Analysis

  • max time kernel: 199s
  • max time network: 223s
  • platform: windows10_x64
  • resource: win10-en-20211208
  • submitted: 21-01-2022 23:42

General

  • Target: f2efed3085222702283f7d44a8b2ce38612575a40ae54a17aaadf22054217b33.exe
  • Size: 839KB
  • MD5: 4de864017ab66eb555be73eb54749347
  • SHA1: 6e81343018136b271d1f95db536ca6b2fd1dfcd6
  • SHA256: f2efed3085222702283f7d44a8b2ce38612575a40ae54a17aaadf22054217b33
  • SHA512: 689fcdc236a287bfd0cd866ec3af3ab471d53579a37daf59c74b89400f937ada873edb5a968bfd04e57573391c6e1d6e2af86e4e11c05ea5a2bb70b22280a868

Score
10/10

Malware Config

Extracted

  • Family: remcos
  • Version: 2.5.0 Pro
  • Botnet: Marzo
  • C2: marzoorganigrama20202020.duckdns.org:1419

Attributes

  • audio_folder: MicRecords
  • audio_path: %AppData%
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • install_path: %AppData%
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • keylog_path: %AppData%
  • mouse_option: false
  • mutex: Remcos-3EHDVQ
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: remcos
  • take_screenshot_option: false
  • take_screenshot_time: 5
  • take_screenshot_title: wikipedia;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Blocklisted process makes network request 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2efed3085222702283f7d44a8b2ce38612575a40ae54a17aaadf22054217b33.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f2efed3085222702283f7d44a8b2ce38612575a40ae54a17aaadf22054217b33.exe"
    PID: 964
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe (child of PID 964)
      Command line: C:\Windows\system32\rundll32.exe Galvanometry,Pickaninny
      PID: 2720
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe (child of PID 2720)
        Command line: "C:\Windows\system32\cmd.exe"
        PID: 1088
        • Blocklisted process makes network request
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery: System Information Discovery (T1082), 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Firebug
    MD5: 7663e89cb0bce6839c818cf01bddd41f
    SHA1: a099cdaae06bb49ec15e3d9db3127b9da51acf89
    SHA256: a196489d91451949ff3521f357fdf4de50aa99b4df93f9a258611c3a3ec1d099
    SHA512: 9dd59033e30a49cc967c9f5dbc7ac44b0e3e96696a60a0c8585c8081a30553d8a411e878d3cea891f09859d7aaddfc98103ca99fa336d973fafb345c651250d9

  • C:\Users\Admin\AppData\Local\Temp\Galvanometry.DLL
    MD5: bc2c79b3780c12c0d508b4fbf37ef15c
    SHA1: 5b2328a38ff40d57c78a8174ebdc9a7f5553c35f
    SHA256: c0852f62db36c97bb577b840dd58eafd4cd579d09114e2f5c5cbd5858378b598
    SHA512: 9c73429153d6a9b546ff210ec1ef13d2302687992bab26192bb735e9557bec94fc4d6f2ba790afc32933277c1a720cd2015aa19e6522c00150f32fe95cc95136

  • \Users\Admin\AppData\Local\Temp\Galvanometry.dll
    MD5: bc2c79b3780c12c0d508b4fbf37ef15c
    SHA1: 5b2328a38ff40d57c78a8174ebdc9a7f5553c35f
    SHA256: c0852f62db36c97bb577b840dd58eafd4cd579d09114e2f5c5cbd5858378b598
    SHA512: 9c73429153d6a9b546ff210ec1ef13d2302687992bab26192bb735e9557bec94fc4d6f2ba790afc32933277c1a720cd2015aa19e6522c00150f32fe95cc95136

  • memory/1088-125-0x0000000077639000-0x000000007763A000-memory.dmp (Filesize: 4KB)
  • memory/1088-131-0x00007FFE414C0000-0x00007FFE4169B000-memory.dmp (Filesize: 1.9MB)
  • memory/1088-151-0x00000000009C0000-0x00000000009C6000-memory.dmp (Filesize: 24KB)
  • memory/1088-157-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
  • memory/2720-122-0x00000000004E0000-0x00000000004E2000-memory.dmp (Filesize: 8KB)
  • memory/2720-121-0x00000000736A0000-0x000000007374D000-memory.dmp (Filesize: 692KB)
  • memory/2720-123-0x0000000075450000-0x00000000754B7000-memory.dmp (Filesize: 412KB)
  • memory/2720-124-0x00007FFE414C0000-0x00007FFE4169B000-memory.dmp (Filesize: 1.9MB)