Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
-
submitted
02-02-2025 04:16
General
-
Target
4fda049f94e2b9127b71cb11588cac6b379d4dddab47f6e2f028fdaaf79ad8d3.msi
-
Size
3.0MB
-
MD5
5d8dc4f7c58f4681dee4ee9f6ecc3498
-
SHA1
3eb23e362ecba770d842e99dd6bf386f1b6c0b47
-
SHA256
4fda049f94e2b9127b71cb11588cac6b379d4dddab47f6e2f028fdaaf79ad8d3
-
SHA512
765fa345c0fb369795e54e0506b6a8caebbffce1c7cbdf061520d9ece9a15b840fec967de692314e42b30ef29df1612dc12e70f19b1b87d6cbabc473b4f9558e
-
SSDEEP
49152:1W7g8r6F5mCmR+ZuBRQPcM6rUa1eH8CvQbFpsPNAbJU2DKcDahV3dZj:Zo6Au/6rUorpjbJTOcWTdZ
Malware Config
Extracted
remcos
v2
185.157.162.126:1995
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
qsdazeazd-EL00KX
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Detects HijackLoader (aka IDAT Loader) 1 IoCs
-
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
-
Hijackloader family
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 11 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 7 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4fda049f94e2b9127b71cb11588cac6b379d4dddab47f6e2f028fdaaf79ad8d3.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2109E194D970048E95E4F604A8565BF52⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\EHttpSrv.exe"C:\Users\Admin\AppData\Local\EHttpSrv.exe"2⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\EHttpSrv.exeC:\Users\Admin\AppData\Local\EHttpSrv.exe4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5684aa26fb43a5b8a9f73ec493512c151
SHA1bcc253fb0a9e3f0a22f7709c94567482fc4d9759
SHA25624d03eefe3d7804f4219f54bb7110378a43a07927ea7bd71df651c90d6020ea8
SHA5127a8a1fb0dbc8c9a083cc7d57bf0ec8ac087e933a095519940949f94f642f70f0d2eaa582d3dd2a168a4ead3ca8f01d0d4ffad5c07e79dfa364d750b22e7096b8
-
Filesize
20KB
MD59329ba45c8b97485926a171e34c2abb8
SHA120118bc0432b4e8b3660a4b038b20ca28f721e5c
SHA256effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659
SHA5120af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc
-
Filesize
1.0MB
MD5686b224b4987c22b153fbb545fee9657
SHA1684ee9f018fbb0bbf6ffa590f3782ba49d5d096c
SHA256a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36
SHA51244d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875
-
Filesize
1.0MB
MD549d8e4d89b2bc211302726fb807e61b5
SHA136959e839d8b79b17f058241198f4b5b2f77cfad
SHA256709725e32b50205283a741dd8b67af8574d9569f5ece351e7761891326a10365
SHA51202ada95d5cf0dcf544a7bfb6a49fdbc059a490ec9187c21cfcce65fb49000a0f6a374b80b3868e93fe1bf1d8af023169d12cde9f6e497ef3945a6d01c4a2a555
-
Filesize
21KB
MD5afa7574ab28ffd8e4f05c60cf86a5056
SHA1023e516b21df7af03f0315df8c1afaa69b6847e8
SHA256d6abe3005bec898a5a3a6bb445963c4ecfa478dc70a997b61fc52bc274024bed
SHA5126e1cae4be34f7e2ee331f6a6daee7d6bbfbd863247fef9d70988be96ebb16495eb7faf808b85d3d802ca72d21c7d14749134112d181d07fbb5b67ca827022cb4
-
Filesize
877KB
MD55124236fd955464317fbb1f344a1d2f2
SHA1fe3a91e252f1dc3c3b4980ade7157369ea6f5097
SHA256ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6
SHA5122b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252
-
Filesize
883KB
MD54366cd6c5d795811822b9ccc3df3eab4
SHA130f6050729b4c08b7657454cb79dd5a3d463c606
SHA25655497a3eced5d8d190400bcd1a4b43a304ebf74a0d6d098665474ed4b1b0e9da
SHA5124a56a2da7ded16125c2795d5760c7c08a93362536c9212cff3a31dbf6613cb3fca436efd77c256338f5134da955bc7ccc564b4af0c45ac0dfd645460b922a349
-
Filesize
557KB
MD52c9c51ac508570303c6d46c0571ea3a1
SHA1e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
18.3MB
-
Filesize
2.0MB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB