Overview

overview

10

Static

static

winprofile

windows7_x64

10

winprofile

windows10_x64

3

Analysis

  • max time kernel
    299s
  • max time network
    303s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    30-06-2022 04:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb91bf1e2eb3877f0942cef113bb0fb76e2c2fd2c2651dbf09f6da6df649e8fb.exe

  • Size

    718KB

  • MD5

    972334f0c55d0aeab0b32efe41ea3470

  • SHA1

    e9097b5cd1f976ecaf0accedf14f1d22bd72e6fa

  • SHA256

    eb91bf1e2eb3877f0942cef113bb0fb76e2c2fd2c2651dbf09f6da6df649e8fb

  • SHA512

    df120f43fa17b2c37ad6d31e528495241146420cd017c18116bd074498cef3834f408c50d289f8bdce2955c464664a6c446800cb7b55c1461fb3cc0accc7fe10

Score
10/10
remcos06192022persistencerat

Malware Config

Extracted

Family

remcos

Botnet

06192022

C2

nikahuve.ac.ug:6968

kalskala.ac.ug:6968

tuekisaa.ac.ug:6968

parthaha.ac.ug:6968
Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    scxs.dat

  • keylog_flag

    false

  • keylog_folder

    forbas

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    cvxyttydfsgbghfgfhtd-RXTSAM

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb91bf1e2eb3877f0942cef113bb0fb76e2c2fd2c2651dbf09f6da6df649e8fb.exe
    "C:\Users\Admin\AppData\Local\Temp\eb91bf1e2eb3877f0942cef113bb0fb76e2c2fd2c2651dbf09f6da6df649e8fb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1488
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1488-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1488-61-0x000000006FC10000-0x00000000701BB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1488-60-0x000000006FC10000-0x00000000701BB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1924-67-0x0000000000400000-0x000000000047B000-memory.dmp
    Filesize

    492KB

    Download
  • memory/1924-69-0x0000000000400000-0x000000000047B000-memory.dmp
    Filesize

    492KB

    Download
  • memory/1924-80-0x0000000000400000-0x000000000047B000-memory.dmp
    Filesize

    492KB

    Download
  • memory/1924-79-0x0000000000400000-0x000000000047B000-memory.dmp
    Filesize

    492KB

    Download
  • memory/1924-62-0x0000000000400000-0x000000000047B000-memory.dmp
    Filesize

    492KB

    Download
  • memory/1924-63-0x0000000000400000-0x000000000047B000-memory.dmp
    Filesize

    492KB

    Download
  • memory/1924-65-0x0000000000400000-0x000000000047B000-memory.dmp
    Filesize

    492KB

    Download
  • memory/1924-78-0x0000000000400000-0x000000000047B000-memory.dmp
    Filesize

    492KB

    Download
  • memory/1924-68-0x0000000000400000-0x000000000047B000-memory.dmp
    Filesize

    492KB

    Download
  • memory/1924-74-0x0000000000400000-0x000000000047B000-memory.dmp
    Filesize

    492KB

    Download
  • memory/1924-70-0x0000000000400000-0x000000000047B000-memory.dmp
    Filesize

    492KB

    Download
  • memory/1924-72-0x0000000000400000-0x000000000047B000-memory.dmp
    Filesize

    492KB

    Download
  • memory/1924-75-0x000000000043133D-mapping.dmp
    Download
  • memory/2040-57-0x0000000075FE1000-0x0000000075FE3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2040-54-0x00000000010B0000-0x000000000116A000-memory.dmp
    Filesize

    744KB

    Download
  • memory/2040-55-0x00000000049D0000-0x0000000004AC8000-memory.dmp
    Filesize

    992KB

    Download
  • memory/2040-56-0x0000000000E80000-0x0000000000ECC000-memory.dmp
    Filesize

    304KB

    Download