Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-11-2024 10:40
General
-
Target
ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000.msi
-
Size
1.7MB
-
MD5
7c26877fcd894cc1355f2a31a551243c
-
SHA1
80104216da4cd3449eabf0e0de2bb3a5b2de85ca
-
SHA256
ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000
-
SHA512
a57a961a3339b105f9d5653b69269ed7aab952a4e16600426edee80d628a9ac62a13b5ea642ffd9765fdada7b0db5c5a85a21bc88c125be122bf3c4e89d0cfb8
-
SSDEEP
49152:BpRhaYJ+2/8yJ5OA4COg9lyp31X01clj+u1GTsF:BpDJ+2pgA4+6p31is+u1G4
Malware Config
Extracted
remcos
4.9.4 Pro
zip
rm.anonbaba.net:3393
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-RNN6CM
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Detected Nirsoft tools 8 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
-
Modifies file permissions 1 TTPs 2 IoCs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Windows directory 9 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
Program crash 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 19A8AEE35B5E4E5EC3B116BDDFF765672⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-289d497b-8f8c-4a19-a25c-64726e03823b\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MW-289d497b-8f8c-4a19-a25c-64726e03823b\files\task.exe"C:\Users\Admin\AppData\Local\Temp\MW-289d497b-8f8c-4a19-a25c-64726e03823b\files\task.exe"3⤵
- Adds Run key to start application
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\apps.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\task.exe"task.exe"5⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\task.exeC:\Users\Admin\task.exe /stext "C:\Users\Admin\AppData\Local\Temp\tahdjtlicxyjfniugfwlmzuxs"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\task.exeC:\Users\Admin\task.exe /stext "C:\Users\Admin\AppData\Local\Temp\ddmojmvkpfqwqtegpqjnxmgnaziw"6⤵
- Accesses Microsoft Outlook accounts
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\task.exeC:\Users\Admin\task.exe /stext "C:\Users\Admin\AppData\Local\Temp\oxshcegddnibsiskhaeoarbwjnafkqv"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\task.exeC:\Users\Admin\task.exe6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 2844⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-289d497b-8f8c-4a19-a25c-64726e03823b\files"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-289d497b-8f8c-4a19-a25c-64726e03823b\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2084 -ip 20841⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Installer Packages
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Installer Packages
1Defense Evasion
File and Directory Permissions Modification
1Modify Registry
1System Binary Proxy Execution
1Msiexec
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD5719182e07998ae9226d45680aa1fe178
SHA18f8b03c110c129cb3a35841ed959de7a7266ffec
SHA2568f1d64c2c4dbb6ca892083e4b4a8bdb4585597e1269c218340c6b12517bb3dbe
SHA5122df474f0ac4d1ef93b14deda32c5476da130bc41f37c0a5cd0c271c990914613c3c788116a4b87d44876695f71e5a131847fdf96d609364c06cb2f5ed6ce76a3
-
Filesize
727B
MD528002d2c9820d1c41fd7bf3810cb8c85
SHA1acc03c1d657705616dd654086fc54e9fcaef37b8
SHA25684c9e00d5bdf6491a2320989d6c3b66814823d4b0905682b8386e33f7dae8974
SHA5129765b7e3fc6c69cad64ffc49dd3b2f72e593c1be7f0f549b1e8b5ded5f73da0540216e44195c0b057cc1aecce552180d68c007b2abf72a28c695eb70512c46ba
-
Filesize
727B
MD54f2f44acff5c280ecd26b5e7144aff24
SHA1d542052f27cf058cd2bd7d74e75deb8a009bb334
SHA256c9725747ce7f281ac09f3a2287a236369b00e99f310eb837c45b2b4f66b82030
SHA51233d4fcb341e625103b16af3f7b37f4fed5e8d56256980e341fff71356d1a1296192741b96be97de703d8f54af24e3438d0a514edb621ee6e42b1dc4d79089d45
-
Filesize
400B
MD5c41af1fbaa70f602f2797a8d5b2ab6b9
SHA1b60c822d46dd61bf594602a00e4fe7b0bf14795a
SHA256fa193e9abea2fcc7403da404adbfadef53f0f457a47a7302a90141b6e5bce06e
SHA512aa3ac6741bb301f026cc8b869d3c8bc3ad8ec9ec6c6162c8173f7bd9556dd9b8e4df9d2952148ffa7b78c24503c34edec308505e1903d1578bc1efe1dd53f759
-
Filesize
408B
MD5a5b81e2e8af618a097aa7f74302e78ae
SHA13bd6c7e819d4d433e1d184fd77f42799fcac8ff3
SHA256235c25b88a9eae0c701617fcbf0c97488b3d4e92dc440f20887dbf116a215ed3
SHA5128a4a664f2b9161a7d825fc4adce9b0eaed9849b979533e2f51d222ad28bd7a168a8ed2d0e92c48819037d2f70dfc6de356d717398fb7a3668ec46b6e3808fa50
-
Filesize
412B
MD50dac1ced88970b9646d9c1d67242f256
SHA186c87ce22509492e67d5bc85f529658845ec633e
SHA256d826e4462ef3539491be854f383a0e0488d691c05cca545357a0e9b7a5fd5fd4
SHA5126c8af9e1f32ea19cf47ea26561dac4f5489fb410fde108738eefb8691202afb8c674c8b25ada1ce68723a5e50a9a160f36b1500511160f131b8dc48f17b2cc7e
-
Filesize
1.4MB
MD5240f5d10d0fdc6e3a73b6793e0ea260f
SHA1b6b7549b2c1a98fe88dea9f9fb462cb203647dbc
SHA2565afa0071f63b662d93ab35e8a9a6a44b8ad439c62160388690e5e5793cb2b2d4
SHA512faa0654a4359a90338905bcf627cb75d10d277ce8e2aafc07eca75ea887f54750b118042dd1e25e45c02706791ea5f5741202309928140789c319988e05f5029
-
Filesize
601KB
MD58522cf224cb875847762353c89d2dce2
SHA14947ef0a7b3da4972106a6a97fff8c03f9db6799
SHA2563dc24e9a42d9230f4c0db64bf11b9df544066c80c49b2aa66ce9a01ddb8c4088
SHA5128933f0add139fd10f452ad18bcc400ab288aebe5bf764da66eb332b9b97dc56f7aaab66fd396b0ca1bf3c29a1487255b562a97fdeffaacc142347a95cd503350
-
Filesize
741KB
MD58d9b3ca29d78cda545cf0a3131536f17
SHA1d823975e67320244f3f02a59e5d29b53e16a828b
SHA25697978ec89a58611cdeeffc623805c91966bf1d861395082804efe05302daf7cd
SHA512287799d662bf3f113aab8009503afe7306f489b7fdad69ceffb190c9757412e00f6d3eedf5d5254d90319b27577d9567dc4b67860dc0148e249c042575f4dc0d
-
Filesize
603KB
MD5fc284eee599385a7ae9f098d123e983f
SHA1acaa1c92d85afd92184d49592aed3aeab6ad2ded
SHA25616414419a8248a4a55c05859c467d1fafc298694f3f71916261fe2e08ebf4abd
SHA512c2538a98de60aeddb72cb14513ecce3493f04e94135182af658d3fc6425ad890560945efb02c956b11aa10606c95e7cb286e73c0d27e71f2b17d3494506e7123
-
Filesize
39KB
MD5f1b14f71252de9ac763dbfbfbfc8c2dc
SHA1dcc2dcb26c1649887f1d5ae557a000b5fe34bb98
SHA256796ea1d27ed5825e300c3c9505a87b2445886623235f3e41258de90ba1604cd5
SHA512636a32fb8a88a542783aa57fe047b6bca47b2bd23b41b3902671c4e9036c6dbb97576be27fd2395a988653e6b63714277873e077519b4a06cdc5f63d3c4224e0
-
Filesize
1.2MB
MD56406cce810c8aaa887ca6b8e004776d2
SHA11698d3d12341f3824e14f4dae75300eea9670797
SHA256fbfde6f43c30f454b07dbd2fdcd83685ae0016227f5489c13ccb510a0cff00a6
SHA5123cd6f24c1892abd1b12a02dac5ab53e2afe1c68bc366d1ddb26df1e56312da7ff5caca255e78cb61e3fcbbed21cd03fb8909c61302af4dbcdda7ad37eac73ffa
-
Filesize
1KB
MD52fc3add9670933fa01b4df0a9b08c58c
SHA1a9afdeba443c9273240e109f7d62150afe6a8b87
SHA256d27cd97feabe0c478f3080c691ef214fdde81d90116f0e2d82b9db9fb0d3067e
SHA5121d4f5a2c1bc02b8239cc2b0d147d4fa9363d2cbaaa02b851352183140736c27656b5412520901b92489a14fc7ee57d8a893ced88fa5878bb545ba914fb8884c9
-
Filesize
1KB
MD546c3384288138d3d091c1f7e8072560e
SHA1b4493205c8b3e2803356a1327a30b0c52eb8981c
SHA256ad355507267dee3ad315329bd13537c9fd4a72bfd557e9b4b2462e9a23ad9773
SHA512b29f778ab1e0a07d78ebedf420b377034d3597d4bce6bd3b14def65330df59882105c12c600ff3adb5cf687343e75c6e4bf454b188fabc12df563bd77539a41b
-
Filesize
4KB
MD57aca43b2800ceb18b3ed2326532545de
SHA1d4cf207ef85bd749d59c1cb27a09c167ee21523a
SHA2563d9f8622d97587fd84d3d0560a50ab38e5f894fe4b5bcaa34279643fdaaeb480
SHA5120e002e6b8d965c227d9b1aa7c0251619c787ec7717e59667e756e5815e3666a955ea397eb148a1ed6bb7d8045727e4efa656a103f14bc70a03b03f0c91283c2f
-
Filesize
70B
MD5f8abf91d350d39ff1a48934b88624291
SHA188ef29fd18441c628a43925a8b32535d39e07979
SHA2565b4e3e3f739b1ae3cd907a0abe9d5aaf51455551f69f9da57e668f749584efd6
SHA5123c572c7415fbc8ee5f976ac9b6cce43c901174777c859e9461451676bd5158e940e0bd173d83d980958295cb9daacc489f0d596d98e93f71cb81d2603f037876
-
Filesize
471KB
MD51cb29ef9003e93f65b93ce8b8b7c24dd
SHA19be4aa7ab2e4c71dc70d03af435330c6bfb5c470
SHA2569be5145baeb34d733af9a7fa55139a4917ef080d777ac8ec7f5e8b42620605e6
SHA512259efb3fe2842908dcf4e4950da40dbdc6803ddf0dd5ba6716486cb715f356068a94e066ceefd4ed42d949787d6fc9190483c799add5d08620e16b4bc00bba3c
-
Filesize
208KB
MD50c8921bbcc37c6efd34faf44cf3b0cb5
SHA1dcfa71246157edcd09eecaf9d4c5e360b24b3e49
SHA256fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
SHA512ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108
-
Filesize
1.7MB
MD57c26877fcd894cc1355f2a31a551243c
SHA180104216da4cd3449eabf0e0de2bb3a5b2de85ca
SHA256ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000
SHA512a57a961a3339b105f9d5653b69269ed7aab952a4e16600426edee80d628a9ac62a13b5ea642ffd9765fdada7b0db5c5a85a21bc88c125be122bf3c4e89d0cfb8
-
Filesize
24.1MB
MD57f6d3efb8405285081c1d5521574dce0
SHA18492b3a862f277eecc2e4d976067c3fe643e4c9e
SHA256aaa87f22a91fe4660d7da0cc70c5f9a0ddcada8dacb8bbad2168faad562a18bd
SHA5123ea1d000999c9688d62564e67e98d44bce6d2b16f3d61f3b333ce918a01d9b28a7a0a7dd3f1108e20df770948a3b8174ac747ca6500aa1c33d8929e43854434b
-
Filesize
6KB
MD52fb31d9907b5fc006e80f94c19cba913
SHA1933edff671b106a3a445f3ea0c5c0808f38ac75f
SHA256cdd1a70edcd8b25cc93ba2ac47f815b25697af17a6d37045b22b92c9b0d13875
SHA512061a47b6fff5f71b418ec06500332283f3ea2294b6343e34def83293ff9249a1d22b432bf54156e5d7a8513adc9b7de74cf6a5234e5c09b77744451a02602923
-
Filesize
2.1MB
-
Filesize
2.0MB
-
Filesize
4.0MB
-
Filesize
40KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
624KB
-
Filesize
736KB
-
Filesize
516KB
-
Filesize
2.1MB
-
Filesize
2.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
516KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB