| File name: | z.sc.exe |
| Full analysis: | https://app.any.run/tasks/e7fc6d81-eb40-4f16-beb1-02340a5f9817 |
| Verdict: | Malicious activity |
| Threats: | Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis. |
| Analysis date: | January 05, 2024, 10:40:20 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | CFA95848A698D9D72DC4995BC30B788A |
| SHA1: | 439961B3EE0BF330FE12A41C2286F4ACC75350D8 |
| SHA256: | 22FCA2D98B643E284DF111B67B42ACA4C6D2351F71B4949B028ACE1C9A6ADA50 |
| SSDEEP: | 98304:LP/mp7t3T4+B/btosJwIA4hHmZlKH2Tw/Pq83zw0bCjvkm7P5i0IYQnZ9JvgQ9Im:G97 |
MALICIOUS
Uses Task Scheduler to run other applications
- z.sc.exe (PID: 2040)
Create files in the Startup directory
- cmd.exe (PID: 124)
REMCOS has been detected (YARA)
- z.sc.exe (PID: 2068)
SUSPICIOUS
No suspicious indicators.INFO
Drops the executable file immediately after the start
- z.sc.exe (PID: 2040)
Checks supported languages
- z.sc.exe (PID: 2040)
- z.sc.exe (PID: 2068)
Reads mouse settings
- z.sc.exe (PID: 2040)
Application launched itself
- z.sc.exe (PID: 2040)
Manual execution by a user
- cmd.exe (PID: 124)
Reads the computer name
- z.sc.exe (PID: 2040)
- z.sc.exe (PID: 2068)
Creates files or folders in the user directory
- z.sc.exe (PID: 2040)
Reads Environment values
- z.sc.exe (PID: 2068)
Reads product name
- z.sc.exe (PID: 2068)
Connects to unusual port
- z.sc.exe (PID: 2068)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Remcos
(PID) Process(2068) z.sc.exe
C2 (1)80.66.75.51:2403
BotnetRemoteHost
Options
Connect_interval1
Install_flagFalse
Install_HKCU\RunTrue
Install_HKLM\RunTrue
Install_HKLM\Explorer\Run0
Setup_path%LOCALAPPDATA%
Copy_fileremcos.exe
Startup_valueRemcos
Hide_fileFalse
Mutex_nameRmc-7C9RIB
Keylog_flag0
Keylog_path%LOCALAPPDATA%
Keylog_filelogs.dat
Keylog_cryptFalse
Hide_keylogFalse
Screenshot_flagFalse
Screenshot_time5
Take_ScreenshotFalse
Screenshot_path%APPDATA%
Screenshot_fileScreenshots
Screenshot_cryptFalse
Mouse_optionFalse
Delete_fileFalse
Audio_record_time5
Audio_path%ProgramFiles%
Audio_dirMicRecords
Connect_delay0
Copy_dirRemcos
Keylog_dirremcos
Max_keylog_file100000
TRiD
| .exe | | | Win64 Executable (generic) (76.4) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (12.4) |
| .exe | | | Generic Win/DOS Executable (5.5) |
| .exe | | | DOS Executable Generic (5.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:01:05 11:39:40+01:00 |
| ImageFileCharacteristics: | Executable, Large address aware, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.16 |
| CodeSize: | 633856 |
| InitializedDataSize: | 1230336 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x20577 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (British) |
| CharacterSet: | Unicode |
Total processes
38
Monitored processes
4
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 124 | cmd /c echo [InternetShortcut] > "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fantasy.url" & echo URL="C:\Users\admin\AppData\Local\H\lHBLAmdkRSYr.vbs" >> "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fantasy.url" | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1432 | schtasks.exe /create /tn "Buf" /tr "C:\Users\admin\AppData\Local\H\Fantasy.exe.com C:\Users\admin\AppData\Local\H\z" /sc minute /mo 3 /F | C:\Windows\System32\schtasks.exe | — | z.sc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2040 | "C:\Users\admin\AppData\Local\Temp\z.sc.exe" | C:\Users\admin\AppData\Local\Temp\z.sc.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2068 | C:\Users\admin\AppData\Local\Temp\z.sc.exe | C:\Users\admin\AppData\Local\Temp\z.sc.exe | z.sc.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
Remcos(PID) Process(2068) z.sc.exe C2 (1)80.66.75.51:2403 BotnetRemoteHost Options Connect_interval1 Install_flagFalse Install_HKCU\RunTrue Install_HKLM\RunTrue Install_HKLM\Explorer\Run0 Setup_path%LOCALAPPDATA% Copy_fileremcos.exe Startup_valueRemcos Hide_fileFalse Mutex_nameRmc-7C9RIB Keylog_flag0 Keylog_path%LOCALAPPDATA% Keylog_filelogs.dat Keylog_cryptFalse Hide_keylogFalse Screenshot_flagFalse Screenshot_time5 Take_ScreenshotFalse Screenshot_path%APPDATA% Screenshot_fileScreenshots Screenshot_cryptFalse Mouse_optionFalse Delete_fileFalse Audio_record_time5 Audio_path%ProgramFiles% Audio_dirMicRecords Connect_delay0 Copy_dirRemcos Keylog_dirremcos Max_keylog_file100000 | |||||||||||||||
Total events
317
Read events
317
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
1
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2040 | z.sc.exe | C:\Users\admin\AppData\Local\H\z | binary | |
MD5:30608054E9E355759EA333B6589DFB57 | SHA256:F791487056C47ABC4CEB5B69359AE5E425847EDC27728A0D95A01D8DE30C770B | |||
| 124 | cmd.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fantasy.url | text | |
MD5:353795816AE5B37D44A9024159D27EA8 | SHA256:C0FC703B325B80CD526B0CF1AAA1A1BFEBBBFCB68A00B2493F690B950722E242 | |||
| 2040 | z.sc.exe | C:\Users\admin\AppData\Local\H\lHBLAmdkRSYr.vbs | text | |
MD5:8A451BBF1ECFCD02B5F10C47060BDBA9 | SHA256:2D96C54CB9798E9179C69A3344F46E89D953DF6FBBBA73C97CB3CC1DC67EDAC6 | |||
| 2040 | z.sc.exe | C:\Users\admin\AppData\Local\H\Fantasy.exe.com | executable | |
MD5:CFA95848A698D9D72DC4995BC30B788A | SHA256:22FCA2D98B643E284DF111B67B42ACA4C6D2351F71B4949B028ACE1C9A6ADA50 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
35
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2068 | z.sc.exe | 80.66.75.51:2403 | — | Kakharov Orinbassar Maratuly | RU | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
uRtedzRkcvnByFYykLwRfVAAuy.uRtedzRkcvnByFYykLwRfVAAuy |
| unknown |