Overview

overview

10

Static

static

10

37cf1e299c...b8.exe

windows7-x64

10

37cf1e299c...b8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 20:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37cf1e299ce987a99ecb7e1064a7460321af4f732edfe87c0ccd20405d200bb8.exe

  • Size

    92KB

  • MD5

    6b432fe0187a20895df23ec7d3d352bf

  • SHA1

    73e8715b770b762b442e27c21da750fa6127d00d

  • SHA256

    37cf1e299ce987a99ecb7e1064a7460321af4f732edfe87c0ccd20405d200bb8

  • SHA512

    809309530ea7cb6a63e4a9cd69ba044522e87514c32805304f2733cc691b2b18b87ccdca212da058a9045cad38da01ebfaa6a5e699b12ffb2d47202d45d3b5ef

  • SSDEEP

    1536:ohhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP63rv:uhzYTGWVvJ8f2v1TbPzuMsIFSHNThy+0

Score
10/10
remcosdefense_evasiondiscoveryrattrojan

Malware Config

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • UAC bypass 3 TTPs 1 IoCs
    defense_evasiontrojan
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37cf1e299ce987a99ecb7e1064a7460321af4f732edfe87c0ccd20405d200bb8.exe
    "C:\Users\Admin\AppData\Local\Temp\37cf1e299ce987a99ecb7e1064a7460321af4f732edfe87c0ccd20405d200bb8.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Windows\SysWOW64\reg.exe
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1628

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads