Analysis
-
max time kernel
1s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-11-2024 10:20
General
-
Target
ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000.msi
-
Size
1.7MB
-
MD5
7c26877fcd894cc1355f2a31a551243c
-
SHA1
80104216da4cd3449eabf0e0de2bb3a5b2de85ca
-
SHA256
ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000
-
SHA512
a57a961a3339b105f9d5653b69269ed7aab952a4e16600426edee80d628a9ac62a13b5ea642ffd9765fdada7b0db5c5a85a21bc88c125be122bf3c4e89d0cfb8
-
SSDEEP
49152:BpRhaYJ+2/8yJ5OA4COg9lyp31X01clj+u1GTsF:BpDJ+2pgA4+6p31is+u1G4
Malware Config
Extracted
remcos
4.9.4 Pro
zip
rm.anonbaba.net:3393
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-RNN6CM
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Detected Nirsoft tools 6 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
-
Modifies file permissions 1 TTPs 2 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
Program crash 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 101D68DC2C127C67FD2558A2170228FC2⤵
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-1f986b52-ce7f-4bc9-91a6-82de893a67b4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\MW-1f986b52-ce7f-4bc9-91a6-82de893a67b4\files\task.exe"C:\Users\Admin\AppData\Local\Temp\MW-1f986b52-ce7f-4bc9-91a6-82de893a67b4\files\task.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\apps.bat" "4⤵
-
C:\Users\Admin\task.exe"task.exe"5⤵
-
C:\Users\Admin\task.exeC:\Users\Admin\task.exe6⤵
-
-
C:\Users\Admin\task.exeC:\Users\Admin\task.exe /stext "C:\Users\Admin\AppData\Local\Temp\punaawlbmbmzucqywwzilqchzylxw"6⤵
-
-
C:\Users\Admin\task.exeC:\Users\Admin\task.exe /stext "C:\Users\Admin\AppData\Local\Temp\swttaowuijeefimcfhubwcwyzevyywyo"6⤵
-
-
C:\Users\Admin\task.exeC:\Users\Admin\task.exe /stext "C:\Users\Admin\AppData\Local\Temp\cqyl"6⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 9484⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-1f986b52-ce7f-4bc9-91a6-82de893a67b4\files"3⤵
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-1f986b52-ce7f-4bc9-91a6-82de893a67b4\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2344 -ip 23441⤵
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD5719182e07998ae9226d45680aa1fe178
SHA18f8b03c110c129cb3a35841ed959de7a7266ffec
SHA2568f1d64c2c4dbb6ca892083e4b4a8bdb4585597e1269c218340c6b12517bb3dbe
SHA5122df474f0ac4d1ef93b14deda32c5476da130bc41f37c0a5cd0c271c990914613c3c788116a4b87d44876695f71e5a131847fdf96d609364c06cb2f5ed6ce76a3
-
Filesize
727B
MD528002d2c9820d1c41fd7bf3810cb8c85
SHA1acc03c1d657705616dd654086fc54e9fcaef37b8
SHA25684c9e00d5bdf6491a2320989d6c3b66814823d4b0905682b8386e33f7dae8974
SHA5129765b7e3fc6c69cad64ffc49dd3b2f72e593c1be7f0f549b1e8b5ded5f73da0540216e44195c0b057cc1aecce552180d68c007b2abf72a28c695eb70512c46ba
-
Filesize
727B
MD54f2f44acff5c280ecd26b5e7144aff24
SHA1d542052f27cf058cd2bd7d74e75deb8a009bb334
SHA256c9725747ce7f281ac09f3a2287a236369b00e99f310eb837c45b2b4f66b82030
SHA51233d4fcb341e625103b16af3f7b37f4fed5e8d56256980e341fff71356d1a1296192741b96be97de703d8f54af24e3438d0a514edb621ee6e42b1dc4d79089d45
-
Filesize
400B
MD55e29561d776aa27a2b52dd8470ce89e1
SHA16dec8a5d9f8acb859e82bc5b8355dde4291f5e7e
SHA256d697b27e8e4b5dda659c9c114a8f52bd0e28ba0b0b9d76e29264618db08a3cd7
SHA51217aa4446f7de94dcffc1627b65fc51f7a752aa629c379f55525b1c1ed926f0e9b176ccce15688daaa5b5c133935be1b60bfa6b57850d9f230f1e96736e938cda
-
Filesize
408B
MD52d940719a1b9e0219a64d986dc86e438
SHA177c4e9c153c2d6bcf9c6d456f39f9b00ad15666c
SHA25693ad876a645cbe481d17b6ced384d2cfc7cffa0fcd4f8dd1d426c0d3e266c66a
SHA51264863132f0dcf8d1e614221e64d9286dd4c72cfd1e3e7a018a96d22677d1d9c46e02eaca39c8390a8f65389dccc9083ea45a865f9e075560dd84f50674d9cc8d
-
Filesize
412B
MD59670ee48899d607f84eebbec61e23f72
SHA14fad2dc4dfaadcfeb644e6d1a93e50b126cf9dbf
SHA256c96ff28efaae9724650694497a0c208bb213da61db24e7191d553041fef49d64
SHA512a08ff7b6bb843859f06423309afe3f85b8b5002beeb424527a3c1e6f42d9ad37e8e6ab62e10eb98c70ca07af87ad4791d7d8976cf6af0e5cd786f1946139c353
-
Filesize
1.4MB
MD5240f5d10d0fdc6e3a73b6793e0ea260f
SHA1b6b7549b2c1a98fe88dea9f9fb462cb203647dbc
SHA2565afa0071f63b662d93ab35e8a9a6a44b8ad439c62160388690e5e5793cb2b2d4
SHA512faa0654a4359a90338905bcf627cb75d10d277ce8e2aafc07eca75ea887f54750b118042dd1e25e45c02706791ea5f5741202309928140789c319988e05f5029
-
Filesize
601KB
MD58522cf224cb875847762353c89d2dce2
SHA14947ef0a7b3da4972106a6a97fff8c03f9db6799
SHA2563dc24e9a42d9230f4c0db64bf11b9df544066c80c49b2aa66ce9a01ddb8c4088
SHA5128933f0add139fd10f452ad18bcc400ab288aebe5bf764da66eb332b9b97dc56f7aaab66fd396b0ca1bf3c29a1487255b562a97fdeffaacc142347a95cd503350
-
Filesize
741KB
MD58d9b3ca29d78cda545cf0a3131536f17
SHA1d823975e67320244f3f02a59e5d29b53e16a828b
SHA25697978ec89a58611cdeeffc623805c91966bf1d861395082804efe05302daf7cd
SHA512287799d662bf3f113aab8009503afe7306f489b7fdad69ceffb190c9757412e00f6d3eedf5d5254d90319b27577d9567dc4b67860dc0148e249c042575f4dc0d
-
Filesize
603KB
MD5fc284eee599385a7ae9f098d123e983f
SHA1acaa1c92d85afd92184d49592aed3aeab6ad2ded
SHA25616414419a8248a4a55c05859c467d1fafc298694f3f71916261fe2e08ebf4abd
SHA512c2538a98de60aeddb72cb14513ecce3493f04e94135182af658d3fc6425ad890560945efb02c956b11aa10606c95e7cb286e73c0d27e71f2b17d3494506e7123
-
Filesize
39KB
MD5f1b14f71252de9ac763dbfbfbfc8c2dc
SHA1dcc2dcb26c1649887f1d5ae557a000b5fe34bb98
SHA256796ea1d27ed5825e300c3c9505a87b2445886623235f3e41258de90ba1604cd5
SHA512636a32fb8a88a542783aa57fe047b6bca47b2bd23b41b3902671c4e9036c6dbb97576be27fd2395a988653e6b63714277873e077519b4a06cdc5f63d3c4224e0
-
Filesize
1.2MB
MD56406cce810c8aaa887ca6b8e004776d2
SHA11698d3d12341f3824e14f4dae75300eea9670797
SHA256fbfde6f43c30f454b07dbd2fdcd83685ae0016227f5489c13ccb510a0cff00a6
SHA5123cd6f24c1892abd1b12a02dac5ab53e2afe1c68bc366d1ddb26df1e56312da7ff5caca255e78cb61e3fcbbed21cd03fb8909c61302af4dbcdda7ad37eac73ffa
-
Filesize
1KB
MD5bc336144f9d36c7b55d91ce3a892e301
SHA1abc662227954e27bb8d3af16bccffc0be73106fd
SHA2565d85eec78accbba376a0847a7037a8d8f5ade5ad4413e8d7213835b3415919bc
SHA512b8ba3a162b929ae22199ed383c8616557cd6641a7e91ee56395d6673a15252f5b87eb1cb541cf37577f11621e06b2214f1e7a03aaa7073a189b5dbae0726cac2
-
Filesize
4KB
MD579f35c7500a5cc739c1974804710441f
SHA124fdf1fa45049fc1a83925c45357bc3058bad060
SHA256897101ed9da25ab0f10e8ad1aeb8dabc3282ccfdb6d3171dbac758117b8731f4
SHA51203281e8abecff4e7d1f563596a4fd2513e016b7fbf011a455141460f9448d00b4a4666d2036cb448a8ac9a6feebeb51b366289ffa2ee5524a062fe8869aec61e
-
Filesize
70B
MD5f8abf91d350d39ff1a48934b88624291
SHA188ef29fd18441c628a43925a8b32535d39e07979
SHA2565b4e3e3f739b1ae3cd907a0abe9d5aaf51455551f69f9da57e668f749584efd6
SHA5123c572c7415fbc8ee5f976ac9b6cce43c901174777c859e9461451676bd5158e940e0bd173d83d980958295cb9daacc489f0d596d98e93f71cb81d2603f037876
-
Filesize
471KB
MD51cb29ef9003e93f65b93ce8b8b7c24dd
SHA19be4aa7ab2e4c71dc70d03af435330c6bfb5c470
SHA2569be5145baeb34d733af9a7fa55139a4917ef080d777ac8ec7f5e8b42620605e6
SHA512259efb3fe2842908dcf4e4950da40dbdc6803ddf0dd5ba6716486cb715f356068a94e066ceefd4ed42d949787d6fc9190483c799add5d08620e16b4bc00bba3c
-
Filesize
208KB
MD50c8921bbcc37c6efd34faf44cf3b0cb5
SHA1dcfa71246157edcd09eecaf9d4c5e360b24b3e49
SHA256fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
SHA512ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108
-
Filesize
1.7MB
MD57c26877fcd894cc1355f2a31a551243c
SHA180104216da4cd3449eabf0e0de2bb3a5b2de85ca
SHA256ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000
SHA512a57a961a3339b105f9d5653b69269ed7aab952a4e16600426edee80d628a9ac62a13b5ea642ffd9765fdada7b0db5c5a85a21bc88c125be122bf3c4e89d0cfb8
-
Filesize
22.9MB
MD57d6c3139cccaa62130f7b2170fe991c1
SHA1314638d61561e3d5a43843c70793a6d0c6d4012a
SHA256867834bdbd9dc494d72455952847a765351691295878dd8ec1da87ebfc5c0de2
SHA512bd71f1236d6ac780b8ac95280dd7693ab68f771c88fe226345f49507696ade5f6a393b3fd5ebb260149355aafec2a0a7e20238fc4ec1e5e8e44b7273bdf6c81f
-
Filesize
6KB
MD55053949cc773a7e09ba4d97593746cc7
SHA1ac679d09889eb8374cba2664b79b2b491295666c
SHA2564518172c138aee0fea4ecf94fab41408f7ce0ae7a9fb74e31acfa206399fddf2
SHA512fdfa2d576098d968e3aede9e5c24825bf83115b5c43bb02da70c362ac432b294e0b9a237071cc1a4cfe492a1c7915c2230b4b4c17cd591dad0fd5a8d801fac02
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
2.0MB
-
Filesize
2.1MB
-
Filesize
40KB
-
Filesize
4.0MB
-
Filesize
504KB
-
Filesize
624KB
-
Filesize
736KB
-
Filesize
2.1MB
-
Filesize
516KB
-
Filesize
2.0MB
-
Filesize
4.0MB
-
Filesize
516KB
-
Filesize
4.0MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
504KB
-
Filesize
512KB
-
Filesize
100KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
100KB
-
Filesize
512KB
-
Filesize
100KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB