Analysis

  • max time kernel
    154s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    08-11-2022 12:56

General

  • Target

    5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe

  • Size

    300.0MB

  • MD5

    e4511dbd38b06be47f59500d5e2d8df3

  • SHA1

    17f739c5c189d5ab042e8c9acf85f76fe94f719c

  • SHA256

    5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4

  • SHA512

    e7e9e1b07470e40e53bf6fde2cc4dbd4914ffed5170ae7024fabc980e05ab9bf343a72811ab9b8b35275c6a898a369a2a06103bd995bfc29cf314367550c9b9d

  • SSDEEP

    12288:81/TNU8vQHjdMMEDeoeeP1jDdxKwtMHFKmoP:aqjdMMEQeP17l

Score
10/10

Malware Config

Extracted

Family

remcos

Botnet

manup

C2

91.193.75.188:60005

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    universalupdaetfeeds.exe

  • copy_folder

    universalupdaetfeeds

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    universalupdaetfeeds

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    universalupdaetfeeds-13BJX3

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    universalupdaetfeeds

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe
    "C:\Users\Admin\AppData\Local\Temp\5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:892
    • C:\Users\Admin\AppData\Local\Temp\5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe
      "C:\Users\Admin\AppData\Local\Temp\5baa3cce5cb687ac0f9001d78217a24c8f33bbe7713de5e85e669d21a996d9f4.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/392-62-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

  • memory/392-64-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

  • memory/392-56-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

  • memory/392-57-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

  • memory/392-59-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

  • memory/392-61-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

  • memory/392-74-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

  • memory/392-63-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

  • memory/392-73-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

  • memory/392-66-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

  • memory/392-68-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

  • memory/392-69-0x00000000004327A4-mapping.dmp
  • memory/392-72-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

  • memory/892-54-0x00000000012C0000-0x0000000001352000-memory.dmp
    Filesize

    584KB

  • memory/892-55-0x0000000074E41000-0x0000000074E43000-memory.dmp
    Filesize

    8KB