Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 12:20
General
-
Target
RFQ TRQ22-06-20200051_pdf.exe
-
Size
315KB
-
MD5
154aa4440eee43b6472416eeb938f9e8
-
SHA1
643b61955b6743f33db01be7ecf93463fd887da1
-
SHA256
d69aa1932b2e702e5065ee19da9fc9cf2b05e7dbaa617141b14eaa501a14955e
-
SHA512
2a225d7128166394a26e226febd275f1ca1dead61666136008ff843b4a21eb0bf16a5b66c055a2d213d272d63c940d2cce02270475c9bb2551135a58cff77020
Malware Config
Extracted
remcos
2.5.1 Pro
xxxxxxxxxxxx
109.169.89.116:2021
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
s.sex
-
keylog_flag
false
-
keylog_folder
ssssss
-
keylog_path
%UserProfile%
-
mouse_option
false
-
mutex
fuckhere-M9W1LK
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ TRQ22-06-20200051_pdf.exe"C:\Users\Admin\AppData\Local\Temp\RFQ TRQ22-06-20200051_pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FAcxLxvdLu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9DA7.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\RFQ TRQ22-06-20200051_pdf.exe"{path}"2⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp9DA7.tmpFilesize
1KB
MD5f3a7ae1cc94ca28e1dc5086495751ede
SHA1e80db9a98478247e2c8fab75338ca9bf8b654da3
SHA256115e1d865c556a8e3b3de618cf64c360fc753f99986c4a785611e36f04d62f8a
SHA512bb15929b88317edd6d13dbd2e2c992111f17272e5414dcbc7cf3a2ace9870d9170dd04a2bbdf08a8070ca7bd265f191fd4fe7fa8d4836b93c9d9d6508432e2e1
-
memory/1392-58-0x0000000000000000-mapping.dmp
-
memory/1700-63-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1700-65-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1700-74-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1700-73-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1700-60-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1700-61-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1700-70-0x0000000000413B74-mapping.dmp
-
memory/1700-67-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1700-66-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1700-69-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1948-57-0x0000000076191000-0x0000000076193000-memory.dmpFilesize
8KB
-
memory/1948-54-0x0000000000EB0000-0x0000000000F06000-memory.dmpFilesize
344KB
-
memory/1948-55-0x0000000000AB0000-0x0000000000ACC000-memory.dmpFilesize
112KB
-
memory/1948-56-0x0000000000C40000-0x0000000000C6E000-memory.dmpFilesize
184KB