Overview

overview

10

Static

static

sample order.scr.exe

windows7-x64

10

sample order.scr.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-10-2022 13:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample order.scr.exe

  • Size

    1.2MB

  • MD5

    4334fe2b2fc94acca8388291eece9ac8

  • SHA1

    6eaff5e2672fbbdfd46b503365dbdc02ae668407

  • SHA256

    d0b3a869d6b24ab7a223cc2b74d8be81f5071e36397fcf64c110a332fc6e0f0c

  • SHA512

    4b721851b3ec1e888f5570f42fdc81410af6d251511b08ed246bb7dac6f6ff160f8630fa9750ffe09ea2e441f8e35c47681d7c827da32f772a29de2530b5ec72

  • SSDEEP

    24576:Z1r1uXqY/jeTNSpOvDfB835LoipEUvJJD:Z7uXcNSU7J8tpEU

Score
10/10
remcosip-remcoscollectionratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

IP-REMCOS

C2

91.192.100.12:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-JS00ZN

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample order.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\sample order.scr.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\icsOakcPSkFF.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4416
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\icsOakcPSkFF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5E4C.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:968
    • C:\Users\Admin\AppData\Local\Temp\sample order.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\sample order.scr.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Users\Admin\AppData\Local\Temp\sample order.scr.exe
        "C:\Users\Admin\AppData\Local\Temp\sample order.scr.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zjpsyainqxhncm"
        3⤵
          PID:4256
        • C:\Users\Admin\AppData\Local\Temp\sample order.scr.exe
          "C:\Users\Admin\AppData\Local\Temp\sample order.scr.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zjpsyainqxhncm"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4528
        • C:\Users\Admin\AppData\Local\Temp\sample order.scr.exe
          "C:\Users\Admin\AppData\Local\Temp\sample order.scr.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kdukzsshefzafssdt"
          3⤵
          • Accesses Microsoft Outlook accounts
          PID:3008
        • C:\Users\Admin\AppData\Local\Temp\sample order.scr.exe
          "C:\Users\Admin\AppData\Local\Temp\sample order.scr.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ufivzllisnsfpzghdjjr"
          3⤵
          • Suspicious use of UnmapMainImage
          PID:4452
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 12
            4⤵
            • Program crash
            PID:2392
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4452 -ip 4452
      1⤵
        PID:1756

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Email Collection

      1
      T1114

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp5E4C.tmp
        Filesize

        1KB

        MD5

        fa3b4d900521e927434a549a50f8fa2b

        SHA1

        cedec9ff48b978c9f01650cb81a672f49364d9e8

        SHA256

        142a3d58e34a795939dc978e3657211d8584e90b131be7d0c4cc0a0bf3aae66f

        SHA512

        49727b03501b7f679c70c825cee3ed5914c34d0467eb6dcd2c108a3c8774a745cd00df9b04869b96c730995c23424ab89bfb906acf3515a0700a9f50f18545a3

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\zjpsyainqxhncm
        Filesize

        4KB

        MD5

        952a930b9fe70f809a67cb4e765c9448

        SHA1

        7e6c235246cc1be14d8a01ee7688a2a2471d44c9

        SHA256

        bd8156713974af3003c418302d3647fa84f62836fe83613c05e8bc40cb06a867

        SHA512

        10d12f2412fd2cb9ecf47cccd0261b17d9a3323957602c06795c4b2244306837d0a979ec6e552dc023ee81719ebcb9455bdb6f9d44f07788664994d1498452fb

        Download Submit
      • memory/968-139-0x0000000000000000-mapping.dmp
        Download
      • memory/1004-144-0x0000000000400000-0x000000000047F000-memory.dmp
        Filesize

        508KB

        Download
      • memory/1004-143-0x0000000000000000-mapping.dmp
        Download
      • memory/1004-149-0x0000000000400000-0x000000000047F000-memory.dmp
        Filesize

        508KB

        Download
      • memory/1004-169-0x0000000000400000-0x000000000047F000-memory.dmp
        Filesize

        508KB

        Download
      • memory/1004-146-0x0000000000400000-0x000000000047F000-memory.dmp
        Filesize

        508KB

        Download
      • memory/1004-145-0x0000000000400000-0x000000000047F000-memory.dmp
        Filesize

        508KB

        Download
      • memory/2296-135-0x0000000005570000-0x000000000557A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2296-133-0x0000000005990000-0x0000000005F34000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/2296-132-0x0000000000A00000-0x0000000000B38000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2296-134-0x00000000054C0000-0x0000000005552000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2296-136-0x000000000A4C0000-0x000000000A55C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/2296-137-0x000000000A6D0000-0x000000000A736000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3008-155-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

        Download
      • memory/3008-153-0x0000000000000000-mapping.dmp
        Download
      • memory/4256-151-0x0000000000000000-mapping.dmp
        Download
      • memory/4416-150-0x0000000005AB0000-0x0000000005ACE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/4416-159-0x0000000006170000-0x00000000061A2000-memory.dmp
        Filesize

        200KB

        Download
      • memory/4416-138-0x0000000000000000-mapping.dmp
        Download
      • memory/4416-147-0x0000000005320000-0x0000000005342000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4416-168-0x00000000071D0000-0x00000000071D8000-memory.dmp
        Filesize

        32KB

        Download
      • memory/4416-142-0x0000000004CC0000-0x00000000052E8000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/4416-167-0x00000000071F0000-0x000000000720A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/4416-166-0x00000000070E0000-0x00000000070EE000-memory.dmp
        Filesize

        56KB

        Download
      • memory/4416-140-0x0000000004650000-0x0000000004686000-memory.dmp
        Filesize

        216KB

        Download
      • memory/4416-148-0x00000000054D0000-0x0000000005536000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4416-160-0x0000000070C90000-0x0000000070CDC000-memory.dmp
        Filesize

        304KB

        Download
      • memory/4416-161-0x0000000006150000-0x000000000616E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/4416-162-0x0000000007500000-0x0000000007B7A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/4416-163-0x0000000006EB0000-0x0000000006ECA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/4416-164-0x0000000006F30000-0x0000000006F3A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4416-165-0x0000000007130000-0x00000000071C6000-memory.dmp
        Filesize

        600KB

        Download
      • memory/4452-154-0x0000000000000000-mapping.dmp
        Download
      • memory/4528-157-0x0000000000400000-0x0000000000478000-memory.dmp
        Filesize

        480KB

        Download
      • memory/4528-156-0x0000000000400000-0x0000000000478000-memory.dmp
        Filesize

        480KB

        Download
      • memory/4528-152-0x0000000000000000-mapping.dmp
        Download