Analysis

max time kernel: 19s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20250313-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250313-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/03/2025, 05:33
Static task: static1

Behavioral task behavioral1
Sample: Payroll List_pdf.bat.exe
Resource: win7-20241023-en

Behavioral task behavioral2
Sample: Payroll List_pdf.bat.exe
Resource: win10v2004-20250313-en

Behavioral task behavioral3
Sample: $PLUGINSDIR/System.dll
Resource: win7-20240903-en

Behavioral task behavioral4
Sample: $PLUGINSDIR/System.dll
Resource: win10v2004-20250314-en
General

Target: Payroll List_pdf.bat.exe
Size: 852KB
MD5: 55c905a0ec317664371b8ae3962d90cc
SHA1: 1cc73aeb68495a320d14b23c720d47167989b214
SHA256: 2edffaa16ba62436a4744e31d76dfaba8748534e4d6c752ca5b11949c25a4a7a
SHA512: 289368437de4ee377c7c63bf4ebcc4eb0cf1555b2dc780fa14638b06855322a9aa50527e02d3444f3886d6264bb0a2e3c384520721145c2570647f90ead16227
SSDEEP: 12288:JUjfTWyZA97KB+qmoSMfuiJp9vj/Xd53WiLwfheEAql6oIkJ/0DrQ:JUjfTsKB+a/f3Z53tLMGtQkQ
Malware Config

Extracted: remcos

RemoteHost: 196.251.86.105:2404
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-MJDICZ
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Guloader family
Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.

Remcos family

Detected Nirsoft tools (4 IoCs)
Free utilities often used by attackers; they can steal passwords, product keys, etc.
resource | yara_rule
- behavioral2/memory/7460-52970-0x0000000000400000-0x000000000047D000-memory.dmp | Nirsoft
- behavioral2/memory/4664-53429-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
- behavioral2/memory/1680-53347-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
- behavioral2/memory/7460-52986-0x0000000000400000-0x000000000047D000-memory.dmp | Nirsoft

NirSoft MailPassView (1 IoC)
Password recovery tool for various email clients.
resource | yara_rule
- behavioral2/memory/1680-53347-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers.
resource | yara_rule
- behavioral2/memory/7460-52970-0x0000000000400000-0x000000000047D000-memory.dmp | WebBrowserPassView
- behavioral2/memory/7460-52986-0x0000000000400000-0x000000000047D000-memory.dmp | WebBrowserPassView

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation | Payroll List_pdf.bat.exe

Executes dropped EXE (3 IoCs)
pid | Process
- 3580 | remcos.exe
- 4872 | remcos.exe
- 5116 | remcos.exe

Loads dropped DLL (4 IoCs)
pid | Process
- 6064 | Payroll List_pdf.bat.exe
- 6064 | Payroll List_pdf.bat.exe
- 5116 | remcos.exe
- 5116 | remcos.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-MJDICZ = "C:\ProgramData\Remcos\remcos.exe" | Payroll List_pdf.bat.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-MJDICZ = "C:\ProgramData\Remcos\remcos.exe" | Payroll List_pdf.bat.exe
(The value data is stored with the surrounding double quotes; the value name is the same string as the configured mutex, Rmc-MJDICZ, and the path matches copy_folder\copy_file under %ProgramData%.)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
flow | ioc
- 24 | drive.google.com
- 25 | drive.google.com
- 50 | drive.google.com
- 62 | drive.google.com

Drops file in System32 directory (10 IoCs)
description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\suppressionens.bin | remcos.exe
- File opened for modification | C:\Windows\SysWOW64\quadrigae.jpg | remcos.exe
- File opened for modification | C:\Windows\SysWOW64\Disarticulating.ini | remcos.exe
- File opened for modification | C:\Windows\SysWOW64\suppressionens.bin | Payroll List_pdf.bat.exe
- File opened for modification | C:\Windows\SysWOW64\suppressionens.bin | remcos.exe
- File opened for modification | C:\Windows\SysWOW64\quadrigae.jpg | remcos.exe
- File opened for modification | C:\Windows\SysWOW64\suppressionens.bin | remcos.exe
- File opened for modification | C:\Windows\SysWOW64\quadrigae.jpg | Payroll List_pdf.bat.exe
- File opened for modification | C:\Windows\SysWOW64\Disarticulating.ini | Payroll List_pdf.bat.exe
- File opened for modification | C:\Windows\SysWOW64\quadrigae.jpg | remcos.exe

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
pid | Process
- 4496 | Payroll List_pdf.bat.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
- 6064 | Payroll List_pdf.bat.exe
- 4496 | Payroll List_pdf.bat.exe

Drops file in Program Files directory (4 IoCs)
description | ioc | Process
- File opened for modification | C:\Program Files (x86)\dyppekogerens.ini | remcos.exe
- File opened for modification | C:\Program Files (x86)\dyppekogerens.ini | remcos.exe
- File opened for modification | C:\Program Files (x86)\dyppekogerens.ini | Payroll List_pdf.bat.exe
- File opened for modification | C:\Program Files (x86)\dyppekogerens.ini | remcos.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
- File opened for modification | C:\Windows\resources\mechanicochemical.jpg | Payroll List_pdf.bat.exe
- File opened for modification | C:\Windows\resources\mechanicochemical.jpg | remcos.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Payroll List_pdf.bat.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Payroll List_pdf.bat.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | remcos.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | remcos.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | remcos.exe

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
- 6064 | Payroll List_pdf.bat.exe

Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | Process | procid_target
- PID 6064 wrote to memory of 4496 | 6064 | Payroll List_pdf.bat.exe | 92 (4 entries)
- PID 4496 wrote to memory of 3580 | 4496 | Payroll List_pdf.bat.exe | 100 (3 entries)
- PID 1348 wrote to memory of 4872 | 1348 | cmd.exe | 101 (3 entries)
- PID 544 wrote to memory of 5116 | 544 | cmd.exe | 102 (3 entries)
Processes

Tree 1 (initial execution)
[1] C:\Users\Admin\AppData\Local\Temp\Payroll List_pdf.bat.exe  (PID 6064)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Payroll List_pdf.bat.exe"
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\Payroll List_pdf.bat.exe  (PID 4496)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Payroll List_pdf.bat.exe"
        - Checks computer location settings
        - Adds Run key to start application
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\ProgramData\Remcos\remcos.exe  (PID 3580)
            cmdline: "C:\ProgramData\Remcos\remcos.exe"
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery

Tree 2
[1] C:\Windows\system32\cmd.exe  (PID 1348)
    cmdline: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\ProgramData\Remcos\remcos.exe  (PID 4872)
        cmdline: C:\ProgramData\Remcos\remcos.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery

Tree 3
[1] C:\Windows\system32\cmd.exe  (PID 544)
    cmdline: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\ProgramData\Remcos\remcos.exe  (PID 5116)
        cmdline: C:\ProgramData\Remcos\remcos.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        [3] C:\ProgramData\Remcos\remcos.exe  (PID 3856)
            cmdline: C:\ProgramData\Remcos\remcos.exe
            [4] C:\Windows\SysWOW64\recover.exe  (PID 7460)
                cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ozlzklfgbhjzspttvyrzstaj"
            [4] C:\Windows\SysWOW64\recover.exe  (PID 10524)
                cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ytzjkdyzppbdcvpxejebvyuabnwi"
            [4] C:\Windows\SysWOW64\recover.exe  (PID 6272)
                cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ytzjkdyzppbdcvpxejebvyuabnwi"
            [4] C:\Windows\SysWOW64\recover.exe  (PID 1680)
                cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ytzjkdyzppbdcvpxejebvyuabnwi"
            [4] C:\Windows\SysWOW64\recover.exe  (PID 4664)
                cmdline: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\aveclwjbdxtqfcdbvtzuglhjkcnrbum"

Tree 4
[1] C:\Windows\system32\cmd.exe  (PID 7964)
    cmdline: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
    [2] C:\ProgramData\Remcos\remcos.exe  (PID 11100)
        cmdline: C:\ProgramData\Remcos\remcos.exe

Tree 5
[1] C:\Windows\system32\cmd.exe  (PID 10976)
    cmdline: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
    [2] C:\ProgramData\Remcos\remcos.exe  (PID 7332)
        cmdline: C:\ProgramData\Remcos\remcos.exe
        [3] C:\ProgramData\Remcos\remcos.exe  (PID 2480)
            cmdline: C:\ProgramData\Remcos\remcos.exe
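The process tree and the signature tables above carry everything needed to hunt for this infection on other hosts: the Run value name and install path from the "Adds Run key" signature, the configured RemoteHost, and the recover.exe /stext children whose memory matched the Nirsoft YARA rules (PIDs 7460, 1680, 4664). The Python below is an added example, not tria.ge code and not code from the sample: it derives those IOCs from the extracted config and runs them over telemetry constructed by hand from this report. The event schema (type, pid, image, cmdline, parent_image, key, value_name, value_data, dst_ip, dst_port) is an assumed simplification rather than Sysmon's field names, the two benign rows and the network row are invented for contrast, and the rule that the Run value name equals the mutex is read off the observed registry write in this report, not assumed from Remcos internals.

```python
"""Derive host IOCs from the extracted Remcos config and hunt for them in
process-creation, registry and network telemetry.

Added example for this report; not tria.ge code and not code from the sample.
Events are constructed from the report's process tree and signature tables;
rows marked "invented" are not from the report. The event schema is an assumed
simplification, not Sysmon's own field names.
"""
import re
from collections import defaultdict

# Subset of the extracted config as reported, flattened into a dict.
REMCOS_CONFIG = {
    "RemoteHost": "196.251.86.105:2404",
    "install_flag": "true",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "mutex": "Rmc-MJDICZ",
}


def derive_iocs(cfg):
    """Turn config fields into concrete artefacts to hunt for.

    Install path C:\\ProgramData\\<copy_folder>\\<copy_file> and Run value
    name == mutex are taken from the registry write observed in this report.
    """
    host, port = cfg["RemoteHost"].rsplit(":", 1)
    iocs = {"c2_host": host, "c2_port": int(port), "mutex": cfg["mutex"]}
    if cfg.get("install_flag") == "true":
        iocs["install_path"] = "C:\\ProgramData\\%s\\%s" % (cfg["copy_folder"], cfg["copy_file"])
        iocs["run_value_name"] = cfg["mutex"]
    return iocs


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Payroll List_pdf.bat.exe"
REMCOS = r"C:\ProgramData\Remcos\remcos.exe"
RECOVER = r"C:\Windows\SysWOW64\recover.exe"
RUN_HKU = r"HKU\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_HKLM = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"

EVENTS = [
    # Persistence writes from the "Adds Run key" signature (PID 4496).
    {"type": "registry_set", "pid": 4496, "image": DROPPER, "key": RUN_HKU,
     "value_name": "Rmc-MJDICZ", "value_data": '"' + REMCOS + '"'},
    {"type": "registry_set", "pid": 4496, "image": DROPPER, "key": RUN_HKLM,
     "value_name": "Rmc-MJDICZ", "value_data": '"' + REMCOS + '"'},
    # Invented benign Run value for contrast.
    {"type": "registry_set", "pid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "key": RUN_HKU, "value_name": "OneDrive",
     "value_data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    # Dropped copy launched via cmd.exe (tree 2 in the process list).
    {"type": "process_create", "pid": 4872, "image": REMCOS, "cmdline": REMCOS,
     "parent_image": r"C:\Windows\system32\cmd.exe"},
    # recover.exe /stext children from tree 3. The Nirsoft YARA hits are on
    # these PIDs' memory: NirSoft password dumpers running inside a legitimate
    # Windows binary and writing output to a random-named temp file.
    {"type": "process_create", "pid": 7460, "image": RECOVER, "parent_image": REMCOS,
     "cmdline": RECOVER + r' /stext "C:\Users\Admin\AppData\Local\Temp\ozlzklfgbhjzspttvyrzstaj"'},
    {"type": "process_create", "pid": 1680, "image": RECOVER, "parent_image": REMCOS,
     "cmdline": RECOVER + r' /stext "C:\Users\Admin\AppData\Local\Temp\ytzjkdyzppbdcvpxejebvyuabnwi"'},
    {"type": "process_create", "pid": 4664, "image": RECOVER, "parent_image": REMCOS,
     "cmdline": RECOVER + r' /stext "C:\Users\Admin\AppData\Local\Temp\aveclwjbdxtqfcdbvtzuglhjkcnrbum"'},
    # Invented legitimate use of recover.exe (takes a path, has no /stext switch).
    {"type": "process_create", "pid": 9001, "image": r"C:\Windows\System32\recover.exe",
     "cmdline": r"recover D:\Reports\q1.xlsx", "parent_image": r"C:\Windows\System32\cmd.exe"},
    # Invented connection to the configured RemoteHost (the report's network
    # section is not reproduced here).
    {"type": "network_connect", "pid": 4872, "image": REMCOS,
     "dst_ip": "196.251.86.105", "dst_port": 2404},
]

# NirSoft's "/stext <file>" (save as text) switch; recover.exe itself takes a path.
STEXT_RE = re.compile(r"(?i)(^|\s)/stext(\s|$)")


def hunt(events, iocs):
    """Return {rule_name: sorted PIDs} for events matching the derived IOCs."""
    hits = defaultdict(set)
    install = iocs.get("install_path", "").lower()
    run_name = iocs.get("run_value_name")
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set" and ev["key"].lower().endswith(r"\currentversion\run"):
            data = ev["value_data"].lower()
            if ev["value_name"] == run_name or (install and install in data):
                hits["remcos_run_key"].add(ev["pid"])
        elif kind == "process_create":
            image = ev["image"].lower()
            if image.endswith(r"\recover.exe") and STEXT_RE.search(ev["cmdline"]):
                hits["nirsoft_in_recover_exe"].add(ev["pid"])
            if install and image == install:
                hits["remcos_install_path_exec"].add(ev["pid"])
        elif kind == "network_connect":
            if ev["dst_ip"] == iocs["c2_host"] and ev["dst_port"] == iocs["c2_port"]:
                hits["remcos_c2"].add(ev["pid"])
    return {rule: sorted(pids) for rule, pids in hits.items()}


if __name__ == "__main__":
    for rule, pids in hunt(EVENTS, derive_iocs(REMCOS_CONFIG)).items():
        print(rule, pids)
```

The recover.exe check keys on the /stext switch rather than on the image name because recover.exe is a signed Windows binary with legitimate uses; the switch belongs to the NirSoft tools the YARA rules matched in those processes' memory, so a real rule should also require a parent outside System32, as every hit here has. The Run key check matches on either the value name or the install path so it still fires if an operator rebuilds the sample with a different mutex but the same copy_folder.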
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 44B
MD5: 6644a29c4fcb5c51650383ac2625163a
SHA1: 75de5a6b73cd9bc47af952ad60679535cf768b27
SHA256: 0d9e8205fb30192bec64aa7c4d7a0c9d98e469f6739aa321d3b85da16caa8abc
SHA512: 2e6a476b3045a543a322332b2eb9d261002c3a278dc408b9eb5af3e4b136fe1b783c3091ce5edaaa7f3c8d2bffab714408bb23ae2e135cd034e1ff02ef36302a

Filesize: 852KB (same hashes as the submitted sample)
MD5: 55c905a0ec317664371b8ae3962d90cc
SHA1: 1cc73aeb68495a320d14b23c720d47167989b214
SHA256: 2edffaa16ba62436a4744e31d76dfaba8748534e4d6c752ca5b11949c25a4a7a
SHA512: 289368437de4ee377c7c63bf4ebcc4eb0cf1555b2dc780fa14638b06855322a9aa50527e02d3444f3886d6264bb0a2e3c384520721145c2570647f90ead16227

Filesize: 11KB
MD5: 8b3830b9dbf87f84ddd3b26645fed3a0
SHA1: 223bef1f19e644a610a0877d01eadc9e28299509
SHA256: f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
SHA512: d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Filesize: 3.2MB
MD5: 24c453c82258126ae46700880f6cceef
SHA1: 562fc29d0cd6a4853a5cf692d9d83839576f5aeb
SHA256: 1874c5957744cf91e2cd38898b6eb27d89d4f20d2d9cb96c6bff31e9d2518d16
SHA512: e160eaf58106979143ff96d61a1f74808ce3bd75de510b60299ed83e2cad473267c548e835700bff7f6a5f5bff53ae1fa570cdccf5b18883b71db7aa0db27c69

Filesize: 100KB
MD5: 178131e7517c1ef8da7cf2751854b15a
SHA1: f75de16d91bbcd359faebf8a885fb4e2a3f6e42e
SHA256: 4f8ab7d231ba978db40606e97805c4664c219b9514c7d88910880220b9674689
SHA512: 4eb63188b09a03dd7d04c7565ec742a1a0d5a3a54ec598bccc125914289ead8cbf8ebdbac7f37bba30c68a3b1668079111f52ec4a260e823cdd01e06362616af

Filesize: 64KB
MD5: 56321564841467550c0dba296e868f66
SHA1: 967da7b3824940b430e9ba70bdcf2d15b948166f
SHA256: b642b5fa635217cee69bde974e91ee6616807c071e233632d0baaf8d718d7758
SHA512: 9dbb98b4c9aafb66c76ea873bb53c1167f6b1ecc0db0a84a96152a8927f988782d170ef6d22668e62d3d1e839cc3484bc3fffec24f47f82ba4125246d6762fd8

Filesize: 1.1MB
MD5: 7d060d3ad332eff7eabf0915f50b3a8d
SHA1: 9352a2b1e485ada11fc53c755549dc36f1ddf949
SHA256: 923908290b51a53a2be4ebd9935c675162bf60f82004a3a4eebd1da1652c998d
SHA512: 8dab095fec80d47c3e3f5b2b78dc5fc704c0993bd0da9a42b4b2a2c9dea36b72a93d1de67ad060a66b527d714fb4454b972ee95e7e623ef3cd9b006788c645b3

Filesize: 192KB
MD5: dc8142cafd51cff94b9aad734e2f36e4
SHA1: bcd461f517630632aa3e1b864a5c9167c9db96cd
SHA256: 778696c3cb7b0ca3700a238eae31225c95df835ae371bc3af5b5c175bcaa5e2e
SHA512: 4df970e594f0899e73e931cde4a17b3fbd647615eeff97ac934913b1d4ab41af3a86ce8c1e2b7e44ad89c68261b9a093104f497991294e63d2100fc63f4376ab

Filesize: 2.0MB
MD5: 1690c9a03bb7c977ac57b32b709bf714
SHA1: 88ba17befa4004f4601fe627c4b48d3055e3c6ed
SHA256: 296a1556b6bf8d00f8d7f00741f9a510a5123b05d738379fddc26357e29a3244
SHA512: 1efa2243c9bf866aba6e1d12e0c6c620a478eb82ae8bb52b1f679d9cde154b5dc2c278aeb702b773f624cd132c91c557c71be8f384b8301fa03adbf417613ec0

Filesize: 504B
MD5: 87e7fee841319934f8854a753077879b
SHA1: 0e5e732e212d54e71808e5c1c921c4459b597193
SHA256: 82b873d4137f2d2a4aceedcc5ad6c9fef39460308cbbce54f37529cdfcc1ba57
SHA512: 05c2aa2d6468306132c806e585eb9ba9f09554c53638e596b97b952fff6b0324c4012a063e513437e881656aaab1043c530976acd1eb79e00ac4d6dbf1b1cd16

Filesize: 331KB
MD5: b835e1265e0cd50ac1b7b020652fb937
SHA1: 5139fb07706955b38a7c2c3cca19d20762b1cf12
SHA256: 830e41fb9ef6c164cbbda6c51939cfd186479f25ab5c75539f410ee212b3dfc8
SHA512: e44cb462704235662ab7986bd09de0ac19aa35ff712c47e59de8ff8e027e902573150779c5e8c07031e1f2ee4006debcbf77f9f32cfbf66334df12dab00ac4f5

Filesize: 3.5MB
MD5: 7a8f61bcccc6e42fac7f5e9b3810ba5c
SHA1: 927544bd328d3db39c96f7cca792758e446ac8ad
SHA256: ba1b5576489f8324575def8bc86091ebdde33011b3bd4d09876393fdbcc9e30e
SHA512: f0049f39044c21b863615252d0b70d17fb45483bc3a8eda0fb4ab353a6d416761a354705587aeee0dc66e802334babf1d364a1ac55e1f54486ae485f1ecd6622

Filesize: 305B
MD5: a4a2aa48417985844c196b3cd5e2b70d
SHA1: 1dbddbd73130a1a5ea6f281c990bdc30801739d6
SHA256: 40fc272178b28026f17c2d506684a7c7c5ae3c3d35cc8aee1aaf0d3b8bdd8782
SHA512: b26f890c7501a3f348a40c9365659cf57c10326d9a06d503468df5a5529237d06a2e314734e65238b318a7a74b85107fdd2aa339eb63f5368aed7b36208172cc

Filesize: 320B
MD5: 18f56af1efeb71430fbb3beef59cc50c
SHA1: 0877c338f90045ca71257813b30a4e336d529f4b
SHA256: 66b83566825b4a557cc6b276321069c7bc9821963ec1c87d09b61a1c9357e1d0
SHA512: e9f643d19a1ac2ecefb6c200c37794310e85647fc8382903000b367d1988f0a56800e2826488b723cba2c100be145cbddd20efd91bc8ef7e212e1b55cb701cdc

Filesize: 555B
MD5: 18a67a1fae480cd33bff380eac1b72a4
SHA1: 8b84634c187fd6f31905c86cb7495d4d3f70e71e
SHA256: 370f70c21de89b48f34e89b71c96a0a32fab7b67437fa3918a4ce312ddd63a46
SHA512: 09588a194a267bc6a8246d1d836546e29de75083181803442fe29e1a18ca98be1439ea3a14e0ca745beb4798cf4670dca10905fe33aefb6a4ad7180e6bf154c8

Filesize: 456B
MD5: a2ff4b479c512364f2902c1849882995
SHA1: 7337c45a5c9253682d5faa5a37bcbb5390f84774
SHA256: 2ed67e96c1cda469b2cf2c7b7ebecf35c21338c72208b6c28927216301d7449c
SHA512: 8eec2c09e0079dce130443c562c30e2eb2decd5e06ac9517414b1d256f8a8ee47572a73da32bff54c9d3114a171bb9a91fe3d8631171bc8d1ba35116ee7ea0be

Filesize: 295B
MD5: 09f74b91ee389deb1956fa911f819e9c
SHA1: 693f9f96af012962ff6d4645fe38e294c8c5316b
SHA256: 86e7165b8c377122d41f1833f6d2dd5c38031b2de6ff463d5b51969585f04998
SHA512: c74cca6e1a151e4f73c998d13caa908d8e10ee8bcaaa68946f69cc7c156c5a92994e3b3d680f4c78ade9757e575c6e23af37a815dda7baac2be81bcf49af4c1f

Filesize: 280B
MD5: 68b713a216781101284300debf730cd6
SHA1: b362ec481fe13a6054cd0cef698b4d316cfb7ebe
SHA256: 83a278a60e3aed10ddcff0ea52c7315df48ccd3119d39a0dd218ce1cde813691
SHA512: ad24849ec1f621529f8e807de0610d03a23504f0d7eba759bc1a8cb473002c3016c8cfed7afcbdce3645c9a6f4e4fe2261f40fdbb35a44395404d74c03e8da0a

Filesize: 638B
MD5: a1aa57bb9f555c4a095d0c817435a82e
SHA1: cd4933a29edf8f72af8f32586c2d1dfbc1ff575d
SHA256: 6219fb47744d71837d70c9bc31deb2ce8120c707a7888f50fcf558b0c6bc96e7
SHA512: 179122c07e04914b30e4da14dbc5182e2f7dfdaaa678645a2874ea8256f66aef30caaa199c65d4816b9e84f05279f37b7a8ce3cb99a82b3eaf59297039961885

Filesize: 279B
MD5: 5e6a6b65956a1f5e1f65b9419a4827d0
SHA1: 53f85675dacfed6393c04438a533fccfdb105075
SHA256: e86781a1f0b5d4ca96368bd63bc0807d942e1c41d8903d685659a56d2c7744aa
SHA512: ba7a3dd0839177cb7723d61de8bd669d6126222e03475cefff4c4de3f3f24022c34bc1c470fe5983e5a3f07c920d6fe1010e2adecd658bd22105692528ea327d