Analysis

  • max time kernel
    195s
  • max time network
    201s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-11-2022 07:28

General

  • Target

    864-80-0x0000000000400000-0x0000000000417000-memory.exe

  • Size

    92KB

  • MD5

    81decf81e0f22a06673849e16ff57b01

  • SHA1

    de0023dc4f84a29cf2ea6238de09ba7f8deaf3cb

  • SHA256

    2310d8f49412769bbb634a16cb272a77dcde3104405155e811d21a88712e4d13

  • SHA512

    a484773eecc880b9975732ae4ba4ea7ca716f2e7f256344df52a09814821a63f56c9e306e248b5dfd6ca1f2b96d0c959efeb3103e397033cd98b7e34eb29bf4c

  • SSDEEP

    1536:4hhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP6nrA:ehzYTGWVvJ8f2v1TbPzuMsIFSHNThy+b

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Nov 24th

C2

gcrozona.duckdns.org:6062

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    Microsoft Intel Audios.exe

  • copy_folder

    Audio Microsoft File

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %WinDir%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    Windows Display

  • keylog_path

    %WinDir%

  • mouse_option

    false

  • mutex

    Windows Audio

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    Window Security Check

  • take_screenshot_option

    true

  • take_screenshot_time

    5

  • take_screenshot_title

    Username;password;proforma;invoice;notepad

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • UAC bypass 3 TTPs 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\864-80-0x0000000000400000-0x0000000000417000-memory.exe
    "C:\Users\Admin\AppData\Local\Temp\864-80-0x0000000000400000-0x0000000000417000-memory.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4064
    • C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3464
      • C:\Windows\SysWOW64\reg.exe
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • Modifies registry key
        PID:4832
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3192
      • C:\Windows\SysWOW64\PING.EXE
        PING 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:2328
      • C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe
        "C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1660
        • C:\Windows\SysWOW64\cmd.exe
          /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1652
          • C:\Windows\SysWOW64\reg.exe
            C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            5⤵
            • UAC bypass
            • Modifies registry key
            PID:4284
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
          • Drops file in Windows directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1140
          • C:\Windows\SysWOW64\cmd.exe
            /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2564
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              6⤵
              • UAC bypass
              • Modifies registry key
              PID:696

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\install.bat
    Filesize

    109B

    MD5

    8ddcdd0ab01b0740982e7b78b1591015

    SHA1

    acbb9c4bb32822a164f200f8b77eda0ce7bd758d

    SHA256

    7c1abbf1a20f581d2db76d769cc14cf753a412cf92e383a36ffbf0c962eaf678

    SHA512

    ef43e3cb89c800529530183d4315782a864281ef8a0e6443a54ccc4f1837fcbfe43027b399bb43ea114fab70416d49b3cb2539cf8bf658b4b447c4e8597959dc

  • C:\Windows\Audio Microsoft File\Microsoft Intel Audios.exe
    Filesize

    92KB

    MD5

    81decf81e0f22a06673849e16ff57b01

    SHA1

    de0023dc4f84a29cf2ea6238de09ba7f8deaf3cb

    SHA256

    2310d8f49412769bbb634a16cb272a77dcde3104405155e811d21a88712e4d13

    SHA512

    a484773eecc880b9975732ae4ba4ea7ca716f2e7f256344df52a09814821a63f56c9e306e248b5dfd6ca1f2b96d0c959efeb3103e397033cd98b7e34eb29bf4c

  • memory/696-143-0x0000000000000000-mapping.dmp
  • memory/1652-140-0x0000000000000000-mapping.dmp
  • memory/1660-137-0x0000000000000000-mapping.dmp
  • memory/2328-136-0x0000000000000000-mapping.dmp
  • memory/2564-142-0x0000000000000000-mapping.dmp
  • memory/3192-134-0x0000000000000000-mapping.dmp
  • memory/3464-132-0x0000000000000000-mapping.dmp
  • memory/4284-141-0x0000000000000000-mapping.dmp
  • memory/4832-133-0x0000000000000000-mapping.dmp