Analysis
-
max time kernel
148s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15-11-2024 19:16
Static task
static1
Behavioral task
behavioral1
Sample
06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe
Resource
win7-20240903-en
General
-
Target
06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe
-
Size
981KB
-
MD5
5609198accfb2ccedb39e7755ed6a36c
-
SHA1
2bc0ee0e47c40a298038863338c4c07d7029d695
-
SHA256
06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f
-
SHA512
f49ad0d40d40f9073a90cabd73065c4d2ab9de0f340dd109196161ad8bcbd2f73917c5232ec752241231df6ce069e5a0503c844f522a3e7c49daa3ed66a290d3
-
SSDEEP
24576:IAZCJVAeo/UMV0w7KpWXPL8YKSdtJ/JVw6:mPOd8WIYKSdt5
Malware Config
Extracted
remcos
Host
oyo.work.gd:3142
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
vlc
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
pdf
-
mouse_option
false
-
mutex
jkm-I9KENP
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
ios
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2068 set thread context of 3060 2068 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3060 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 2068 wrote to memory of 3060 2068 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 30 PID 2068 wrote to memory of 3060 2068 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 30 PID 2068 wrote to memory of 3060 2068 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 30 PID 2068 wrote to memory of 3060 2068 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 30 PID 2068 wrote to memory of 3060 2068 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 30 PID 2068 wrote to memory of 3060 2068 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 30 PID 2068 wrote to memory of 3060 2068 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 30 PID 2068 wrote to memory of 3060 2068 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 30 PID 2068 wrote to memory of 3060 2068 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 30 PID 2068 wrote to memory of 3060 2068 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 30 PID 2068 wrote to memory of 3060 2068 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 30 PID 2068 wrote to memory of 3060 2068 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 30 PID 2068 wrote to memory of 3060 2068 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe"C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe"C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3060
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5000dee2561e80237f5356869c3a98d28
SHA1f380c5e8dc2134b78a0a20fa94daec14c8649004
SHA256122bcb5cd915baceb3254a5b789f717012109fa5def5efb8bd0c16aad0ad2d36
SHA5121c2e078ed4ad2505cdfd5cbb19cd35c5bf41d47da28e523a576298e575373c79740e9c3c9b7e8fe0cf2d14167dc1969863a6015ef923caa880ab72001dc757bc