Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-11-2024 03:22
General
-
Target
ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000.msi
-
Size
1.7MB
-
MD5
7c26877fcd894cc1355f2a31a551243c
-
SHA1
80104216da4cd3449eabf0e0de2bb3a5b2de85ca
-
SHA256
ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000
-
SHA512
a57a961a3339b105f9d5653b69269ed7aab952a4e16600426edee80d628a9ac62a13b5ea642ffd9765fdada7b0db5c5a85a21bc88c125be122bf3c4e89d0cfb8
-
SSDEEP
49152:BpRhaYJ+2/8yJ5OA4COg9lyp31X01clj+u1GTsF:BpDJ+2pgA4+6p31is+u1G4
Malware Config
Extracted
remcos
4.9.4 Pro
zip
rm.anonbaba.net:3393
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-RNN6CM
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Detected Nirsoft tools 7 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
-
Modifies file permissions 1 TTPs 2 IoCs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Windows directory 9 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
Program crash 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 42E48A7C3D57E2D471DB6FD0BDB4BD802⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-24a51166-b283-40bd-8fd3-5e16ad5eb61b\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\MW-24a51166-b283-40bd-8fd3-5e16ad5eb61b\files\task.exe"C:\Users\Admin\AppData\Local\Temp\MW-24a51166-b283-40bd-8fd3-5e16ad5eb61b\files\task.exe"3⤵
- Adds Run key to start application
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\apps.bat" "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\task.exe"task.exe"5⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\task.exeC:\Users\Admin\task.exe /stext "C:\Users\Admin\AppData\Local\Temp\bsuiijypyvjvek"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\task.exeC:\Users\Admin\task.exe /stext "C:\Users\Admin\AppData\Local\Temp\emztibjimdbagypoqj"6⤵
- Accesses Microsoft Outlook accounts
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\task.exeC:\Users\Admin\task.exe6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
C:\Users\Admin\task.exeC:\Users\Admin\task.exe /stext "C:\Users\Admin\AppData\Local\Temp\opfljmukalteredshujcp"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 9604⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-24a51166-b283-40bd-8fd3-5e16ad5eb61b\files"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-24a51166-b283-40bd-8fd3-5e16ad5eb61b\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 432 -ip 4321⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Installer Packages
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Installer Packages
1Defense Evasion
File and Directory Permissions Modification
1Modify Registry
1System Binary Proxy Execution
1Msiexec
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD5719182e07998ae9226d45680aa1fe178
SHA18f8b03c110c129cb3a35841ed959de7a7266ffec
SHA2568f1d64c2c4dbb6ca892083e4b4a8bdb4585597e1269c218340c6b12517bb3dbe
SHA5122df474f0ac4d1ef93b14deda32c5476da130bc41f37c0a5cd0c271c990914613c3c788116a4b87d44876695f71e5a131847fdf96d609364c06cb2f5ed6ce76a3
-
Filesize
751B
MD520160bc3c7d11c08009f481fdd6e9aaa
SHA1eec31aa7573632ec555d1ae21086e2cc21d39c46
SHA256b847e2554ddb230d842476c8df308b899f4b9010e80d83bbf935f6ae1ca95552
SHA512561e8a98d137a13f91e1c162fb2ff8b0a642cf0121d1d2619194ad82235dcae6b4381a66f69eec7622682c9304c3816c0bacb86910061e204b2b05591afcb7cd
-
Filesize
727B
MD5c59fe2122c01472472b32153f9357db9
SHA1ffd45432839790442f659390e16b2b4f96c066c5
SHA256fbe269cbc7e81263ef32c8a3b320697dc8d0b9f90d72c13b7e74b482a640b71b
SHA51251ae31fd5603d1b6038a3ed1134143bfb757372b8daf06f471d7ca5e54c4fb2bb27c4b257149861e5e3e841070f7d1bc7488bf3f799ea39c7daa7ec62fe5eb31
-
Filesize
400B
MD53116e740d4b35f728991060d3a56a217
SHA194c1e1742fbcbcfefba8d2159d581195ecd37d47
SHA256c062c669408aac4b4693dedd1a3cf816ba9b2f4b802a61376ecc9b7b90a2dc58
SHA512fc21ae93c2338fbe0753d9a84453ddfd42e0142763e35640150fd17e481407914c2410fd093636dbd744d2d853f237620f1214152117dcbaafe69b118e913004
-
Filesize
408B
MD51067fd2fa30db5198f8f9ea799f96a0f
SHA192471611a7665554954b41c84ff78ed51b697222
SHA256e21cbe6f0ffa45b2801d3161bac63d124c262a500df89cd24bb8ed7233397cc4
SHA512244a0f4fdc32046fac36e0827aedb8383d20fb76f5ad9361b22a7ddfd8ea29873f86208e25ad29d37e333d5ceb522b35fbf40348d12d674e969e808d82c51288
-
Filesize
412B
MD59678486c6382c9e0b8cf855ccffb6846
SHA1a0151ce99c4325d0555cfe8d9e3ddbf763d99e3f
SHA256ab37daa012c00fc47623c5340ca0caa355ce9f2b14fb6e281e7c97c0c5190d42
SHA51276b6180dcd1e7f6a7d4c0621231adde7fd3bd24cc5f9af7945fc642f3a7e6a9a0673c1f2e1c019db45f8e822b65afba9306e3e1b5fa9f6a0faf20c1e0a76fc92
-
Filesize
1.4MB
MD5240f5d10d0fdc6e3a73b6793e0ea260f
SHA1b6b7549b2c1a98fe88dea9f9fb462cb203647dbc
SHA2565afa0071f63b662d93ab35e8a9a6a44b8ad439c62160388690e5e5793cb2b2d4
SHA512faa0654a4359a90338905bcf627cb75d10d277ce8e2aafc07eca75ea887f54750b118042dd1e25e45c02706791ea5f5741202309928140789c319988e05f5029
-
Filesize
601KB
MD58522cf224cb875847762353c89d2dce2
SHA14947ef0a7b3da4972106a6a97fff8c03f9db6799
SHA2563dc24e9a42d9230f4c0db64bf11b9df544066c80c49b2aa66ce9a01ddb8c4088
SHA5128933f0add139fd10f452ad18bcc400ab288aebe5bf764da66eb332b9b97dc56f7aaab66fd396b0ca1bf3c29a1487255b562a97fdeffaacc142347a95cd503350
-
Filesize
741KB
MD58d9b3ca29d78cda545cf0a3131536f17
SHA1d823975e67320244f3f02a59e5d29b53e16a828b
SHA25697978ec89a58611cdeeffc623805c91966bf1d861395082804efe05302daf7cd
SHA512287799d662bf3f113aab8009503afe7306f489b7fdad69ceffb190c9757412e00f6d3eedf5d5254d90319b27577d9567dc4b67860dc0148e249c042575f4dc0d
-
Filesize
603KB
MD5fc284eee599385a7ae9f098d123e983f
SHA1acaa1c92d85afd92184d49592aed3aeab6ad2ded
SHA25616414419a8248a4a55c05859c467d1fafc298694f3f71916261fe2e08ebf4abd
SHA512c2538a98de60aeddb72cb14513ecce3493f04e94135182af658d3fc6425ad890560945efb02c956b11aa10606c95e7cb286e73c0d27e71f2b17d3494506e7123
-
Filesize
39KB
MD5f1b14f71252de9ac763dbfbfbfc8c2dc
SHA1dcc2dcb26c1649887f1d5ae557a000b5fe34bb98
SHA256796ea1d27ed5825e300c3c9505a87b2445886623235f3e41258de90ba1604cd5
SHA512636a32fb8a88a542783aa57fe047b6bca47b2bd23b41b3902671c4e9036c6dbb97576be27fd2395a988653e6b63714277873e077519b4a06cdc5f63d3c4224e0
-
Filesize
1.2MB
MD56406cce810c8aaa887ca6b8e004776d2
SHA11698d3d12341f3824e14f4dae75300eea9670797
SHA256fbfde6f43c30f454b07dbd2fdcd83685ae0016227f5489c13ccb510a0cff00a6
SHA5123cd6f24c1892abd1b12a02dac5ab53e2afe1c68bc366d1ddb26df1e56312da7ff5caca255e78cb61e3fcbbed21cd03fb8909c61302af4dbcdda7ad37eac73ffa
-
Filesize
1KB
MD5cc892773811ac6d1c6c8502afe2113b2
SHA1f5da4a764cce98192fc3b733a768399cf4deca66
SHA2569741e5c317feac4e0ea4a05c3dfd2f85e2d79326021de1555845df29bf78cc7a
SHA51283f2b4e98d1fde8f96762b03ce71e17445ccd90f4a37072fff891183e3e78074fda7719049b2a0a501c995a61e20c30c2c3094025ea4703bae7778828ce82f75
-
Filesize
1KB
MD5ac8e4e916f824782fa12a1ad67349fde
SHA1b8b2ccb6d7f668a7f7e9c14dda029a88b0e8e39f
SHA2560a3559446dcdc149da354261f41aed10d135acce1f179f12c19df212b5f838e1
SHA5122dcfa16142d36b07d6b93ef0439f4a0720ba33104e8d1e2e7edda8cab968a82cb1bea471a466778874aa78dcdb8598bf60b77acda9ed2ec253183cca23ab611e
-
Filesize
4KB
MD5bc25ccf39db8626dc249529bcc8c5639
SHA13e9cbdb20a0970a3c13719a2f289d210cdcc9e1d
SHA256b333f8c736c701bc826886f395d928731850cbce6db77be752b3cf7979114904
SHA5129a546127bddc1d187e674cda82e6c5046cac7f3e6f9515aed68d5bff2264b9d679d857dd97270e10826cd11ce2d92d82dd7f9801e19027e346b60bcc814cca1a
-
Filesize
70B
MD5f8abf91d350d39ff1a48934b88624291
SHA188ef29fd18441c628a43925a8b32535d39e07979
SHA2565b4e3e3f739b1ae3cd907a0abe9d5aaf51455551f69f9da57e668f749584efd6
SHA5123c572c7415fbc8ee5f976ac9b6cce43c901174777c859e9461451676bd5158e940e0bd173d83d980958295cb9daacc489f0d596d98e93f71cb81d2603f037876
-
Filesize
471KB
MD51cb29ef9003e93f65b93ce8b8b7c24dd
SHA19be4aa7ab2e4c71dc70d03af435330c6bfb5c470
SHA2569be5145baeb34d733af9a7fa55139a4917ef080d777ac8ec7f5e8b42620605e6
SHA512259efb3fe2842908dcf4e4950da40dbdc6803ddf0dd5ba6716486cb715f356068a94e066ceefd4ed42d949787d6fc9190483c799add5d08620e16b4bc00bba3c
-
Filesize
208KB
MD50c8921bbcc37c6efd34faf44cf3b0cb5
SHA1dcfa71246157edcd09eecaf9d4c5e360b24b3e49
SHA256fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
SHA512ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108
-
Filesize
1.7MB
MD57c26877fcd894cc1355f2a31a551243c
SHA180104216da4cd3449eabf0e0de2bb3a5b2de85ca
SHA256ff389718792f877fbdabe5cb02a1b3d5de5be988f9b5690250ffdf3409f04000
SHA512a57a961a3339b105f9d5653b69269ed7aab952a4e16600426edee80d628a9ac62a13b5ea642ffd9765fdada7b0db5c5a85a21bc88c125be122bf3c4e89d0cfb8
-
Filesize
24.1MB
MD5ef8187fd4d0f5061c9412fed9fbaf5f8
SHA1197416380db2c31be24760dbb1dbb393f9413c7d
SHA256aa6c26c9dce46533448b341cc3fb53a06c4ca20c1c0040776bb575d97cc31a78
SHA5124ddcc61b3e975eec1031e1cc5650237224873bb2646c190ba5bce930dd8f925dc8bcecbac63b12204214b940bdded18b04ef3bc08b4ec4cc165f626aedf59b90
-
Filesize
6KB
MD5f93ade2788310991df83ac253a22fcdf
SHA1735a1bf51887ada6d1bdeb4f97dfb3b979874b67
SHA2567c57c6f754a4db033573052524f1b77dc841d1f54029f78e8d913161fc5ae983
SHA512123822dfd32f804d17620d117d2d71e1305ce04009d1845642ce2d2e80990d2f4a07bbbdb7915bf427d4ad4b6b57212164a69cb995f762f615cfbd31225d91d1
-
Filesize
624KB
-
Filesize
736KB
-
Filesize
2.1MB
-
Filesize
40KB
-
Filesize
4.0MB
-
Filesize
2.0MB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
516KB
-
Filesize
2.1MB
-
Filesize
516KB
-
Filesize
2.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
100KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
100KB
-
Filesize
512KB
-
Filesize
100KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB