Overview

overview

10

Static

static

Cobro Juri...df.exe

windows7_x64

10

Cobro Juri...df.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    178s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 12:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Cobro Juridico_0269238974920802_5210818_018214297558997881904018_759752_5835240459117026008_2344621_118955780952_pdf.exe

  • Size

    273KB

  • MD5

    716d5468b4acda0549df7307b2db1500

  • SHA1

    4c228a8b8d406e62ffe2827294c88d895a8663d4

  • SHA256

    aa9608f32f753da933fc3d931a99fd1767b9970a5a95ac7ed01e11a51421f213

  • SHA512

    beff5e1447b87d2792d6199bf9a464760761574f23a433962b18f2a967e9b84c953095cd77e846d29663653de50634758b9e08a79b9ed9653648dbe32343f174

Score
10/10
remcoszonabancos1persistencerat

Malware Config

Extracted

Family

remcos

Version

2.5.1 Pro

Botnet

ZonaBancos1

C2

recuperaciondecartera.website:6790

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    PXServiceNet.exe

  • copy_folder

    System32

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    xlogs9.dat

  • keylog_flag

    false

  • keylog_folder

    Runtime5

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos-WMUCYW

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    MServices

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cobro Juridico_0269238974920802_5210818_018214297558997881904018_759752_5835240459117026008_2344621_118955780952_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Cobro Juridico_0269238974920802_5210818_018214297558997881904018_759752_5835240459117026008_2344621_118955780952_pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Users\Admin\AppData\Local\Temp\Cobro Juridico_0269238974920802_5210818_018214297558997881904018_759752_5835240459117026008_2344621_118955780952_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Cobro Juridico_0269238974920802_5210818_018214297558997881904018_759752_5835240459117026008_2344621_118955780952_pdf.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:740
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1824
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\System32\PXServiceNet.exe"
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1236
          • C:\Users\Admin\AppData\Roaming\System32\PXServiceNet.exe
            C:\Users\Admin\AppData\Roaming\System32\PXServiceNet.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1840
            • C:\Users\Admin\AppData\Roaming\System32\PXServiceNet.exe
              "C:\Users\Admin\AppData\Roaming\System32\PXServiceNet.exe"
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of SetWindowsHookEx
              PID:852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\install.vbs
    Filesize

    434B

    MD5

    d33aedaade0c88a1a0e2ab0df13b0664

    SHA1

    e044455e25cc9598045e24f79ddf7482f8f66765

    SHA256

    a7636b433c56dfb0e833c5354352e4f88bc01701eb81895c0cedc645eb2ae85c

    SHA512

    570f7d522896c053f96ad1d5c1da761468a66722cb2b09f914ae293312f69214b38b25767e90cfd36d5def0219c8b104757c08b56dc2a5b261e8d900344d8924

    Download Submit
  • C:\Users\Admin\AppData\Roaming\System32\PXServiceNet.exe
    Filesize

    273KB

    MD5

    716d5468b4acda0549df7307b2db1500

    SHA1

    4c228a8b8d406e62ffe2827294c88d895a8663d4

    SHA256

    aa9608f32f753da933fc3d931a99fd1767b9970a5a95ac7ed01e11a51421f213

    SHA512

    beff5e1447b87d2792d6199bf9a464760761574f23a433962b18f2a967e9b84c953095cd77e846d29663653de50634758b9e08a79b9ed9653648dbe32343f174

    Download Submit
  • C:\Users\Admin\AppData\Roaming\System32\PXServiceNet.exe
    Filesize

    273KB

    MD5

    716d5468b4acda0549df7307b2db1500

    SHA1

    4c228a8b8d406e62ffe2827294c88d895a8663d4

    SHA256

    aa9608f32f753da933fc3d931a99fd1767b9970a5a95ac7ed01e11a51421f213

    SHA512

    beff5e1447b87d2792d6199bf9a464760761574f23a433962b18f2a967e9b84c953095cd77e846d29663653de50634758b9e08a79b9ed9653648dbe32343f174

    Download Submit
  • C:\Users\Admin\AppData\Roaming\System32\PXServiceNet.exe
    Filesize

    273KB

    MD5

    716d5468b4acda0549df7307b2db1500

    SHA1

    4c228a8b8d406e62ffe2827294c88d895a8663d4

    SHA256

    aa9608f32f753da933fc3d931a99fd1767b9970a5a95ac7ed01e11a51421f213

    SHA512

    beff5e1447b87d2792d6199bf9a464760761574f23a433962b18f2a967e9b84c953095cd77e846d29663653de50634758b9e08a79b9ed9653648dbe32343f174

    Download Submit
  • \Users\Admin\AppData\Roaming\System32\PXServiceNet.exe
    Filesize

    273KB

    MD5

    716d5468b4acda0549df7307b2db1500

    SHA1

    4c228a8b8d406e62ffe2827294c88d895a8663d4

    SHA256

    aa9608f32f753da933fc3d931a99fd1767b9970a5a95ac7ed01e11a51421f213

    SHA512

    beff5e1447b87d2792d6199bf9a464760761574f23a433962b18f2a967e9b84c953095cd77e846d29663653de50634758b9e08a79b9ed9653648dbe32343f174

    Download Submit
  • memory/740-62-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/740-59-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/740-60-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/740-64-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/740-65-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/740-66-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/740-68-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/740-69-0x0000000000413B74-mapping.dmp
    Download
  • memory/740-72-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/740-74-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/852-100-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/852-99-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/852-95-0x0000000000413B74-mapping.dmp
    Download
  • memory/1236-77-0x0000000000000000-mapping.dmp
    Download
  • memory/1824-73-0x0000000000000000-mapping.dmp
    Download
  • memory/1840-84-0x0000000000470000-0x0000000000486000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1840-80-0x0000000000000000-mapping.dmp
    Download
  • memory/1840-82-0x00000000012C0000-0x0000000001308000-memory.dmp
    Filesize

    288KB

    Download
  • memory/1944-58-0x00000000004E0000-0x00000000004F6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1944-56-0x0000000000890000-0x00000000008CC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1944-55-0x0000000075EF1000-0x0000000075EF3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1944-57-0x0000000000530000-0x0000000000548000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1944-54-0x0000000000CC0000-0x0000000000D08000-memory.dmp
    Filesize

    288KB

    Download