Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/11/2022, 11:38

General

  • Target

    oder.exe

  • Size

    1.4MB

  • MD5

    d09dec170b549ce4a803423a73f1ca12

  • SHA1

    a3288dafe2d5b2758846cbb685684583411494a2

  • SHA256

    3c7c946ab9bd9f728928c817d648b9808eb7783b4ca73710050093f0c46d5f61

  • SHA512

    30cc589739db5b083910b97c81aadb1f5a7983671e81364515648b1a8c7228168ed76adc9b403a6193b187fa30994479f8b9a431caa8f5b9d40d2427a54fe0ad

  • SSDEEP

    24576:7AOcZX4c9rYLMbYjqTfJ7UOO1mIgRBltn9zKnyjdrZYLphOaC/EZQ/J+43DsIYnV:djMEjqTBHQWXbFeyjJ6LPO3nh+y+V

Malware Config

Extracted

Family

remcos

Botnet

svnHost

C2

83.229.39.38:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-H96B2Z

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\oder.exe
    "C:\Users\Admin\AppData\Local\Temp\oder.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\4_49\qkngrv.vbe"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe
        "C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe" xhpfes.jus
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4792
        • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
          "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1380

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe

          Filesize

          1023KB

          MD5

          f918014ea55e52d1fa0afd76f3a06e74

          SHA1

          3b8f11f27e469d02ec54f2ccf452add22413be36

          SHA256

          f1150309a596ab1c84e27b637edc5bdae2bae5ea0d0cac75736be0432de6821f

          SHA512

          b1b136f4a748ad6032f7f1fe8468317df1ab78f06a46589929ba8cf10239bc281deb5081a3241de76d26f20d9bffaf3df3859a47ed48bde3156b458db4bdb96f

        • C:\Users\Admin\AppData\Local\Temp\4_49\hfswkaneb.lwa

          Filesize

          939KB

          MD5

          91cd0a1fffab60215a45d8eee93dc28b

          SHA1

          26e0fa3702d9d11d5077c0fe82b6ef2c177198dc

          SHA256

          be6a5a94f351db158d5a67f596b85a0baa112efc42fabf3a60e85c0169df73b0

          SHA512

          84dacf17999aa9efc73562681e9a2571ec9eeb8091e2615e469c705826ffe7ec40400680acc225cdd35548a874bb0bbdc7e41d7a69a6d31154e246ae026c85cd

        • C:\Users\Admin\AppData\Local\Temp\4_49\mlnrjrqvgw.exe

          Filesize

          48KB

          MD5

          6806cad8f76ac1e64729efabe69a6cc3

          SHA1

          79e5e3d2f558dc609f36dac2fe0c70a403e80a9b

          SHA256

          3be3e03a563b786d7ee47aa806c7ecc641bae2bbcc446e7d0b6980edf1e6e308

          SHA512

          a40937eef628dcec8a13c96859efaa4bf51977f0a9e03eeaa9a93d1e6b74cf5a77a2d23be69651fd18c47ad665df6e68d57cd177bd55a631afd39605e5ce37f8

        • C:\Users\Admin\AppData\Local\Temp\4_49\xhpfes.jus

          Filesize

          96.7MB

          MD5

          c358f58747a462523f062670fa9caa7e

          SHA1

          063d8a38f699a7ea3f3ded2b740f308d8d5e0731

          SHA256

          e68ead499ad15805ebae14eb3a567cc8571f2ae8a06fd78ab465b9ffebeed444

          SHA512

          98776ee8be1a0fd5d21dc99e047ed0d2c65e08b98a6c00ffd0b40c43db93b70674519312fbf75d3c0f9ec34f6c2d6ec1bd695f5aab49449f486fe89b46c3a9f2

        • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

          Filesize

          44KB

          MD5

          9d352bc46709f0cb5ec974633a0c3c94

          SHA1

          1969771b2f022f9a86d77ac4d4d239becdf08d07

          SHA256

          2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

          SHA512

          13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

        • C:\Users\Admin\AppData\Local\temp\4_49\qkngrv.vbe

          Filesize

          32KB

          MD5

          c9ab163d2f7bc130856326b41406df9f

          SHA1

          7b581bc36fbe920087affb4ceed4878277de5b9f

          SHA256

          b1d50e6e39d34d9ba1c2bee72eebf36750f727ba618bf2caacf5400817fbc306

          SHA512

          fe3a7308fff00c8f6918945968eb902f0685d7977a0de76d070ba4ef5e48592e135ca7a4d68043941b583884c1da75d185af54f08f7f6d216813e93335b509c2

        • memory/1380-140-0x0000000000F90000-0x0000000001621000-memory.dmp

          Filesize

          6.6MB

        • memory/1380-143-0x0000000000F90000-0x0000000001621000-memory.dmp

          Filesize

          6.6MB

        • memory/1380-144-0x0000000000F90000-0x0000000001621000-memory.dmp

          Filesize

          6.6MB

        • memory/1380-145-0x0000000000F90000-0x0000000001621000-memory.dmp

          Filesize

          6.6MB

        • memory/1380-146-0x0000000000F90000-0x0000000001621000-memory.dmp

          Filesize

          6.6MB