Overview

overview

10

Static

static

32ea22866d...9e.exe

windows7_x64

10

32ea22866d...9e.exe

windows10_x64

10

Analysis

  • max time kernel
    134s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    27-01-2022 07:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    32ea22866d841b7d43f3213f4daa869e.exe

  • Size

    671KB

  • MD5

    32ea22866d841b7d43f3213f4daa869e

  • SHA1

    6d447d17f6940d420dea93bda24d42424ef0c5b2

  • SHA256

    91a6073fee95df45b5339667b67a48859d5be0e6cf8a8150ec3f448ee101d4a2

  • SHA512

    077d8da7d8ecbf6c2f137ef0506aa6e3300ea46daa1d78b3d60b3384129414815d23bf950d790b0983f0cd1669ce57ec3e0866ada3dd47f3a4a1aa792bbc126f

Score
10/10
remcosharrypersistencerat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Harry

C2

newremc22.ddns.net:2717

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_qvoysmnedqksues

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    bin

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\32ea22866d841b7d43f3213f4daa869e.exe
    "C:\Users\Admin\AppData\Local\Temp\32ea22866d841b7d43f3213f4daa869e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Users\Admin\AppData\Local\Temp\32ea22866d841b7d43f3213f4daa869e.exe
      "C:\Users\Admin\AppData\Local\Temp\32ea22866d841b7d43f3213f4daa869e.exe"
      2⤵
        PID:68
      • C:\Users\Admin\AppData\Local\Temp\32ea22866d841b7d43f3213f4daa869e.exe
        "C:\Users\Admin\AppData\Local\Temp\32ea22866d841b7d43f3213f4daa869e.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3520
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3312
          • C:\Windows\SysWOW64\PING.EXE
            PING 127.0.0.1 -n 2
            4⤵
            • Runs ping.exe
            PID:3676
          • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
            "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3688
            • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
              "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of SetWindowsHookEx
              PID:1536

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\install.bat
      MD5

      76c1687d97dfdbcea62ef1490bec5001

      SHA1

      5f4d1aeafa7d840cde67b76f97416dd68efd1bed

      SHA256

      79f04ea049979ffd2232c459fdd57fae97a5255aea9b4a2c7dce7ead856f37a4

      SHA512

      da250f0628632a644f159d818a82a8b9cca8224e46843bddbe0f6f9c32a2d04f7736a620af49ab6d77616317ca7d68285e60043965fe86c03d940835bd30a925

      Download Submit
    • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
      MD5

      32ea22866d841b7d43f3213f4daa869e

      SHA1

      6d447d17f6940d420dea93bda24d42424ef0c5b2

      SHA256

      91a6073fee95df45b5339667b67a48859d5be0e6cf8a8150ec3f448ee101d4a2

      SHA512

      077d8da7d8ecbf6c2f137ef0506aa6e3300ea46daa1d78b3d60b3384129414815d23bf950d790b0983f0cd1669ce57ec3e0866ada3dd47f3a4a1aa792bbc126f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
      MD5

      32ea22866d841b7d43f3213f4daa869e

      SHA1

      6d447d17f6940d420dea93bda24d42424ef0c5b2

      SHA256

      91a6073fee95df45b5339667b67a48859d5be0e6cf8a8150ec3f448ee101d4a2

      SHA512

      077d8da7d8ecbf6c2f137ef0506aa6e3300ea46daa1d78b3d60b3384129414815d23bf950d790b0983f0cd1669ce57ec3e0866ada3dd47f3a4a1aa792bbc126f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
      MD5

      32ea22866d841b7d43f3213f4daa869e

      SHA1

      6d447d17f6940d420dea93bda24d42424ef0c5b2

      SHA256

      91a6073fee95df45b5339667b67a48859d5be0e6cf8a8150ec3f448ee101d4a2

      SHA512

      077d8da7d8ecbf6c2f137ef0506aa6e3300ea46daa1d78b3d60b3384129414815d23bf950d790b0983f0cd1669ce57ec3e0866ada3dd47f3a4a1aa792bbc126f

      Download Submit
    • memory/1536-131-0x0000000000400000-0x0000000000417000-memory.dmp
      Filesize

      92KB

      Download
    • memory/2772-119-0x0000000005080000-0x000000000508A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2772-121-0x00000000079A0000-0x0000000007A3C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2772-122-0x0000000007A40000-0x0000000007A8C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/2772-120-0x0000000007660000-0x000000000766C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2772-115-0x0000000000640000-0x00000000006EE000-memory.dmp
      Filesize

      696KB

      Download
    • memory/2772-118-0x0000000004FF0000-0x0000000005000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2772-117-0x00000000050C0000-0x0000000005152000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2772-116-0x0000000005520000-0x0000000005A1E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/3520-123-0x0000000000400000-0x0000000000417000-memory.dmp
      Filesize

      92KB

      Download
    • memory/3520-124-0x0000000000400000-0x0000000000417000-memory.dmp
      Filesize

      92KB

      Download
    • memory/3688-128-0x00000000049B0000-0x0000000004EAE000-memory.dmp
      Filesize

      5.0MB

      Download