Overview

overview

10

Static

static

SecuriteIn...17.exe

windows7-x64

10

SecuriteIn...17.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-09-2022 18:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.IL.Trojan.MSILZilla.22441.31968.10217.exe

  • Size

    883KB

  • MD5

    d693283a2b6c3a4b36f503b741cef17a

  • SHA1

    d38ba08bce1821bf81d76c1e5b7b769c6681f159

  • SHA256

    be0c5e38edc7aba393016c5cdf21d7a93b2daf78395ced609104f7055fd5f162

  • SHA512

    0db444e29a7c574a91e140c06d84a66aa84d3884d4d593b5de8be50ee84acc8209831569aaa636b80a003ef240b2954a3929297445e08f30ca7ca3f995de30d6

  • SSDEEP

    12288:NJ1bM9KvvqzRDYCIbw4IK2HBNxIJqRMj4V9N8kgJFT1scYq6y7qPg:etsENO2Mj4Gk4FTOq6y7qPg

Score
10/10
remcosremotehostrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

bodhansanders.hopto.org:2490

[email protected]:2490
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-G7HDVY

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.IL.Trojan.MSILZilla.22441.31968.10217.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.IL.Trojan.MSILZilla.22441.31968.10217.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:4556
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 636
          3⤵
          • Program crash
          PID:2196
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\taxrecords"
        2⤵
          PID:1000
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe'" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4260
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe'" /f
            3⤵
            • Creates scheduled task(s)
            PID:2112
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.IL.Trojan.MSILZilla.22441.31968.10217.exe" "C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe"
          2⤵
            PID:1056
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4556 -ip 4556
          1⤵
            PID:3736
          • C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe
            C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe
            1⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1800
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              2⤵
              • Suspicious use of SetWindowsHookEx
              PID:2340
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\taxrecords"
              2⤵
                PID:2260
              • C:\Windows\SysWOW64\cmd.exe
                "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe'" /f
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2336
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe'" /f
                  3⤵
                  • Creates scheduled task(s)
                  PID:5068
              • C:\Windows\SysWOW64\cmd.exe
                "cmd" /c copy "C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe" "C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe"
                2⤵
                  PID:4900
              • C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe
                C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:748
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  2⤵
                    PID:4328
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\taxrecords"
                    2⤵
                      PID:3488
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe'" /f
                      2⤵
                        PID:4296
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe'" /f
                          3⤵
                          • Creates scheduled task(s)
                          PID:1676
                      • C:\Windows\SysWOW64\cmd.exe
                        "cmd" /c copy "C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe" "C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe"
                        2⤵
                          PID:1208

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\taxrecords.exe.log
                        Filesize

                        425B

                        MD5

                        4eaca4566b22b01cd3bc115b9b0b2196

                        SHA1

                        e743e0792c19f71740416e7b3c061d9f1336bf94

                        SHA256

                        34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

                        SHA512

                        bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe
                        Filesize

                        883KB

                        MD5

                        d693283a2b6c3a4b36f503b741cef17a

                        SHA1

                        d38ba08bce1821bf81d76c1e5b7b769c6681f159

                        SHA256

                        be0c5e38edc7aba393016c5cdf21d7a93b2daf78395ced609104f7055fd5f162

                        SHA512

                        0db444e29a7c574a91e140c06d84a66aa84d3884d4d593b5de8be50ee84acc8209831569aaa636b80a003ef240b2954a3929297445e08f30ca7ca3f995de30d6

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe
                        Filesize

                        883KB

                        MD5

                        d693283a2b6c3a4b36f503b741cef17a

                        SHA1

                        d38ba08bce1821bf81d76c1e5b7b769c6681f159

                        SHA256

                        be0c5e38edc7aba393016c5cdf21d7a93b2daf78395ced609104f7055fd5f162

                        SHA512

                        0db444e29a7c574a91e140c06d84a66aa84d3884d4d593b5de8be50ee84acc8209831569aaa636b80a003ef240b2954a3929297445e08f30ca7ca3f995de30d6

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\taxrecords\taxrecords.exe
                        Filesize

                        883KB

                        MD5

                        d693283a2b6c3a4b36f503b741cef17a

                        SHA1

                        d38ba08bce1821bf81d76c1e5b7b769c6681f159

                        SHA256

                        be0c5e38edc7aba393016c5cdf21d7a93b2daf78395ced609104f7055fd5f162

                        SHA512

                        0db444e29a7c574a91e140c06d84a66aa84d3884d4d593b5de8be50ee84acc8209831569aaa636b80a003ef240b2954a3929297445e08f30ca7ca3f995de30d6

                        Download Submit

                      • memory/748-167-0x0000000000CB0000-0x0000000000D92000-memory.dmp

                        Filesize

                        904KB

                        Download

                      • memory/1748-132-0x0000000000050000-0x0000000000132000-memory.dmp

                        Filesize

                        904KB

                        Download

                      • memory/1800-153-0x0000000000CB0000-0x0000000000D92000-memory.dmp

                        Filesize

                        904KB

                        Download

                      • memory/2340-156-0x0000000000400000-0x000000000047F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/2340-157-0x0000000000400000-0x000000000047F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/2340-163-0x0000000000400000-0x000000000047F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/2340-164-0x0000000000400000-0x000000000047F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/4328-172-0x0000000000400000-0x000000000047F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/4328-171-0x0000000000400000-0x000000000047F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/4328-174-0x0000000000400000-0x000000000047F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/4556-148-0x0000000000600000-0x000000000067F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/4556-142-0x0000000000600000-0x000000000067F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/4556-149-0x0000000000600000-0x000000000067F000-memory.dmp

                        Filesize

                        508KB

                        Download

                      • memory/4556-135-0x0000000000600000-0x000000000067F000-memory.dmp

                        Filesize

                        508KB

                        Download