Overview

overview

10

Static

static

a5dcc0d9f4...39.exe

windows7_x64

10

a5dcc0d9f4...39.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    25-01-2022 13:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a5dcc0d9f44de85e8895ebb37aab0639.exe

  • Size

    219KB

  • MD5

    a5dcc0d9f44de85e8895ebb37aab0639

  • SHA1

    dec6df7d20dec256a0a5547fb9e4f297b1dd96f7

  • SHA256

    932382f377c00f267e7f102d6fb94aa69d6052302106d3578511e8c70e82bb70

  • SHA512

    986e4a3733ea4340d5a4ec41e6f6d9a8fa67bdf346df7afc375ae201724a5a926405ce6d576745d5dd913132229ebc5fe9fbe551db0dec728d91d4790990afce

Score
10/10
remcoshostpersistenceratupx

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

pvtrans.ydns.eu:3030

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    svchost.exe

  • copy_folder

    Microsoft Window Client

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    Microsoft Window Clinet

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_oxhfteubwm

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    svchost

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5dcc0d9f44de85e8895ebb37aab0639.exe
    "C:\Users\Admin\AppData\Local\Temp\a5dcc0d9f44de85e8895ebb37aab0639.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HuzKkvOaVDHCNb.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1528
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HuzKkvOaVDHCNb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp71B7.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:852
    • C:\Users\Admin\AppData\Local\Temp\a5dcc0d9f44de85e8895ebb37aab0639.exe
      "C:\Users\Admin\AppData\Local\Temp\a5dcc0d9f44de85e8895ebb37aab0639.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1772
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
        3⤵
        • Deletes itself
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1508
        • C:\Windows\SysWOW64\PING.EXE
          PING 127.0.0.1 -n 2
          4⤵
          • Runs ping.exe
          PID:1624
        • C:\Users\Admin\AppData\Roaming\Microsoft Window Client\svchost.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft Window Client\svchost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1284
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HuzKkvOaVDHCNb.exe"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1924
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HuzKkvOaVDHCNb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5BB.tmp"
            5⤵
            • Creates scheduled task(s)
            PID:1612
          • C:\Users\Admin\AppData\Roaming\Microsoft Window Client\svchost.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft Window Client\svchost.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:600
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1136
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
                7⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:520
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:520 CREDAT:275457 /prefetch:2
                  8⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
    MD5

    4de133c09d0772f2b2032993c3e1c34a

    SHA1

    eb11f944f62816336b7928ca84184435dbc49aa4

    SHA256

    0d921f8e8f7acb3ec6bc07cb530b63cbc51edc2a057a2ea720160489f42b0a2e

    SHA512

    2671bd4a243e3232d8050477f5b48d665c8cb3b2fbe426b70f5bb1fd90828c16f383ff57d57d514ff9fdfe7b9ad585d9ed11b67eddfa404b2d52ab7167a715f7

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
    MD5

    3458a27acb3a1624b22f8d40e9d755a4

    SHA1

    1531e8aef83fae6ca18e8ffacccaf3163bea2cd0

    SHA256

    88e5d5445b0cdfbfbaa7e351c54ea70a3e68d7c3d4679bfc42ef164e7e6534d0

    SHA512

    cae501a8cf4f13c683dad5d6265dad88785d96d73da28ade5b16cd302b7722c565bdef8e688070eace03483f758ab9261eb03e041358afea1075b49af4531af0

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    1cc12e347536b339e1174a7b3ee8ce6b

    SHA1

    889cec8403841781777c43b19a4e20d921f3a052

    SHA256

    bebba1583c3b78ff3702d12a386ee71c7a8ac80667692539bc50922546538de0

    SHA512

    7b802629dd54a8df73f3d74785606bc0e38089c5a89783d94b87f5032782c256406f34d9786ff9de76d952397206e90d075151a413905d4700ec53d94bfa6a78

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\o5rwqiw\imagestore.dat
    MD5

    46ddfe630120551304476485a349aeb6

    SHA1

    fe698e5e20982a0c431aa2aff2f4fc0f5f40ae90

    SHA256

    3299df2a1cb950c46a0c40f00479a71d53830e8f98bf71cb0e6320aad418792d

    SHA512

    b6b9774db90bf6dd6366a2bb6c299ed85f4aa1a99f1dba08170a2394c94c33a48eabdd8204c5d27b54d569042728cd86872f0e9eba44ffd7139d65d69858daf5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\install.bat
    MD5

    617b3071d93c16dac48d9f571b94443e

    SHA1

    4ccb339a960d3cac523d0e081ba4f6772cd1b865

    SHA256

    38b2d89f8ec584cc9f60697ca365c646cedb8caf619acfd9f2a059d016b1b9c5

    SHA512

    f72c3aaa94633618673582a8ec3c77e470b55f48492840e3499bbbde3efeb009dc5060ae0b2bdbb04c73b6dbefa24448839c90f866dbc1221962a8f11e8fab19

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp5BB.tmp
    MD5

    78ee1c15f294f584b940ad3d158d3a87

    SHA1

    619d00977c3e72b5577aead261cc68901d41019f

    SHA256

    cb145d9fb34705a3b7c5ec664cc1aebac0f2044816e5df33f58a852b66fb33f4

    SHA512

    edb6b76b6b069c4ca54e8cf440a8ee3b4ee6056c4882d087de67e5500a83dd823bb45f7a367ee03c941efd06aead96cd11b6ecced20df811308b88b4e365fc3a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp71B7.tmp
    MD5

    78ee1c15f294f584b940ad3d158d3a87

    SHA1

    619d00977c3e72b5577aead261cc68901d41019f

    SHA256

    cb145d9fb34705a3b7c5ec664cc1aebac0f2044816e5df33f58a852b66fb33f4

    SHA512

    edb6b76b6b069c4ca54e8cf440a8ee3b4ee6056c4882d087de67e5500a83dd823bb45f7a367ee03c941efd06aead96cd11b6ecced20df811308b88b4e365fc3a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft Window Client\svchost.exe
    MD5

    a5dcc0d9f44de85e8895ebb37aab0639

    SHA1

    dec6df7d20dec256a0a5547fb9e4f297b1dd96f7

    SHA256

    932382f377c00f267e7f102d6fb94aa69d6052302106d3578511e8c70e82bb70

    SHA512

    986e4a3733ea4340d5a4ec41e6f6d9a8fa67bdf346df7afc375ae201724a5a926405ce6d576745d5dd913132229ebc5fe9fbe551db0dec728d91d4790990afce

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft Window Client\svchost.exe
    MD5

    a5dcc0d9f44de85e8895ebb37aab0639

    SHA1

    dec6df7d20dec256a0a5547fb9e4f297b1dd96f7

    SHA256

    932382f377c00f267e7f102d6fb94aa69d6052302106d3578511e8c70e82bb70

    SHA512

    986e4a3733ea4340d5a4ec41e6f6d9a8fa67bdf346df7afc375ae201724a5a926405ce6d576745d5dd913132229ebc5fe9fbe551db0dec728d91d4790990afce

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft Window Client\svchost.exe
    MD5

    a5dcc0d9f44de85e8895ebb37aab0639

    SHA1

    dec6df7d20dec256a0a5547fb9e4f297b1dd96f7

    SHA256

    932382f377c00f267e7f102d6fb94aa69d6052302106d3578511e8c70e82bb70

    SHA512

    986e4a3733ea4340d5a4ec41e6f6d9a8fa67bdf346df7afc375ae201724a5a926405ce6d576745d5dd913132229ebc5fe9fbe551db0dec728d91d4790990afce

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JOWTSPBE.txt
    MD5

    0b58178d71fc4cb9c9911649221a6d05

    SHA1

    e561e3b2a2a2438f9f9e3b866de5b80244573544

    SHA256

    08b33fbf2753f2b93f4fa99f214f5918dafc528e0cff2da99126fe922eb2a4ad

    SHA512

    aa2c73e8a6cb218ebbffc3e5f067a425cc2705dfbed3c926576d6080896889c6fab25048031057445b7b2507d1d09e88e03ece5e2f12e8a400e3d0f267292a22

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5

    4e3fa9969b19389049bf3d44ee7d2099

    SHA1

    10bc947879e41c1601341a6cce3d1e9ec3fef9b6

    SHA256

    3fe1248f124ad9f8e6ec7345261690c52f0224e663652ab52bd43f9fe519b665

    SHA512

    45ca5f26523b3f10cc9aa2812ff397a34e8e7af2c71f40b031e20324706ae59820d82fe718821374297afcc62925e6ec7760365cb7eca8d852831d8f013588ce

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft Window Client\svchost.exe
    MD5

    a5dcc0d9f44de85e8895ebb37aab0639

    SHA1

    dec6df7d20dec256a0a5547fb9e4f297b1dd96f7

    SHA256

    932382f377c00f267e7f102d6fb94aa69d6052302106d3578511e8c70e82bb70

    SHA512

    986e4a3733ea4340d5a4ec41e6f6d9a8fa67bdf346df7afc375ae201724a5a926405ce6d576745d5dd913132229ebc5fe9fbe551db0dec728d91d4790990afce

    Download Submit
  • memory/600-91-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize

    116KB

    Download
  • memory/600-92-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize

    116KB

    Download
  • memory/600-93-0x0000000000401000-0x000000000041D000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1284-81-0x000000007EF40000-0x000000007EFA0000-memory.dmp
    Filesize

    384KB

    Download
  • memory/1284-80-0x0000000004F60000-0x0000000004F61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1284-78-0x0000000000A20000-0x0000000000A5E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1528-74-0x0000000002460000-0x00000000030AA000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1528-73-0x0000000002460000-0x00000000030AA000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1588-59-0x00000000007B0000-0x00000000007E4000-memory.dmp
    Filesize

    208KB

    Download
  • memory/1588-55-0x0000000076151000-0x0000000076153000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1588-56-0x0000000004EA0000-0x0000000004EA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1588-57-0x000000007EF40000-0x000000007EFA0000-memory.dmp
    Filesize

    384KB

    Download
  • memory/1588-58-0x0000000000470000-0x000000000047E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1588-54-0x0000000000FD0000-0x000000000100E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1772-64-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize

    116KB

    Download
  • memory/1772-62-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize

    116KB

    Download
  • memory/1772-63-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize

    116KB

    Download
  • memory/1772-65-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize

    116KB

    Download
  • memory/1772-67-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize

    116KB

    Download
  • memory/1772-70-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize

    116KB

    Download
  • memory/1772-71-0x0000000000401000-0x000000000041D000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1924-94-0x0000000002410000-0x000000000305A000-memory.dmp
    Filesize

    12.3MB

    Download