Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 18:24

General

  • Target

    POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe

  • Size

    969KB

  • MD5

    6a8addc2fd26cab55567eba884e377d5

  • SHA1

    2fba0e16b023e47ff5c866325c5208a2d49f9da2

  • SHA256

    86c92d4b2244153a1f601168307d0c60f413631574d9c0ed3fe4c6fa890d6c26

  • SHA512

    024fc7aafc4ce64f0ddeefc0351fc0684fc9eb0a0d38f1b07152b19397da10edc5d0f99ffadb0632fc89d145ea872751ae10762f667d893fa26ed0dd223adb4a

Malware Config

Extracted

  • Family

    remcos

  • Version

    2.5.1 Pro

  • Botnet

    AUGUST-BLESS-ME

  • C2

    officer170.webredirect.org:2404
    chidera12345.ddns.net:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-T7VXCL

  • screenshot_crypt

    false

  • screenshot_flag

    true

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance tool sold as a commercial product and widely abused as a RAT.

  • suricata: ET MALWARE Remcos RAT Checkin 23

    suricata: ET MALWARE Remcos RAT Checkin 23

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox flags this as possible ransomware behaviour, but on its own drive enumeration is also routine for a RAT that browses or exfiltrates files; in this run it sits alongside Remcos surveillance indicators, not encryption activity.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:64
    • C:\Users\Admin\AppData\Roaming\70555416\qmhdteswu.pif
      "C:\Users\Admin\AppData\Roaming\70555416\qmhdteswu.pif" ujcr.qlu
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4360
      • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1904
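
The process tree and signatures above describe a three-stage chain: a double-extension lure (.PDF.exe) drops a .pif loader into %AppData%\Roaming\<digits>\, the loader adds a Run key and uses SetThreadContext/WriteProcessMemory against a RegSvcs.exe copied to %TEMP%, and that RegSvcs.exe installs a hook (SetWindowsHookEx), consistent with the keylogging and screenshot options in the extracted config. The Python below is an added example, not part of the sandbox output or the Remcos tooling: it runs the indicators from the extracted config (C2 hosts and port, mutex, startup_value) and the process tree over constructed Sysmon-style events. The event field names, the registry hive path, and the mutex and network events are assumptions; the report's own Network section captured nothing.

```python
import re

# Indicators lifted from the report above.
C2_HOSTS = {"officer170.webredirect.org", "chidera12345.ddns.net"}
C2_PORT = 2404
MUTEX = "Remcos-T7VXCL"
RUN_VALUE = "remcos"  # startup_value from the extracted config

# Path patterns derived from the process tree; the digit-only folder name is the
# observed "70555416" generalised, since such names are typically randomised.
DOUBLE_EXT_RE = re.compile(r"\.(pdf|doc|docx|xls|xlsx|jpg|png)\.exe$", re.I)
PIF_LOADER_RE = re.compile(r"\\AppData\\Roaming\\\d+\\[a-z]+\.pif$", re.I)
TEMP_REGSVCS_RE = re.compile(r"\\AppData\\Local\\Temp\\RegSvcs\.exe$", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)


def hunt(events):
    """Return {pid: [reason, ...]} for every process that matched an indicator."""
    findings = {}

    def hit(pid, reason):
        findings.setdefault(pid, []).append(reason)

    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process_create":
            image = ev["image"]
            if DOUBLE_EXT_RE.search(image):
                hit(pid, "double-extension lure executed")
            if PIF_LOADER_RE.search(image):
                hit(pid, "dropped .pif loader run from %AppData%\\Roaming\\<digits>\\")
            if TEMP_REGSVCS_RE.search(image):
                # The legitimate binary lives under C:\Windows\Microsoft.NET\Framework*\, not %TEMP%.
                hit(pid, "RegSvcs.exe run from %TEMP% instead of the .NET Framework directory")
                if PIF_LOADER_RE.search(ev.get("parent_image", "")):
                    hit(pid, "RegSvcs.exe spawned by the .pif loader (injection host)")
        elif ev["type"] == "registry_set":
            m = RUN_KEY_RE.search(ev["target"])
            if m and m.group(1).lower() == RUN_VALUE:
                hit(pid, "Run key value 'remcos' written (T1060)")
        elif ev["type"] == "network_connect":
            if ev["dest_host"].lower() in C2_HOSTS:
                hit(pid, "connection to known C2 host " + ev["dest_host"])
            elif ev["dest_port"] == C2_PORT:
                hit(pid, "outbound to port 2404 (weak: port match only)")
        elif ev["type"] == "mutex_create":
            if ev["name"] == MUTEX:
                hit(pid, "Remcos mutex " + MUTEX)
    return findings


def triage(findings, threshold=2):
    """PIDs with at least `threshold` independent reasons, most reasons first."""
    return sorted((pid for pid, r in findings.items() if len(r) >= threshold),
                  key=lambda pid: -len(findings[pid]))


LURE = r"C:\Users\Admin\AppData\Local\Temp\POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe"
PIF = r"C:\Users\Admin\AppData\Roaming\70555416\qmhdteswu.pif"

# Constructed telemetry mirroring the process tree above (field names are assumed,
# the registry hive/SID is assumed, and the mutex/network events come from the
# config rather than from anything the sandbox captured).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 64, "parent_image": r"C:\Windows\explorer.exe", "image": LURE},
    {"type": "process_create", "pid": 4360, "parent_image": LURE, "image": PIF},
    {"type": "registry_set", "pid": 4360,
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos"},
    {"type": "process_create", "pid": 1904, "parent_image": PIF,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"},
    {"type": "mutex_create", "pid": 1904, "name": "Remcos-T7VXCL"},
    {"type": "network_connect", "pid": 1904, "dest_host": "officer170.webredirect.org", "dest_port": 2404},
    # Benign noise: the real RegSvcs.exe and an unrelated TLS connection.
    {"type": "process_create", "pid": 5000, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"type": "network_connect", "pid": 5000, "dest_host": "update.example.com", "dest_port": 443},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for pid in triage(found):
        print(pid, *found[pid], sep="\n    ")
```

The lure process (PID 64) matches only one indicator and stays below the triage threshold on its own; the loader (PID 4360) and the injection host (PID 1904) each stack several independent reasons, which is the signal worth paging on. The port-only rule is deliberately marked weak, since TCP/2404 is not exclusive to Remcos; pair it with the hostnames or the mutex before acting on it.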

Network

MITRE ATT&CK Matrix (ATT&CK v6 technique IDs; T1060 was later folded into T1547.001)

  • Persistence: Registry Run Keys / Startup Folder (T1060) 1
  • Defense Evasion: Modify Registry (T1112) 1
  • Discovery: Query Registry (T1012) 1
  • Discovery: System Information Discovery (T1082) 2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    9d352bc46709f0cb5ec974633a0c3c94

    SHA1

    1969771b2f022f9a86d77ac4d4d239becdf08d07

    SHA256

    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

    SHA512

    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

  • C:\Users\Admin\AppData\Roaming\70555416\qmhdteswu.pif
    Filesize

    712KB

    MD5

    43e7db53ce5c130179aef5b47dcf7608

    SHA1

    5398e207d9ad301860b570d87601c1664ada9c0a

    SHA256

    9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1

    SHA512

    a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4

  • C:\Users\Admin\AppData\Roaming\70555416\ujcr.qlu
    Filesize

    153MB

    MD5

    55de4daf609f11745b70ccff788cf6b7

    SHA1

    d3310c9191064bc293789730bd224dcc6f28b1b8

    SHA256

    d4de2f550e34ad7032b387ed80a4c89ba0c135a03afe67cbc256d0c79bdd7ddd

    SHA512

    dff151c5eec3468dc31a4b8ea359bd9fa3ed5e84eabd056f2702f4c193b2e556592dcd2ab67af1399074cba7290a065a10412a11e62a52b5d78fbe95831756a8

  • C:\Users\Admin\AppData\Roaming\70555416\unmgj.ppt
    Filesize

    303KB

    MD5

    5f85ab2afe7c7ccf97de9233f833aa5d

    SHA1

    4118e24542d053fd15f2f0b2d0d85d02cfc16572

    SHA256

    f50fa734c516bb80b7970f575e6da935b8ef378f53fbce0f03d29b27c6488cd9

    SHA512

    a0405f16da41defbe38155ef5b8489cbb1a4b617621fa850f7990bea0c0af04a1dc59eb9d13951e5ef393d7c531d8b5d6a42083267cbbb532e041ca136b0d84a

  • memory/1904-135-0x0000000000900000-0x0000000000F99000-memory.dmp
    Filesize

    6MB

  • memory/1904-136-0x0000000000913B74-mapping.dmp
  • memory/1904-139-0x0000000000900000-0x0000000000F99000-memory.dmp
    Filesize

    6MB

  • memory/1904-140-0x0000000000900000-0x0000000000F99000-memory.dmp
    Filesize

    6MB

  • memory/4360-130-0x0000000000000000-mapping.dmp