Overview

overview

10

Static

static

1

62f928.msi

windows7-x64

10

62f928.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 14:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    62f928.msi

  • Size

    2.8MB

  • MD5

    a2a7ff35bd33480418bd39e0832d0875

  • SHA1

    8cd2ec2310b1240ffa9944631c409e658cea03a7

  • SHA256

    46004e5408d63486737753e360a3c9ef74246163497c920d1ac7aa504c488e54

  • SHA512

    20b4bcc20bdd3d40ec0d2d3f8531615c5fce78339784dd8f346e6aeccdca8307f472e59d9f246daeb1e1a4343c9d6d53f83b2deb7eb21f5b4035b2d083ad037c

  • SSDEEP

    49152:IiSoOl+YyNuCClJkqwhmsl5aBZJnxsTKHgX7Gu0ojmWS8MqIugHt:It7+YJCCvkEsloxTHZojmWhDg

Score
10/10
remcosteddydiscoverypersistenceprivilege_escalationrat

Malware Config

Extracted

Family

remcos

Botnet

Teddy

C2

adminitpal.com:8080

adminitpal.com:443
Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    5

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    putty

  • mouse_option

    false

  • mutex

    tRvr-YKFHJK

  • screenshot_crypt

    false

  • screenshot_flag

    true

  • screenshot_folder

    Putty

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;chrome;edge;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 18 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\62f928.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2236
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Users\Admin\AppData\Local\Regma\ManyCam.exe
      "C:\Users\Admin\AppData\Local\Regma\ManyCam.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Users\Admin\AppData\Roaming\SyncvalidKil3\ManyCam.exe
        C:\Users\Admin\AppData\Roaming\SyncvalidKil3\ManyCam.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1960
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1812
          • C:\Users\Admin\AppData\Local\Temp\Demowordpad.exe
            C:\Users\Admin\AppData\Local\Temp\Demowordpad.exe
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1576
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1912
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D4" "00000000000003EC"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2780

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f76e034.rbs
    Filesize

    8KB

    MD5

    478db699b013b9dc641485d5e6a82bd7

    SHA1

    ba0a871c238596806670127c2f27edc7f6147db8

    SHA256

    78911262c5e6a3f975fc9dd2c7c9310a8eda229b072cdcc95b7b860bbccbc07d

    SHA512

    5b21a4a62cf1934f0de0db3fa4fba5a84295a7cace9e1cb18ed0662c2e9430ad1a0127e548508c681fe3b949208bfad22494c5d2bb46710a481fbd3b31d8e96d

    Download Submit

  • C:\ProgramData\putty\logs.dat
    Filesize

    184B

    MD5

    25166068324bfc5de0a6a87ab0a411bd

    SHA1

    6c7a5dc5fbbcffe0415e13e47e67da6e00853599

    SHA256

    7d98d0517af20bda835a8cfd2dd22c626d4e11ac17a32261d5fafaa2100916cd

    SHA512

    e10bd34f8fa6aeceadef6ee6118df9106e2e660c8b80f3225c59986b9167daf2b06b6621827fcce3ffe1d1c4ef92678cb83a092144ac50fd89952311ee9e9649

    Download Submit

  • C:\Users\Admin\AppData\Local\Regma\CrashRpt.dll
    Filesize

    121KB

    MD5

    b2d1f5e4a1f0e8d85f0a8aeb7b8148c7

    SHA1

    871078213fcc0ce143f518bd69caa3156b385415

    SHA256

    c28e0aec124902e948c554436c0ebbebba9fc91c906ce2cd887fada0c64e3386

    SHA512

    1f6d97e02cd684cf4f4554b0e819196bd2811e19b964a680332268bcbb6dee0e17b2b35b6e66f0fe5622dffb0a734f39f8e49637a38e4fe7f10d3b5182b30260

    Download Submit

  • C:\Users\Admin\AppData\Local\Regma\ManyCam.exe
    Filesize

    1.7MB

    MD5

    ba699791249c311883baa8ce3432703b

    SHA1

    f8734601f9397cb5ebb8872af03f5b0639c2eac6

    SHA256

    7c4eb51a737a81c163f95b50ec54518b82fcf91389d0560e855f3e26cec07282

    SHA512

    6a0386424c61fbf525625ebe53bb2193accd51c2be9a2527fd567d0a6e112b0d1a047d8f7266d706b726e9c41ea77496e1ede186a5e59f5311eeea829a302325

    Download Submit

  • C:\Users\Admin\AppData\Local\Regma\cv099.dll
    Filesize

    664KB

    MD5

    2a8b33fee2f84490d52a3a7c75254971

    SHA1

    16ce2b1632a17949b92ce32a6211296fee431dca

    SHA256

    faff6a0745e1720413a028f77583fff013c3f4682756dc717a0549f1be3fefc2

    SHA512

    8daf104582547d6b3a6d8698836e279d88ad9a870e9fdd66c319ecada3757a3997f411976461ed30a5d24436baa7504355b49d4acec2f7cdfe10e1e392e0f7fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Regma\cxcore099.dll
    Filesize

    908KB

    MD5

    60ad2fc365dc3de0ce1fd191acc6a0b0

    SHA1

    8c85bf1b8734b150cf2afdfe64c1227dbef25393

    SHA256

    cf58a2f246d7d081986b44b14abc810c256c4f594738659e522476bcd7977d8c

    SHA512

    65b093547569a4c06028ec723be3d562102153741bd71a0dc6a16a2e96d56cb2101f5d1ebeddb235c570a12ec5834aa5f8529bf446dfc31f677d6150319bf65b

    Download Submit

  • C:\Users\Admin\AppData\Local\Regma\dbghelp.dll
    Filesize

    478KB

    MD5

    e458d88c71990f545ef941cd16080bad

    SHA1

    cd24ccec2493b64904cf3c139cd8d58d28d5993b

    SHA256

    5ec121730240548a85b7ef1f7e30d5fdbee153bb20dd92c2d44bf37395294ec0

    SHA512

    b1755e3db10b1d12d6eaffd1d91f5ca5e0f9f8ae1350675bc44ae7a4af4a48090a9828a8acbbc69c5813eac23e02576478113821cb2e04b6288e422f923b446f

    Download Submit

  • C:\Users\Admin\AppData\Local\Regma\highgui099.dll
    Filesize

    388KB

    MD5

    a354c42fcb37a50ecad8dde250f6119e

    SHA1

    0eb4ad5e90d28a4a8553d82cec53072279af1961

    SHA256

    89db6973f4ec5859792bcd8a50cd10db6b847613f2cea5adef740eec141673b2

    SHA512

    981c82f6334961c54c80009b14a0c2cd48067baf6d502560d508be86f5185374a422609c7fdc9a2cde9b98a7061efab7fd9b1f4f421436a9112833122bc35059

    Download Submit

  • C:\Users\Admin\AppData\Local\Regma\sobrt
    Filesize

    51KB

    MD5

    5ba0e4ef5bb61db3b1554a108118ed45

    SHA1

    1004db2678baa94e1a9f99e767673514b0122a21

    SHA256

    d26373617c8ef46daa7482688b17ae8153a633ea2fe75053282f0f4308903f57

    SHA512

    62b43ecc1dc6f5d58283b164278b01fe5fb00963d712d3d4ed5b97fcb22c7c46010142ffe65c2df74b80edd6e48754fddf446f23dc28787dc008e156d3f54b3c

    Download Submit

  • C:\Users\Admin\AppData\Local\Regma\xtda
    Filesize

    1.1MB

    MD5

    7910d6147f32875538e6d887c32522ed

    SHA1

    50f9a0a38b87f48c655ab45de0e25637f070e12d

    SHA256

    45d1882a8df64a9fa624cd4538bb17161633ae66a5c4d0aea7d2f17a274a6416

    SHA512

    2de6830a7b9fcf8e6ed08c870bd531705f8094f79205761606b40655b75686205871aa92968b5e2568afd741f2a09363efbd296304c61beddce3ffd15e1de742

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\538f9ce
    Filesize

    1.6MB

    MD5

    3b7203c54881ec4c291ee5e2d75c251c

    SHA1

    87bdbef73c7483818c3d05ece8ec0dfd52c07f55

    SHA256

    0256c4dece046f6936d3bfd5ae4fe81f5d41f12d1181f690aa901946b60131f9

    SHA512

    b1bc4cdc2cc26b3a2fa2526abcccaa641bc9ec1c2a85abdf8b318fd1a1a42628158c962f54b6af062c59add266c07e248a31c3055fb48591786df683a0893bb6

    Download Submit

  • C:\Windows\Installer\f76e032.msi
    Filesize

    2.8MB

    MD5

    a2a7ff35bd33480418bd39e0832d0875

    SHA1

    8cd2ec2310b1240ffa9944631c409e658cea03a7

    SHA256

    46004e5408d63486737753e360a3c9ef74246163497c920d1ac7aa504c488e54

    SHA512

    20b4bcc20bdd3d40ec0d2d3f8531615c5fce78339784dd8f346e6aeccdca8307f472e59d9f246daeb1e1a4343c9d6d53f83b2deb7eb21f5b4035b2d083ad037c

    Download Submit

  • \Users\Admin\AppData\Local\Regma\cximagecrt.dll
    Filesize

    487KB

    MD5

    c36f6e088c6457a43adb7edcd17803f3

    SHA1

    b25b9fb4c10b8421c8762c7e7b3747113d5702de

    SHA256

    8e1243454a29998cc7dc89caecfadc0d29e00e5776a8b5777633238b8cd66f72

    SHA512

    87cad4c3059bd7de02338922cf14e515af5cad663d473b19dd66a4c8befc8bce61c9c2b5a14671bc71951fdff345e4ca7a799250d622e2c9236ec03d74d4fe4e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Demowordpad.exe
    Filesize

    433KB

    MD5

    fea067901f48a5f1faf7ca3b373f1a8f

    SHA1

    e8abe0deb87de9fe3bb3a611234584e9a9b17cce

    SHA256

    bf24b2f3e3a3c60ed116791b99e5421a4de34ac9c6e2201d34ab487e448ce152

    SHA512

    07c83a2d3d5dd475bc8aa48eba9b03e8fb742dbbd7bd623ed05dc1086efed7dfd1c1b8f037ee2e81efba1de58ea3243d7c84ac8b484e808cd28765f9c7517023

    Download Submit

  • memory/1576-176-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/1576-182-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/1576-201-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/1576-198-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/1576-195-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/1576-192-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/1576-189-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/1576-185-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/1576-179-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/1576-163-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/1576-159-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/1576-155-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1576-154-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1576-157-0x0000000077460000-0x0000000077609000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1812-146-0x0000000074710000-0x0000000074884000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1812-98-0x0000000077460000-0x0000000077609000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1960-95-0x0000000074710000-0x0000000074884000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1960-94-0x0000000077460000-0x0000000077609000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1960-93-0x0000000074710000-0x0000000074884000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1960-81-0x0000000000BB0000-0x0000000000C5D000-memory.dmp

    Filesize

    692KB

    Download

  • memory/1960-85-0x00000000001E0000-0x0000000000242000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2816-46-0x0000000000BB0000-0x0000000000C12000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2816-42-0x0000000000320000-0x00000000003CD000-memory.dmp

    Filesize

    692KB

    Download

  • memory/2816-36-0x0000000000AC0000-0x0000000000BAC000-memory.dmp

    Filesize

    944KB

    Download

  • memory/2816-55-0x0000000077460000-0x0000000077609000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2816-54-0x0000000074670000-0x00000000747E4000-memory.dmp

    Filesize

    1.5MB

    Download