Analysis
max time kernel: 20s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2025, 00:49

Static task: static1
Behavioral task: behavioral1
  Sample: MARCH PAY SLIP_PDF.exe
  Resource: win10v2004-20250314-en
Behavioral task: behavioral2
  Sample: $PLUGINSDIR/System.dll
  Resource: win10v2004-20250314-en
General
Target: MARCH PAY SLIP_PDF.exe
Size: 893KB
MD5: ac92b521eda00eb291dda0534f497b1f
SHA1: 3fa2aa0bcd5481fc748bfc22cf03bed57f7a8b39
SHA256: 84cbc04ddb1c58b28691436783451a95a21752eae4b59bd964f5e3320c4e866e
SHA512: e374ad43b713fe46819e1421aeb16f7040870f236ed54053a25bd1ee7d9eddd1cf8c9d72682a04ba60e8bf47b7b7302f101498c49e8c82be5b3ddf99180a0f89
SSDEEP: 24576:6YineNXPiXtlnnKGfG4rAF5NecpSHTljnMD6vXU:HGgPc/65Nj8H5jMD4E
Malware Config
Extracted: remcos
RemoteHost: 196.251.86.105:2404
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-MJDICZ
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Guloader family
Guloader, Cloudeye: a shellcode based downloader first seen in 2020.

Remcos family

Detected Nirsoft tools (4 IoCs)
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource | yara_rule
behavioral1/memory/1928-176-0x0000000000400000-0x000000000047D000-memory.dmp | Nirsoft
behavioral1/memory/4280-186-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
behavioral1/memory/4120-185-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral1/memory/1928-177-0x0000000000400000-0x000000000047D000-memory.dmp | Nirsoft

NirSoft MailPassView (1 IoCs)
Password recovery tool for various email clients
resource | yara_rule
behavioral1/memory/4280-186-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
behavioral1/memory/1928-176-0x0000000000400000-0x000000000047D000-memory.dmp | WebBrowserPassView
behavioral1/memory/1928-177-0x0000000000400000-0x000000000047D000-memory.dmp | WebBrowserPassView

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation | MARCH PAY SLIP_PDF.exe

Executes dropped EXE (3 IoCs)
pid | Process
4880 | remcos.exe
5184 | remcos.exe
3960 | remcos.exe

Loads dropped DLL (4 IoCs)
pid | Process
1200 | MARCH PAY SLIP_PDF.exe
1200 | MARCH PAY SLIP_PDF.exe
4880 | remcos.exe
4880 | remcos.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-MJDICZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | MARCH PAY SLIP_PDF.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-MJDICZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | MARCH PAY SLIP_PDF.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
flow | ioc
31 | drive.google.com
32 | drive.google.com
62 | drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
pid | Process
4976 | MARCH PAY SLIP_PDF.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
1200 | MARCH PAY SLIP_PDF.exe
4976 | MARCH PAY SLIP_PDF.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\resources\remediers\acrogamous.ini | MARCH PAY SLIP_PDF.exe
File opened for modification | C:\Windows\resources\remediers\acrogamous.ini | remcos.exe
File opened for modification | C:\Windows\resources\remediers\acrogamous.ini | remcos.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MARCH PAY SLIP_PDF.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MARCH PAY SLIP_PDF.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | remcos.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | remcos.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | remcos.exe
Suspicious behavior: MapViewOfSection (1 IoCs)
pid | Process
1200 | MARCH PAY SLIP_PDF.exe

Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | Process | procid_target
PID 1200 wrote to memory of 4976 | 1200 | MARCH PAY SLIP_PDF.exe | 93
PID 1200 wrote to memory of 4976 | 1200 | MARCH PAY SLIP_PDF.exe | 93
PID 1200 wrote to memory of 4976 | 1200 | MARCH PAY SLIP_PDF.exe | 93
PID 1200 wrote to memory of 4976 | 1200 | MARCH PAY SLIP_PDF.exe | 93
PID 3776 wrote to memory of 4880 | 3776 | cmd.exe | 100
PID 3776 wrote to memory of 4880 | 3776 | cmd.exe | 100
PID 3776 wrote to memory of 4880 | 3776 | cmd.exe | 100
PID 3748 wrote to memory of 5184 | 3748 | cmd.exe | 101
PID 3748 wrote to memory of 5184 | 3748 | cmd.exe | 101
PID 3748 wrote to memory of 5184 | 3748 | cmd.exe | 101
PID 4976 wrote to memory of 3960 | 4976 | MARCH PAY SLIP_PDF.exe | 102
PID 4976 wrote to memory of 3960 | 4976 | MARCH PAY SLIP_PDF.exe | 102
PID 4976 wrote to memory of 3960 | 4976 | MARCH PAY SLIP_PDF.exe | 102
Processes

[1] C:\Users\Admin\AppData\Local\Temp\MARCH PAY SLIP_PDF.exe
    command: "C:\Users\Admin\AppData\Local\Temp\MARCH PAY SLIP_PDF.exe"
    PID: 1200
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\MARCH PAY SLIP_PDF.exe
        command: "C:\Users\Admin\AppData\Local\Temp\MARCH PAY SLIP_PDF.exe"
        PID: 4976
        - Checks computer location settings
        - Adds Run key to start application
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\ProgramData\Remcos\remcos.exe
            command: "C:\ProgramData\Remcos\remcos.exe"
            PID: 3960
            - Executes dropped EXE
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
    PID: 3748
    - Suspicious use of WriteProcessMemory
    [2] C:\ProgramData\Remcos\remcos.exe
        command: C:\ProgramData\Remcos\remcos.exe
        PID: 5184
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
    PID: 3776
    - Suspicious use of WriteProcessMemory
    [2] C:\ProgramData\Remcos\remcos.exe
        command: C:\ProgramData\Remcos\remcos.exe
        PID: 4880
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        [3] C:\ProgramData\Remcos\remcos.exe
            command: C:\ProgramData\Remcos\remcos.exe
            PID: 6004
            [4] C:\Windows\SysWOW64\recover.exe
                command: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\kehzprwxgskfofbfxekbuliyebvrtvchz"
                PID: 1928
            [4] C:\Windows\SysWOW64\recover.exe
                command: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\vyvrq"
                PID: 4280
            [4] C:\Windows\SysWOW64\recover.exe
                command: C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\fsakrcssh"
                PID: 4120

[1] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
    PID: 5700
    [2] C:\ProgramData\Remcos\remcos.exe
        command: C:\ProgramData\Remcos\remcos.exe
        PID: 5424

[1] C:\Windows\system32\cmd.exe
    command: C:\Windows\system32\cmd.exe /c "C:\ProgramData\Remcos\remcos.exe"
    PID: 5652
    [2] C:\ProgramData\Remcos\remcos.exe
        command: C:\ProgramData\Remcos\remcos.exe
        PID: 4268
Network
MITRE ATT&CK Enterprise v15
Downloads