Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 16:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    972KB

  • MD5

    3d21e82b2ab2331133cbf0fe32c43f7a

  • SHA1

    7bcd150f9e1377bb3439fac2d631a59c2bf06fac

  • SHA256

    4d87f600c35b4b795142195bbe75c8e1a80f3c587c0c5eea6afa20d2f6587861

  • SHA512

    6ada585028f73f0de860900275a384638a59648252842cbef60da2d9be63e2272cf7ae09914c2fafa5fc85809c3d7f59369d291b702211a44cdaa1b64c563529

  • SSDEEP

    12288:jagh/PsZ1DX/VDJKqzbq+HyByFAchZgiHeRhWqK2N0xW8yhn4VTBRWhA84PT2kyD:jagh/PBUtjFxgUemxhyah7XTDTs

Score
10/10
remcosawelepersistencerat

Malware Config

Extracted

Family

remcos

Botnet

Awele

C2

gdyhjjdhbvxgsfe.gotdns.ch:2718

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    qoc.exe

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-LLTFOH

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    mix

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1836
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3244
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\qoc.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3420
          • C:\Users\Admin\AppData\Roaming\qoc.exe
            C:\Users\Admin\AppData\Roaming\qoc.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2612
            • C:\Users\Admin\AppData\Roaming\qoc.exe
              "C:\Users\Admin\AppData\Roaming\qoc.exe"
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of SetWindowsHookEx
              PID:3212

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\install.vbs
    Filesize

    398B

    MD5

    9edf722c5b68fc5befaf057c2aad1ccb

    SHA1

    0b079fc86d4c859ecb3c1a1893b6ffae2eb1e2cb

    SHA256

    bfdf30f700f36f615a0b3a9389bdaa2b3a334ece816e95a3090f7c41ec8efba6

    SHA512

    ea4f1e5842c38f998f2050004f4af9ffedeb0bbd4e6cf9e29b037f9659d48dd17b477a2b0ab23c1b6f8b94c4355a17f6155965bada1b98fd12c2868ec7ea82fc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\qoc.exe
    Filesize

    972KB

    MD5

    3d21e82b2ab2331133cbf0fe32c43f7a

    SHA1

    7bcd150f9e1377bb3439fac2d631a59c2bf06fac

    SHA256

    4d87f600c35b4b795142195bbe75c8e1a80f3c587c0c5eea6afa20d2f6587861

    SHA512

    6ada585028f73f0de860900275a384638a59648252842cbef60da2d9be63e2272cf7ae09914c2fafa5fc85809c3d7f59369d291b702211a44cdaa1b64c563529

    Download Submit

  • C:\Users\Admin\AppData\Roaming\qoc.exe
    Filesize

    972KB

    MD5

    3d21e82b2ab2331133cbf0fe32c43f7a

    SHA1

    7bcd150f9e1377bb3439fac2d631a59c2bf06fac

    SHA256

    4d87f600c35b4b795142195bbe75c8e1a80f3c587c0c5eea6afa20d2f6587861

    SHA512

    6ada585028f73f0de860900275a384638a59648252842cbef60da2d9be63e2272cf7ae09914c2fafa5fc85809c3d7f59369d291b702211a44cdaa1b64c563529

    Download Submit

  • C:\Users\Admin\AppData\Roaming\qoc.exe
    Filesize

    972KB

    MD5

    3d21e82b2ab2331133cbf0fe32c43f7a

    SHA1

    7bcd150f9e1377bb3439fac2d631a59c2bf06fac

    SHA256

    4d87f600c35b4b795142195bbe75c8e1a80f3c587c0c5eea6afa20d2f6587861

    SHA512

    6ada585028f73f0de860900275a384638a59648252842cbef60da2d9be63e2272cf7ae09914c2fafa5fc85809c3d7f59369d291b702211a44cdaa1b64c563529

    Download Submit

  • memory/1348-133-0x00000000053A0000-0x0000000005944000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1348-134-0x0000000004E90000-0x0000000004F22000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1348-135-0x0000000004E80000-0x0000000004E8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1348-136-0x00000000075B0000-0x000000000764C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1348-132-0x00000000003D0000-0x00000000004CA000-memory.dmp

    Filesize

    1000KB

    Download

  • memory/1836-137-0x0000000000000000-mapping.dmp

    Download

  • memory/1836-139-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1836-141-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1836-144-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1836-138-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1836-140-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2612-146-0x0000000000000000-mapping.dmp

    Download

  • memory/3212-152-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/3212-149-0x0000000000000000-mapping.dmp

    Download

  • memory/3212-153-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/3212-154-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/3212-155-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/3244-142-0x0000000000000000-mapping.dmp

    Download

  • memory/3420-145-0x0000000000000000-mapping.dmp

    Download