Overview

overview

10

Static

static

3

01-ACTUACI...RA.exe

windows7-x64

1

01-ACTUACI...RA.exe

windows10-2004-x64

10

7z2409-x64.exe

windows7-x64

7

7z2409-x64.exe

windows10-2004-x64

7

CiscoSpark...er.dll

windows7-x64

1

CiscoSpark...er.dll

windows10-2004-x64

10

VERSION.dll

windows7-x64

1

VERSION.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-01-2025 16:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CiscoSparkLauncher.dll

  • Size

    2.6MB

  • MD5

    e2e01305e938ea378a88658d81c0917f

  • SHA1

    6b3dc7e13347f6fadadc2dbac7d3a3927d9e2aa6

  • SHA256

    29c3c48f4dc84e7179881bc3767546878b2db89d418372f687edbd4a72ef0989

  • SHA512

    5620ea58d2a7da0fe5d352ea1fe82e76ed84c31b2ae97b28a3ab3b25268f21c0a8eef8ca7baa05ab0f2c80a8125fc7e2441065eda11259b1f636be7b3d6c202d

  • SSDEEP

    49152:aGtlqOIU6iJVwASOcO81WPz3qjFr6t1Dt+w+PpmtsHcFhKgwzfQHdPWkpRs6:m+18rcDINHAhKQH8S

Score
10/10
remcosenviameplatadiscoveryrat

Malware Config

Extracted

Family

remcos

Botnet

EnviamePlata

C2

enviameplata.kozow.com:800

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    enviame

  • mouse_option

    false

  • mutex

    EVP-5U91NI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Executes dropped EXE 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\CiscoSparkLauncher.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\System32\Wbem\wmic.exe
      wmic path win32_VideoController get name
      2⤵
      • Detects videocard installed
      • Suspicious use of AdjustPrivilegeToken
      PID:2264
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn "nmIA6" /tr "C:\Users\Admin\AppData\Roaming\rundll32.exe" /sc onlogon /rl highest /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\system32\schtasks.exe
        schtasks /create /tn "nmIA6" /tr "C:\Users\Admin\AppData\Roaming\rundll32.exe" /sc onlogon /rl highest /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5096
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:384

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\enviame\logs.dat
    Filesize

    144B

    MD5

    46b14fb40b7ef94091bb6b41eadd89b9

    SHA1

    11f99d2c9cec3af62572bc0a8166d5c757b8e608

    SHA256

    efc637d686063c69fd7709c91e9f2dfa5cbc891dfefd113d9b097b181a345ca3

    SHA512

    e115b9a4c70b8af1842abfc9953d86a76f6b665b16bfc33c6aca6943e191d1549dd47f52117b559a0ff31610f046681c58033bb35080be0d1bced4df5942df5f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize

    481KB

    MD5

    1a8d61771647104c2f06edcbc06925ab

    SHA1

    09eed71174ac599848e48cc5d4480462333ddd4d

    SHA256

    c4e0fd98d56d31ea0acb0a63008c9971199e14b8b8227ef8fa2db923fe78830d

    SHA512

    d416f41e4ed729da0b3094333bb6564eb695ab1ed5e59aebbd4ab1142cae9541a56ce77ef350f5fc71aed232250ce411ed6c3a3cf2b0c877e2bb7863dc21eefe

    Download Submit

  • memory/2012-0-0x0000000000400000-0x0000000000A1F000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2012-19-0x0000000068840000-0x0000000068F2C000-memory.dmp

    Filesize

    6.9MB

    Download