Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-12-2024 19:49
Static task
static1
Behavioral task
behavioral1
Sample
c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe
Resource
win10v2004-20241007-en
General
-
Target
c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe
-
Size
1.1MB
-
MD5
f47ede3af9a6ca374a0a54a4194dd7d2
-
SHA1
523f74e5de756049cf0445ee135879678c93c80a
-
SHA256
c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5
-
SHA512
e74d3fb2654a816188a7a4273f25022dfd1f4764b92861c1d72cc61343899a3195a10256f9c86e4dfd404e1fa141a7cc2daf4e2a9aeadf8100fe47d7a0722267
-
SSDEEP
24576:PK777777777777dFYVE6/Lf0BfGqv0xs7qdZmTgwOK545tq:y7777777777774feG1CqXmUIW5
Malware Config
Extracted
remcos
srvchostrix
winvohost.ddns.net:11024
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-U0TX4T
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Signatures
-
Remcos family
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2092 set thread context of 2752 2092 c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe 31 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2752 RegSvcs.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2092 wrote to memory of 2752 2092 c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe 31 PID 2092 wrote to memory of 2752 2092 c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe 31 PID 2092 wrote to memory of 2752 2092 c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe 31 PID 2092 wrote to memory of 2752 2092 c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe 31 PID 2092 wrote to memory of 2752 2092 c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe 31 PID 2092 wrote to memory of 2752 2092 c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe 31 PID 2092 wrote to memory of 2752 2092 c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe 31 PID 2092 wrote to memory of 2752 2092 c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe 31 PID 2092 wrote to memory of 2752 2092 c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe 31 PID 2092 wrote to memory of 2752 2092 c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe 31 PID 2092 wrote to memory of 2752 2092 c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe 31 PID 2092 wrote to memory of 2752 2092 c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe 31 PID 2092 wrote to memory of 2752 2092 c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe 31 PID 2092 wrote to memory of 2752 2092 c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe 31 PID 2092 wrote to memory of 2752 2092 c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe 31 PID 2092 wrote to memory of 2752 2092 c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe"C:\Users\Admin\AppData\Local\Temp\c793394ea0bd214459520e1403e523cf59936ddfe5a1a60ad59e0457143725e5.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2752
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5875ca204f77f2a28801a550d8753b95b
SHA14844997d6bb1a979c48286d042efe70dcfa9554f
SHA256140ea9ea11d1e69696885aea6de966c079e4edf5281f314cfc165964a204cf37
SHA512b1068a7f0dc8795ad67b575ea4e6b33a4a7cc8505a04495df8a04d9da2ea00b591b26aab638f1341d4f0c5f2f6dae914452d222c2115a498d7951b7d84cc5252