Overview

overview

10

Static

static

Shipment D...pg.exe

windows7_x64

10

Shipment D...pg.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    154s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    13-05-2022 06:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipment Document BL,INV and packing list.jpg.exe

  • Size

    1.6MB

  • MD5

    672cc6ba8db2c80b6e0b8bfbd94f5eb0

  • SHA1

    7d0dcda440b2ad736514c27f3b445ae8e4ae6c38

  • SHA256

    59c5657e3e6221b1066f4e39fc36625fd84566cad13702e1e159453e27b93f41

  • SHA512

    cfff8f8e5f6f5549729ec3fa2082a9c26ba322b289b132a5cb17f1c3b9cd4f5c4d326c167d285c2364eb442fda72e3114245a8acfc89699ca92f9d03fe1237d2

Score
10/10
remcoshostpersistencerat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

194.5.97.32:5890

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_oqkhxjzletgovfx

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe
    "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AEEAcgB0AC0AUwBsAEUAZQBQACAALQBzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1608
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 20
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Windows\SysWOW64\timeout.exe
        timeout 20
        3⤵
        • Delays execution with timeout.exe
        PID:1492
    • C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe
      "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"
      2⤵
        PID:1452
      • C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe
        "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1420
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1448
          • C:\Windows\SysWOW64\PING.EXE
            PING 127.0.0.1 -n 2
            4⤵
            • Runs ping.exe
            PID:1888
          • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
            "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1720
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AEEAcgB0AC0AUwBsAEUAZQBQACAALQBzACAAMgAwAA==
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1796
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c timeout 20
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:768
              • C:\Windows\SysWOW64\timeout.exe
                timeout 20
                6⤵
                • Delays execution with timeout.exe
                PID:904
            • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
              C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
              5⤵
              • Executes dropped EXE
              PID:932
            • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
              C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of SetThreadContext
              PID:604
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                6⤵
                  PID:2040
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
                    7⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SetWindowsHookEx
                    PID:1016
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1016 CREDAT:275457 /prefetch:2
                      8⤵
                      • Modifies Internet Explorer settings
                      • Suspicious use of SetWindowsHookEx
                      PID:1580

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9os4y76\imagestore.dat
        Filesize

        21KB

        MD5

        20ea40a5c53ce84724b44128ba221023

        SHA1

        bae0b2094d0e62df0cc0a90a64bc278b02056392

        SHA256

        0c943d2908ed1501497dfb04a56ccc42727bcf33fa035ed07dd66de1f1728a0d

        SHA512

        d6116dd052f6323e5f3e2838d149fce5a2391ecfeda89a60efc3d1defef64a076e0db7e438da673da49bf51f72c7122f9a38e9d2869de27aaa3998da54273dc4

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\install.bat
        Filesize

        99B

        MD5

        76c1687d97dfdbcea62ef1490bec5001

        SHA1

        5f4d1aeafa7d840cde67b76f97416dd68efd1bed

        SHA256

        79f04ea049979ffd2232c459fdd57fae97a5255aea9b4a2c7dce7ead856f37a4

        SHA512

        da250f0628632a644f159d818a82a8b9cca8224e46843bddbe0f6f9c32a2d04f7736a620af49ab6d77616317ca7d68285e60043965fe86c03d940835bd30a925

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
        Filesize

        7KB

        MD5

        6a623cb53e9ae27591e78802889c0c87

        SHA1

        be7ab14598d52a797dd306ff9f93485ffd547259

        SHA256

        ed65fe2264ef90e9e86abea1099574d002e347d6e1d0c16430538911c2d6551f

        SHA512

        72181d0e770704b5606dd91836bbd4042d4cf776efb46c53f85eb4924bf1c1b4c3fdcc857ab596a6c0c5aa9901b3a251cdc7c58282341ebd16a29cd5bc6d7356

        Download Submit
      • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        Filesize

        1.6MB

        MD5

        672cc6ba8db2c80b6e0b8bfbd94f5eb0

        SHA1

        7d0dcda440b2ad736514c27f3b445ae8e4ae6c38

        SHA256

        59c5657e3e6221b1066f4e39fc36625fd84566cad13702e1e159453e27b93f41

        SHA512

        cfff8f8e5f6f5549729ec3fa2082a9c26ba322b289b132a5cb17f1c3b9cd4f5c4d326c167d285c2364eb442fda72e3114245a8acfc89699ca92f9d03fe1237d2

        Download Submit
      • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        Filesize

        1.6MB

        MD5

        672cc6ba8db2c80b6e0b8bfbd94f5eb0

        SHA1

        7d0dcda440b2ad736514c27f3b445ae8e4ae6c38

        SHA256

        59c5657e3e6221b1066f4e39fc36625fd84566cad13702e1e159453e27b93f41

        SHA512

        cfff8f8e5f6f5549729ec3fa2082a9c26ba322b289b132a5cb17f1c3b9cd4f5c4d326c167d285c2364eb442fda72e3114245a8acfc89699ca92f9d03fe1237d2

        Download Submit
      • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        Filesize

        1.6MB

        MD5

        672cc6ba8db2c80b6e0b8bfbd94f5eb0

        SHA1

        7d0dcda440b2ad736514c27f3b445ae8e4ae6c38

        SHA256

        59c5657e3e6221b1066f4e39fc36625fd84566cad13702e1e159453e27b93f41

        SHA512

        cfff8f8e5f6f5549729ec3fa2082a9c26ba322b289b132a5cb17f1c3b9cd4f5c4d326c167d285c2364eb442fda72e3114245a8acfc89699ca92f9d03fe1237d2

        Download Submit
      • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        Filesize

        1.6MB

        MD5

        672cc6ba8db2c80b6e0b8bfbd94f5eb0

        SHA1

        7d0dcda440b2ad736514c27f3b445ae8e4ae6c38

        SHA256

        59c5657e3e6221b1066f4e39fc36625fd84566cad13702e1e159453e27b93f41

        SHA512

        cfff8f8e5f6f5549729ec3fa2082a9c26ba322b289b132a5cb17f1c3b9cd4f5c4d326c167d285c2364eb442fda72e3114245a8acfc89699ca92f9d03fe1237d2

        Download Submit
      • \Users\Admin\AppData\Roaming\remcos\remcos.exe
        Filesize

        1.6MB

        MD5

        672cc6ba8db2c80b6e0b8bfbd94f5eb0

        SHA1

        7d0dcda440b2ad736514c27f3b445ae8e4ae6c38

        SHA256

        59c5657e3e6221b1066f4e39fc36625fd84566cad13702e1e159453e27b93f41

        SHA512

        cfff8f8e5f6f5549729ec3fa2082a9c26ba322b289b132a5cb17f1c3b9cd4f5c4d326c167d285c2364eb442fda72e3114245a8acfc89699ca92f9d03fe1237d2

        Download Submit
      • memory/604-106-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/604-101-0x000000000040FD88-mapping.dmp
        Download
      • memory/604-105-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/768-89-0x0000000000000000-mapping.dmp
        Download
      • memory/904-90-0x0000000000000000-mapping.dmp
        Download
      • memory/1052-54-0x0000000001360000-0x00000000014F8000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1052-62-0x0000000004910000-0x0000000004944000-memory.dmp
        Filesize

        208KB

        Download
      • memory/1052-59-0x00000000053C0000-0x000000000554E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1052-55-0x00000000763E1000-0x00000000763E3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1420-64-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1420-66-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1420-74-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1420-76-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1420-71-0x000000000040FD88-mapping.dmp
        Download
      • memory/1420-70-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1420-63-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1420-69-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1420-68-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1448-75-0x0000000000000000-mapping.dmp
        Download
      • memory/1492-61-0x0000000000000000-mapping.dmp
        Download
      • memory/1608-56-0x0000000000000000-mapping.dmp
        Download
      • memory/1608-58-0x0000000071870000-0x0000000071E1B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1720-81-0x0000000000000000-mapping.dmp
        Download
      • memory/1720-91-0x0000000004810000-0x0000000004844000-memory.dmp
        Filesize

        208KB

        Download
      • memory/1720-83-0x0000000000180000-0x0000000000318000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1796-88-0x0000000072B00000-0x00000000730AB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1796-85-0x0000000000000000-mapping.dmp
        Download
      • memory/1888-78-0x0000000000000000-mapping.dmp
        Download
      • memory/1940-60-0x0000000000000000-mapping.dmp
        Download