Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
07/02/2025, 15:02
General
-
Target
b58a7d4bb391ebe2243a86ea92641445e98a4da3e51abf3d2c905fb8ac0dd9dd.exe
-
Size
1.1MB
-
MD5
1a9f017e35766201caca66b99c8700eb
-
SHA1
c276dd064641b832dfdf4886267526c827251467
-
SHA256
b58a7d4bb391ebe2243a86ea92641445e98a4da3e51abf3d2c905fb8ac0dd9dd
-
SHA512
ebe846e24f247bda738c4c6b31e1328210becc9233262ed25955e3dc627a0a251851add60db743c9eb507fb9c337fc69308e64117313f833da0e921a5f51e734
-
SSDEEP
24576:tqv1KmEM2KM1NJL09EkhupPKRmtgAV189rYYDk4CvM:4v1KmEXKM1jGhwKstpVy9cYApvM
Malware Config
Extracted
remcos
CocoHost
87.120.115.189:2404
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-Y1QVDD
-
screenshot_crypt
false
-
screenshot_flag
true
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
true
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b58a7d4bb391ebe2243a86ea92641445e98a4da3e51abf3d2c905fb8ac0dd9dd.exe"C:\Users\Admin\AppData\Local\Temp\b58a7d4bb391ebe2243a86ea92641445e98a4da3e51abf3d2c905fb8ac0dd9dd.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b58a7d4bb391ebe2243a86ea92641445e98a4da3e51abf3d2c905fb8ac0dd9dd.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\peyoVuqfV.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\peyoVuqfV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA6C.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.04⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
579B
MD5f55da450a5fb287e1e0f0dcc965756ca
SHA17e04de896a3e666d00e687d33ffad93be83d349e
SHA25631ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0
SHA51219bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630
-
Filesize
252B
MD5c9e8b8c74bb8f1380959e0e82f90eab6
SHA1a56eb7d11e58cbda643ea2a6818080944b8c7f92
SHA2562d1f1388b634ffaf53f06282b5387d79548b6547f61e8217d163dd64317a0e42
SHA512ad845a0093a859caa34ac2a11266cfb381cb917a9b43fbfd724a1f9243c7f42d0424d506f6a66ec8822b9ebebe9376a0e72d266340bf20b6ae84c0787f3d40eb
-
Filesize
342B
MD54a6f79992fe5c7b584bf4a71bffe4080
SHA1f75728b0cb3a20a7823ef5e7e1f6a6a8d3532efb
SHA25618ca66e2ca32ada49ef2de6f036185b7ed0a2f3180d42137d0c080d045def298
SHA51294430d79f853d92cf95e40341034646341aeacbd9744181acd49ef1be781b0708296e0736bf7011c6ff6f0ea40689fb5a027f1443b2caa685a4e88200c84f391
-
Filesize
342B
MD5ad7ae6a72ccdd239528f8a0ef1568ba4
SHA198ab4886b740530d4853b4d476a00bb58b8e8a17
SHA2561fc3c458291874df3d7be0b32a598419d93a1dbdcf50912c202111f2219fcb57
SHA512dcd0d6f8b87e5f3ced36d5c10808823e3cd462be3c917ae80c18abccde701176827801995c458bf680596b7f3dee63fc6678cfefa13f38e57a9026d558364e3b
-
Filesize
342B
MD5e780a2776d783ed6895baab6e7fccea2
SHA153e745646eea801d2852d0b5b727e07ff2dc475b
SHA256d77003e48845f9f52b98e7cd343b58948af427c69e714533e9100e076b156d85
SHA5128052aa593a6abfe45c4a6176d9b51084d5be5a70b3cea8bdd50985a1532a38579d18949ad881e500e652e3390a0a7423a602aead6355dcb200c9743d3a560bd4
-
Filesize
342B
MD577b6ae6782af42d12606430140ba8f2f
SHA13cc68ac9a60192e89d4cad50a5b975c4fd57e7c3
SHA256ae26f28845479a005f43ebc1af89057a844ba1b6cdcddadee458df11762d284b
SHA5120233168521748c1f16e921755895ba5170ab1fb40a2785db5208c92e069529b46f9abffa4dbf8e86bcf8bb02e704a2df4b251c4359dbeecd96971ac01c15e326
-
Filesize
342B
MD566a34e556a5a62daacfb23fa2c2aa20c
SHA1f9d5d3831d1a14d9aaa5ab461e49c20a06f12c81
SHA25613c3afdc383ff6ca409185b321f776ffb57de1ff65a6ac9bec03323aafd4c0c4
SHA5127c3dfb363d9b56356b9e4c8893e95b726f91b9ea974dcaafb292d2bad9ec305f14be3eca3867db049baa1fe97c205758cccab0b218e8b9e05072a00afaca8893
-
Filesize
342B
MD5ee1736f4c22581b04df0fbf462b2fc5f
SHA17d26b67b41dc9659419516fb88b39f30b95b809c
SHA2560d9334d0e2d1f44a7462af0973a32d065200bcf35d6a493afcb45bbf8f67aa7e
SHA51235609584136ad734e0554b84685f564ac5cfcaa4226837a8d3bf6cd1ab4b3e5e451c78e56c9f5cdf254995003f2b54fad8ea9d4b75ec3d35f41bc976c02a4be7
-
Filesize
342B
MD561c65c71e568e08b673b75d33a50a8c4
SHA1b3dccf5a616825504f3c3452b9689c8b95ebb888
SHA256db530d7919580ebb60eeea684be178247d4b4667b1842fc16f4ed9c12f18ab0f
SHA51251bfe5440681f3bffe41f4cb619934c8bca32ab74314c653711e7e9b3ea214eff2c356e7ba5c85837ce6ef9b54167b120ec7c5b85b38b5de86c890bda50bf07e
-
Filesize
342B
MD57a44e1651d4de4080031ffead12bcf55
SHA12acaa369d0aea99b6ab9fd7ced1507a8e7fc099a
SHA256f77345d3811d44e4ca3c785a001332c68c96507b782cdb6f661e602970609c5d
SHA512c7712d97d149f39f1185f5c63569d3d0d28b3c841964356ad013eea1756bc7298f1048601889f52e22690a320e2665e11a6ff43a9223e493c36a7a791e901c40
-
Filesize
342B
MD51f9c7e71b54e2fccbac7cff34e30c68c
SHA1fe183168c411a85ae118543ad2ff15933c6a55a4
SHA256b59ed4789c3bf897c632e957a90f328ab6a731f2e60d24b9e1a7cb54bf45420d
SHA512345decf6575292464d355d632afe2a9f37aa783f7f4f501aa0ff87e6c30644ee7c986aa2c1e356e46108e4079ae1b9ed9bd47cab51a54bedcb2013190033b037
-
Filesize
342B
MD560da3357a8f87cf9c3d7cedf26926adc
SHA15131e618e34fffbc310fffd0daeaa86a42145a5e
SHA2560d2c79cd2fc4ff656c4dd57b29a17fd0ee7554f4bcca56074c12af1f92c5418a
SHA512d502567fa49eeb7350ce2f1e1a3c8e84afde3e90b8deb58ab1bd347be604efc086d1d621591471512b11f54a06cc7fc33bcd132673826b8465c0e8750830968e
-
Filesize
342B
MD52eeffffd693ad48f5bf6a8b6cd17031c
SHA1445c7a8699cd31b752a3ba393609b1059e482271
SHA256f2e687a305dd67bb929574313ae165e9579cbdd5b9b9511d119d4e050bbbf040
SHA51261aec6f01d470f0e9b4125ad10981335e66bc0be0f5795b35b665926023287cd84f2e396a679b69e23d1404c2af67b5897191838818ea36b7593b7970115be2f
-
Filesize
342B
MD5d61bbb57bdae551967fe17a95ad374b4
SHA168e9e0d98601d74fe89700f2b3867928b1b81fb1
SHA25663e3a340186e86e08657393396ea8322263a6476f8d1587110850128feec55a8
SHA512080f70b72dcb6f19c0c109dfcf348a3702265d0438a7637d5e9346d2b2f39abea999ebf6ff87b0ee9ee76a1756b31751bb301d2669c58ff9c5c54ec45ab57a2d
-
Filesize
342B
MD585dbfc3c0286b3f443581abe66e03a1a
SHA19fd636857be272ab71e70c0b41f773f96aca32ec
SHA25673bf2dc9c31423d3861e71f175710213edca5942def109495dcd485f448f54bf
SHA512f724d70a8aa84ab254f320660833ff3119cdb56042758de4c4d6927ccc29695c49f0c4586540ed355618b0d21ac4637f0d8688d3333a15fe6ec2678fa3d5e335
-
Filesize
342B
MD543e04514aef509374501be1642882352
SHA13b0c14570e06f93c91b48698ca4f4fe4451af33a
SHA2569b49af505670206b24ae4dd67db41b8fd09b9bc705b62ff8fa2df98c5092d920
SHA51233810d076fabfdb656c905f7041c9bfc5a742e183e35564680d6bd49df4f624076ed5627165fc128ad7fcb97cdf01b71a168888cb7ee91dfa67d12eea9314342
-
Filesize
342B
MD555e8a89999f1c42baa568af8a18419d4
SHA152a68b6d119425664c61cfa681af810bd0ad4860
SHA2562c1ceb08ee9f562d9299d38058727d9f8e321f297f77c3ba5d710d24c4847cea
SHA512693fee76772291b6e7abbffc1a4172bee49d576e555f6300c9aafc1ea40bc6f51448d61fee3bad0853fc0bf511fb495fc645b85a9ecfd33632c87c33f4888f33
-
Filesize
342B
MD5c7ff8768908cd6bc741e30a3d428d4c0
SHA1b41084b2f59bdc16b6d8ca6b652a3549789432c6
SHA2568ad4259314ec208167fce79cdb323dfc4c124ef947d8d28a7004995d3b5fe6e2
SHA512419ecb42365b49e0915064c7ca42da1522e0825412e808d0974544e4e93dbdba0b719a1a77cbb87a45714f02b4a7e11235a221a9b0e72282c0bdbe1709ca7154
-
Filesize
342B
MD562ffd9170ce9876b0572f7adfc303554
SHA1dd404a94afadbccdfa109ab2036aef3508153952
SHA256b74c10564ff9ec40ec8d6578094bb70f6327d2c04aad0b9a37793b023b14f796
SHA512da330e315964c92680b304531a00c7d2577391190e73442b58e0f912c1f1b88530e2c10dc41d3812ffa1cdf0a38bbdebfc65f724c057bd677ffe981e1c07f0e5
-
Filesize
342B
MD5fe349e1390b84bc2f0a24894af1ceb44
SHA1b4e88ea5f6037c924ac9261df851be9b5d033e8d
SHA256a481f4fb838d1ff305d11da93465d617cad1661810377dc570575aa858f6bba3
SHA51276cccc87f8a48892dd8ce501e25e49deb024ef7f6c3a18e55fcb359608b2ea21e88ddaa150ef88e614989411393fd681ffb30fd115ed0534e2cd81f590005fab
-
Filesize
342B
MD589411cd1d7d79f3b0bda9f88c05dfe0a
SHA1bc53eee0dcefa2ceed382751a6804f732169b735
SHA25698bbef10023bcdee2ffca31d193badb7e7cc6f82ce72231b0f46087f1d02db04
SHA512dcd7188a6a2e761cd1f595c54ee2b8d0861771c0ae3f0c80dccb2ca8f6896a3413b434e0fb19017ab9e81102c727fa2fff9f2b001ae28d3cbbce0078927a8943
-
Filesize
342B
MD5013396653f9176d7be873348bb10c0b9
SHA1460d5a8f755bd3f2b9d1bfcacbe1c3070439cd85
SHA2560894a833785c063ed60af09881cb660a96149994db0d776d412b7c3e194e9f45
SHA51233bafd50e2bcecc432c6aecf2569642798d086901509712fc24cb99ad294b9a7c81409d3e42e48f9953c8fd10decbcca2c3d7e6d0c065bd3a0321294c10a4c6e
-
Filesize
342B
MD5d524d63e9060f982c705e536ca7efffe
SHA1a9197cc0479419916ff534a05d400ff270993316
SHA256570f1c84a1415b575d6689d0938be30f63bdf9012f1bfb62ffc5bacc9a7acd5a
SHA512860512dc1cb0da1adaf2717315702323468a75c12451c35495bb8ecc499364564693b1f03bf0a94eb001bcb0f00237a63268792be069534df5f75ed8d04fe836
-
Filesize
342B
MD5b709534ab3f79e5d92738a71ad033116
SHA16b8e07286ce11456700986ebdf86fec7ba950d30
SHA2566bc28e64056207f12c4393e32517dee607b3cf3edf23672789284737e5977d06
SHA5124ab9f573989d9a7b9700718b5ca2a20291aa37b58129fe987eb8f5789aa46032756aed3e877f6d1027dd4b9b46af73a77750b841d53dd1b0e9b2dc28cb088bdb
-
Filesize
342B
MD53572710b0d56772494a6bdd2cf07b260
SHA17c2ec4dfad0d3e6d953f3379192514c908f49142
SHA256025a7104479e3faa26e83949ede09fc66c2ed7e5ce76449ed5fed63970d1d82f
SHA512ab042792627dfaccd9e4a9d30c8569cfd07cd5d75f235a86e01500a2a85eb0a25436bb7bc420d2bdd037dd5937558f477774bbe4b0833c6ff773c452ccf330c5
-
Filesize
342B
MD5c66910e93881aa80d3cf3cf496a423ac
SHA1109dc5295eefc36ff0f633e7168e9b79b156d11d
SHA256edf8037b845884b66b6ab84471000b9a16bce2d95cb6041ce23f8d4dc9450ebf
SHA512c72d0937e5064f6cbaa8af7b5e38a16986253901183c8e8cce12762113850e141382e40e59127d8074885bb1b45aa6a8821770f589dd88d428696ff8f788747c
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1KB
MD528d7d3b981c0c40f58fcc375b2427948
SHA1805bf8e3b5a6c6195a8040883126e7ce9fcd9287
SHA25671b3b05e0fd999f2c054fb9a9ae4a692f602477bfd1425753ff906a225800bc9
SHA5124ca6900f248b8bb32eaf83373f1f9685982c0f320349f98ba703fc2cfee5dc988685a1fceb6a899e07074ccf6447784cd42c9bdbc6ffbcb3419ce96a064c3a1b
-
Filesize
7KB
MD52268886e5509784c61be751fe6acbbd3
SHA1ef600a8f5ee32f2cf7602069cb6f64d122680d12
SHA256f93b7f51d4538ce00d555a3e4565380b81e9319f42b3d8a2bd132ca887bedad2
SHA5127be424571c9c83a04b7c803dbd5628d48cc7f4f65acd3f0a475b4d7d6be8d1d8a30e91c2f700fc8c1e4deeeca4d7f5762ebf16fdb25f6d3e7270e6e126568e8c
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
784KB
-
Filesize
4KB
-
Filesize
1.1MB
-
Filesize
6.9MB
-
Filesize
120KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
4KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB