Overview

overview

10

Static

static

CITAPDFRES...07.exe

windows7_x64

10

CITAPDFRES...07.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    25-01-2022 21:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CITAPDFRES743960001 CITAPDFRES743960007.exe

  • Size

    589KB

  • MD5

    80d706aa41da2983dc3b80782e22dfaa

  • SHA1

    0e6f43dbceae22222d09f5d7848aa4f24ee42c44

  • SHA256

    2161a41e36c0bb939dc0203f9e1ada84addcef0e2f31905fad860e16c7603c88

  • SHA512

    a8ece67856b180449d16ce98d7c627a1f02a854b6fff2bd03aa72e0119d1d64f3f68f0d4bcd345ff1248c534c9478cce808046230312d30fea09aa3897d80c04

Score
10/10
remcos9rat

Malware Config

Extracted

Family

remcos

Version

2.7.0 Pro

Botnet

9

C2

pruebanue97382.duckdns.org:1718

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-B5WISH

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CITAPDFRES743960001 CITAPDFRES743960007.exe
    "C:\Users\Admin\AppData\Local\Temp\CITAPDFRES743960001 CITAPDFRES743960007.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dmRXApqOj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE418.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:292
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
        PID:1076
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        2⤵
          PID:1548
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "{path}"
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:1928

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpE418.tmp
        MD5

        bf453668a6a25b46d8f7eb523044e4ee

        SHA1

        8d4c98574a05400dc2004d36b0e0ee7b220bf82e

        SHA256

        9f0df3098eb8176b7a967ea5a48b3d129f525b84f5c40b97b12faca41092771a

        SHA512

        f143921bdcab040d9cb306e6122f4997b5482e80b7facb17c6573b3a210db42eb318939a0ff3333b896a9396fc4d2c0e226c84765beb87be6f922ddc26b05434

        Download Submit
      • memory/1664-54-0x0000000001120000-0x00000000011BA000-memory.dmp
        Filesize

        616KB

        Download
      • memory/1664-55-0x00000000754B1000-0x00000000754B3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1664-56-0x0000000000D50000-0x0000000000D51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1664-57-0x0000000000410000-0x000000000041A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/1664-58-0x0000000006120000-0x0000000006194000-memory.dmp
        Filesize

        464KB

        Download
      • memory/1664-59-0x0000000000D00000-0x0000000000D26000-memory.dmp
        Filesize

        152KB

        Download
      • memory/1928-62-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1928-61-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1928-63-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1928-64-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1928-65-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1928-66-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1928-67-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1928-69-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1928-70-0x0000000000401000-0x0000000000421000-memory.dmp
        Filesize

        128KB

        Download