Analysis
max time kernel: 118s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-01-2025 06:59
Static task: static1
Behavioral task: behavioral1
  Sample: 02685371fedd6882df6bb6c55923098a25dd500b474d2c5162e9bb541dd78869N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 02685371fedd6882df6bb6c55923098a25dd500b474d2c5162e9bb541dd78869N.exe
  Resource: win10v2004-20241007-en
General
Target: 02685371fedd6882df6bb6c55923098a25dd500b474d2c5162e9bb541dd78869N.exe
Size: 140KB
MD5: 6dc84ad7ef1ac736530211cc881fd2a0
SHA1: 5778b7fbeab9b188c22c6975e723ec5e67a69411
SHA256: 02685371fedd6882df6bb6c55923098a25dd500b474d2c5162e9bb541dd78869
SHA512: c4a769014f46856e9846690bd86753ef1ab74bef02ac1513db5f229bab8b6809020bc0d9ca8abef1d90349b55d295667058ce4261b00bb015e4dadca9d9be6fa
SSDEEP: 3072:xPd4n/M+WLcilrpgGH/GwY87mVmIXhIHVST:xP6/M+WLckOBhVmIYq
Malware Config
Extracted: remcos 1.7 Pro
Host:
  systemcontrol.ddns.net:45000
  systemcontrol2.ddns.net:45000
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: OfficeUpgrade.exe
copy_folder: OfficeUpgrade
delete_file: false
hide_file: true
hide_keylog_file: true
install_flag: false
install_path: %AppData%
keylog_crypt: true
keylog_file: Upgrader.dat
keylog_flag: false
keylog_folder: Upgrader
keylog_path: %AppData%
mouse_option: false
mutex: req_khauflaoyr
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
screenshot_time: 1
startup_value: OfficeUpgrade
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Remcos family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely as a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation
  Process: 02685371fedd6882df6bb6c55923098a25dd500b474d2c5162e9bb541dd78869N.exe

Executes dropped EXE (2 IoCs)
  PID 1648: wn2ra4ohzdr.exe
  PID 3900: wn2ra4ohzdr.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raj4dkhhiap = "C:\\Users\\Admin\\AppData\\Roaming\\raj4dkhhiap\\wn2ra4ohzdr.exe"
  Process: 02685371fedd6882df6bb6c55923098a25dd500b474d2c5162e9bb541dd78869N.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 1648 (wn2ra4ohzdr.exe) set thread context of PID 3900, procid_target 97

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (02685371fedd6882df6bb6c55923098a25dd500b474d2c5162e9bb541dd78869N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wn2ra4ohzdr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wn2ra4ohzdr.exe)

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3900: wn2ra4ohzdr.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2696 (02685371fedd6882df6bb6c55923098a25dd500b474d2c5162e9bb541dd78869N.exe) wrote to memory of PID 1648, procid_target 90 (3 events)
  PID 1648 (wn2ra4ohzdr.exe) wrote to memory of PID 3900, procid_target 97 (9 events)
Processes
C:\Users\Admin\AppData\Local\Temp\02685371fedd6882df6bb6c55923098a25dd500b474d2c5162e9bb541dd78869N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\02685371fedd6882df6bb6c55923098a25dd500b474d2c5162e9bb541dd78869N.exe"
  PID: 2696
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
    Command line: "C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
    PID: 1648
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe
      Command line: "C:\Users\Admin\AppData\Roaming\raj4dkhhiap\wn2ra4ohzdr.exe"
      PID: 3900
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 140KB
MD5: 298a6d99074ab012b2649d8b085dcf2e
SHA1: 53c1a7408058e127b9073a4b78422ae1a1282862
SHA256: 4c419a1f8a34ebb02ee9b3da420ae74bd06d4682b5a827eb3eda1e3cb058aeed
SHA512: 8cabee9e97b55a413d89a420920e611831698bc46490efaa138aa7dab5c560fd4665738982d33c5da458be74828974dbb7a12f558e7cc6278f2d1799b905be93