Overview

overview

10

Static

static

SecuriteIn...59.exe

windows7_x64

10

SecuriteIn...59.exe

windows10_x64

10

Analysis

  • max time kernel
    155s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    06-12-2021 04:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.GenericKDZ.81096.27678.10459.exe

  • Size

    523KB

  • MD5

    6f78f5cf377470fc449263eaf2231dac

  • SHA1

    067211e73b880a6a7c9c01ac2c309ea49579ad1f

  • SHA256

    2fae5c7782b7c0cf7e205c1cf79400ef3c88c261b51882fb7f5dadab37013cf9

  • SHA512

    cc4c07d4b7072391e8c3d182f6a0f85f6994a40b0e0f4d8d2158cd9c6f112e58e2f45f3fff3205c9e7c2e18940f24f713e558aa608683fb897346953d05e758c

Score
10/10
remcosj3j3-uspersistencerat

Malware Config

Extracted

Family

remcos

Version

3.3.2 Pro

Botnet

J3J3-US

C2

kent0mushinec0n3t.casacam.net:32095

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    Pin.exe

  • copy_folder

    J3J3-US

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    J3J3-US

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-TFIQE4

  • screenshot_crypt

    true

  • screenshot_flag

    true

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    J3J3-US

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKDZ.81096.27678.10459.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKDZ.81096.27678.10459.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:952
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:572
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\J3J3-US\Pin.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1916
        • C:\Users\Admin\AppData\Roaming\J3J3-US\Pin.exe
          C:\Users\Admin\AppData\Roaming\J3J3-US\Pin.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1620
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\SysWOW64\svchost.exe
            5⤵
              PID:1056
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x4bc
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1732

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\install.vbs
      MD5

      1b9ad3c55bc8a8e557a4a955c337d9ab

      SHA1

      e5208f130862c525fcf83581133acef2b98ec026

      SHA256

      667cd100e97e085a660a912694d2bc1fb1c690065ad1b850c86a5056db80cb70

      SHA512

      8ef83ba293a93d70c19f0f94639b240a35f21aaca182120d812136cd8eb7771bb2a054cc809fa385bbb3872cbd81b04beba8cf17a68ea4b18ba3487865be409e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\J3J3-US\Pin.exe
      MD5

      6f78f5cf377470fc449263eaf2231dac

      SHA1

      067211e73b880a6a7c9c01ac2c309ea49579ad1f

      SHA256

      2fae5c7782b7c0cf7e205c1cf79400ef3c88c261b51882fb7f5dadab37013cf9

      SHA512

      cc4c07d4b7072391e8c3d182f6a0f85f6994a40b0e0f4d8d2158cd9c6f112e58e2f45f3fff3205c9e7c2e18940f24f713e558aa608683fb897346953d05e758c

      Download Submit
    • C:\Users\Admin\AppData\Roaming\J3J3-US\Pin.exe
      MD5

      6f78f5cf377470fc449263eaf2231dac

      SHA1

      067211e73b880a6a7c9c01ac2c309ea49579ad1f

      SHA256

      2fae5c7782b7c0cf7e205c1cf79400ef3c88c261b51882fb7f5dadab37013cf9

      SHA512

      cc4c07d4b7072391e8c3d182f6a0f85f6994a40b0e0f4d8d2158cd9c6f112e58e2f45f3fff3205c9e7c2e18940f24f713e558aa608683fb897346953d05e758c

      Download Submit
    • \Users\Admin\AppData\Roaming\J3J3-US\Pin.exe
      MD5

      6f78f5cf377470fc449263eaf2231dac

      SHA1

      067211e73b880a6a7c9c01ac2c309ea49579ad1f

      SHA256

      2fae5c7782b7c0cf7e205c1cf79400ef3c88c261b51882fb7f5dadab37013cf9

      SHA512

      cc4c07d4b7072391e8c3d182f6a0f85f6994a40b0e0f4d8d2158cd9c6f112e58e2f45f3fff3205c9e7c2e18940f24f713e558aa608683fb897346953d05e758c

      Download Submit
    • \Users\Admin\AppData\Roaming\J3J3-US\Pin.exe
      MD5

      6f78f5cf377470fc449263eaf2231dac

      SHA1

      067211e73b880a6a7c9c01ac2c309ea49579ad1f

      SHA256

      2fae5c7782b7c0cf7e205c1cf79400ef3c88c261b51882fb7f5dadab37013cf9

      SHA512

      cc4c07d4b7072391e8c3d182f6a0f85f6994a40b0e0f4d8d2158cd9c6f112e58e2f45f3fff3205c9e7c2e18940f24f713e558aa608683fb897346953d05e758c

      Download Submit
    • memory/572-59-0x0000000000000000-mapping.dmp
      Download
    • memory/952-57-0x0000000000310000-0x0000000000385000-memory.dmp
      Filesize

      468KB

      Download
    • memory/952-55-0x0000000000608000-0x000000000064D000-memory.dmp
      Filesize

      276KB

      Download
    • memory/952-56-0x0000000075A61000-0x0000000075A63000-memory.dmp
      Filesize

      8KB

      Download
    • memory/952-58-0x0000000000400000-0x0000000000504000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1056-83-0x0000000000400000-0x0000000000504000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1056-80-0x0000000000608000-0x000000000064D000-memory.dmp
      Filesize

      276KB

      Download
    • memory/1056-79-0x0000000000400000-0x0000000000504000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1056-81-0x0000000000400000-0x0000000000504000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1056-71-0x0000000000400000-0x0000000000504000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1056-72-0x0000000000400000-0x0000000000504000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1056-73-0x0000000000400000-0x0000000000504000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1056-74-0x0000000000400000-0x0000000000504000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1056-75-0x0000000000400000-0x0000000000504000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1056-76-0x0000000000400000-0x0000000000504000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1056-77-0x000000000044D470-mapping.dmp
      Download
    • memory/1056-70-0x0000000000400000-0x0000000000504000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1620-68-0x0000000000288000-0x00000000002CD000-memory.dmp
      Filesize

      276KB

      Download
    • memory/1620-78-0x0000000000400000-0x0000000000504000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1620-66-0x0000000000000000-mapping.dmp
      Download
    • memory/1916-62-0x0000000000000000-mapping.dmp
      Download