Overview

overview

10

Static

static

3

PaymentIss...v8.exe

windows7-x64

10

PaymentIss...v8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/02/2025, 14:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PaymentIssueINV-202578_PmtRef_47734v8.exe

  • Size

    620KB

  • MD5

    c61384f6fa6286ff89e1f446cc25adb3

  • SHA1

    3bf45b971bd7dc54c1eaa9f2c55d58c64ca7913e

  • SHA256

    5c8ef3cc03f446dfd1a1438dc45c81f3cd16679e04a19d85b9318692429a8239

  • SHA512

    576ec78e6b5f05912ee448f493c51332198f37166646abef36ca77880816c2ba7850ee57ca844b276e393804f5307bc4198805b9d6748e29dd747b8288ea86d7

  • SSDEEP

    12288:uNvQ534LijMVuiZQ7hPGXC6TR4kliDxv:uNYhLv3NGXRR4Rdv

Score
10/10
remcosgooglegroupaccountdiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

googlegroupaccount

C2

107.174.65.146:1194

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    googlegroupaccount.exe

  • copy_folder

    googlegroupaccount

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %Temp%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-1MDOQC

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PaymentIssueINV-202578_PmtRef_47734v8.exe
    "C:\Users\Admin\AppData\Local\Temp\PaymentIssueINV-202578_PmtRef_47734v8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4608
    • C:\Users\Admin\AppData\Local\Temp\PaymentIssueINV-202578_PmtRef_47734v8.exe
      "C:\Users\Admin\AppData\Local\Temp\PaymentIssueINV-202578_PmtRef_47734v8.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Users\Admin\AppData\Local\Temp\googlegroupaccount\googlegroupaccount.exe
        "C:\Users\Admin\AppData\Local\Temp\googlegroupaccount\googlegroupaccount.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2932
        • C:\Users\Admin\AppData\Local\Temp\googlegroupaccount\googlegroupaccount.exe
          "C:\Users\Admin\AppData\Local\Temp\googlegroupaccount\googlegroupaccount.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4788
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEZCQ0MyNUQtNTE4QS00OThCLTkwNUYtRDdGOThBNzEzOTY0fSIgdXNlcmlkPSJ7OTEyMENERTQtNDlDNC00MUY0LUJBRTctMjM1REVCRUY4NTUzfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NzM5MDIxN0EtQkQxQy00RERDLUI0RjAtNDQyMjFBREEyMUEzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDEyNTg4NzIzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:3068

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    87b9a61c1db4d01fe3f8d5d36d73183a

    SHA1

    284590ec7cdbc0341c7a719a9a332ee915ec95b8

    SHA256

    a323f7d87e0c8d0438d0bb485d608af682c015644d7b539cc7eb31b59e3af532

    SHA512

    62107e200068f1ba6e2a9fc489c08e4e106669706215e70c205274e931e2165c2e12b60cc091b94fad88c4bfd3a05c0f01359f92c5d321c6e2fc08e5a917b5e5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\googlegroupaccount\googlegroupaccount.exe
    Filesize

    620KB

    MD5

    c61384f6fa6286ff89e1f446cc25adb3

    SHA1

    3bf45b971bd7dc54c1eaa9f2c55d58c64ca7913e

    SHA256

    5c8ef3cc03f446dfd1a1438dc45c81f3cd16679e04a19d85b9318692429a8239

    SHA512

    576ec78e6b5f05912ee448f493c51332198f37166646abef36ca77880816c2ba7850ee57ca844b276e393804f5307bc4198805b9d6748e29dd747b8288ea86d7

    Download Submit

  • memory/768-6-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/768-5-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/768-3-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/768-9-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/768-20-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2932-21-0x000000007480E000-0x000000007480F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2932-22-0x0000000074800000-0x0000000074FB0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2932-33-0x0000000074800000-0x0000000074FB0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4608-7-0x0000000074710000-0x0000000074EC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4608-0-0x000000007471E000-0x000000007471F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4608-2-0x0000000005E40000-0x00000000063E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4608-1-0x0000000000F10000-0x0000000000FB2000-memory.dmp

    Filesize

    648KB

    Download

  • memory/4608-44-0x0000000074710000-0x0000000074EC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4788-35-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4788-48-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4788-28-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4788-34-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4788-36-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4788-37-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4788-39-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4788-40-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4788-42-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4788-27-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4788-46-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4788-31-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4788-49-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4788-26-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4788-56-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4788-57-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4788-64-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4788-65-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4788-73-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4788-74-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4788-82-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4788-81-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download