Overview

overview

10

Static

static

1

4fda049f94...d3.msi

windows7-x64

10

4fda049f94...d3.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/02/2025, 04:16 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4fda049f94e2b9127b71cb11588cac6b379d4dddab47f6e2f028fdaaf79ad8d3.msi

  • Size

    3.0MB

  • MD5

    5d8dc4f7c58f4681dee4ee9f6ecc3498

  • SHA1

    3eb23e362ecba770d842e99dd6bf386f1b6c0b47

  • SHA256

    4fda049f94e2b9127b71cb11588cac6b379d4dddab47f6e2f028fdaaf79ad8d3

  • SHA512

    765fa345c0fb369795e54e0506b6a8caebbffce1c7cbdf061520d9ece9a15b840fec967de692314e42b30ef29df1612dc12e70f19b1b87d6cbabc473b4f9558e

  • SSDEEP

    49152:1W7g8r6F5mCmR+ZuBRQPcM6rUa1eH8CvQbFpsPNAbJU2DKcDahV3dZj:Zo6Au/6rUorpjbJTOcWTdZ

Score
10/10
hijackloaderremcosv2discoveryloaderpersistenceprivilege_escalationrat

Malware Config

Extracted

Family

remcos

Botnet

v2

C2

185.157.162.126:1995

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    qsdazeazd-EL00KX

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Detects HijackLoader (aka IDAT Loader) 1 IoCs
  • HijackLoader

    HijackLoader is a multistage loader first seen in 2023.

    loaderhijackloader
  • Hijackloader family
    hijackloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4fda049f94e2b9127b71cb11588cac6b379d4dddab47f6e2f028fdaaf79ad8d3.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4328
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4540
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2109E194D970048E95E4F604A8565BF5
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1936
    • C:\Users\Admin\AppData\Local\EHttpSrv.exe
      "C:\Users\Admin\AppData\Local\EHttpSrv.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4472
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1172
        • C:\Users\Admin\AppData\Local\EHttpSrv.exe
          C:\Users\Admin\AppData\Local\EHttpSrv.exe
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:4700

Network

  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9afd97fc0c4c4431a0640c31a4cdf7a3&localId=w:0E6DBFDF-A422-D12B-C993-83A8853F7845&deviceId=6966578605783440&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9afd97fc0c4c4431a0640c31a4cdf7a3&localId=w:0E6DBFDF-A422-D12B-C993-83A8853F7845&deviceId=6966578605783440&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=02913FA809EE69680FE62A2F08556877; domain=.bing.com; expires=Fri, 27-Feb-2026 04:17:04 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: F2E5EBCDDD7D40A8A51BC4B313D89720 Ref B: LON04EDGE0909 Ref C: 2025-02-02T04:17:04Z
    date: Sun, 02 Feb 2025 04:17:03 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=9afd97fc0c4c4431a0640c31a4cdf7a3&localId=w:0E6DBFDF-A422-D12B-C993-83A8853F7845&deviceId=6966578605783440&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=9afd97fc0c4c4431a0640c31a4cdf7a3&localId=w:0E6DBFDF-A422-D12B-C993-83A8853F7845&deviceId=6966578605783440&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=02913FA809EE69680FE62A2F08556877
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=G4LlatvCun5QmaqsnxwluKcOtk0xNamXAe9nFxfdRCQ; domain=.bing.com; expires=Fri, 27-Feb-2026 04:17:04 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 4FB2C7A832EB41BDA100F4323DD2018C Ref B: LON04EDGE0909 Ref C: 2025-02-02T04:17:04Z
    date: Sun, 02 Feb 2025 04:17:03 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9afd97fc0c4c4431a0640c31a4cdf7a3&localId=w:0E6DBFDF-A422-D12B-C993-83A8853F7845&deviceId=6966578605783440&anid=
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9afd97fc0c4c4431a0640c31a4cdf7a3&localId=w:0E6DBFDF-A422-D12B-C993-83A8853F7845&deviceId=6966578605783440&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=02913FA809EE69680FE62A2F08556877; MSPTC=G4LlatvCun5QmaqsnxwluKcOtk0xNamXAe9nFxfdRCQ
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: A24D4DF6634342CCAE0BB2F2CAF7B43C Ref B: LON04EDGE0909 Ref C: 2025-02-02T04:17:04Z
    date: Sun, 02 Feb 2025 04:17:03 GMT
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    71.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    212.20.149.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.20.149.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 150.171.27.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9afd97fc0c4c4431a0640c31a4cdf7a3&localId=w:0E6DBFDF-A422-D12B-C993-83A8853F7845&deviceId=6966578605783440&anid=
    tls, http2
    2.0kB
     9.4kB
     21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9afd97fc0c4c4431a0640c31a4cdf7a3&localId=w:0E6DBFDF-A422-D12B-C993-83A8853F7845&deviceId=6966578605783440&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=9afd97fc0c4c4431a0640c31a4cdf7a3&localId=w:0E6DBFDF-A422-D12B-C993-83A8853F7845&deviceId=6966578605783440&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=9afd97fc0c4c4431a0640c31a4cdf7a3&localId=w:0E6DBFDF-A422-D12B-C993-83A8853F7845&deviceId=6966578605783440&anid=

    HTTP Response

    204
  • 185.157.162.126:1995
    EHttpSrv.exe
    260 B
     5
  • 185.157.162.126:1995
    EHttpSrv.exe
    260 B
     5
  • 185.157.162.126:1995
    EHttpSrv.exe
    260 B
     5
  • 185.157.162.126:1995
    EHttpSrv.exe
    260 B
     5
  • 185.157.162.126:1995
    EHttpSrv.exe
    208 B
     4
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
     148 B
     1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    71.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    71.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    212.20.149.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    212.20.149.52.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e57d583.rbs
    Filesize

    2KB

    MD5

    684aa26fb43a5b8a9f73ec493512c151

    SHA1

    bcc253fb0a9e3f0a22f7709c94567482fc4d9759

    SHA256

    24d03eefe3d7804f4219f54bb7110378a43a07927ea7bd71df651c90d6020ea8

    SHA512

    7a8a1fb0dbc8c9a083cc7d57bf0ec8ac087e933a095519940949f94f642f70f0d2eaa582d3dd2a168a4ead3ca8f01d0d4ffad5c07e79dfa364d750b22e7096b8

    Download Submit

  • C:\Users\Admin\AppData\Local\EHttpSrv.exe
    Filesize

    20KB

    MD5

    9329ba45c8b97485926a171e34c2abb8

    SHA1

    20118bc0432b4e8b3660a4b038b20ca28f721e5c

    SHA256

    effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659

    SHA512

    0af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc

    Download Submit

  • C:\Users\Admin\AppData\Local\MFC80U.DLL
    Filesize

    1.0MB

    MD5

    686b224b4987c22b153fbb545fee9657

    SHA1

    684ee9f018fbb0bbf6ffa590f3782ba49d5d096c

    SHA256

    a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36

    SHA512

    44d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7d3c9289
    Filesize

    1.0MB

    MD5

    49d8e4d89b2bc211302726fb807e61b5

    SHA1

    36959e839d8b79b17f058241198f4b5b2f77cfad

    SHA256

    709725e32b50205283a741dd8b67af8574d9569f5ece351e7761891326a10365

    SHA512

    02ada95d5cf0dcf544a7bfb6a49fdbc059a490ec9187c21cfcce65fb49000a0f6a374b80b3868e93fe1bf1d8af023169d12cde9f6e497ef3945a6d01c4a2a555

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSI7d428.LOG
    Filesize

    21KB

    MD5

    afa7574ab28ffd8e4f05c60cf86a5056

    SHA1

    023e516b21df7af03f0315df8c1afaa69b6847e8

    SHA256

    d6abe3005bec898a5a3a6bb445963c4ecfa478dc70a997b61fc52bc274024bed

    SHA512

    6e1cae4be34f7e2ee331f6a6daee7d6bbfbd863247fef9d70988be96ebb16495eb7faf808b85d3d802ca72d21c7d14749134112d181d07fbb5b67ca827022cb4

    Download Submit

  • C:\Users\Admin\AppData\Local\audiogram.tif
    Filesize

    877KB

    MD5

    5124236fd955464317fbb1f344a1d2f2

    SHA1

    fe3a91e252f1dc3c3b4980ade7157369ea6f5097

    SHA256

    ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6

    SHA512

    2b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252

    Download Submit

  • C:\Users\Admin\AppData\Local\http_dll.dll
    Filesize

    883KB

    MD5

    4366cd6c5d795811822b9ccc3df3eab4

    SHA1

    30f6050729b4c08b7657454cb79dd5a3d463c606

    SHA256

    55497a3eced5d8d190400bcd1a4b43a304ebf74a0d6d098665474ed4b1b0e9da

    SHA512

    4a56a2da7ded16125c2795d5760c7c08a93362536c9212cff3a31dbf6613cb3fca436efd77c256338f5134da955bc7ccc564b4af0c45ac0dfd645460b922a349

    Download Submit

  • C:\Windows\Installer\MSID5CE.tmp
    Filesize

    557KB

    MD5

    2c9c51ac508570303c6d46c0571ea3a1

    SHA1

    e3e0fe08fa11a43c8bca533f212bdf0704c726d5

    SHA256

    ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

    SHA512

    df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

    Download Submit

  • memory/1172-54-0x00007FFEDDFF0000-0x00007FFEDE1E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1172-56-0x0000000074320000-0x000000007449B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4472-45-0x0000000074320000-0x000000007449B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4472-51-0x0000000074320000-0x000000007449B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4700-58-0x00000000730C0000-0x0000000074314000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/4700-60-0x00007FFEDDFF0000-0x00007FFEDE1E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4700-61-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4700-64-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4700-65-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4700-67-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4700-68-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4700-69-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4700-70-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4700-71-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4700-72-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4700-73-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4700-74-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4700-75-0x0000000000410000-0x0000000000494000-memory.dmp

    Filesize

    528KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.