Overview

overview

10

Static

static

RFQ 2290.exe

windows7-x64

9

RFQ 2290.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-10-2022 03:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ 2290.exe

  • Size

    1.3MB

  • MD5

    85e8ae98556d7927fa40c5cba4e4a16a

  • SHA1

    3013724dbc0bedda4bc2528ba01c7495f26614b1

  • SHA256

    f851ccd89ef8f8e28648ff600789364e9caf5c522a5e7238cee619a229cc821d

  • SHA512

    25e6158d69a61945d1513d0a12ffe1d1178a5c9e2ffeb032791b2dadc294d4f1e6b4d73242183b1ce0059e7421c9a9eea62cca6a3683002ee841e42cedce9969

  • SSDEEP

    24576:WqHo1sfbYnNTHIsxcb5V9zpn8jte3q/3uASeA8vOE/dkJw1:WqIafENUkcb5rpn8Y3q/eAYU

Score
10/10
remcosnew rem stubevasionrat

Malware Config

Extracted

Family

remcos

Botnet

NEW REM STUB

C2

valvesco.duckdns.org:5050

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-48V73L

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks computer location settings
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3868
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4476
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iDKZenUzizmrGT.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2804
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDKZenUzizmrGT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA9F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1488
    • C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe
      "C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    f13b0fa235c126c9f903253926a2ad93

    SHA1

    5d47d1d1c4481464f7bb54fda0d34e631c9f1506

    SHA256

    4274bd1768c9a1a90c1ba852c9310946069896f99de22ce1dd01aa3eb9fa6247

    SHA512

    bfe329b5df6952041e09606494e5eef2ab4c52be9aa196df866a00c1e341776e296b61e46dd1341b2beccd629859c52fabfcee3385be2843c077a2b94c361ea2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpA9F.tmp
    Filesize

    1KB

    MD5

    87451919f5d65562bf3cfd629504c061

    SHA1

    da01a8b27ba37d8b1766e1442b835e58ebb8801a

    SHA256

    119a02eebb18308e59331ce42fbba67d9434ac1baa1413da66cd885a55479cee

    SHA512

    e3a9894a002fa9536fc4be1307780b351839948162b3f47e53a2e5b1d7a93651941acdeddeb30e053e56e5e6461455a5a6f23525f415a19c367e240bf96c0e0a

    Download Submit
  • memory/1488-142-0x0000000000000000-mapping.dmp
    Download
  • memory/2040-165-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download
  • memory/2040-151-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download
  • memory/2040-149-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download
  • memory/2040-148-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download
  • memory/2040-147-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download
  • memory/2040-146-0x0000000000000000-mapping.dmp
    Download
  • memory/2804-140-0x0000000000000000-mapping.dmp
    Download
  • memory/2804-153-0x0000000072ED0000-0x0000000072F1C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2804-161-0x0000000007490000-0x00000000074AA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2804-159-0x00000000073D0000-0x0000000007466000-memory.dmp
    Filesize

    600KB

    Download
  • memory/2804-156-0x0000000007790000-0x0000000007E0A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/2804-155-0x00000000063E0000-0x00000000063FE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3868-133-0x00000000056D0000-0x0000000005C74000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3868-134-0x00000000051C0000-0x0000000005252000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3868-132-0x00000000006A0000-0x00000000007F8000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3868-135-0x00000000051A0000-0x00000000051AA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3868-137-0x0000000009340000-0x00000000093A6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3868-136-0x0000000009090000-0x000000000912C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4476-154-0x0000000072ED0000-0x0000000072F1C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4476-143-0x0000000004FA0000-0x0000000004FC2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4476-157-0x0000000007270000-0x000000000728A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4476-152-0x0000000006F00000-0x0000000006F32000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4476-158-0x00000000072E0000-0x00000000072EA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4476-150-0x0000000005F50000-0x0000000005F6E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4476-160-0x00000000074A0000-0x00000000074AE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/4476-138-0x0000000000000000-mapping.dmp
    Download
  • memory/4476-162-0x0000000007590000-0x0000000007598000-memory.dmp
    Filesize

    32KB

    Download
  • memory/4476-139-0x0000000002630000-0x0000000002666000-memory.dmp
    Filesize

    216KB

    Download
  • memory/4476-141-0x00000000051B0000-0x00000000057D8000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/4476-144-0x0000000005140000-0x00000000051A6000-memory.dmp
    Filesize

    408KB

    Download