Overview

overview

10

Static

static

5

6013773995...52.exe

windows7-x64

10

6013773995...52.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/02/2025, 06:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    601377399514b0f9957478695dbcd465134026d666affabea442eaac1f607a52.exe

  • Size

    1.1MB

  • MD5

    8e49c2e11af1336db053d5062821f5d2

  • SHA1

    a4fc1aa3b2d5baf46f042e3eeec5856f20331d9d

  • SHA256

    601377399514b0f9957478695dbcd465134026d666affabea442eaac1f607a52

  • SHA512

    d73b796ebd5492bf2acbf606c2a1c7d9eb84b3e4210eb4d47d5186d6161838d6630dc9e167605f9250776f68401a3fb33863944fb217b488d13be4cbdbfe41f2

  • SSDEEP

    24576:1u6J33O0c+JY5UZ+XC0kGso6FakCsU4yYhK3x9uZ3WYv:Xu0c++OCvkGs9Fak4BYv

Score
10/10
remcosremotehostdiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Version

2.2.0 Pro

Botnet

RemoteHost

C2

185.217.1.142:3337

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    3

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    true

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-VBI2IL

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies WinLogon 2 TTPs 4 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\601377399514b0f9957478695dbcd465134026d666affabea442eaac1f607a52.exe
    "C:\Users\Admin\AppData\Local\Temp\601377399514b0f9957478695dbcd465134026d666affabea442eaac1f607a52.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4008
    • C:\Users\Admin\AppData\Local\Temp\601377399514b0f9957478695dbcd465134026d666affabea442eaac1f607a52.exe
      "C:\Users\Admin\AppData\Local\Temp\601377399514b0f9957478695dbcd465134026d666affabea442eaac1f607a52.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4872
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn cttunesvr /tr "C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2616
  • C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe
    C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3560
    • C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe
      "C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:688
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3284
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn cttunesvr /tr "C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1588
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEE1MEM1QzYtMUM4OC00RkI3LTlDM0QtNkVFNzY5N0Q1QTI2fSIgdXNlcmlkPSJ7MjNBQUE3OEYtRjEzNy00QkFGLUJEM0YtOTUzNjVCODRBQUMzfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NDhBRkM0QzEtOTY2Mi00NDcwLUI3QkYtRDNEMzJERkU2M0YyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI2IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjQ2Mzg3ODUzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:836
  • C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe
    C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3800
    • C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe
      "C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2072
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn cttunesvr /tr "C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe" /sc minute /mo 1 /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4592
  • C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe
    C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe
      "C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies WinLogon
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4092
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\install.vbs
    Filesize

    658B

    MD5

    96e663b3e7cb096261e94b510acbc260

    SHA1

    aea0c6f48fe1c66822aafbb7edd092698bc1fbc5

    SHA256

    5c005242253b72020696863fed9e52e8a53b6dc79f25dd32e696da94e8f080a1

    SHA512

    55338b08650a530fd1d9d109f5470472444634cc9920a73372f89240984053e807acada9a93ed272567e0eba41298a0cc4b695e672e4ed915aa28747f080ad08

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\install.vbs
    Filesize

    564B

    MD5

    e221e7bd7e33aef4a5264f798818142e

    SHA1

    3545dbcc35de80c8f15da0daceab80acd0f1ae22

    SHA256

    f37e43a3504c163fa4a82bacc92ceb8cccd37d1020fbba95cc954f316ce49516

    SHA512

    04775d0fa21526bbbaa2deea13af1d5fab6183ea3a2809073539293da78e20f1cf4b9a4afdeafb1b4e8ce17a5be40f44364808ab73c174c98bce53ad8a1807d8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\adprovider\Dxpserver.exe
    Filesize

    1.1MB

    MD5

    2ed14ae66692c5d8bac5bc926ded2a10

    SHA1

    01080e2a6f7dfa6fbd16c7e6111d7e68d1d20202

    SHA256

    be4e51d08479de8cb47c4bba534f4e7f83bf4dd2daa7955efec51ded50d32544

    SHA512

    8846f00e18c216ce00939823f4ba3176329dd5a86146bb13f19fa7947c0cdf8ae8460e9d210f1a2c633614d0d7ea958f253d9da16cd2d1b4907efb054a332d00

    Download Submit

  • memory/688-24-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2192-1-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2192-8-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2992-39-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4008-0-0x00000000017D0000-0x00000000017D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4092-56-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download