Overview

overview

10

Static

static

Purchase Order PDF.js

windows7-x64

8

Purchase Order PDF.js

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 08:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Order PDF.js

  • Size

    9KB

  • MD5

    e646ada71279124c80535e45c7ec7c3f

  • SHA1

    422b6485e3fb58bed032df79d965c6c3be33f7b5

  • SHA256

    b9669fd190e61892ee488a3123a888aa1ecc4663e007f188fef03f6d15df1671

  • SHA512

    5e1c926fd1a989d4d30809c2eac6350510aeabdb903062cf42afe487218d2ea2eb097b661cd71ae85ef4e3f3d1fb07e4790eeb5c14476499011f7b8f2a18b9f4

  • SSDEEP

    192:P165D3hO1VDAYJM7tUw0NvxixiiIBBu0BhON2p+jXshalppRZoeoo0ns7BBTszZj:94hOrDAZ0NH+t2Bhmppfoo2s7/IMCBL

Score
10/10
remcosremotehostrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

51.75.209.245:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-CMFPLR

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 6 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order PDF.js"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3836
    • C:\Users\Admin\AppData\Local\Temp\NhGG.exe
      "C:\Users\Admin\AppData\Local\Temp\NhGG.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4772
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        "Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\NhGG.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systjnjem.exe'
        3⤵
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5076
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:4876
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
            PID:1324
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            3⤵
            • Suspicious use of SetWindowsHookEx
            PID:1400

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\NhGG.exe
        Filesize

        591KB

        MD5

        ab6ebb46942e94eb3661c4c86b099e8b

        SHA1

        f54817be0255ff370d2f9272b6593d9aacf1b6b8

        SHA256

        fff14d27cfcfd3a46729a41bd6dcbb09e667f894e2c85b4e7eb5098faccfa6ab

        SHA512

        0c548efa026dd3d49b1cbe894ce1f2e75df4f965558e89677ef7199f67d019d4a1bb4ac7624cd1b307515018196b380205bd7aff7e57a2aeffa4418dd101c731

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\NhGG.exe
        Filesize

        591KB

        MD5

        ab6ebb46942e94eb3661c4c86b099e8b

        SHA1

        f54817be0255ff370d2f9272b6593d9aacf1b6b8

        SHA256

        fff14d27cfcfd3a46729a41bd6dcbb09e667f894e2c85b4e7eb5098faccfa6ab

        SHA512

        0c548efa026dd3d49b1cbe894ce1f2e75df4f965558e89677ef7199f67d019d4a1bb4ac7624cd1b307515018196b380205bd7aff7e57a2aeffa4418dd101c731

        Download Submit

      • memory/1324-141-0x0000000000000000-mapping.dmp

        Download

      • memory/1400-147-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/1400-146-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/1400-143-0x0000000000000000-mapping.dmp

        Download

      • memory/1400-144-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/1400-155-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/1400-145-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/4772-135-0x00000000007B0000-0x000000000084A000-memory.dmp

        Filesize

        616KB

        Download

      • memory/4772-132-0x0000000000000000-mapping.dmp

        Download

      • memory/4772-137-0x0000000005350000-0x00000000053EC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4772-136-0x0000000005860000-0x0000000005E04000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4876-140-0x0000000000000000-mapping.dmp

        Download

      • memory/5076-138-0x0000000000000000-mapping.dmp

        Download

      • memory/5076-148-0x00000000059E0000-0x0000000005A02000-memory.dmp

        Filesize

        136KB

        Download

      • memory/5076-142-0x0000000005B10000-0x0000000006138000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/5076-149-0x00000000062B0000-0x0000000006316000-memory.dmp

        Filesize

        408KB

        Download

      • memory/5076-150-0x0000000006390000-0x00000000063F6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/5076-151-0x0000000006990000-0x00000000069AE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/5076-152-0x0000000006F60000-0x0000000006FF6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/5076-153-0x0000000006E70000-0x0000000006E8A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/5076-154-0x0000000006EF0000-0x0000000006F12000-memory.dmp

        Filesize

        136KB

        Download

      • memory/5076-139-0x0000000003070000-0x00000000030A6000-memory.dmp

        Filesize

        216KB

        Download