Analysis

  • max time kernel: 149s
  • max time network: 149s
  • platform: windows7_x64
  • resource: win7-en-20211208
  • submitted: 30-01-2022 16:23

General

  • Target: 99d59c6d778270f7f4ae047a74746e4ee0275eefe3dc3a51c4921ac785d81928.exe
  • Size: 775KB
  • MD5: 69dfc61329cd3e395a08f14a86bb6b24
  • SHA1: 12bf261e27956522b0990a7ea87cbfdf03ce9321
  • SHA256: 99d59c6d778270f7f4ae047a74746e4ee0275eefe3dc3a51c4921ac785d81928
  • SHA512: 5b6bd87748111a15912bca528b0847dd71dbd6ed18a3a28fcec4e6916a7f9601156a69d557279dffa388d136614b853ed8ef8ddb8a76427220b854cce6e8a705

Score: 10/10

Malware Config

Extracted

  • Family: remcos
  • Version: 2.5.0 Pro
  • Botnet: VEINTIOCHO
  • C2:
    veintisieteremc.duckdns.org:1011
    veintiochoremc.duckdns.org:1011

Attributes

  • audio_folder: MicRecords
  • audio_path: %AppData%
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • install_path: %AppData%
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • keylog_path: %AppData%
  • mouse_option: false
  • mutex: Remcos-98T9IZ
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: remcos
  • take_screenshot_option: false
  • take_screenshot_time: 5
  • take_screenshot_title: wikipedia;solitaire;

Signatures

  • Remcos
    Remcos is a closed-source remote control and surveillance software.
  • Blocklisted process makes network request (6 IoCs)
  • Loads dropped DLL (1 IoC)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (52 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\99d59c6d778270f7f4ae047a74746e4ee0275eefe3dc3a51c4921ac785d81928.exe (PID 1292)
    Command line: "C:\Users\Admin\AppData\Local\Temp\99d59c6d778270f7f4ae047a74746e4ee0275eefe3dc3a51c4921ac785d81928.exe"
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe (PID 2044)
      Command line: C:\Windows\system32\rundll32.exe GuestRummy,Michelle
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe (PID 1396)
        Command line: "C:\Windows\system32\cmd.exe"
        • Blocklisted process makes network request
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery: System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\GuestRummy.DLL
    MD5: fc2b4128dbe4d1885b5f3297b8d77e3d
    SHA1: 239043c06a87fd038f242a240d64996acd7de8b9
    SHA256: 95965a6f6a610d3cd68ab6f2eabdb2fb23c29db258761ea8b547c754fe11ce4e
    SHA512: a477136f2ebf89257197d86cd35b050e7fd0ad8cce97f3d532ac9749ddb9e4dfc9bce365543ab812b80a182f10f631bddb322bb9a89e745cb75a7116e2061f84

  • C:\Users\Admin\AppData\Local\Temp\Widget
    MD5: e0c846e4fef7c6fe7ec0a47d17be4f52
    SHA1: 3ba713e6692628483d009b49924769858edf7896
    SHA256: fd30c39c9be4bc5676acb04b175daf6859d9d40d20760d4d4300cbd4ce361cfc
    SHA512: 8434580551afc8f5ff2945facfcc9e2284829416e0cf94febc9bbe2bc950eb226301777e33f4b056944cbb48803173f08a1f8ceaf73a60a07d39f8d1ea62d357

  • \Users\Admin\AppData\Local\Temp\GuestRummy.dll
    MD5: fc2b4128dbe4d1885b5f3297b8d77e3d
    SHA1: 239043c06a87fd038f242a240d64996acd7de8b9
    SHA256: 95965a6f6a610d3cd68ab6f2eabdb2fb23c29db258761ea8b547c754fe11ce4e
    SHA512: a477136f2ebf89257197d86cd35b050e7fd0ad8cce97f3d532ac9749ddb9e4dfc9bce365543ab812b80a182f10f631bddb322bb9a89e745cb75a7116e2061f84

  • memory/1292-54-0x0000000076641000-0x0000000076643000-memory.dmp (Filesize: 8KB)
  • memory/1396-63-0x00000000779E0000-0x0000000077B89000-memory.dmp (Filesize: 1.7MB)
  • memory/1396-67-0x00000000001D0000-0x00000000001D6000-memory.dmp (Filesize: 24KB)
  • memory/1396-69-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
  • memory/2044-59-0x0000000077690000-0x00000000776C5000-memory.dmp (Filesize: 212KB)
  • memory/2044-60-0x00000000779E0000-0x0000000077B89000-memory.dmp (Filesize: 1.7MB)
  • memory/2044-61-0x0000000000170000-0x0000000000172000-memory.dmp (Filesize: 8KB)