Analysis
-
max time kernel
151s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220722-en -
resource tags
-
submitted
10-08-2022 19:52
General
-
Target
RtJT2FrE.exe
-
Size
128KB
-
MD5
648e9dc18a8bd5dda03ca12f4f2768e7
-
SHA1
efaefb940f47210dd0a3e9483aede0d9d5ce8a52
-
SHA256
e0b6bc3a80979c9698dc1a45ec43f00b0a35841706e1414fb29996eb57962c44
-
SHA512
6fd011e2397eaa6ae0f87f41bdc7df8aa01db2e7d181a9072b9e2cddc49722dc1ccb1a67cc45c59989438c68539e0c6f4154267e4d86dbdcc8088b22a435a3a6
Malware Config
Extracted
remcos
2.5.0 Pro
system
213.152.161.40:8733
109.202.103.170:8733
213.152.162.89:8733
213.152.162.109:8733
213.152.161.239:8733
213.152.162.69:8733
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
sys.exe
-
copy_folder
sys
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%WinDir%\System32
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
system
-
keylog_path
%WinDir%\System32
-
mouse_option
false
-
mutex
system-UQU82S
-
screenshot_crypt
true
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%WinDir%\System32
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
true
-
take_screenshot_time
5
-
take_screenshot_title
https://online.mbank.pl/pl/Login;https://login.ingbank.pl/mojeing/app/#login;https://www.pekao24.pl/;https://online.santanderconsumer.pl/Authentication/;https://orangefinanse.com.pl/or/Login;https://login.aliorbank.pl/;https://www.ipko.pl/;https://secure.getinbank.pl/#index/index;https://www.bankmillennium.pl/logowanie;https://www.ideabank.pl/logowanie;https://www.bosbank.pl/#;https://www.bankbps.pl/;https://plusbank24.pl/;https://www.citibankonline.pl/apps/auth/signin/;https://e-bank.credit-agricole.pl/;https://moj.raiffeisenpolbank.com/;https://login.bgzbnpparibas.pl/login/Redirect?SAMLRequest=fZDBTsMwDIZfpcp9bdoG2lltpQouk%2BDCEPe09bZKbRJiB008PWET0uDA0fb3%2FZbdkF4XB33gk3nB94DEyXldDMFl0IrgDVhNM4HRKxLwCPv%2B%2BQmKVILzlu1oF3Gj%2FG9oIvQ8WyOS3WMryvupVnlZTbqUoyoHuVWYq8MW1aEqsFQieUNPEW9FtKNDFHBniLXh2JJ5vZHbTSFf8wLyCu5qkfQ%2FGx6sobCi36P%2FmMdoTXhuRQzpmf08BMYrMZvjX6Rrvi%2BByzbfnZgdZJlbtEFOh%2BPnYJzTMUJT6pYmu2Wv1e9%2Fdl8%3D;https://konto.toyotabank.pl/auth/login.jsp;https://online.eurobank.pl/nbi/bezpieczenstwo/logowanie;https://www.deutschebank.pl/;https://www.pocztowy.pl/;https://www.t-mobilebankowe.pl/;
Signatures
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
UAC bypass 3 TTPs 3 IoCs
-
Adds policy Run key to start application 2 TTPs 6 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Modifies WinLogon 2 TTPs 2 IoCs
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RtJT2FrE.exe"C:\Users\Admin\AppData\Local\Temp\RtJT2FrE.exe"1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\sys\sys.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sys\sys.exeC:\Windows\SysWOW64\sys\sys.exe4⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f6⤵
- UAC bypass
- Modifies registry key
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"5⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f7⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe6⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\install.vbsFilesize
384B
MD5662f40cdb9d6399685c73db8fa6af55c
SHA1b4843af100dd7d5789d192982aaf7bc84972f781
SHA256fa133903e470717684b46478695d90b7832ce468da7eebfd468cd51dcd244280
SHA512bdd9a4dbc7fb1e7b2fce423dcd4d2cabe4a5027f12699d4caf9260304bd403c1099265c12975bac4bae2745a1f3d3804e184b35f5756f2aa5321f0cc109c3d0b
-
C:\Windows\SysWOW64\sys\sys.exeFilesize
128KB
MD5648e9dc18a8bd5dda03ca12f4f2768e7
SHA1efaefb940f47210dd0a3e9483aede0d9d5ce8a52
SHA256e0b6bc3a80979c9698dc1a45ec43f00b0a35841706e1414fb29996eb57962c44
SHA5126fd011e2397eaa6ae0f87f41bdc7df8aa01db2e7d181a9072b9e2cddc49722dc1ccb1a67cc45c59989438c68539e0c6f4154267e4d86dbdcc8088b22a435a3a6
-
C:\Windows\SysWOW64\sys\sys.exeFilesize
128KB
MD5648e9dc18a8bd5dda03ca12f4f2768e7
SHA1efaefb940f47210dd0a3e9483aede0d9d5ce8a52
SHA256e0b6bc3a80979c9698dc1a45ec43f00b0a35841706e1414fb29996eb57962c44
SHA5126fd011e2397eaa6ae0f87f41bdc7df8aa01db2e7d181a9072b9e2cddc49722dc1ccb1a67cc45c59989438c68539e0c6f4154267e4d86dbdcc8088b22a435a3a6
-
memory/524-143-0x0000000000000000-mapping.dmp
-
memory/832-140-0x0000000000000000-mapping.dmp
-
memory/1112-133-0x0000000000000000-mapping.dmp
-
memory/1776-132-0x0000000000000000-mapping.dmp
-
memory/2292-136-0x0000000000000000-mapping.dmp
-
memory/3396-141-0x0000000000000000-mapping.dmp
-
memory/3748-134-0x0000000000000000-mapping.dmp
-
memory/3920-142-0x0000000000000000-mapping.dmp
-
memory/4556-137-0x0000000000000000-mapping.dmp
-
memory/4928-144-0x0000000000000000-mapping.dmp
-
memory/4928-145-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/4928-147-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/4928-148-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB