Analysis

  • max time kernel
    51s
  • max time network
    54s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-07-2022 06:30

General

  • Target

    58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe

  • Size

    385KB

  • MD5

    e8fcccc14df4c8fbde4223b16fdb4e63

  • SHA1

    6bb4317b855e9f07c9f63b33455eeaa7335bfade

  • SHA256

    58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a

  • SHA512

    8cb6aab343972ef7384c6e8e4d2418e168c35e448a4e1183d650776762c407239d265838fe1c03bd10cf4415238c4e7b08ed9a9d95a62f70bcc4f50561b01c1c

Score
10/10

Malware Config

Extracted

Family

remcos

Version

2.0.5 Pro

Botnet

RemoteHost

C2

79.172.242.28:2404

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-6PPTSU

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe
    "C:\Users\Admin\AppData\Local\Temp\58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4232
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:3532
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\8778\name.exe.lnk" /f
        3⤵
          PID:4204
      • C:\Users\Admin\AppData\Local\Temp\svhost.exe
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4276
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          3⤵
            PID:4420

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Discovery

      System Information Discovery

      1
      T1082

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\8778\name.exe
        Filesize

        385KB

        MD5

        e8fcccc14df4c8fbde4223b16fdb4e63

        SHA1

        6bb4317b855e9f07c9f63b33455eeaa7335bfade

        SHA256

        58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a

        SHA512

        8cb6aab343972ef7384c6e8e4d2418e168c35e448a4e1183d650776762c407239d265838fe1c03bd10cf4415238c4e7b08ed9a9d95a62f70bcc4f50561b01c1c

      • C:\Users\Admin\AppData\Local\Temp\svhost.exe
        Filesize

        1.6MB

        MD5

        1c9ff7df71493896054a91bee0322ebf

        SHA1

        38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

        SHA256

        e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

        SHA512

        aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

      • C:\Users\Admin\AppData\Local\Temp\svhost.exe
        Filesize

        1.6MB

        MD5

        1c9ff7df71493896054a91bee0322ebf

        SHA1

        38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

        SHA256

        e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

        SHA512

        aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

      • memory/3532-133-0x0000000000000000-mapping.dmp
      • memory/4204-134-0x0000000000000000-mapping.dmp
      • memory/4232-132-0x0000000075290000-0x0000000075841000-memory.dmp
        Filesize

        5.7MB

      • memory/4232-144-0x0000000075290000-0x0000000075841000-memory.dmp
        Filesize

        5.7MB

      • memory/4276-136-0x0000000000000000-mapping.dmp
      • memory/4276-137-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

      • memory/4276-141-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

      • memory/4276-143-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB