJTl:lSqDo12XMcBrclnkOCln
Malware Config
Extracted
remcos
build
193.29.13.204:5850
-
audio_folder
??????????? ??????
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
sys.dat
-
keylog_flag
false
-
keylog_folder
syslogs
-
keylog_path
%WinDir%
-
mouse_option
false
-
mutex
34534534534ffffsdfd-IPKJ16
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
?????????
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\militaryrespondpro\militaryrespondpro.exe"C:\Users\Admin\AppData\Local\Temp\militaryrespondpro\militaryrespondpro.exe"2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\militaryrespond.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\militaryrespond.exe3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\militaryrespond.exe"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\militaryrespond.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.6MB
MD5e53cdd984882793c93d3e9a9822b4a10
SHA12767df7cea3b973476902cc74ccee829e5a4cbd9
SHA25637e7b15bd9b8ace5fd0e0a61b942748c772c8892d4ea1a4b4769ee72a9021636
SHA51284ebc1ac7ebb77c74c0d6d473482f1150128d817541ff771c466e0857894fb6839ed4b94bd7b4cdf11772e11556fa8311080ddbac84b0d588f5ef91b708c679d
-
Filesize
144B
MD5e0d3db91d571d6892d9c3a44fad10d25
SHA1bdd7b2ab1e5b3aef38d74ba8df0c123439b4acb3
SHA2563d59a01b3bacc23a8be192f1247e4380b653a61b483e0647d8afc35f40917ddc
SHA5127f6a95ea9cd55c43cbb9b5a960c5430bc6e09275651611e8357d4ffe05b6f34cfc9ad45000df718e8fcd90e285bcbc7ed59424e1d3a5269c7c0ed33a96e53c5c
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
4KB
-
Filesize
7.6MB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
1.1MB
-
Filesize
5.6MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
7.7MB
-
Filesize
608KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
336KB
-
Filesize
7.7MB