File name: scandoc.exe

Full analysis: https://app.any.run/tasks/d19bb27b-6758-40ea-ae2a-3e8358dccc01
Verdict: Malicious activity
Threats:

Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis.

Analysis date: November 30, 2023, 16:11:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: remcos
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 3F38596CC3A4D9D6020D3CEBFF1A8F6C
SHA1: 7449C7578BE539C1ACBE51F23B690641B08EA336
SHA256: FF0A84220D028052A841312CD81BAA525D19F7E4B0CE94DBBAF6634A776D3814
SSDEEP: 98304:MQvuHm9z8IAVbeHxVnfjEf0WROxmm2LsckViUSYuWz9cgqUM/8g/uBldwtbuLjtt:M9fv5HINjaLDsbSxTy/MJ0gMtb1ek

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • scandoc.exe (PID: 2748)
    • REMCOS has been detected (YARA)

      • 8161.exe (PID: 2916)
    • Changes the autorun value in the registry

      • 8161.exe (PID: 2916)
  • SUSPICIOUS

    • Application launched itself

      • scandoc.exe (PID: 2876)
      • 8161.exe (PID: 2496)
    • Drops 7-zip archiver for unpacking

      • scandoc.exe (PID: 2748)
    • Reads the Internet Settings

      • scandoc.exe (PID: 2748)
    • Starts itself from another location

      • scandoc.exe (PID: 2748)
    • Connects to FTP

      • 8161.exe (PID: 2916)
  • INFO

    • Checks supported languages

      • scandoc.exe (PID: 2876)
      • scandoc.exe (PID: 2748)
      • 8161.exe (PID: 2496)
      • 8161.exe (PID: 2916)
    • Reads the computer name

      • scandoc.exe (PID: 2876)
      • scandoc.exe (PID: 2748)
      • 8161.exe (PID: 2496)
      • 8161.exe (PID: 2916)
    • Reads the machine GUID from the registry

      • scandoc.exe (PID: 2876)
      • 8161.exe (PID: 2496)
    • Reads Environment values

      • scandoc.exe (PID: 2748)
      • 8161.exe (PID: 2916)
    • Creates files in the program directory

      • scandoc.exe (PID: 2748)
    • Reads product name

      • scandoc.exe (PID: 2748)
      • 8161.exe (PID: 2916)

Remcos

Process: 8161.exe (PID 2916)

C2 (35):
95.214.26.199:80
95.214.26.199:465
95.214.26.199:21:0
95.214.26.199:8080
95.214.26.190:80
95.214.26.18:80
95.214.26.25:80
95.214.26.60:80
95.214.26.79:80
95.214.26.90:80
95.214.26.99:80
101.99.92.102:80
101.99.92.102:8080
101.99.92.102:465
101.99.92.101:465
101.99.92.103:465
101.99.92.19:465
101.99.92.19:80
101.99.92.19:8080
101.99.92.212:8080
101.99.92.218:8080
101.99.92.218:80
185.65.105.190:80
185.65.105.191:80
185.65.105.192:80
185.65.105.193:80
185.65.105.193:8080
185.65.105.194:8080
185.65.105.195:8080
185.65.105.196:8080
185.65.105.196:80
185.65.105.197:80
185.65.105.197:465
185.65.105.198:465
185.65.105.199:465
185.65.105.15:465

Botnet: RMC

Options:
Connect_interval: 1
Install_flag: True
Install_HKCU\Run: True
Install_HKLM\Run: True
Install_HKLM\Explorer\Run: 1
Install_HKLM\Winlogon\Shell: 100000
Setup_path: %LOCALAPPDATA%
Copy_file: 8161.exe
Startup_value: False
Hide_file: False
Mutex_name: Dv8161-E2WPIJ
Keylog_flag: 0
Keylog_path: %LOCALAPPDATA%
Keylog_file: logs.dat
Keylog_crypt: False
Hide_keylog: False
Screenshot_flag: False
Screenshot_time: 5
Take_Screenshot: False
Screenshot_path: %APPDATA%
Screenshot_file: Screenshots
Screenshot_crypt: False
Mouse_option: False
Delete_file: False
Audio_record_time: 5
Audio_path: %ProgramFiles%
Audio_dir: MicRecords
Connect_delay: 0
Copy_dir: Davinci
Keylog_dir: remcos
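The C2 listing above is only useful once it is normalised into something a detection pipeline can match on. The following is an added example, not code from ANY.RUN or from this report: it parses the listing exactly as printed (including the fused line "95.214.26.199:21:095.214.26.199:8080", which yields two endpoints, so the parser recovers 36 pairs against the "(35)" in the header), summarises the ports and /24 networks the operator uses, and then runs the resulting IOC set over a few constructed connection-log lines. The log format and the log lines themselves are assumptions made for the example.

```python
"""Added example, not part of the ANY.RUN report: normalise the Remcos C2
listing above into an IOC set and run it over constructed connection logs.

C2_LISTING is copied from the report as printed (the fused entry included);
SAMPLE_LOG and its line format are constructed for this example.
"""
import ipaddress
import re
from collections import Counter

C2_LISTING = """
95.214.26.199:80 95.214.26.199:465 95.214.26.199:21:095.214.26.199:8080
95.214.26.190:80 95.214.26.18:80 95.214.26.25:80 95.214.26.60:80
95.214.26.79:80 95.214.26.90:80 95.214.26.99:80
101.99.92.102:80 101.99.92.102:8080 101.99.92.102:465 101.99.92.101:465
101.99.92.103:465 101.99.92.19:465 101.99.92.19:80 101.99.92.19:8080
101.99.92.212:8080 101.99.92.218:8080 101.99.92.218:80
185.65.105.190:80 185.65.105.191:80 185.65.105.192:80 185.65.105.193:80
185.65.105.193:8080 185.65.105.194:8080 185.65.105.195:8080
185.65.105.196:8080 185.65.105.196:80 185.65.105.197:80 185.65.105.197:465
185.65.105.198:465 185.65.105.199:465 185.65.105.15:465
"""

# host:port pairs. The fused line leaves a leading zero on one address
# ("095.214.26.199:8080"); octets are re-parsed as integers below so it
# normalises to ("95.214.26.199", 8080) instead of being dropped.
C2_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def parse_c2(text):
    """Return an ordered, de-duplicated list of (ip, port) tuples."""
    seen = {}
    for ip_raw, port_raw in C2_RE.findall(text):
        octets = [int(o) for o in ip_raw.split(".")]
        port = int(port_raw)
        if max(octets) > 255 or not 0 < port < 65536:
            continue  # not a valid IPv4 endpoint; skip rather than guess
        seen.setdefault((".".join(map(str, octets)), port), None)
    return list(seen)


def port_histogram(entries):
    """How many configured endpoints use each port (80/465/8080/21 here)."""
    return Counter(port for _, port in entries)


def c2_networks(entries, prefix=24):
    """The /prefix networks the C2 hosts fall into, numerically sorted."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip, _ in entries}
    return [str(n) for n in sorted(nets)]


# Assumed log format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>".
CONN_RE = re.compile(r"->\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")

# Constructed sample lines: one exact C2 hit, one C2 host on an unlisted port,
# one benign broadcast (taken from the report's whitelisted entries), one more hit.
SAMPLE_LOG = [
    "2023-11-30T16:12:01Z 10.0.0.15:49213 -> 95.214.26.199:465 tcp",
    "2023-11-30T16:12:03Z 10.0.0.15:49214 -> 95.214.26.199:443 tcp",
    "2023-11-30T16:12:05Z 10.0.0.15:137 -> 192.168.100.255:137 udp",
    "2023-11-30T16:12:09Z 10.0.0.22:50001 -> 185.65.105.15:465 tcp",
]


def match_connections(log_lines, entries):
    """Flag lines whose destination is a configured C2 endpoint (exact ip:port),
    or a configured C2 host reached on a port the configuration does not list."""
    exact = set(entries)
    hosts = {ip for ip, _ in entries}
    hits = []
    for line in log_lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        dst, port = m.group(1), int(m.group(2))
        if (dst, port) in exact:
            hits.append((line, "c2_exact"))
        elif dst in hosts:
            hits.append((line, "c2_host_unlisted_port"))
    return hits


if __name__ == "__main__":
    c2 = parse_c2(C2_LISTING)
    print(len(c2), "endpoints; ports:", dict(port_histogram(c2)))
    print("networks:", c2_networks(c2))
    for line, verdict in match_connections(SAMPLE_LOG, c2):
        print(verdict, "<-", line)
```

The host-only match is deliberate: the sandbox run only reached the first three configured endpoints, and an operator can change ports without changing hosts, so a hunt keyed on the three /24s and the host set catches more than the exact pairs alone.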

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:29 13:48:25+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 12439040
InitializedDataSize: 4096
UninitializedDataSize: -
EntryPoint: 0xbdec84
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 22.1.0.0
ProductVersionNumber: 22.1.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Igor Pavlov
FileDescription: 7-Zip Installer
FileVersion: 22.01
InternalName: 7zipInstall
LegalCopyright: Copyright (c) 1999-2022 Igor Pavlov
OriginalFileName: 7zipInstall.exe
ProductName: 7-Zip
ProductVersion: 22.01

These version-resource strings are lifted from the genuine 7-Zip installer and are the source of the "Igor Pavlov" / "7-Zip Installer" fields shown for every process below; they say nothing about the file's origin. The file type ("Mono/.Net assembly") and the TrID result ("Generic CIL Executable") show the sample is a .NET executable, which the real 7-Zip installer is not.
Total processes: 39
Monitored processes: 4
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start > scandoc.exe (PID 2876) > scandoc.exe (PID 2748) > 8161.exe (PID 2496) > 8161.exe (PID 2916, #REMCOS)

Each binary runs twice: the first instance launches a second copy of itself, and only the second copy does the observable work (2748 drops and starts 8161.exe; 2916 writes the autorun value and connects to the C2). In the module lists below, the .NET runtime (mscoree.dll, mscoreei.dll) is loaded in 2876 and 2496 but not in 2748 and 2916, which is consistent with a .NET loader relaunching itself and running a native payload in the child.

Process information

PID: 2496
CMD: "C:\ProgramData\Davinci\8161.exe"
Path: C:\ProgramData\Davinci\8161.exe
Parent process: scandoc.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Installer
Exit code:
0
Version:
22.01
Modules
Images
c:\programdata\davinci\8161.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 2748
CMD: "C:\Users\admin\AppData\Local\Temp\scandoc.exe"
Path: C:\Users\admin\AppData\Local\Temp\scandoc.exe
Parent process: scandoc.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Installer
Exit code:
0
Version:
22.01
Modules
Images
c:\users\admin\appdata\local\temp\scandoc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2876
CMD: "C:\Users\admin\AppData\Local\Temp\scandoc.exe"
Path: C:\Users\admin\AppData\Local\Temp\scandoc.exe
Parent process: explorer.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Installer
Exit code:
0
Version:
22.01
Modules
Images
c:\users\admin\appdata\local\temp\scandoc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 2916
CMD: "C:\ProgramData\Davinci\8161.exe"
Path: C:\ProgramData\Davinci\8161.exe
Parent process: 8161.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Installer
Exit code:
0
Version:
22.01
Modules
Images
c:\programdata\davinci\8161.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 388
Read events: 379
Write events: 9
Delete events: 0

Modification events

PID 2748 (scandoc.exe), write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap: ProxyBypass = 1
PID 2748 (scandoc.exe), write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap: IntranetName = 1
PID 2748 (scandoc.exe), write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap: UNCAsIntranet = 1
PID 2748 (scandoc.exe), write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap: AutoDetect = 0
PID 2916 (8161.exe), write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: Dv8161-E2WPIJ = "C:\ProgramData\Davinci\8161.exe"

The Run value name is the configured Mutex_name (Dv8161-E2WPIJ) and its data is the dropped copy, matching Install_HKCU\Run: True in the extracted configuration. The HKLM locations the configuration also enables do not appear among the recorded writes; all four processes ran at MEDIUM integrity, which cannot write HKLM\...\Run, so a hunt for this sample should key on the HKCU value and on the mutex name rather than on HKLM alone.
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID 2748 (scandoc.exe): C:\ProgramData\Davinci\8161.exe (executable)
MD5: 3F38596CC3A4D9D6020D3CEBFF1A8F6C
SHA256: FF0A84220D028052A841312CD81BAA525D19F7E4B0CE94DBBAF6634A776D3814

These hashes are identical to the submitted sample: scandoc.exe copies itself unchanged to C:\ProgramData\Davinci\8161.exe (Copy_dir: Davinci, Copy_file: 8161.exe in the configuration), so one file hash covers both the initial dropper and the persisted copy. Note that the copy landed under C:\ProgramData rather than the configured Setup_path (%LOCALAPPDATA%); hunting on the configured path alone would miss it.
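The registry write and the self-copy recorded above are the two host-side behaviours worth alerting on, together with the "application launched itself" / "starts itself from another location" process chain in the behavior graph. The following is an added example, not code from ANY.RUN or from this report: detection logic run over a constructed set of Sysmon-style events (ProcessCreate, FileCreate, RegistryEvent value set). The paths, the Run value name and the SHA256 come from this report; the event records, PIDs of the parent chain, user SID and the two benign control events are constructed for the example.

```python
"""Added example, not part of the ANY.RUN report: host-side detection of the
self-copy, self-relaunch and HKCU\Run persistence recorded above, run over
constructed Sysmon-style events (id 1 = ProcessCreate, 11 = FileCreate,
13 = RegistryEvent value set). Field names follow Sysmon loosely; the event
records, SID and benign control events are made up for this example.
"""

SAMPLE_SHA256 = "SHA256=FF0A84220D028052A841312CD81BAA525D19F7E4B0CE94DBBAF6634A776D3814"
DROPPER = r"C:\Users\admin\AppData\Local\Temp\scandoc.exe"
COPY = r"C:\ProgramData\Davinci\8161.exe"
RUN_VALUE = r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dv8161-E2WPIJ"

EVENTS = [  # constructed; order and parent/child links mirror the report's process table
    {"id": 1, "pid": 2876, "ppid": 1640, "image": DROPPER,
     "parent_image": r"C:\Windows\explorer.exe", "hashes": SAMPLE_SHA256},
    {"id": 1, "pid": 2748, "ppid": 2876, "image": DROPPER,
     "parent_image": DROPPER, "hashes": SAMPLE_SHA256},
    {"id": 11, "pid": 2748, "image": DROPPER, "target": COPY},
    {"id": 1, "pid": 2496, "ppid": 2748, "image": COPY,
     "parent_image": DROPPER, "hashes": SAMPLE_SHA256},
    {"id": 1, "pid": 2916, "ppid": 2496, "image": COPY,
     "parent_image": COPY, "hashes": SAMPLE_SHA256},
    {"id": 13, "pid": 2916, "image": COPY, "target": RUN_VALUE,
     "details": '"C:\\ProgramData\\Davinci\\8161.exe"'},
    # benign controls: a vendor updater registering itself from Program Files,
    # and a system service writing a non-executable under ProgramData
    {"id": 13, "pid": 1200, "image": r"C:\Program Files\Vendor\updater.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "details": '"C:\\Program Files\\Vendor\\updater.exe"'},
    {"id": 11, "pid": 1300, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\ProgramData\Microsoft\Windows\WER\report.txt"},
]


def suspect_location(path):
    """User-writable roots from which an autorun or a fresh .exe is suspect."""
    p = path.lower()
    return p.startswith("c:\\programdata\\") or "\\appdata\\local\\temp\\" in p


def is_run_key(target):
    """True for a value under, or the key itself of, CurrentVersion\\Run."""
    t = target.lower()
    return "\\currentversion\\run\\" in t or t.endswith("\\currentversion\\run")


def detect(events):
    """Return (rule, pid_or_ppid, detail) tuples for the behaviours in the report."""
    alerts = []
    hashes = {}  # pid -> hashes from that process's own ProcessCreate event
    for e in events:
        if e["id"] == 1:
            hashes[e["pid"]] = e["hashes"]
            if e["image"].lower() == e["parent_image"].lower():
                alerts.append(("launched_itself", e["ppid"], e["pid"]))
            elif hashes.get(e["ppid"]) == e["hashes"]:
                # same binary as the parent, started from a different path
                alerts.append(("starts_itself_from_other_location", e["ppid"], e["pid"]))
        elif e["id"] == 11:
            t = e["target"].lower()
            if t.endswith(".exe") and suspect_location(t) and suspect_location(e["image"]):
                alerts.append(("exe_dropped_by_temp_process", e["pid"], e["target"]))
        elif e["id"] == 13 and is_run_key(e["target"]):
            data = e["details"].strip('"')
            if suspect_location(data):
                alerts.append(("run_key_points_to_suspect_dir", e["pid"], e["target"]))
    return alerts


if __name__ == "__main__":
    for rule, who, detail in detect(EVENTS):
        print(f"{rule:36} {who:>5}  {detail}")
```

The hash lookup on the parent is what turns "a process started another process" into "a process started a copy of itself from another location", which is the report's own wording for PID 2748; keying on the hash rather than the file name also survives the rename from scandoc.exe to 8161.exe.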
HTTP(S) requests: 0
TCP/UDP connections: 7
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP:port                 ASN          CN   Reputation
4     System       192.168.100.255:137     -            -    whitelisted
4     System       192.168.100.255:138     -            -    whitelisted
1080  svchost.exe  224.0.0.252:5355        -            -    unknown
2588  svchost.exe  239.255.255.250:1900    -            -    whitelisted
2916  8161.exe     95.214.26.199:80        Enes Koken   US   malicious
2916  8161.exe     95.214.26.199:465       Enes Koken   US   malicious
2916  8161.exe     95.214.26.199:21        Enes Koken   US   malicious

No domain was resolved for any of these; 8161.exe connects by IP address. Its three connections are the first three entries of the configured C2 list, tried in configuration order (80, 465, 21), with Connect_interval: 1 and Connect_delay: 0, and the FTP-port attempt is what the "Connects to FTP" indicator above refers to. The four System/svchost.exe entries are the guest's own NetBIOS, LLMNR and SSDP traffic.

DNS requests

dns.msftncsi.com -> 131.107.255.255 (shared; the Windows network connectivity check, not attacker infrastructure)

Threats

No threats detected
No debug info