Overview

overview

10

Static

static

c0204213cc...8a.exe

windows7_x64

10

c0204213cc...8a.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    174s
  • max time network
    199s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-06-2022 22:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c0204213ccd9c96e609da9d595810128e74e8fa9b79c71f5b7a5c03cde9ffd8a.exe

  • Size

    248KB

  • MD5

    86f10875627339a0476b10370f17803f

  • SHA1

    443af8aaee870027e4fee6c83c0de9efb3d27813

  • SHA256

    c0204213ccd9c96e609da9d595810128e74e8fa9b79c71f5b7a5c03cde9ffd8a

  • SHA512

    fd87f02e34801da818d4b0c764c78cea0c15d64c4f30f49e3b3c34d0cf52842966a6a36b10c72986bd6ec1289d8a8fc866df83d9fdbfe6536ff13b1d82b9ce2d

Score
10/10
remcosbuddyevasionrattrojan

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

Buddy

C2

eastsidepapi.myq-see.com:6996

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    Buddy.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Buddy-PVO134

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Buddy

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0204213ccd9c96e609da9d595810128e74e8fa9b79c71f5b7a5c03cde9ffd8a.exe
    "C:\Users\Admin\AppData\Local\Temp\c0204213ccd9c96e609da9d595810128e74e8fa9b79c71f5b7a5c03cde9ffd8a.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Checks computer location settings
    • Windows security modification
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1088
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BzXaFglBDacDie" /XML "C:\Users\Admin\AppData\Local\Temp\tmp47D2.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3396
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:2996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Disabling Security Tools

2
T1089

Scripting

1
T1064

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp47D2.tmp
    Filesize

    1KB

    MD5

    bc30f0ac305a521ec8c40720ecc682f1

    SHA1

    670e25a9b5ccbf46b0c873887a563b51900a5a19

    SHA256

    e73e505150306c2fb04a97fd75a5e3bba9bb2d8db7b8b9f3d242ee56e3c517e7

    SHA512

    d166cbafba925a1d90cc078e3afb8f07015f41978a26295c261fcc02216d6b25a679eaaa768ab37dc5b7dff6e2b3f5c373a3d2da7c9f89e3b958982015c9ef4f

    Download Submit
  • memory/1088-144-0x0000000006430000-0x000000000644E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1088-150-0x0000000007170000-0x000000000718A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1088-143-0x0000000070D20000-0x0000000070D6C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1088-151-0x0000000004BE0000-0x0000000004BE8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1088-135-0x0000000000000000-mapping.dmp
    Download
  • memory/1088-136-0x00000000025F0000-0x0000000002626000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1088-137-0x0000000005170000-0x0000000005798000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/1088-138-0x00000000058D0000-0x00000000058F2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1088-139-0x0000000005970000-0x00000000059D6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1088-140-0x0000000005A50000-0x0000000005AB6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1088-141-0x0000000004CB0000-0x0000000004CCE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1088-142-0x0000000006450000-0x0000000006482000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1088-145-0x0000000007860000-0x0000000007EDA000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/1088-148-0x00000000074B0000-0x0000000007546000-memory.dmp
    Filesize

    600KB

    Download
  • memory/1088-149-0x0000000007470000-0x000000000747E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1088-146-0x0000000007220000-0x000000000723A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1088-147-0x0000000007280000-0x000000000728A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2928-132-0x0000000004BC0000-0x0000000004C52000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2928-134-0x0000000004B80000-0x0000000004B8A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2928-131-0x0000000005170000-0x0000000005714000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2928-130-0x00000000002D0000-0x0000000000314000-memory.dmp
    Filesize

    272KB

    Download
  • memory/2928-133-0x0000000004C60000-0x0000000004CFC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2996-157-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2996-159-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2996-154-0x0000000000000000-mapping.dmp
    Download
  • memory/2996-155-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2996-158-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download
  • memory/3396-152-0x0000000000000000-mapping.dmp
    Download