Analysis

  • max time kernel
    150s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    24-05-2022 00:39

General

  • Target

    a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe

  • Size

    182KB

  • MD5

    673843fcf41d43e013021716cbd9e32b

  • SHA1

    8f1c7ef48d59ed27e90d6f4aeca803c10363f75d

  • SHA256

    a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989

  • SHA512

    c916adde38053c09f3a10fff5f5a245e774db16624f887021e1c425af3c06651e984d418821ed83ba1e9abf1775d32798d8d9f14ac1e9fcc35747848e25941b1

Score
10/10

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

Buddy

C2

eastsidepapi.myq-see.com:6996

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    Buddy.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Buddy-QTXQ69

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Buddy

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe
    "C:\Users\Admin\AppData\Local\Temp\a3a26e063f982945e88e5d912789cb667e1b351d9277a4e550d556b1ba50a989.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lOsAeIeZnxoiY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3850.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1608
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
        PID:944
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        2⤵
          PID:1368
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:908

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Execution

      Scripting

      1
      T1064

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Scripting

      1
      T1064

      Discovery

      System Information Discovery

      1
      T1082

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp3850.tmp
        Filesize

        1KB

        MD5

        d82236b48c473fc9c0d0ec05ed88e4bf

        SHA1

        4ece089d4590ae16f30d5bc57c201e369d99b35d

        SHA256

        22714d25aad550d46f98219857714d358f25335863d31d1e0f7bf0c5cc18e35c

        SHA512

        78d4c018877d89c9f9757054ba2e385ab769b568e95a9861bee5fd11e145b4f40aa296b139368669cad89a1692c996120bd52d390211963e5a88eeed738b4085

      • memory/908-69-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

      • memory/908-66-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

      • memory/908-74-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

      • memory/908-61-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

      • memory/908-63-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

      • memory/908-60-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

      • memory/908-65-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

      • memory/908-67-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

      • memory/908-70-0x0000000000413A84-mapping.dmp
      • memory/908-73-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

      • memory/1608-58-0x0000000000000000-mapping.dmp
      • memory/1960-54-0x0000000001380000-0x00000000013B4000-memory.dmp
        Filesize

        208KB

      • memory/1960-56-0x00000000005B0000-0x00000000005B8000-memory.dmp
        Filesize

        32KB

      • memory/1960-55-0x0000000075721000-0x0000000075723000-memory.dmp
        Filesize

        8KB

      • memory/1960-57-0x00000000009D0000-0x00000000009FC000-memory.dmp
        Filesize

        176KB