Overview

overview

10

Static

static

3

deae18121e...ed.exe

windows7-x64

10

deae18121e...ed.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-01-2025 04:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    deae18121ea6827386098ac1d40d14952f55c7555558d516ff769b4e89655ded.exe

  • Size

    1.1MB

  • MD5

    08ac08e7223680fbe534d31ae219e649

  • SHA1

    7d003910e435153f65c2726f8d3fe2669606fcbf

  • SHA256

    deae18121ea6827386098ac1d40d14952f55c7555558d516ff769b4e89655ded

  • SHA512

    75b30cb6b060cd39b3bb4e8b16f8735a11eb1b577807fd574e84b11a39a34fe82ee819fbc9307b9b19e3d14f8ce609036e99b315fe89319befb39b023d3b3b7f

  • SSDEEP

    24576:BPd+pxd29086WHK9M9yBj2ESIMkM6ZI6d:BPspx4bFHhENMkM6G

Score
10/10
remcosremotehostdiscoveryexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

185.241.208.87:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-7DRXD9

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\deae18121ea6827386098ac1d40d14952f55c7555558d516ff769b4e89655ded.exe
    "C:\Users\Admin\AppData\Local\Temp\deae18121ea6827386098ac1d40d14952f55c7555558d516ff769b4e89655ded.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\deae18121ea6827386098ac1d40d14952f55c7555558d516ff769b4e89655ded.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2092
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NaYpuoGDsghFyf.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2552
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NaYpuoGDsghFyf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7A5E.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2572
    • C:\Users\Admin\AppData\Local\Temp\deae18121ea6827386098ac1d40d14952f55c7555558d516ff769b4e89655ded.exe
      "C:\Users\Admin\AppData\Local\Temp\deae18121ea6827386098ac1d40d14952f55c7555558d516ff769b4e89655ded.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2196

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp7A5E.tmp
    Filesize

    1KB

    MD5

    390d49cb2d1f843e30022b90797acc2d

    SHA1

    fd6fb8ab92573caecca028d33c9906c3b671cb2a

    SHA256

    0b11936b995997760f5f2f4168fe8bd512e11810f4759c9e1c469c30fe7ac4a0

    SHA512

    efa9709822796072fce7f7acf8b3d62e9709e5b38cff083aa76585a03bb9bc3075ccc3c85181eb02d36dd8916289dfb2c5bfa2760399e50121c2e5f3c83cff79

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    26accb3400cdf5a5862a2ef91ec5382d

    SHA1

    b62c950d901d93e1f51a9712be389e5d14eef60d

    SHA256

    9808a2bcd0963b838e1a18ab61e1b7a9adc5f487bcc8ef3503750ebd9f8a274d

    SHA512

    d2ac04ac55797809d4a2e6301f58f4444e5f1d5fcf391a5fac9add98f6989c992ad7991a9e9e334e6bd566f086c41b3a371992066f74985ab921a2711239bf5a

    Download Submit

  • memory/2160-0-0x000000007441E000-0x000000007441F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2160-1-0x00000000000D0000-0x00000000001EA000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2160-2-0x0000000074410000-0x0000000074AFE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2160-3-0x00000000007C0000-0x00000000007E6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2160-4-0x000000007441E000-0x000000007441F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2160-5-0x0000000074410000-0x0000000074AFE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2160-6-0x000000000A8D0000-0x000000000A994000-memory.dmp

    Filesize

    784KB

    Download

  • memory/2160-34-0x0000000074410000-0x0000000074AFE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2196-29-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2196-37-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2196-33-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2196-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2196-21-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2196-27-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2196-25-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2196-23-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2196-20-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2196-35-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2196-36-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2196-32-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2196-38-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2196-39-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2196-40-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2196-41-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2196-42-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2196-43-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2196-44-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2196-45-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2196-46-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download