Analysis
-
max time kernel
148s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
25-12-2024 03:09
General
-
Target
2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe
-
Size
199KB
-
MD5
9915622262b1663ae9f851f664854000
-
SHA1
da9ae0706648eb10e1f5fbec1060f3eea8588ec6
-
SHA256
2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281
-
SHA512
d4a5583f1a531a292aece6f27f41b1abd37a31500f5def1459b5e801816bfddd1b1e6aea38f4682dd21a0e5e2ab17149d15b07242bd65fb8a6147e5247e5e61d
-
SSDEEP
3072:5NRCywDw1DiJkuQbojv4YQ/6Jfd9cV44zo7dkH6ChVLOWV49p6vfE2JvAEVXUOQn:5T4Dt+AxQnpe6HrLObovfTNAE2Ar+e2
Malware Config
Extracted
remcos
2.7.2 Pro
GRACE _ MARCY
103.153.77.83:4348
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
mozila.exe
-
copy_folder
mozila
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
mozila
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
mozila-VR8Q9A
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
mozila
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Loads dropped DLL 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe"C:\Users\Admin\AppData\Local\Temp\2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe"C:\Users\Admin\AppData\Local\Temp\2f14fefdd76197ec0b0eed44f534230e1e2b39d655edf87dd8571ceb966bb281.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74B
MD5aee908793c1598c506a8d8ecc0ee4559
SHA1fab63884554b0b71e65e743b7a6e85b4ac147eea
SHA2563c0f5348f037a2eec849de21638a252ef7e8b8db8727e73388599541712832dd
SHA5128bbf2a981589d95095a0be5650009af1cfa281e3b088f67545a78ce98f2701664ec6519e6e00a2a7d6cd8465cc78ebca97ec0b33f5260ab4b652b77451734d74
-
Filesize
149KB
MD50c44ee25d7c510783d118d3f76d88b3b
SHA1ff537d185513d1a2daf91ca5679c79f3c8346e9a
SHA2560b54c2abb6bee336adc1866f128591a6e0d5fa0f90333f6a6b57205b41196e20
SHA512a13490eb75a842e15ae33cb167209e76dbfb7b1fe96530ca3bd41ff2a4318717b53a5e44bb1f0f2523f38888e142061019082ffb11bc633953a773b25e2fc587
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
132KB
-
Filesize
36KB
-
Filesize
36KB