Analysis
max time kernel: 60s
max time network: 59s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/03/2025, 20:18
Static task: static1
Behavioral task: behavioral1
  Sample: d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308.exe
  Resource: win10v2004-20250313-en
General
Target: d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308.exe
Size: 1.1MB
MD5: 7b8bf7f2c6e9b98839bbdafe0690a353
SHA1: e9f8dc02084674dd9f4d5ebb22f5f3ee5c040d04
SHA256: d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308
SHA512: b5cad596eae2e12058f805e021adf15eab04377f811fa06ce7b0ee87a5594f22fcf97b3be1003615ef98770bdc4e471e54b33b7c8e5bcd99d206cac02d0e56b1
SSDEEP: 24576:eaTgKwZ14X27uUL3VM0kd+rkhfMsjgkAj2JE06J5N0F6:LTgdZOcuUL3xAx/8b2S7Z0A
Malware Config
Extracted
Family: remcos
Version: 2.2.2 Pro
Botnet: chinemerem
C2: remcoss.onmypc.org:3765
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
install_path: %AppData%
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: r-8ET8H0
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Remcos family
Executes dropped EXE (1 IoCs)
  pid 2716  Process AboutSettingsHandlers.exe
AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
  resource behavioral1/memory/2120-21-0x0000000000200000-0x0000000000389000-memory.dmp  yara_rule autoit_exe
  resource behavioral1/memory/2120-26-0x0000000000200000-0x0000000000389000-memory.dmp  yara_rule autoit_exe
Suspicious use of SetThreadContext (1 IoCs)
  PID 2120 set thread context of 1700  (pid 2120, Process d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308.exe, procid_target 30)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process schtasks.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2768  Process schtasks.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid 1700  Process d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308.exe
Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2120 wrote to memory of 1700  (pid 2120, Process d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308.exe, procid_target 30)
  PID 2120 wrote to memory of 1700  (pid 2120, Process d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308.exe, procid_target 30)
  PID 2120 wrote to memory of 1700  (pid 2120, Process d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308.exe, procid_target 30)
  PID 2120 wrote to memory of 1700  (pid 2120, Process d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308.exe, procid_target 30)
  PID 2120 wrote to memory of 1700  (pid 2120, Process d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308.exe, procid_target 30)
  PID 2120 wrote to memory of 1700  (pid 2120, Process d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308.exe, procid_target 30)
  PID 2120 wrote to memory of 2768  (pid 2120, Process d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308.exe, procid_target 32)
  PID 2120 wrote to memory of 2768  (pid 2120, Process d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308.exe, procid_target 32)
  PID 2120 wrote to memory of 2768  (pid 2120, Process d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308.exe, procid_target 32)
  PID 2120 wrote to memory of 2768  (pid 2120, Process d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308.exe, procid_target 32)
  PID 2732 wrote to memory of 2716  (pid 2732, Process taskeng.exe, procid_target 35)
  PID 2732 wrote to memory of 2716  (pid 2732, Process taskeng.exe, procid_target 35)
  PID 2732 wrote to memory of 2716  (pid 2732, Process taskeng.exe, procid_target 35)
  PID 2732 wrote to memory of 2716  (pid 2732, Process taskeng.exe, procid_target 35)
Processes
C:\Users\Admin\AppData\Local\Temp\d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308.exe"
  PID: 2120
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\d25efc17afb97e52ac1270b93b161fb427dde56e3e4eafbda37ce5c2356e9308.exe"
      PID: 1700
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn SystemSettingsAdminFlows /tr "C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe" /sc minute /mo 1 /F
      PID: 2768
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {0E8245C6-98A6-478F-A408-C31BC675EE8F} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
  PID: 2732
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe
      Command line: C:\Users\Admin\AppData\Roaming\UIMgrBroker\AboutSettingsHandlers.exe
      PID: 2716
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.1MB
MD5: fd9141cb5fe5e8df15a842e2e6789973
SHA1: 8a365fc7b9b0deef26f3f33d8861a3c372d60c5f
SHA256: c57d17e509fa3987203d028e9ac0ba13956fdb47796f57bf771b9ecdce4195ef
SHA512: 4d295892d6908d27aa5d06832df0a935eabea5b4a63ae54e0818aa59fee565509a1e0c83b17cc4dafda2860354be2899649f0cf610b6c65dc8a4ab10412e4169

Filesize: 79B
MD5: 6c13854a584495f16924c790b144ff37
SHA1: 6a269a2817854505a374717e29468cf16d08a411
SHA256: 8fb44133707e03c736e74fe54131be93017dc3158f1b3c9515e8244010080108
SHA512: ab2ca0891f84de76d8b202cebfedeb4d76aeb087212ab2a722bd8bee029f22263d76951baeed624cf3cfdba372754fa7224bb3378b416085279b1112a4cb214d