Overview

overview

10

Static

static

1

5d8dc4f7c5...98.msi

windows7-x64

10

5d8dc4f7c5...98.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/02/2025, 11:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5d8dc4f7c58f4681dee4ee9f6ecc3498.msi

  • Size

    3.0MB

  • MD5

    5d8dc4f7c58f4681dee4ee9f6ecc3498

  • SHA1

    3eb23e362ecba770d842e99dd6bf386f1b6c0b47

  • SHA256

    4fda049f94e2b9127b71cb11588cac6b379d4dddab47f6e2f028fdaaf79ad8d3

  • SHA512

    765fa345c0fb369795e54e0506b6a8caebbffce1c7cbdf061520d9ece9a15b840fec967de692314e42b30ef29df1612dc12e70f19b1b87d6cbabc473b4f9558e

  • SSDEEP

    49152:1W7g8r6F5mCmR+ZuBRQPcM6rUa1eH8CvQbFpsPNAbJU2DKcDahV3dZj:Zo6Au/6rUorpjbJTOcWTdZ

Score
10/10
hijackloaderremcosv2discoveryloaderpersistenceprivilege_escalationrat

Malware Config

Extracted

Family

remcos

Botnet

v2

C2

185.157.162.126:1995

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    qsdazeazd-EL00KX

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Detects HijackLoader (aka IDAT Loader) 1 IoCs
  • HijackLoader

    HijackLoader is a multistage loader first seen in 2023.

    loaderhijackloader
  • Hijackloader family
    hijackloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5d8dc4f7c58f4681dee4ee9f6ecc3498.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3516
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3288
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding BBCA0F3C975BC668ADCE9868E9231125
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1784
    • C:\Users\Admin\AppData\Local\EHttpSrv.exe
      "C:\Users\Admin\AppData\Local\EHttpSrv.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4292
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3984
        • C:\Users\Admin\AppData\Local\EHttpSrv.exe
          C:\Users\Admin\AppData\Local\EHttpSrv.exe
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:3608

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e57dff3.rbs
    Filesize

    2KB

    MD5

    4798550e5f29339e4a4feecab6fb3e5b

    SHA1

    04a987dcb295e9efcc9ac995a585ed42c15884fb

    SHA256

    a0ac7afa8ce1d66836ceea9226245b085885dbc12881f256f9f71d743cba98ea

    SHA512

    800c7e933b4898d4b7981d6672e9ab321d3add5f7dbf32cf47e016b73b6db0aaeb7885864f1a169e86d6e631085e4b4e965cb6b2da6e4016ee9bf0878532b984

    Download Submit

  • C:\Users\Admin\AppData\Local\EHttpSrv.exe
    Filesize

    20KB

    MD5

    9329ba45c8b97485926a171e34c2abb8

    SHA1

    20118bc0432b4e8b3660a4b038b20ca28f721e5c

    SHA256

    effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659

    SHA512

    0af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc

    Download Submit

  • C:\Users\Admin\AppData\Local\MFC80U.DLL
    Filesize

    1.0MB

    MD5

    686b224b4987c22b153fbb545fee9657

    SHA1

    684ee9f018fbb0bbf6ffa590f3782ba49d5d096c

    SHA256

    a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36

    SHA512

    44d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\8fd20712
    Filesize

    1.0MB

    MD5

    4fb28b4d020105d6b996fbb1385e07b3

    SHA1

    4b246624cc226f7098bb4f394a67420ec86f6bb8

    SHA256

    af39f215ec1b1860fdbede99eda741de94e00da7a5245f786a2a840c36ddd2f5

    SHA512

    d06e25d9ce30b5884aee2fabd2cd0a9f65e2a85d4f6ac60936f945d776710ff66046170bc8d882009aafb40782b2188d9cd80208d8347aa468aaadc7c5801a96

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSI7de1b.LOG
    Filesize

    20KB

    MD5

    3ad731f59fd7ca6afd5203c34a67caef

    SHA1

    e6db9303c9ce7cc6166061085b8abdbe19be1f4d

    SHA256

    fb838c640ea79b36331121f98912604b03ce85f850d3c65f48e66401eb1630cf

    SHA512

    2de1259506436f93e5a22e64600bd13f064ba04d05a453dbd43764d954191ce2e5cc2ccf4aa38299388aac04383a36f4357dafdd276c30d75b8816e36fc172c9

    Download Submit

  • C:\Users\Admin\AppData\Local\audiogram.tif
    Filesize

    877KB

    MD5

    5124236fd955464317fbb1f344a1d2f2

    SHA1

    fe3a91e252f1dc3c3b4980ade7157369ea6f5097

    SHA256

    ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6

    SHA512

    2b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252

    Download Submit

  • C:\Users\Admin\AppData\Local\http_dll.dll
    Filesize

    883KB

    MD5

    4366cd6c5d795811822b9ccc3df3eab4

    SHA1

    30f6050729b4c08b7657454cb79dd5a3d463c606

    SHA256

    55497a3eced5d8d190400bcd1a4b43a304ebf74a0d6d098665474ed4b1b0e9da

    SHA512

    4a56a2da7ded16125c2795d5760c7c08a93362536c9212cff3a31dbf6613cb3fca436efd77c256338f5134da955bc7ccc564b4af0c45ac0dfd645460b922a349

    Download Submit

  • C:\Windows\Installer\MSIE05D.tmp
    Filesize

    557KB

    MD5

    2c9c51ac508570303c6d46c0571ea3a1

    SHA1

    e3e0fe08fa11a43c8bca533f212bdf0704c726d5

    SHA256

    ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

    SHA512

    df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

    Download Submit

  • memory/3608-64-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

    Download

  • memory/3608-58-0x00000000727E0000-0x0000000073A34000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/3608-60-0x00007FF99A890000-0x00007FF99AA85000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3608-61-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

    Download

  • memory/3608-66-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

    Download

  • memory/3608-67-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

    Download

  • memory/3608-68-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

    Download

  • memory/3608-73-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

    Download

  • memory/3608-74-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

    Download

  • memory/3984-54-0x00007FF99A890000-0x00007FF99AA85000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3984-56-0x0000000073C20000-0x0000000073D9B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4292-51-0x0000000073C20000-0x0000000073D9B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4292-45-0x0000000073C20000-0x0000000073D9B000-memory.dmp

    Filesize

    1.5MB

    Download