Overview

overview

10

Static

static

SECRHACIEN...07.exe

windows7_x64

10

SECRHACIEN...07.exe

windows10_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    26-01-2022 08:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SECRHACIEN36590001 SECRHACIEN36590007.exe

  • Size

    579KB

  • MD5

    bc521cfe669b897e7adaf6439b91790e

  • SHA1

    2dce5e832053ddb8f32ab8179aac830a12fe760a

  • SHA256

    bbe26aa677d50f8ac1f37c0d7489a22284a84af8ae353e14a4765b8371d20665

  • SHA512

    d5446fa1ec6cdca541245222e796064dbc9fba602861c78bbc3ecbcff19455987c29db19ba316cf2933295372c80374f14dc3adf802dd047d508a1946bef7cf7

Score
10/10
remcos11rat

Malware Config

Extracted

Family

remcos

Version

2.7.0 Pro

Botnet

11

C2

pruebaonce83191.duckdns.org:1717

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-9IG8KM

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SECRHACIEN36590001 SECRHACIEN36590007.exe
    "C:\Users\Admin\AppData\Local\Temp\SECRHACIEN36590001 SECRHACIEN36590007.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uQRirl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp27B8.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3908
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp27B8.tmp
    MD5

    65a2ea1d4953586e2c37f551023ec417

    SHA1

    2054126460841af8da9ba75b874b9a5d95897785

    SHA256

    6f90b2f36446f6ef415c741ba22bdf34dbf4682c706e95eb1c52577855bad5be

    SHA512

    61442c6ef75aace753bfd38760135ed324df0fb22b5f5c5f8c5352b87cc2c1c6111e43e0a1fee45b14116ff000c7f701d2b53cc44e60427ac820d0275fae2f6e

    Download Submit
  • memory/856-125-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/856-126-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/2428-115-0x0000000000480000-0x0000000000516000-memory.dmp
    Filesize

    600KB

    Download
  • memory/2428-116-0x0000000005240000-0x000000000573E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2428-117-0x0000000004DE0000-0x0000000004E72000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2428-118-0x0000000004E80000-0x0000000004F1C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2428-119-0x0000000004D40000-0x0000000004D4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2428-120-0x0000000004D40000-0x000000000523E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2428-121-0x0000000004FE0000-0x0000000004FEA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2428-122-0x0000000007380000-0x00000000073F4000-memory.dmp
    Filesize

    464KB

    Download
  • memory/2428-123-0x0000000009A30000-0x0000000009A56000-memory.dmp
    Filesize

    152KB

    Download