Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-12-2024 02:36
Static task
static1
Behavioral task
behavioral1
Sample
724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe
Resource
win10v2004-20241007-en
General
-
Target
724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe
-
Size
1.1MB
-
MD5
fc1b25a4b630e5080fd4004eb3929f50
-
SHA1
62bb01b654398961a3f2079346eef8c33b874d37
-
SHA256
724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724
-
SHA512
dd6d543c4687a398abdd8aa73f795ecda60a6222132e675f6c3b4cb4d2ca25d42b0e5a3f46f7e98fb8285a4bb44b4891f018c51bed0360784f89ced0417e5e2c
-
SSDEEP
24576:TjlIhSPd+p4mW33YHtYGPfU+Yl10PzhnVY5zbwfSxlN:Tjl+SPsp4KHtbPf4uxVYBT
Malware Config
Extracted
remcos
RemoteHost
192.210.150.17:56887
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-OPLFYE
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3136 set thread context of 2524 3136 724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe 96 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3136 724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe 3136 724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3136 724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 3136 wrote to memory of 2524 3136 724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe 96 PID 3136 wrote to memory of 2524 3136 724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe 96 PID 3136 wrote to memory of 2524 3136 724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe 96 PID 3136 wrote to memory of 2524 3136 724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe 96 PID 3136 wrote to memory of 2524 3136 724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe 96 PID 3136 wrote to memory of 2524 3136 724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe 96 PID 3136 wrote to memory of 2524 3136 724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe 96 PID 3136 wrote to memory of 2524 3136 724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe 96 PID 3136 wrote to memory of 2524 3136 724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe 96 PID 3136 wrote to memory of 2524 3136 724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe"C:\Users\Admin\AppData\Local\Temp\724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Users\Admin\AppData\Local\Temp\724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe"C:\Users\Admin\AppData\Local\Temp\724ac28c0e0981a385e4bec55724bc13f9528053ff32ec166c881ca409894724.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2524
-