Analysis

  • max time kernel
    145s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-07-2022 20:49

General

  • Target

    618cc1db8b0225b15c13df19b184970c0dfc180415c572ee7a12433a106e41e4.exe

  • Size

    218KB

  • MD5

    25f290634a8092cc13820b1ade6ec33c

  • SHA1

    3d4913172fedc50d9654effeab0fdcec9bb36014

  • SHA256

    618cc1db8b0225b15c13df19b184970c0dfc180415c572ee7a12433a106e41e4

  • SHA512

    22d9aaa2ab0780eab101a7c387e491e36f9672c59dc4b97a92488685dc3b62e585d004d8550f44a17034dc12e2dc6f08a2406991418452cb01e417f2b5e6da29

Score
10/10

Malware Config

Extracted

Family

remcos

Version

2.0.5 Pro

Botnet

RemoteHost

C2

79.172.242.28:2404

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-6PPTSU

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\618cc1db8b0225b15c13df19b184970c0dfc180415c572ee7a12433a106e41e4.exe
    "C:\Users\Admin\AppData\Local\Temp\618cc1db8b0225b15c13df19b184970c0dfc180415c572ee7a12433a106e41e4.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3696
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\vf45\b9876.exe.lnk" /f
        3⤵
          PID:1236
      • C:\Users\Admin\AppData\Roaming\tmp.exe
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          3⤵
            PID:2692
        • C:\Users\Admin\AppData\Local\Temp\.exe
          "C:\Users\Admin\AppData\Local\Temp\.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3064
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            3⤵
              PID:1800

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\.exe
          Filesize

          1.6MB

          MD5

          1c9ff7df71493896054a91bee0322ebf

          SHA1

          38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

          SHA256

          e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

          SHA512

          aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

        • C:\Users\Admin\AppData\Local\Temp\.exe
          Filesize

          1.6MB

          MD5

          1c9ff7df71493896054a91bee0322ebf

          SHA1

          38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

          SHA256

          e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

          SHA512

          aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

        • C:\Users\Admin\AppData\Local\Temp\vf45\b9876.exe
          Filesize

          218KB

          MD5

          25f290634a8092cc13820b1ade6ec33c

          SHA1

          3d4913172fedc50d9654effeab0fdcec9bb36014

          SHA256

          618cc1db8b0225b15c13df19b184970c0dfc180415c572ee7a12433a106e41e4

          SHA512

          22d9aaa2ab0780eab101a7c387e491e36f9672c59dc4b97a92488685dc3b62e585d004d8550f44a17034dc12e2dc6f08a2406991418452cb01e417f2b5e6da29

        • C:\Users\Admin\AppData\Roaming\tmp.exe
          Filesize

          108KB

          MD5

          07dafacf45c8e2fe217985a20c1ee89d

          SHA1

          f62ec5fdd8a397465399b8d20a9196ebbbfe5a1c

          SHA256

          71f4ff98b5c43912e39c9b68c0ae1ed894903e94756f41cf5631445499356527

          SHA512

          08c3a614f2e44bde9610519e0f751f131d80d2dd1c4939921f1b4455d2e7095d96d0c21f9c854dcdc4abf0d1e20c2de4a9e2cb602367f7efa5f4c524909c4074

        • C:\Users\Admin\AppData\Roaming\tmp.exe
          Filesize

          108KB

          MD5

          07dafacf45c8e2fe217985a20c1ee89d

          SHA1

          f62ec5fdd8a397465399b8d20a9196ebbbfe5a1c

          SHA256

          71f4ff98b5c43912e39c9b68c0ae1ed894903e94756f41cf5631445499356527

          SHA512

          08c3a614f2e44bde9610519e0f751f131d80d2dd1c4939921f1b4455d2e7095d96d0c21f9c854dcdc4abf0d1e20c2de4a9e2cb602367f7efa5f4c524909c4074

        • memory/1236-136-0x0000000000000000-mapping.dmp
        • memory/1812-138-0x0000000000000000-mapping.dmp
        • memory/2024-135-0x0000000000000000-mapping.dmp
        • memory/3064-141-0x0000000000000000-mapping.dmp
        • memory/3064-142-0x0000000000400000-0x000000000041B000-memory.dmp
          Filesize

          108KB

        • memory/3064-146-0x0000000000400000-0x000000000041B000-memory.dmp
          Filesize

          108KB

        • memory/3064-148-0x0000000000400000-0x000000000041B000-memory.dmp
          Filesize

          108KB

        • memory/3696-133-0x0000000074780000-0x0000000074D31000-memory.dmp
          Filesize

          5.7MB

        • memory/3696-134-0x0000000074780000-0x0000000074D31000-memory.dmp
          Filesize

          5.7MB

        • memory/3696-149-0x0000000074780000-0x0000000074D31000-memory.dmp
          Filesize

          5.7MB