Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15-11-2024 19:16
Static task
static1
Behavioral task
behavioral1
Sample
06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe
Resource
win7-20240903-en
General
-
Target
06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe
-
Size
981KB
-
MD5
5609198accfb2ccedb39e7755ed6a36c
-
SHA1
2bc0ee0e47c40a298038863338c4c07d7029d695
-
SHA256
06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f
-
SHA512
f49ad0d40d40f9073a90cabd73065c4d2ab9de0f340dd109196161ad8bcbd2f73917c5232ec752241231df6ce069e5a0503c844f522a3e7c49daa3ed66a290d3
-
SSDEEP
24576:IAZCJVAeo/UMV0w7KpWXPL8YKSdtJ/JVw6:mPOd8WIYKSdt5
Malware Config
Extracted
remcos
Host
oyo.work.gd:3142
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
vlc
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
pdf
-
mouse_option
false
-
mutex
jkm-I9KENP
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
ios
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2188 set thread context of 2896 2188 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 97 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2188 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 2188 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2188 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2896 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2188 wrote to memory of 2956 2188 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 96 PID 2188 wrote to memory of 2956 2188 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 96 PID 2188 wrote to memory of 2956 2188 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 96 PID 2188 wrote to memory of 2896 2188 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 97 PID 2188 wrote to memory of 2896 2188 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 97 PID 2188 wrote to memory of 2896 2188 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 97 PID 2188 wrote to memory of 2896 2188 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 97 PID 2188 wrote to memory of 2896 2188 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 97 PID 2188 wrote to memory of 2896 2188 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 97 PID 2188 wrote to memory of 2896 2188 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 97 PID 2188 wrote to memory of 2896 2188 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 97 PID 2188 wrote to memory of 2896 2188 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 97 PID 2188 wrote to memory of 2896 2188 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 97 PID 2188 wrote to memory of 2896 2188 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 97 PID 2188 wrote to memory of 2896 2188 06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe"C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe"C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe"2⤵PID:2956
-
-
C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe"C:\Users\Admin\AppData\Local\Temp\06d30761437ffb30ac9ac077bb3761b5e4c077f3b74f8ed3b7372e104dccf83f.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2896
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD51a81ecd7ffd8d42a3979cd0efa3c5b6b
SHA1b67035b395ba03d4013de2f582b8ab77f3588ac6
SHA256f2e9020741e9dce39169363135ef758696de6757e45bfdb4bf4a115637dfd995
SHA512573b9ef02e6dd7277a9fc32846ef57b96841be79f1c3573bb8579fb6748deb36ff7fb93637d03e919c3cdd5835d64cfacc78d4ee5a9f4aeb5dc267d0c47fc23e