Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    06-01-2021 18:00

General

  • Target

    ACTION2021.scr

  • Size

    1.4MB

  • MD5

    c6ed7e791f0c36826d3c55e196dd7bd4

  • SHA1

    97e94a141b7d479fd14373f724ce3232c2b0c429

  • SHA256

    c39bdd8f7c69c3140ef920e2b1d5965310058c5fa425b871f4d7751d8291d55e

  • SHA512

    17b21afde88b6d4ebb2340da7fb506ee62da93172e62e8da7bd4cf505fbe0df305f65523b555b9804d938411f00571a2718ec4ca900482c264173e2a42121a4f

Malware Config

Extracted

  • Family
    remcos
  • C2
    masters4733.sytes.net:8686

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance tool.

  • UAC bypass 3 TTPs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 76 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ACTION2021.scr
    "C:\Users\Admin\AppData\Local\Temp\ACTION2021.scr" /S
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Users\Admin\AppData\Local\Temp\ACTION2021.scr
      "C:\Users\Admin\AppData\Local\Temp\ACTION2021.scr"
      2⤵
        PID:1448
      • C:\Users\Admin\AppData\Local\Temp\ACTION2021.scr
        "C:\Users\Admin\AppData\Local\Temp\ACTION2021.scr"
        2⤵
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1488
        • C:\Windows\SysWOW64\cmd.exe
          /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:880
          • C:\Windows\SysWOW64\reg.exe
            C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            4⤵
            • Modifies registry key
            PID:1536
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1580
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\start\start.exe"
            4⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:556
            • C:\Users\Admin\AppData\Roaming\start\start.exe
              C:\Users\Admin\AppData\Roaming\start\start.exe
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:844
              • C:\Users\Admin\AppData\Roaming\start\start.exe
                "C:\Users\Admin\AppData\Roaming\start\start.exe"
                6⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of SetThreadContext
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:344
                • C:\Windows\SysWOW64\cmd.exe
                  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:560
                  • C:\Windows\SysWOW64\reg.exe
                    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                    8⤵
                    • Modifies registry key
                    PID:1332
                • C:\Users\Admin\AppData\Roaming\start\start.exe
                  C:\Users\Admin\AppData\Roaming\start\start.exe /stext "C:\Users\Admin\AppData\Local\Temp\yhcamtbcvyceyiwjqivyusqjl"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1088
                • C:\Users\Admin\AppData\Roaming\start\start.exe
                  C:\Users\Admin\AppData\Roaming\start\start.exe /stext "C:\Users\Admin\AppData\Local\Temp\ldvdnexxfomvlcgzqdctisgjcsaaoaic"
                  7⤵
                  • Executes dropped EXE
                  PID:1236
                • C:\Users\Admin\AppData\Roaming\start\start.exe
                  C:\Users\Admin\AppData\Roaming\start\start.exe /stext "C:\Users\Admin\AppData\Local\Temp\jbitmmmvjgurjokvhtqzfflaueqrv"
                  7⤵
                    PID:800

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    T1060 Registry Run Keys / Startup Folder (1)
  • Privilege Escalation
    T1088 Bypass User Account Control (1)
  • Defense Evasion
    T1088 Bypass User Account Control (1)
    T1089 Disabling Security Tools (1)
    T1112 Modify Registry (3)
  • Credential Access
    T1081 Credentials in Files (1)
  • Collection
    T1005 Data from Local System (1)


Downloads

      • C:\Users\Admin\AppData\Local\Temp\install.vbs
        MD5

        a9df62f02c776af7a9eb2a1f9a4fb408

        SHA1

        e6f5add446a134ff353d10eff8ea26f30b7cd839

        SHA256

        196620c6cc4a5f5382d44d597229d72ac5fe42e1e4e9faa63527d414fedc8e86

        SHA512

        8c7d143dc9c623246148b8e7dd8e0487fb6988a12e9614b37c48246e501c88c946001edcdf019201c89b8fe5dd3604674dfd8d96c4ae1b706ac48c64c09dae07

      • C:\Users\Admin\AppData\Local\Temp\yhcamtbcvyceyiwjqivyusqjl
        MD5

        f3b25701fe362ec84616a93a45ce9998

        SHA1

        d62636d8caec13f04e28442a0a6fa1afeb024bbb

        SHA256

        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

        SHA512

        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      • C:\Users\Admin\AppData\Roaming\start\start.exe
        MD5

        c6ed7e791f0c36826d3c55e196dd7bd4

        SHA1

        97e94a141b7d479fd14373f724ce3232c2b0c429

        SHA256

        c39bdd8f7c69c3140ef920e2b1d5965310058c5fa425b871f4d7751d8291d55e

        SHA512

        17b21afde88b6d4ebb2340da7fb506ee62da93172e62e8da7bd4cf505fbe0df305f65523b555b9804d938411f00571a2718ec4ca900482c264173e2a42121a4f

      • C:\Users\Admin\AppData\Roaming\start\start.exe
        MD5

        c6ed7e791f0c36826d3c55e196dd7bd4

        SHA1

        97e94a141b7d479fd14373f724ce3232c2b0c429

        SHA256

        c39bdd8f7c69c3140ef920e2b1d5965310058c5fa425b871f4d7751d8291d55e

        SHA512

        17b21afde88b6d4ebb2340da7fb506ee62da93172e62e8da7bd4cf505fbe0df305f65523b555b9804d938411f00571a2718ec4ca900482c264173e2a42121a4f

      • C:\Users\Admin\AppData\Roaming\start\start.exe
        MD5

        c6ed7e791f0c36826d3c55e196dd7bd4

        SHA1

        97e94a141b7d479fd14373f724ce3232c2b0c429

        SHA256

        c39bdd8f7c69c3140ef920e2b1d5965310058c5fa425b871f4d7751d8291d55e

        SHA512

        17b21afde88b6d4ebb2340da7fb506ee62da93172e62e8da7bd4cf505fbe0df305f65523b555b9804d938411f00571a2718ec4ca900482c264173e2a42121a4f

      • C:\Users\Admin\AppData\Roaming\start\start.exe
        MD5

        c6ed7e791f0c36826d3c55e196dd7bd4

        SHA1

        97e94a141b7d479fd14373f724ce3232c2b0c429

        SHA256

        c39bdd8f7c69c3140ef920e2b1d5965310058c5fa425b871f4d7751d8291d55e

        SHA512

        17b21afde88b6d4ebb2340da7fb506ee62da93172e62e8da7bd4cf505fbe0df305f65523b555b9804d938411f00571a2718ec4ca900482c264173e2a42121a4f

      • C:\Users\Admin\AppData\Roaming\start\start.exe
        MD5

        c6ed7e791f0c36826d3c55e196dd7bd4

        SHA1

        97e94a141b7d479fd14373f724ce3232c2b0c429

        SHA256

        c39bdd8f7c69c3140ef920e2b1d5965310058c5fa425b871f4d7751d8291d55e

        SHA512

        17b21afde88b6d4ebb2340da7fb506ee62da93172e62e8da7bd4cf505fbe0df305f65523b555b9804d938411f00571a2718ec4ca900482c264173e2a42121a4f

      • \Users\Admin\AppData\Roaming\start\start.exe
        MD5

        c6ed7e791f0c36826d3c55e196dd7bd4

        SHA1

        97e94a141b7d479fd14373f724ce3232c2b0c429

        SHA256

        c39bdd8f7c69c3140ef920e2b1d5965310058c5fa425b871f4d7751d8291d55e

        SHA512

        17b21afde88b6d4ebb2340da7fb506ee62da93172e62e8da7bd4cf505fbe0df305f65523b555b9804d938411f00571a2718ec4ca900482c264173e2a42121a4f

      • \Users\Admin\AppData\Roaming\start\start.exe
        MD5

        c6ed7e791f0c36826d3c55e196dd7bd4

        SHA1

        97e94a141b7d479fd14373f724ce3232c2b0c429

        SHA256

        c39bdd8f7c69c3140ef920e2b1d5965310058c5fa425b871f4d7751d8291d55e

        SHA512

        17b21afde88b6d4ebb2340da7fb506ee62da93172e62e8da7bd4cf505fbe0df305f65523b555b9804d938411f00571a2718ec4ca900482c264173e2a42121a4f

      • memory/344-26-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

      • memory/344-24-0x0000000000413FA4-mapping.dmp
      • memory/556-13-0x0000000000000000-mapping.dmp
      • memory/560-27-0x0000000000000000-mapping.dmp
      • memory/844-17-0x0000000000000000-mapping.dmp
      • memory/844-19-0x0000000074850000-0x0000000074F3E000-memory.dmp
        Filesize

        6.9MB

      • memory/844-20-0x0000000000960000-0x0000000000961000-memory.dmp
        Filesize

        4KB

      • memory/848-2-0x00000000748D0000-0x0000000074FBE000-memory.dmp
        Filesize

        6.9MB

      • memory/848-5-0x0000000000410000-0x000000000043C000-memory.dmp
        Filesize

        176KB

      • memory/848-3-0x0000000001060000-0x0000000001061000-memory.dmp
        Filesize

        4KB

      • memory/880-9-0x0000000000000000-mapping.dmp
      • memory/1088-29-0x0000000000400000-0x0000000000478000-memory.dmp
        Filesize

        480KB

      • memory/1088-33-0x0000000000400000-0x0000000000478000-memory.dmp
        Filesize

        480KB

      • memory/1088-37-0x0000000000400000-0x0000000000478000-memory.dmp
        Filesize

        480KB

      • memory/1088-30-0x0000000000476274-mapping.dmp
      • memory/1236-36-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

      • memory/1236-32-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

      • memory/1236-34-0x0000000000455238-mapping.dmp
      • memory/1236-38-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

      • memory/1332-28-0x0000000000000000-mapping.dmp
      • memory/1488-8-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

      • memory/1488-7-0x0000000000413FA4-mapping.dmp
      • memory/1488-6-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

      • memory/1536-10-0x0000000000000000-mapping.dmp
      • memory/1576-39-0x000007FEF6580000-0x000007FEF67FA000-memory.dmp
        Filesize

        2.5MB

      • memory/1580-11-0x0000000000000000-mapping.dmp