Analysis

  • max time kernel
    131s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    19/01/2025, 06:56 UTC

General

  • Target

    ad330d352ec09c0bf40aa4b330f9b3382abe556f38efe722ec8acfd622161ac8.exe

  • Size

    1.1MB

  • MD5

    a83caa63bf1324fa62a7086c111abaed

  • SHA1

    cff04913404d0f281dd2dd1f899590bb4ed8e863

  • SHA256

    ad330d352ec09c0bf40aa4b330f9b3382abe556f38efe722ec8acfd622161ac8

  • SHA512

    85179476981878ddbaf98cdd541cb412ed1ef7c32e92b6aeb90b39b16502b6e77704a771f0182ca7f3fe1a82b26f8a630de584dacbe255a9e3ab3a24b6e4f2a4

  • SSDEEP

    24576:1u6J33O0c+JY5UZ+XC0kGso6FakCsU4yYhK3x9uZ3WYm:Xu0c++OCvkGs9Fak4BYm

Malware Config

Extracted

Family

remcos

Version

2.2.0 Pro

Botnet

RemoteHost

C2

185.217.1.142:3337

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    3

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    true

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-VBI2IL

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Remcos family
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Modifies WinLogon 2 TTPs 3 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad330d352ec09c0bf40aa4b330f9b3382abe556f38efe722ec8acfd622161ac8.exe
    "C:\Users\Admin\AppData\Local\Temp\ad330d352ec09c0bf40aa4b330f9b3382abe556f38efe722ec8acfd622161ac8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Users\Admin\AppData\Local\Temp\ad330d352ec09c0bf40aa4b330f9b3382abe556f38efe722ec8acfd622161ac8.exe
      "C:\Users\Admin\AppData\Local\Temp\ad330d352ec09c0bf40aa4b330f9b3382abe556f38efe722ec8acfd622161ac8.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Adds Run key to start application
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1880
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2504
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn cttunesvr /tr "C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2988
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {6549DB32-6D78-411E-A197-C4E2DC728AAB} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2588
    • C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe
      C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe
        "C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies WinLogon
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2020
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn cttunesvr /tr "C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe" /sc minute /mo 1 /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:236
    • C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe
      C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe
        "C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies WinLogon
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2960
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1204
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn cttunesvr /tr "C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe" /sc minute /mo 1 /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2296

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\install.vbs

    Filesize

    658B

    MD5

    28a35f4fa3d3b8c2558528574745e9c7

    SHA1

    ac9075f65109c01b2a3dbcfdfa06edf9e2adf7fc

    SHA256

    106e21ce76f2bd24131124e17fe58db4fcc89d2b2e1d8da3f3e1cb4665d942b3

    SHA512

    4c866d51b2169ed36f5c59032da463983a716dbe55760889b50587d0ba09e21dc24d1f08e7d25409d7c9ab4963a089dae49ee920cc6cba1a66668c14c1aee23d

  • C:\Users\Admin\AppData\Local\Temp\install.vbs

    Filesize

    564B

    MD5

    e221e7bd7e33aef4a5264f798818142e

    SHA1

    3545dbcc35de80c8f15da0daceab80acd0f1ae22

    SHA256

    f37e43a3504c163fa4a82bacc92ceb8cccd37d1020fbba95cc954f316ce49516

    SHA512

    04775d0fa21526bbbaa2deea13af1d5fab6183ea3a2809073539293da78e20f1cf4b9a4afdeafb1b4e8ce17a5be40f44364808ab73c174c98bce53ad8a1807d8

  • C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe

    Filesize

    1.1MB

    MD5

    ca3874c945e1c4aa09d02fb9d8a733c8

    SHA1

    59b6f02bd61b54ebe07468108234a735e7af2b56

    SHA256

    97943b72d681d88de5edcb552400e821e22b708bd3aadad8383bfd12cfb3f5cc

    SHA512

    dfbfbdbc17ffd3eb75d8d173a8de3323e8439366fef3f55f69c2a73525620efde269be9c88e2e33c6ff482fc8ad04d1acda423e47ac8479b6f1c7c02f386f1a9

  • memory/1880-9-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/1880-12-0x0000000000080000-0x00000000000A0000-memory.dmp

    Filesize

    128KB

  • memory/1880-3-0x0000000000080000-0x00000000000A0000-memory.dmp

    Filesize

    128KB

  • memory/1880-1-0x0000000000080000-0x00000000000A0000-memory.dmp

    Filesize

    128KB

  • memory/1920-0-0x00000000000B0000-0x00000000000B1000-memory.dmp

    Filesize

    4KB

  • memory/2960-41-0x00000000000D0000-0x00000000000F0000-memory.dmp

    Filesize

    128KB

  • memory/2960-46-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/2960-49-0x00000000000D0000-0x00000000000F0000-memory.dmp

    Filesize

    128KB

  • memory/3052-28-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/3052-23-0x00000000001F0000-0x0000000000210000-memory.dmp

    Filesize

    128KB

  • memory/3052-31-0x00000000001F0000-0x0000000000210000-memory.dmp

    Filesize

    128KB
