Analysis

max time kernel: 31s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2025, 00:17

Static task: static1

Behavioral task: behavioral1
Sample: SalaryIncrement_pdf.exe
Resource: win10v2004-20250314-en

Behavioral task: behavioral2
Sample: $PLUGINSDIR/System.dll
Resource: win10v2004-20250314-en
General

Target: SalaryIncrement_pdf.exe
Size: 873KB
MD5: 82661a36b40f6141d10a5561fe037475
SHA1: 8e87b0db80746d9accd610448df36211c0623ff4
SHA256: 7d467f539d901aff827ae34f26fcadb232318cde5a1e76fb2283664e968fbb18
SHA512: 90a173f4749ac4a00d49641629801830d5e60d33aff5404315407885777c703e2b690a0b83f776e9e546ed447b7829ed27e3c3e79dd9ca43e70b79af3b0ffb2c
SSDEEP: 24576:9NJ+8FbCssFhmUUo551pLVlu3nbKYWJfScJ81uO:7pZCPFco551pLy3b0J81p
Malware Config

Extracted: remcos

RemoteHost: 196.251.86.105:2404
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-MJDICZ
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
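The extracted configuration is already enough to hunt with: the C2 endpoint, the mutex, and the copy_folder/copy_file pair each map directly onto a telemetry source. The Python below is an added example written for this page, not code from the sandbox or from Remcos. It derives indicators from the config fields and matches them against constructed, Sysmon-like events. Two points are assumptions, marked in the code: that the install root is %ProgramData% (the Run key written in this run points there) and that the Run value name equals the mutex (true in this run: both are Rmc-MJDICZ).

```python
"""Turn the Remcos configuration extracted by the sandbox into hunting
indicators and match them against endpoint telemetry.

Added example for this page; not code from the sandbox or from Remcos.
Assumptions are marked inline."""

# Fields copied from the "Malware Config" section of the report above.
REMCOS_CONFIG = {
    "RemoteHost": "196.251.86.105:2404",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "mutex": "Rmc-MJDICZ",
    "install_flag": "true",
}


def derive_indicators(cfg, install_root=r"C:\ProgramData"):
    """Return {indicator_type: set(values)} derived from the config.

    install_root is an assumption: the report does not say how Remcos
    resolves copy_folder, but the Run key written in this run points at
    the Remcos folder under ProgramData, so that is the default here.
    """
    host, port = cfg["RemoteHost"].rsplit(":", 1)
    install_path = "\\".join([install_root, cfg["copy_folder"], cfg["copy_file"]])
    return {
        "c2": {(host, int(port))},
        "mutex": {cfg["mutex"]},
        # In this run the Run value name equals the mutex (Rmc-MJDICZ);
        # treated as an assumption about the family, not a rule.
        "run_value_name": {cfg["mutex"]},
        "install_path": {install_path.lower()},
    }


def _run_value_name(key):
    """Name of a value under ...\\CurrentVersion\\Run\\, or None otherwise."""
    lowered = key.lower()
    marker = "\\currentversion\\run\\"
    idx = lowered.find(marker)
    return key[idx + len(marker):] if idx >= 0 else None


def match_events(indicators, events):
    """Return (pid, indicator_type, detail) for every event that hits an indicator."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "network_connect":
            if (ev["dst"], ev["port"]) in indicators["c2"]:
                hits.append((ev["pid"], "c2_connect", f"{ev['dst']}:{ev['port']}"))
        elif kind == "mutex_create":
            if ev["name"] in indicators["mutex"]:
                hits.append((ev["pid"], "mutex", ev["name"]))
        elif kind == "registry_set":
            name = _run_value_name(ev["key"])
            data = ev["data"].strip('"').lower()  # Run data is a quoted path
            if name is not None and (name in indicators["run_value_name"]
                                     or data in indicators["install_path"]):
                hits.append((ev["pid"], "run_key", ev["key"]))
        elif kind == "file_create":
            if ev["path"].lower() in indicators["install_path"]:
                hits.append((ev["pid"], "install_path", ev["path"]))
    return hits


# Constructed telemetry for the demo, shaped loosely like Sysmon events;
# not taken from the report.
SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 4768, "image": "SalaryIncrement_pdf.exe",
     "path": r"C:\ProgramData\Remcos\remcos.exe"},
    {"type": "registry_set", "pid": 4768, "image": "SalaryIncrement_pdf.exe",
     "key": r"HKU\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-MJDICZ",
     "data": r'"C:\ProgramData\Remcos\remcos.exe"'},
    {"type": "mutex_create", "pid": 5796, "image": "remcos.exe", "name": "Rmc-MJDICZ"},
    {"type": "network_connect", "pid": 5796, "image": "remcos.exe",
     "dst": "196.251.86.105", "port": 2404},
    # benign noise that must not match
    {"type": "network_connect", "pid": 1234, "image": "msedge.exe",
     "dst": "13.107.42.14", "port": 443},
    {"type": "registry_set", "pid": 1234, "image": "msedge.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Cleanup",
     "data": r'"C:\Windows\System32\cmd.exe" /c del tmp'},
]

if __name__ == "__main__":
    for hit in match_events(derive_indicators(REMCOS_CONFIG), SAMPLE_EVENTS):
        print(hit)
```

The Run key check deliberately accepts either the value name or the quoted install path, so it still fires if an operator rebuilds the sample with a different mutex but leaves copy_folder/copy_file alone. Note that keylog_flag and screenshot_flag are false in this config, so logs.dat and the Screenshots folder are not expected on disk for this build and are not used as indicators.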
Signatures

Guloader family
Guloader, Cloudeye: a shellcode-based downloader first seen in 2020.

Remcos family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation (SalaryIncrement_pdf.exe)

Executes dropped EXE (3 IoCs)
  PID 5376 remcos.exe
  PID 5796 remcos.exe
  PID 2104 remcos.exe

Loads dropped DLL (4 IoCs)
  PID 1884 SalaryIncrement_pdf.exe (x2)
  PID 5796 remcos.exe (x2)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-MJDICZ = "C:\ProgramData\Remcos\remcos.exe" (SalaryIncrement_pdf.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-MJDICZ = "C:\ProgramData\Remcos\remcos.exe" (SalaryIncrement_pdf.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  Flow 28: drive.google.com
  Flow 29: drive.google.com

Drops file in System32 directory (2 IoCs)
  File opened for modification: C:\Windows\SysWOW64\Gouramis\Avischikane.ini (SalaryIncrement_pdf.exe)
  File opened for modification: C:\Windows\SysWOW64\Gouramis\Avischikane.ini (remcos.exe)

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  PID 4768 SalaryIncrement_pdf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 1884 SalaryIncrement_pdf.exe
  PID 4768 SalaryIncrement_pdf.exe

Drops file in Program Files directory (2 IoCs)
  File opened for modification: C:\Program Files (x86)\Common Files\poiser.gif (remcos.exe)
  File opened for modification: C:\Program Files (x86)\Common Files\poiser.gif (SalaryIncrement_pdf.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (SalaryIncrement_pdf.exe, x2)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (remcos.exe, x3)

Suspicious behavior: MapViewOfSection (1 IoC)
  PID 1884 SalaryIncrement_pdf.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  PID 1884 (SalaryIncrement_pdf.exe) wrote to memory of PID 4768, procid_target 96 (x4)
  PID 3696 (cmd.exe) wrote to memory of PID 5376, procid_target 102 (x3)
  PID 4768 (SalaryIncrement_pdf.exe) wrote to memory of PID 5796, procid_target 103 (x3)
  PID 3976 (cmd.exe) wrote to memory of PID 2104, procid_target 104 (x3)
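The WriteProcessMemory rows are more useful as a graph than as a table: who wrote into whom, and whether writer and target share an image. The Python below is an added example for this page, not sandbox code. It parses the report's flattened rows exactly as they appear on the page, takes the PID-to-image map from the Processes section below, and labels each edge. The verdict strings (self-injection, launcher noise, cross-image write) and the LAUNCHERS set are this example's own heuristics, not verdicts from the sandbox.

```python
"""Rebuild the WriteProcessMemory rows of the report into an injection graph.

Added example for this page (not sandbox code).  RAW_ROWS is the flattened
text of the "Suspicious use of WriteProcessMemory" table exactly as it
appears on the page; PROCESS_IMAGES is taken from the Processes section."""
import re
from collections import Counter

RAW_ROWS = (
    "PID 1884 wrote to memory of 4768 1884 SalaryIncrement_pdf.exe 96 "
    "PID 1884 wrote to memory of 4768 1884 SalaryIncrement_pdf.exe 96 "
    "PID 1884 wrote to memory of 4768 1884 SalaryIncrement_pdf.exe 96 "
    "PID 1884 wrote to memory of 4768 1884 SalaryIncrement_pdf.exe 96 "
    "PID 3696 wrote to memory of 5376 3696 cmd.exe 102 "
    "PID 3696 wrote to memory of 5376 3696 cmd.exe 102 "
    "PID 3696 wrote to memory of 5376 3696 cmd.exe 102 "
    "PID 4768 wrote to memory of 5796 4768 SalaryIncrement_pdf.exe 103 "
    "PID 4768 wrote to memory of 5796 4768 SalaryIncrement_pdf.exe 103 "
    "PID 4768 wrote to memory of 5796 4768 SalaryIncrement_pdf.exe 103 "
    "PID 3976 wrote to memory of 2104 3976 cmd.exe 104 "
    "PID 3976 wrote to memory of 2104 3976 cmd.exe 104 "
    "PID 3976 wrote to memory of 2104 3976 cmd.exe 104"
)

# Columns in each row: writer PID, target PID, writer PID again, writer image,
# sandbox-internal procid_target.  The backreference enforces the repeat.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

PROCESS_IMAGES = {
    1884: "SalaryIncrement_pdf.exe", 4768: "SalaryIncrement_pdf.exe",
    5796: "remcos.exe", 1216: "remcos.exe",
    3696: "cmd.exe", 5376: "remcos.exe",
    3976: "cmd.exe", 2104: "remcos.exe",
}

# Shells/launchers whose writes into a just-spawned child are treated as
# ordinary process-creation activity (assumption used by this heuristic).
LAUNCHERS = {"cmd.exe", "explorer.exe"}


def parse_write_rows(text):
    """Map (writer_pid, target_pid, writer_image, procid_target) -> row count."""
    return Counter(
        (int(src), int(dst), img, int(tgt)) for src, dst, img, tgt in ROW_RE.findall(text)
    )


def classify_edges(edges, images):
    """Attach a heuristic verdict to each distinct writer->target edge."""
    out = []
    for (src, dst, src_img, _), writes in sorted(edges.items()):
        dst_img = images.get(dst, "unknown")
        if src_img.lower() == dst_img.lower():
            verdict = "self-injection: writes into a spawned copy of its own image"
        elif src_img.lower() in LAUNCHERS:
            verdict = "launcher writing into its child (process-creation noise)"
        else:
            verdict = "cross-image write: inspect target for injected payload"
        out.append({"src": src, "src_image": src_img, "dst": dst,
                    "dst_image": dst_img, "writes": writes, "verdict": verdict})
    return out


if __name__ == "__main__":
    for edge in classify_edges(parse_write_rows(RAW_ROWS), PROCESS_IMAGES):
        print(f"{edge['src']} ({edge['src_image']}) -> {edge['dst']} ({edge['dst_image']}) "
              f"x{edge['writes']}: {edge['verdict']}")
```

Run against this report it reduces thirteen rows to four edges: 1884 writing into 4768 (both SalaryIncrement_pdf.exe, the stage that also sets HideFromDebugger) is the edge worth pulling memory from; 4768 writing into 5796 (remcos.exe) is where the RAT lands; the two cmd.exe edges are the restart path via the Run key.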
Processes

C:\Users\Admin\AppData\Local\Temp\SalaryIncrement_pdf.exe (PID 1884)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SalaryIncrement_pdf.exe"
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    Child: C:\Users\Admin\AppData\Local\Temp\SalaryIncrement_pdf.exe (PID 4768)
        Command line: "C:\Users\Admin\AppData\Local\Temp\SalaryIncrement_pdf.exe"
        - Checks computer location settings
        - Adds Run key to start application
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        Child: C:\ProgramData\Remcos\remcos.exe (PID 5796)
            Command line: "C:\ProgramData\Remcos\remcos.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            Child: C:\ProgramData\Remcos\remcos.exe (PID 1216)
                Command line: "C:\ProgramData\Remcos\remcos.exe"

C:\Windows\system32\cmd.exe (PID 3696)
    Command line: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
    - Suspicious use of WriteProcessMemory
    Child: C:\ProgramData\Remcos\remcos.exe (PID 5376)
        Command line: C:\ProgramData\Remcos\remcos.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe (PID 3976)
    Command line: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
    - Suspicious use of WriteProcessMemory
    Child: C:\ProgramData\Remcos\remcos.exe (PID 2104)
        Command line: C:\ProgramData\Remcos\remcos.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 873KB
MD5: 82661a36b40f6141d10a5561fe037475
SHA1: 8e87b0db80746d9accd610448df36211c0623ff4
SHA256: 7d467f539d901aff827ae34f26fcadb232318cde5a1e76fb2283664e968fbb18
SHA512: 90a173f4749ac4a00d49641629801830d5e60d33aff5404315407885777c703e2b690a0b83f776e9e546ed447b7829ed27e3c3e79dd9ca43e70b79af3b0ffb2c

Filesize: 12KB
MD5: cff85c549d536f651d4fb8387f1976f2
SHA1: d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256: 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512: 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Filesize: 320KB
MD5: a308bba90d04ab5e09665d258fb0842d
SHA1: d407c2c981e1209b6fda8a4dde52c5cfd038f933
SHA256: 74c4d88822cddd6ed7b5e44d8fc1109245526d0d68bf28b1812217197cc2f2ff
SHA512: 4314f8d101c08c63eeb543358eae8297dfbff8379f2decc049fa1975ffc969c958d4cbd8156f770b9760ba356c6a397e7fa1f882efa38ff0e2f2a274a56983ad

Filesize: 16KB
MD5: d7f21c78cb22ab07631b2e94e05075ca
SHA1: 1998dd45a4c3e3a07666fc0919c12b438d410841
SHA256: 09412b0e1ede1de932f738a172d095795f25a8b84d5c5fab16d10026a099133c
SHA512: c1de5500d123a1fbd8cce8f4e592e28444a711f8ba2474f3bf36e46e10927884463437fd114cd09c0b38ee75bc7f7917d7bb87deb907d82e66b623368cdbddcb

Filesize: 256KB
MD5: c7653b5fa1787c1c91fbf8dc049445ce
SHA1: 3bfe841d2eae36ab681d7b352c4074c9962d8f6b
SHA256: 2b3c83ebb0e9aedbefe97979aa09750fe9505c85827c1167890c402f9e33edbf
SHA512: 0344de1eee2ae4b2e79261003b6e9b681094a7fb9d86f84d0ea570f562e1599b62fed8a383cc78e1ab32d8ed03ebd718e21d67496714f0c7862973576336fa17

Filesize: 31KB
MD5: 538595b17124823fbb48f6e527dc4497
SHA1: ce30029d7e72d841c4648f2e4db039b80cd9ce0d
SHA256: 6990f44988cfa65b65f474a2c4926e8ad13801a8261cad3bb847599358db2a6d
SHA512: 15432dee6cd5e3b8070a554f3ecd8e2051b3e7543c761ff18a623003c540e0715d817aba88bf96e39a5d588e73bb6b81575213b291ad86ae2bec73bc88047bc1

Filesize: 3.4MB
MD5: c61ec410e3c009da9aaa3674909aabf8
SHA1: fea2d5f964c8ba801306553f0115d670b1bfa47f
SHA256: fd6ffccda7089c8c7beb563e11acbe2d9d52934dbdeccadcc616a36bc0ad2b49
SHA512: a54482bec2b979e2bfc1d97b4422b7f7c1b2349a835299a117dc2827b56f2dde1c7b842970e89e58e5a26f58338350ff79ea3853630e1e3c6c0ff83313b36920

Filesize: 5.6MB
MD5: 461a71fc1acffa01db981ff40f7f4b31
SHA1: 18bb78bc1efafd0b9e1314330ca7e18da1025da4
SHA256: 5b98f76cac953b3f660f8ef9d8cec1b6e7134bacbff9d941e8b493600c203ecc
SHA512: f3cec0bf800c0f9bf2903f7cab3cabea8e9d511a2fd098e07ee9905aaec102e2c765f29be432452bf189f90979f7ffcb3beede92ec79c952ef46cec9a01b781c

Filesize: 368B
MD5: d1865736000f53f0426efbf40d5edd8f
SHA1: 992cf5f55a56291bd89cc75edfa7559f2e23324f
SHA256: 17a84aa454d65aa7bcac8545c172603675e685467511ecb827f3149ad61ed833
SHA512: 65d98038da69605a816fcf5904aa8be3393716865cc83876ded5183aeb5b83dff198fbc8ddd808d180e5c463386ec40d7968f5a1cc91c6eb78a80ea9dac3aa45

Filesize: 411B
MD5: 9ca57304c1f02cd7ffd951810a74c06f
SHA1: 088a3488b1a47b2578b794d2fc319bbf652f628e
SHA256: 6ff658868a61c2e19d8ed975229e9e11d7838d591796d19ae94c79d896fa98c0
SHA512: f849231c9675f419a86fcee1832b67c0a35b4ffdd420c22c75dfd6c7bc7e97dcfedf6cbb5da8f1c2628cf0343e192efe3ab57045ebf6bb876e3e84180da83c6a

Filesize: 482B
MD5: 04a5360dd971cc855a6f24035f7648ec
SHA1: aeeb5390271b12c57637c1227fc24c3f5230965d
SHA256: b0bf66cd048799c566b70c54cc49033ff0890b6785adebbb0f2aa139f64f35f5
SHA512: afcb28bd6b6131a7befb7b6f50878405644741376b9470f028b08b389d5f8655b5b5594f31343b26ae3cf12ca12a53e4e1b9d4dfe56d14eef5cec81236714026

Filesize: 446B
MD5: 02efb3a843d4be36c77133300fab400b
SHA1: 17883c131e1ae337b035a386c03dccb37e9c3703
SHA256: 833ae85c0aeb8fe73e155005059e8787055a0f8a4e150fc20e419de4d2606bf3
SHA512: 71ae4b6aba7084ea5a9b72cb13c40f4c910d86b5c0445a0a5f66eec007799eb8afcac1d4bd0a6f4e5d28f5415357730e5fc1af18b849d838f9542d61ca4164cd

Filesize: 140KB
MD5: 3f6cfcfb512294dfd2242e316b40baca
SHA1: 50fd3643533d362dc05a87ede65d1d42cd748047
SHA256: 5914a58a48e9d7ca4a08b758ff578a062c0df3490e6592c990067948dba5d962
SHA512: f1cf9fadb8e5d794bc36d7edc1714de38959332a316bf04123aa04fc35b1d0e7c001c672cd69822f40b08fe1e75cd1e04a0028b46c320d41871d88f083fb4a5b

Filesize: 4.3MB
MD5: 45aece085cfd612d758207e70fe85bf3
SHA1: 04ea3f4da8b905dea09b2dbce7e1896274356a95
SHA256: 66c57f60f6d8b47ff6c2304d27aaf36871e6ec2cd7b9447a68d49f5877209e95
SHA512: 6403c60a8e31ea4f2302e5e31fd684a0ced2603bc842435a01668c818359ba7bee8c5d9da50966b573ee26e8d0f1ade66f5fd497cfe83207f4743a4b99a3340d

Filesize: 275B
MD5: 236973c3d91fc4168eab111c4c911c64
SHA1: efdd0099b53a1beda2f2a4513c3dde76cbf0ff1d
SHA256: cbbcbb7dcab87cd832157dd558c5fdd62e9e79f3f0eddbef984e58dedb8f9539
SHA512: 26c3ec8e6471acc2900be7d58bcef4c4b5c344623fab65075dff023cd26d642c15f6f6b457c3980e2d5decd42034fb89324dc5710188a937c6d0a9c37f18439f