Overview

overview

10

Static

static

SecuriteIn...44.exe

windows7-x64

1

SecuriteIn...44.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-08-2022 05:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.W32.AIDetectNet.01.4744.exe

  • Size

    12KB

  • MD5

    c5bfbb66c7e3eb946107feb15d7181c2

  • SHA1

    1fa470b2d3569cb1b61436a2aaeadc6d916e7a54

  • SHA256

    253ec23e3db30683bfed20ee25778f5632b700aaf411c498cb092ea18e0eb5cc

  • SHA512

    93e229e6d8063b606f648119e8904aa5921e9bc459fe6a31d68c86b6e33e814e3c25e54bcde55cc56d9eda947f8525c53b0bb02652783178616747cb5c7f680e

Score
10/10
remcosremotehostcollectionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

obologs.work.gd:4044

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-5Y5EWD

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 4 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.4744.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.4744.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4236
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2252
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1828
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\wkztrdhxclppgwwmhcqkvenufw"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2388
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\gmedkwsyqthujklqyndmfiilocqtfp"
          4⤵
            PID:2516
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\gmedkwsyqthujklqyndmfiilocqtfp"
            4⤵
            • Accesses Microsoft Outlook accounts
            PID:1780
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\jgkwkodsebzhtqhchyqfivcuwjacgazql"
            4⤵
              PID:1524
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\jgkwkodsebzhtqhchyqfivcuwjacgazql"
              4⤵
                PID:4536
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\jgkwkodsebzhtqhchyqfivcuwjacgazql"
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:452
              • C:\Users\Admin\AppData\Local\Temp\dwn.exe
                "C:\Users\Admin\AppData\Local\Temp\dwn.exe"
                4⤵
                • Executes dropped EXE
                • Checks computer location settings
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3696
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1824
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  5⤵
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2964
          • C:\Windows\SysWOW64\wlanext.exe
            "C:\Windows\SysWOW64\wlanext.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1204
            • C:\Program Files\Mozilla Firefox\Firefox.exe
              "C:\Program Files\Mozilla Firefox\Firefox.exe"
              3⤵
                PID:2356

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          2
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Email Collection

          1
          T1114

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
            Filesize

            1KB

            MD5

            4280e36a29fa31c01e4d8b2ba726a0d8

            SHA1

            c485c2c9ce0a99747b18d899b71dfa9a64dabe32

            SHA256

            e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

            SHA512

            494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
            Filesize

            53KB

            MD5

            06ad34f9739c5159b4d92d702545bd49

            SHA1

            9152a0d4f153f3f40f7e606be75f81b582ee0c17

            SHA256

            474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

            SHA512

            c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            16KB

            MD5

            f9cd81068ed125736f622dc118f18321

            SHA1

            8a85f1a7c47cb91997083fb95bd8588cf88049c9

            SHA256

            d53fc42d579dbc96b080a0d23f585ce3966c54edf3843c4ef87997e0b3908166

            SHA512

            99648e06b9e53f76d93d2d37780814b55dcd4aa07801af498059bb34d7a3c03b97b2fd3c6798c420802597da11697956f71283f1e418f85b34bbecb2322260f3

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\dwn.exe
            Filesize

            12KB

            MD5

            0cb74a735886a14d5fabe1a300cbdf71

            SHA1

            069e8a67a521cb593b525bf95ae0c7bde2debccf

            SHA256

            a05ed1c19c64d7a966f5219dfcd06a3a82c2207d704c5ad4bd6353d17d418e28

            SHA512

            c5958271d9cdff5bef9f88d42df716d41095061bddf540a6fe57d9ff8bfccb7510a2e65f0ca954c423112510cbb5aad13c6458109efd8d46341b6eca2ccdedf9

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\dwn.exe
            Filesize

            12KB

            MD5

            0cb74a735886a14d5fabe1a300cbdf71

            SHA1

            069e8a67a521cb593b525bf95ae0c7bde2debccf

            SHA256

            a05ed1c19c64d7a966f5219dfcd06a3a82c2207d704c5ad4bd6353d17d418e28

            SHA512

            c5958271d9cdff5bef9f88d42df716d41095061bddf540a6fe57d9ff8bfccb7510a2e65f0ca954c423112510cbb5aad13c6458109efd8d46341b6eca2ccdedf9

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\wkztrdhxclppgwwmhcqkvenufw
            Filesize

            4KB

            MD5

            a64ef19cb7924d0ef7b27699e0237041

            SHA1

            b6392aa8451f0721fcadff793808f8630182e66e

            SHA256

            66635dcdbf3439d7e09ac3f043c0ff6792f1ec281070fea4618d9b5fb287cb56

            SHA512

            66f6ae0b27227cfaf57a28e8f592a899375f763d0dc1e4f0199444b52e026f04243761bb20af127a7815a5c59db3c9fe1c1ff2a3ef069b8eccff3eef68da284b

            Download Submit
          • memory/452-154-0x0000000000000000-mapping.dmp
            Download
          • memory/452-155-0x0000000000400000-0x0000000000424000-memory.dmp
            Filesize

            144KB

            Download
          • memory/1204-179-0x0000000001300000-0x000000000138F000-memory.dmp
            Filesize

            572KB

            Download
          • memory/1204-174-0x0000000000000000-mapping.dmp
            Download
          • memory/1204-178-0x0000000000BB0000-0x0000000000BDB000-memory.dmp
            Filesize

            172KB

            Download
          • memory/1204-176-0x0000000000B10000-0x0000000000B27000-memory.dmp
            Filesize

            92KB

            Download
          • memory/1204-181-0x0000000000BB0000-0x0000000000BDB000-memory.dmp
            Filesize

            172KB

            Download
          • memory/1204-177-0x00000000014F0000-0x000000000183A000-memory.dmp
            Filesize

            3.3MB

            Download
          • memory/1524-151-0x0000000000000000-mapping.dmp
            Download
          • memory/1780-152-0x0000000000400000-0x0000000000457000-memory.dmp
            Filesize

            348KB

            Download
          • memory/1780-150-0x0000000000000000-mapping.dmp
            Download
          • memory/1824-163-0x0000000000000000-mapping.dmp
            Download
          • memory/1828-146-0x0000000000400000-0x000000000047E000-memory.dmp
            Filesize

            504KB

            Download
          • memory/1828-145-0x0000000000400000-0x000000000047E000-memory.dmp
            Filesize

            504KB

            Download
          • memory/1828-144-0x0000000000400000-0x000000000047E000-memory.dmp
            Filesize

            504KB

            Download
          • memory/1828-143-0x0000000000000000-mapping.dmp
            Download
          • memory/1828-147-0x0000000000400000-0x000000000047E000-memory.dmp
            Filesize

            504KB

            Download
          • memory/1828-167-0x0000000000400000-0x000000000047E000-memory.dmp
            Filesize

            504KB

            Download
          • memory/2200-173-0x00000000088F0000-0x00000000089D2000-memory.dmp
            Filesize

            904KB

            Download
          • memory/2200-182-0x0000000008B20000-0x0000000008C8D000-memory.dmp
            Filesize

            1.4MB

            Download
          • memory/2200-180-0x0000000008B20000-0x0000000008C8D000-memory.dmp
            Filesize

            1.4MB

            Download
          • memory/2252-142-0x0000000006E10000-0x0000000006E2A000-memory.dmp
            Filesize

            104KB

            Download
          • memory/2252-139-0x00000000062A0000-0x0000000006306000-memory.dmp
            Filesize

            408KB

            Download
          • memory/2252-138-0x0000000006230000-0x0000000006296000-memory.dmp
            Filesize

            408KB

            Download
          • memory/2252-137-0x0000000005A20000-0x0000000006048000-memory.dmp
            Filesize

            6.2MB

            Download
          • memory/2252-136-0x0000000003370000-0x00000000033A6000-memory.dmp
            Filesize

            216KB

            Download
          • memory/2252-135-0x0000000000000000-mapping.dmp
            Download
          • memory/2252-140-0x0000000006930000-0x000000000694E000-memory.dmp
            Filesize

            120KB

            Download
          • memory/2252-141-0x00000000081A0000-0x000000000881A000-memory.dmp
            Filesize

            6.5MB

            Download
          • memory/2388-156-0x0000000000400000-0x0000000000478000-memory.dmp
            Filesize

            480KB

            Download
          • memory/2388-157-0x0000000000400000-0x0000000000478000-memory.dmp
            Filesize

            480KB

            Download
          • memory/2388-148-0x0000000000000000-mapping.dmp
            Download
          • memory/2516-149-0x0000000000000000-mapping.dmp
            Download
          • memory/2964-175-0x0000000000400000-0x000000000042B000-memory.dmp
            Filesize

            172KB

            Download
          • memory/2964-171-0x00000000010C0000-0x000000000140A000-memory.dmp
            Filesize

            3.3MB

            Download
          • memory/2964-172-0x0000000000B50000-0x0000000000B60000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2964-169-0x0000000000400000-0x000000000042B000-memory.dmp
            Filesize

            172KB

            Download
          • memory/2964-168-0x0000000000000000-mapping.dmp
            Download
          • memory/3696-161-0x0000000000260000-0x0000000000268000-memory.dmp
            Filesize

            32KB

            Download
          • memory/3696-158-0x0000000000000000-mapping.dmp
            Download
          • memory/4236-130-0x0000000000B50000-0x0000000000B58000-memory.dmp
            Filesize

            32KB

            Download
          • memory/4236-134-0x0000000007A80000-0x0000000007AA2000-memory.dmp
            Filesize

            136KB

            Download
          • memory/4236-133-0x0000000005750000-0x000000000575A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/4236-132-0x0000000005510000-0x00000000055A2000-memory.dmp
            Filesize

            584KB

            Download
          • memory/4236-131-0x00000000058E0000-0x0000000005E84000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/4536-153-0x0000000000000000-mapping.dmp
            Download