Overview

overview

10

Static

static

1

u.msi

windows7-x64

10

u.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-01-2025 16:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    u.msi

  • Size

    5.7MB

  • MD5

    f16fddbeda16868ac7935725201c6321

  • SHA1

    6775c120e9607753c83a58006cc435149d2dba91

  • SHA256

    8ace9806930d834c52013f9c58246b45a44381be51c1c53c0e2a5da5adc29a05

  • SHA512

    8cff853d33004c0178b433058cdbf3e7c2dc45c9e00e6704839ff811ca0b8ff49561d44e140b4c311b5620e33f0c9be5ee86404dc6d4608eebf55c87d80dbce5

  • SSDEEP

    98304:WRMYywIk8aXRK6SYAEgrrm5OT24gNVOyj7eo76vS6q4we36MxisVYaA7F4t:ycPc86SvbmAMU1S6q49j0sVZA4t

Score
10/10
remcosenero 20 muchachadiscoverypersistenceprivilege_escalationrat

Malware Config

Extracted

Family

remcos

Botnet

ENERO 20 MUCHACHA

C2

restaurantes.pizzafshaioin.info:5508

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    coimostoda

  • mouse_option

    false

  • mutex

    neocivasne-F0VOCL

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 10 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\u.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2972
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5088
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding FD7FCCB8F1EEDEEB4ED95E979A3C3870 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4400
      • C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{81294E73-5B77-44BD-9522-BA290199E610}
        3⤵
        • Executes dropped EXE
        PID:4900
      • C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1E768584-8F48-4EE7-8B85-6CEB390230A7}
        3⤵
        • Executes dropped EXE
        PID:3860
      • C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B72A9537-9EB8-4D52-8C83-2FBBDD10258A}
        3⤵
        • Executes dropped EXE
        PID:4444
      • C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{49B1AB04-A3F0-4B7E-95D5-A2A72CA79797}
        3⤵
        • Executes dropped EXE
        PID:3856
      • C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C31D9442-E87B-4C19-A7BE-9CC4D1D0555E}
        3⤵
        • Executes dropped EXE
        PID:1780
      • C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{162CB46C-C6D8-46AF-BD09-22D29FDF6DEC}
        3⤵
        • Executes dropped EXE
        PID:3540
      • C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2308ED9A-BCF8-41D9-ACCA-5C82DCDFFCBB}
        3⤵
        • Executes dropped EXE
        PID:3328
      • C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A8C0238C-0456-4EA8-861D-51DD4E456BA7}
        3⤵
        • Executes dropped EXE
        PID:4824
      • C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B58947B5-B617-40CF-8B93-92CBC080092E}
        3⤵
        • Executes dropped EXE
        PID:796
      • C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISBEW64.exe
        C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D4F4C60B-CE84-43C3-8508-E7E5E3EDF79D}
        3⤵
        • Executes dropped EXE
        PID:4524
      • C:\Users\Admin\AppData\Local\Temp\{574A0140-A8A8-4306-B627-22A7C2C73F43}\steamerrorreporter.exe
        C:\Users\Admin\AppData\Local\Temp\{574A0140-A8A8-4306-B627-22A7C2C73F43}\steamerrorreporter.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Users\Admin\AppData\Roaming\checkfirefox\steamerrorreporter.exe
          C:\Users\Admin\AppData\Roaming\checkfirefox\steamerrorreporter.exe
          4⤵
          • Suspicious use of SetThreadContext
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:4800
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\SysWOW64\cmd.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:4972
            • C:\Users\Admin\AppData\Local\Temp\toolcli.exe
              C:\Users\Admin\AppData\Local\Temp\toolcli.exe
              6⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4180

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\coimostoda\logs.dat
    Filesize

    144B

    MD5

    0fc40fa3a6eac1d27b0f48aae837b5e4

    SHA1

    838fbe9122952b4bcdcf3bde7a0572a4a3b01240

    SHA256

    bbf22d8b7408c4eb28db4708c84fc65b6f364a8fb9e005875aa17af0843f0206

    SHA512

    87f3061fb1bdccd93ce07c2f5d8c9486392f7db1c315407a79c92487abe5af17728d877166ec12f6c230042e2a99a99dc059390da2aeb171d9a38ccaf53399c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1166a744
    Filesize

    1.6MB

    MD5

    2e4489da94d8084e562bdd413b59fc0a

    SHA1

    b746fd0859967ad7f7b74826bd5091b41f790f49

    SHA256

    8197d77df7662e2b26d1364545902fcf273dadaf7b3f4140a366a11a08630ea0

    SHA512

    7e30466045a9815ec9603c847bff4f2724d90c8f95b5f000433e120577088da392a13dc05ecbf89834825375619712a8486b3d03b9482f894231ad8540bd7a1a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSI881C.tmp
    Filesize

    171KB

    MD5

    a0e940a3d3c1523416675125e3b0c07e

    SHA1

    2e29eeba6da9a4023bc8071158feee3b0277fd1b

    SHA256

    b8fa7aa425e4084ea3721780a13d11e08b8d53d1c5414b73f22faeca1bfd314f

    SHA512

    736ea06824388372aeef1938c6b11e66f4595e0b0589d7b4a87ff4abbabe52e82dff64d916293eab47aa869cf372ced2c66755dd8a8471b2ab0d3a37ba91d0b2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSI8A5F.tmp
    Filesize

    2.5MB

    MD5

    d1ce6e4950f990b88117cd4ff1bf08c9

    SHA1

    0d15ffaea45f3bdd3f380321e679ee6e082cdfd0

    SHA256

    b7e914b990435e23a68bb741c2ef33c7e37aefd4d4167427641a83f2bbb773ee

    SHA512

    1a66f061793822bda9052c549aae5879726ee35a7de0943e1752f4801c5d1e47d99b87d2f74a7c818856f2a8e44db0603107d5becf9ae2d8ff776552f5fd77e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\toolcli.exe
    Filesize

    433KB

    MD5

    fea067901f48a5f1faf7ca3b373f1a8f

    SHA1

    e8abe0deb87de9fe3bb3a611234584e9a9b17cce

    SHA256

    bf24b2f3e3a3c60ed116791b99e5421a4de34ac9c6e2201d34ab487e448ce152

    SHA512

    07c83a2d3d5dd475bc8aa48eba9b03e8fb742dbbd7bd623ed05dc1086efed7dfd1c1b8f037ee2e81efba1de58ea3243d7c84ac8b484e808cd28765f9c7517023

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISBEW64.exe
    Filesize

    178KB

    MD5

    40f3a092744e46f3531a40b917cca81e

    SHA1

    c73f62a44cb3a75933cecf1be73a48d0d623039b

    SHA256

    561f14cdece85b38617403e1c525ff0b1b752303797894607a4615d0bd66f97f

    SHA512

    1589b27db29051c772e5ba56953d9f798efbf74d75e0524fa8569df092d28960972779811a7916198d0707d35b1093d3e0dd7669a8179c412cfa7df7120733b2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\ISRT.dll
    Filesize

    426KB

    MD5

    8af02bf8e358e11caec4f2e7884b43cc

    SHA1

    16badc6c610eeb08de121ab268093dd36b56bf27

    SHA256

    58a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e

    SHA512

    d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{55AA638B-A463-49C1-8EDF-0381296F5AD8}\_isres_0x0409.dll
    Filesize

    1.8MB

    MD5

    7de024bc275f9cdeaf66a865e6fd8e58

    SHA1

    5086e4a26f9b80699ea8d9f2a33cead28a1819c0

    SHA256

    bd32468ee7e8885323f22eabbff9763a0f6ffef3cc151e0bd0481df5888f4152

    SHA512

    191c57e22ea13d13806dd390c4039029d40c7532918618d185d8a627aabc3969c7af2e532e3c933bde8f652b4723d951bf712e9ba0cc0d172dde693012f5ef1a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{574A0140-A8A8-4306-B627-22A7C2C73F43}\roadhouse.zip
    Filesize

    53KB

    MD5

    b0390294d22d4775820b22226830ff32

    SHA1

    36359349e41242960fcc1886963fec7303a046fa

    SHA256

    fe74fbf9d036721b7b1a7ed2ce14b351cbff58d13b4d1b0ac2a47e9884a4e846

    SHA512

    da0d08fd4691f1d06ec9e538f14680182a373b1160ae9bf28c22e86c0e472f1647962a5dc036e998c2497e18028ad613f8294845734bec6db900b72b3295a80a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{574A0140-A8A8-4306-B627-22A7C2C73F43}\scruple.ics
    Filesize

    1.1MB

    MD5

    9a8ca04113c9d851ac054c3454e055cc

    SHA1

    d3239cb8f59c532189414c425bbb8498b241a91c

    SHA256

    de0dfe1ffe33c85556900be396bfbd768d312c35ccdd90b875fee310a15cc8e6

    SHA512

    db6c43d01d55edad0c8a3a27ef2196e95515c744c12af2076bfb260c2c3da4795465ed2574f7b05269ab7f6fe2a35fb843de56cf3a67ba6b06c22012d895c5b5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{574A0140-A8A8-4306-B627-22A7C2C73F43}\steamerrorreporter.exe
    Filesize

    560KB

    MD5

    dc1681b98049f1df46dd10d7f4c26045

    SHA1

    4c7f5cf7c00b6139979f8aa41f46979666369224

    SHA256

    594f9853124e0a81deeaaecb8ec3d192169e7393778214ef6d8f6460450ef080

    SHA512

    c9a2086326acbab8aba801da0d8bd2aa06951ec7fd7f32a3150f9521498c0b6711552695fbf9d0de7668503630c508bcd68e1d715796ef34f9945035da3fe1ed

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{574A0140-A8A8-4306-B627-22A7C2C73F43}\tier0_s.dll
    Filesize

    330KB

    MD5

    2ef38c233e7aa6377c668b43d5c2caf9

    SHA1

    07442db44a4be4e7c8fb639979a4e3579337dc30

    SHA256

    1d6d62e7087cdbb9bed9898059b27e4f07151b5381404119ad7377cc89be9bbc

    SHA512

    38f9d132d3b5fa1ad9a450463f4f4809a6488c0435bc70265753412f92f1c3e8405d3a2007e7bb852e2aa3847ebc237e2eb44062c13d810ffaa84afaf2854533

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{574A0140-A8A8-4306-B627-22A7C2C73F43}\vstdlib_s.dll
    Filesize

    530KB

    MD5

    bf433279dfa1820d93ef9417fceaf306

    SHA1

    21dfda7d0ce11dba8f786c72d0a4db1dd3a82308

    SHA256

    3fa60435cba38c85310eeba1032bf1d305aeea2e4cf890c17966366d63d43963

    SHA512

    dd1823f68a25cb9d25d125267e9ea4fb0803ec0133b5fd183cf0d832ad1dceca53a8a7d4d79b94ce0b67ef3050334373ec80c211fa1ff8888c4a724d64a1b250

    Download Submit

  • memory/2956-56-0x0000000073BC0000-0x0000000073D3B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2956-57-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4180-99-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4180-120-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4180-111-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4180-105-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4180-102-0x0000000000400000-0x0000000000481000-memory.dmp

    Filesize

    516KB

    Download

  • memory/4180-98-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4400-33-0x0000000010000000-0x0000000010114000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4400-38-0x0000000003830000-0x00000000039F7000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4800-83-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4800-84-0x00000000756F0000-0x000000007586B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4800-82-0x00000000756F0000-0x000000007586B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4972-91-0x00000000756F0000-0x000000007586B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4972-88-0x00000000756F0000-0x000000007586B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4972-87-0x00007FFE8BC30000-0x00007FFE8BE25000-memory.dmp

    Filesize

    2.0MB

    Download