Analysis

  • max time kernel
    123s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-06-2022 06:58

General

  • Target

    326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe

  • Size

    208KB

  • MD5

    eb38e581ba2c7d46a2373dc9abc02b3b

  • SHA1

    86d8449307be9bdeea725c56254fde1692b82a30

  • SHA256

    326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693

  • SHA512

    d09ebf20951ec472b3b68e02f79493049f0f81972327a8d12ee7b7a3c643bb8a5f2ad5377f1f228fda61f38bfffb2c2123ca17095c30ea94c24dbb2cc40ac800

Malware Config

Extracted

Family

remcos

Version

2.0.5 Pro

Botnet

RemoteHost

C2

79.172.242.28:2404

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    xi3s.exe

  • copy_folder

    xi3x

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %Temp%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-NL03Y0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    xi5w

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe
    "C:\Users\Admin\AppData\Local\Temp\326395aaa7878f136cf1b425be58bafc14becbdf9541532abab89d4c6a6ab693.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4580
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3356
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4552
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1564
          • C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
            C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
            5⤵
            • Executes dropped EXE
            PID:1020
    • C:\Users\Admin\AppData\Local\Temp\.exe
      "C:\Users\Admin\AppData\Local\Temp\.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2556
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4492
          • C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
            C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
            5⤵
            • Executes dropped EXE
            PID:2384

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\.exe
    Filesize

    1.6MB

    MD5

    1c9ff7df71493896054a91bee0322ebf

    SHA1

    38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

    SHA256

    e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

    SHA512

    aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

  • C:\Users\Admin\AppData\Local\Temp\.exe
    Filesize

    1.6MB

    MD5

    1c9ff7df71493896054a91bee0322ebf

    SHA1

    38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

    SHA256

    e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

    SHA512

    aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

  • C:\Users\Admin\AppData\Local\Temp\install.vbs
    Filesize

    416B

    MD5

    453f89e2c8f4e830ac8db7611532f1dd

    SHA1

    d1e4a30ec5fd1067ade5d4a806457829038131ad

    SHA256

    533afaf7f3b5f135c3c9cfa7dc71bba8452949c40ba0d8ffc56daf87fb306936

    SHA512

    840c7af7dc1911f983a3f0005b9b0efa7b63161b62d53b859b29b3d2d313653d88a5e1db687f87fff1e47e233160fc96ed5067b4f11be6ef9f4bdf72c6b145df

  • C:\Users\Admin\AppData\Local\Temp\install.vbs
    Filesize

    416B

    MD5

    453f89e2c8f4e830ac8db7611532f1dd

    SHA1

    d1e4a30ec5fd1067ade5d4a806457829038131ad

    SHA256

    533afaf7f3b5f135c3c9cfa7dc71bba8452949c40ba0d8ffc56daf87fb306936

    SHA512

    840c7af7dc1911f983a3f0005b9b0efa7b63161b62d53b859b29b3d2d313653d88a5e1db687f87fff1e47e233160fc96ed5067b4f11be6ef9f4bdf72c6b145df

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    Filesize

    108KB

    MD5

    7ead38802bd7c0a3af677214f2ba23db

    SHA1

    f0c204c57146244c7e2cc744214c3deff5a9f4b6

    SHA256

    c75ba3917383a776dee26a215929d242b7896641a4157afa1d7d05913eb473fd

    SHA512

    88c35c02fc21850904f41563611b57f3bd6c39b649fd8017d6fc19135c87a2b288365020a04d2571a64a91772edda9444821301d69d1ba8b4702fb577b98ac69

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    Filesize

    108KB

    MD5

    7ead38802bd7c0a3af677214f2ba23db

    SHA1

    f0c204c57146244c7e2cc744214c3deff5a9f4b6

    SHA256

    c75ba3917383a776dee26a215929d242b7896641a4157afa1d7d05913eb473fd

    SHA512

    88c35c02fc21850904f41563611b57f3bd6c39b649fd8017d6fc19135c87a2b288365020a04d2571a64a91772edda9444821301d69d1ba8b4702fb577b98ac69

  • C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
    Filesize

    1.6MB

    MD5

    1c9ff7df71493896054a91bee0322ebf

    SHA1

    38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

    SHA256

    e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

    SHA512

    aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

  • C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
    Filesize

    1.6MB

    MD5

    1c9ff7df71493896054a91bee0322ebf

    SHA1

    38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

    SHA256

    e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

    SHA512

    aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

  • C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
    Filesize

    1.6MB

    MD5

    1c9ff7df71493896054a91bee0322ebf

    SHA1

    38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

    SHA256

    e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

    SHA512

    aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

  • C:\Users\Admin\AppData\Local\Temp\xi3x\xi3s.exe
    Filesize

    1.6MB

    MD5

    1c9ff7df71493896054a91bee0322ebf

    SHA1

    38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

    SHA256

    e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

    SHA512

    aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

  • memory/1020-148-0x0000000000000000-mapping.dmp
  • memory/1308-135-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

  • memory/1308-145-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

  • memory/1308-140-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize

    108KB

  • memory/1308-134-0x0000000000000000-mapping.dmp
  • memory/1564-147-0x0000000000000000-mapping.dmp
  • memory/2384-152-0x0000000000000000-mapping.dmp
  • memory/2556-144-0x0000000000000000-mapping.dmp
  • memory/3356-131-0x0000000000000000-mapping.dmp
  • memory/4492-151-0x0000000000000000-mapping.dmp
  • memory/4552-139-0x0000000000000000-mapping.dmp
  • memory/4580-130-0x0000000074970000-0x0000000074F21000-memory.dmp
    Filesize

    5.7MB

  • memory/4580-154-0x0000000074970000-0x0000000074F21000-memory.dmp
    Filesize

    5.7MB