Overview

overview

10

Static

static

10

client.exe

windows10-ltsc_2021-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250314-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
  • submitted
    28/03/2025, 20:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    client.exe

  • Size

    36KB

  • MD5

    69bf3d36d5193bb124d170eb64a2441e

  • SHA1

    bd0039aa644471536150c7c1a190c9435d94451b

  • SHA256

    066b88bfc0a17afe6757121d957d132998c7207e68e5049fdb993ba37b406173

  • SHA512

    165be49ec0dea10891934b32a6c4b5e3493f40953f9ced0805fa6e67b82b734f639dc18697326dcb61d76c4e1fcc6b2ffcc2b5a1edca5e7d59154393eed57c3f

  • SSDEEP

    768:X5PHyCjmhFdWfLubuZ1kvIaEekM226r1:X5PHfjGPAKbLVv6r

Score
10/10
remcoshostdefense_evasiondiscoverypersistencerattrojanupx

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

ddffg-52874.portmap.host:52874

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    COM Surrogate

  • copy_folder

    AppDataX

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    true

  • mutex

    remcos_xouefyyxav

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    WindowsNotification

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • UAC bypass 3 TTPs 1 IoCs
    defense_evasiontrojan
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    defense_evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 7 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\client.exe
    "C:\Users\Admin\AppData\Local\Temp\client.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Adds policy Run key to start application
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies WinLogon
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5068
      • C:\Windows\SysWOW64\reg.exe
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:3732
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4744
      • C:\Windows\SysWOW64\PING.EXE
        PING 127.0.0.1 -n 2
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:888
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\AppDataX\COM Surrogate"
    1⤵
      PID:3392
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\AppDataX\COM Surrogate"
      1⤵
        PID:4440
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4956
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2264
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:1908

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        4
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Winlogon Helper DLL

        2
        T1547.004

        Privilege Escalation

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Boot or Logon Autostart Execution

        4
        T1547

        Registry Run Keys / Startup Folder

        2
        T1547.001

        Winlogon Helper DLL

        2
        T1547.004

        Defense Evasion

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Impair Defenses

        1
        T1562

        Disable or Modify Tools

        1
        T1562.001

        Modify Registry

        6
        T1112

        Virtualization/Sandbox Evasion

        1
        T1497

        Credential Access

        Discovery

        Peripheral Device Discovery

        1
        T1120

        Query Registry

        3
        T1012

        Remote System Discovery

        1
        T1018

        System Information Discovery

        3
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        System Network Configuration Discovery

        1
        T1016

        Internet Connection Discovery

        1
        T1016.001

        Virtualization/Sandbox Evasion

        1
        T1497

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\install.bat
          Filesize

          156B

          MD5

          50c0b31e5a48c20107a9084653ac3b0f

          SHA1

          6570c017fda57c3944a9cb056f9f40fd8ff51413

          SHA256

          105a378784a99e7c13c7f358c26b1bdcd52070cf688d112040ee6b96e44d4a42

          SHA512

          5b043f21b62945c5bd50f39d9c821df071b203b826586909ad2a030bea28c0f8ea69a1f92a2160baa49c51e6092112cf8ae624a129b96750efce035ed55d158c

          Download Submit

        • memory/2264-22-0x0000018CF85C0000-0x0000018CF85C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2264-11-0x0000018CF85C0000-0x0000018CF85C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2264-10-0x0000018CF85C0000-0x0000018CF85C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2264-12-0x0000018CF85C0000-0x0000018CF85C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2264-21-0x0000018CF85C0000-0x0000018CF85C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2264-20-0x0000018CF85C0000-0x0000018CF85C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2264-19-0x0000018CF85C0000-0x0000018CF85C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2264-18-0x0000018CF85C0000-0x0000018CF85C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2264-17-0x0000018CF85C0000-0x0000018CF85C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2264-16-0x0000018CF85C0000-0x0000018CF85C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4044-8-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

          Download

        • memory/4044-0-0x0000000000400000-0x000000000041F000-memory.dmp

          Filesize

          124KB

          Download