Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    21-10-2021 11:40

General

  • Target

    ConsoleApp2.exe

  • Size

    38KB

  • MD5

    6b0c8dc28ebc349b2b360dc92f2b6ed2

  • SHA1

    f9491e07725f29e5852c501f99c87319ca5b1201

  • SHA256

    ec3d28f2132d699e7efe8ee2139e3df6fde94e8859402bec216f17d0e55b0bfc

  • SHA512

    8febb5532529cc43215f75926b5c03cbdc63f04b3f5dabdf18453071cf5cc2a56c874f083ec94720044d1937d7eaba037b2de657952f1675d907794a7e37c29e

Score
10/10

Malware Config

Extracted

Family

remcos

Version

3.3.0 Pro

Botnet

Grace2

C2

orozco-fax.home-webserver.de:8932

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    iouyts.exe

  • copy_folder

    iuyt

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    6yuigs.dat

  • keylog_flag

    false

  • keylog_folder

    oiuyt

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    jhgfiuyt-QMLKNN

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    poiuy

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ConsoleApp2.exe
    "C:\Users\Admin\AppData\Local\Temp\ConsoleApp2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

  • memory/648-120-0x0000000000400000-0x0000000000479000-memory.dmp
    Filesize

    484KB

  • memory/648-121-0x000000000042FC39-mapping.dmp
  • memory/648-123-0x0000000000400000-0x0000000000479000-memory.dmp
    Filesize

    484KB

  • memory/2720-115-0x0000000000940000-0x0000000000941000-memory.dmp
    Filesize

    4KB

  • memory/2720-117-0x00000000052A0000-0x00000000052A1000-memory.dmp
    Filesize

    4KB

  • memory/2720-118-0x0000000005CF0000-0x0000000005D58000-memory.dmp
    Filesize

    416KB

  • memory/2720-119-0x0000000006040000-0x000000000608B000-memory.dmp
    Filesize

    300KB