Analysis

  • max time kernel
    139s
  • max time network
    201s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-11-2022 17:09

General

  • Target

    9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe

  • Size

    321KB

  • MD5

    efd7d49d7985282a6049b308965c1888

  • SHA1

    308ccb6f12c0f3c456c57051f691e929edf13a9e

  • SHA256

    9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d

  • SHA512

    8ca78873323ed7d56b6f610227bb40d30883db1ba3dbee7a322872ab091a21b58dd52e762d00ea3d4eee7416c24400cac07743e21597d61bff5e83c1a7cacc21

  • SSDEEP

    6144:BrJOumSn1I+U5F5WTLErZ0ySwNNZFnKZ8+0nAbSfOL/+H0mjYawdF1Ust:KumSnm+U5F5WTLErZ0PwnySmL/+UmjY4

Malware Config

Extracted

Family

remcos

Version

2.4.7 Pro

Botnet

RemoteHost

C2

okkkk1.ddns.net:4444

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    true

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-9WWA88

  • screenshot_crypt

    true

  • screenshot_flag

    true

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;
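The extracted configuration above is what a hunter turns into host and network artefacts. The following Python is an added example, not part of the sandbox report and not Remcos or any extractor's code: it takes the key/value pairs exactly as listed, expands the `%AppData%` placeholder for a given user (assumed to resolve to that user's Roaming profile), and only emits the file paths whose feature flag is `true`, so that a `keylog_flag` of `false` does not produce a `logs.dat` path nobody will find. The `CONFIG` dict is constructed from the fields above; the `audio_candidate` entry is listed unconditionally because no flag gates audio capture in this config.

```python
import json

# Constructed from the "Malware Config" block of the report (values verbatim).
CONFIG = {
    "c2": "okkkk1.ddns.net:4444",
    "mutex": "Remcos-9WWA88",
    "install_flag": "false", "install_path": "%AppData%",
    "copy_folder": "remcos", "copy_file": "remcos.exe",
    "startup_value": "remcos",
    "keylog_flag": "false", "keylog_path": "%AppData%",
    "keylog_folder": "remcos", "keylog_file": "logs.dat",
    "screenshot_flag": "true", "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
    "audio_path": "%AppData%", "audio_folder": "MicRecords",
}


def _flag(cfg, key):
    """Flags appear as the strings 'true'/'false'; anything else counts as off."""
    return str(cfg.get(key, "false")).strip().lower() == "true"


def _expand(template, user, root="C:\\Users"):
    """Expand %AppData% as the Roaming profile of `user` (assumption; the agent resolves it at run time)."""
    return template.replace("%AppData%", root + "\\" + user + "\\AppData\\Roaming")


def _join(*parts):
    """Join path components with backslashes, tolerating stray separators."""
    return "\\".join(p.strip("\\") for p in parts if p)


def derive_artifacts(cfg, user="Admin"):
    """Return the network and host artefacts implied by a Remcos config, gated on its flags."""
    host, _, port = cfg["c2"].rpartition(":")
    art = {
        # ddns.net host: resolve at lookup time, the IP will change between detonations.
        "c2": {"host": host, "port": int(port)},
        "mutex": cfg["mutex"],
        # Value name for autorun; the config does not say which Run key it lands under.
        "run_value_name": cfg["startup_value"],
        "files": {},
    }
    if _flag(cfg, "install_flag"):
        art["files"]["installed_copy"] = _expand(
            _join(cfg["install_path"], cfg["copy_folder"], cfg["copy_file"]), user)
    if _flag(cfg, "keylog_flag"):
        art["files"]["keylog"] = _expand(
            _join(cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"]), user)
    if _flag(cfg, "screenshot_flag"):
        art["files"]["screenshots"] = _expand(
            _join(cfg["screenshot_path"], cfg["screenshot_folder"]), user) + "\\"
    # No flag gates audio capture in this config, so the folder is only a candidate.
    art["files"]["audio_candidate"] = _expand(
        _join(cfg["audio_path"], cfg["audio_folder"]), user) + "\\"
    return art


if __name__ == "__main__":
    print(json.dumps(derive_artifacts(CONFIG), indent=2))
```

With `install_flag` and `keylog_flag` both `false`, the only config-derived file artefact is the `Screenshots` folder under Roaming; the `render.exe` copy in the Startup folder and the `EnableLUA` write seen in the process tree come from the dropper layer and are not represented in these fields, so the config-derived list complements the process tree rather than replacing it.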

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • UAC bypass 3 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops startup file 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; this sample is classified as Remcos above, a RAT, and no file-encryption activity appears elsewhere in this report, so treat the drive enumeration as a surveillance/file-access lead rather than as evidence of ransomware.

  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe
    "C:\Users\Admin\AppData\Local\Temp\9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:564
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe:Zone.Identifier"
      2⤵
      • NTFS ADS
      PID:596
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe:Zone.Identifier"
      2⤵
      • NTFS ADS
      PID:1684
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe"
      2⤵
      • Drops startup file
      PID:292
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:612
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe:Zone.Identifier"
          4⤵
          • Drops startup file
          PID:2012
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe:Zone.Identifier"
          4⤵
          • Drops startup file
          PID:1816
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1404
          • C:\Windows\SysWOW64\cmd.exe
            /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1868
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              6⤵
              • UAC bypass
              • Modifies registry key
              PID:304
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1860
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1528
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:275457 /prefetch:2
                7⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1092
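The process tree above shows three behaviours worth a detection rule each: the Mark-of-the-Web stream being truncated with `type nul > <file>:Zone.Identifier`, the sample copying itself into and then running from the per-user Startup folder as `render.exe`, and `reg.exe ADD ... /v EnableLUA /t REG_DWORD /d 0 /f` turning UAC off. The following Python is an added example, not part of the sandbox report and not Remcos or any vendor's code: it applies those rules to process-creation events. The event shape (dicts with `pid`, `image` and `command_line`, as Sysmon Event ID 1 or an EDR feed would give) and the sample events, rebuilt from the command lines in the tree, are constructed for the example.

```python
import re

# Rule 1: `type nul > <file>:Zone.Identifier` truncates the Mark-of-the-Web
# stream so the binary no longer looks like a downloaded file.
RE_MOTW_STRIP = re.compile(r"type\s+nul\s*>\s*\"?.+?:zone\.identifier", re.I)

# Rule 2: reg.exe ADD HKLM\...\Policies\System /v EnableLUA /d 0 turns UAC
# off machine-wide; `0x0` spellings are accepted too.
RE_UAC_DISABLE = re.compile(
    r"\breg(?:\.exe)?\s+add\s+\"?hklm\\software\\microsoft\\windows\\currentversion"
    r"\\policies\\system\b.*?/v\s+enablelua\b.*?/d\s+0(?:x0+)?\b",
    re.I,
)

# Rules 3/4: a copy into, or an image running from, the per-user Startup folder.
RE_COPY = re.compile(r"\bcopy\b", re.I)
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def classify(event):
    """Return the names of the rules that fire for one process-creation event."""
    cmd = event.get("command_line", "")
    image = event.get("image", "").lower()
    hits = []
    if RE_MOTW_STRIP.search(cmd):
        hits.append("motw_strip")
    if RE_UAC_DISABLE.search(cmd):
        hits.append("uac_disable")
    if STARTUP_DIR in cmd.lower() and RE_COPY.search(cmd):
        hits.append("startup_folder_drop")
    if STARTUP_DIR in image:
        hits.append("startup_folder_exec")
    return hits


def scan(events):
    """Map pid -> fired rules, keeping only events where at least one rule fired."""
    result = {}
    for e in events:
        hits = classify(e)
        if hits:
            result[e["pid"]] = hits
    return result


# All four together is the dropper chain seen above; any one alone is only a lead.
CHAIN = {"motw_strip", "startup_folder_drop", "startup_folder_exec", "uac_disable"}


def chain_complete(events):
    """True when every rule in CHAIN fired on at least one event."""
    seen = {h for e in events for h in classify(e)}
    return CHAIN <= seen


# Constructed sample events, rebuilt from the command lines in the process tree.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d.exe")
DROPPED = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
           r"\Start Menu\Programs\Startup\render.exe")
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [
    {"pid": 596, "image": CMD,
     "command_line": '"C:\\Windows\\System32\\cmd.exe" /C type nul > "' + SAMPLE + ':Zone.Identifier"'},
    {"pid": 292, "image": CMD,
     "command_line": '"C:\\Windows\\System32\\cmd.exe" /c copy "' + SAMPLE + '" "' + DROPPED + '"'},
    {"pid": 612, "image": DROPPED, "command_line": '"' + DROPPED + '"'},
    {"pid": 304, "image": r"C:\Windows\SysWOW64\reg.exe",
     "command_line": r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows"
                     r"\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"pid": 1860, "image": r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
     "command_line": r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe"'},
]

if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        print(pid, ", ".join(hits))
    print("full dropper chain:", chain_complete(EVENTS))
```

The `iexplore.exe` launch (pid 1860) fires nothing on its own, which is the point of `chain_complete`: the SetThreadContext/WriteProcessMemory signatures on pid 1404 suggest the RAT body ends up somewhere other than the dropped file, so a command-line rule set is a trigger for memory inspection, not a substitute for it.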

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Modify Registry

4
T1112

Discovery

System Information Discovery

1
T1082

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\render.exe
    Filesize

    321KB

    MD5

    efd7d49d7985282a6049b308965c1888

    SHA1

    308ccb6f12c0f3c456c57051f691e929edf13a9e

    SHA256

    9082c4d76e331613cd970532a2fa90fcf86ffe0180b9d997dd8c4c93559e5d0d

    SHA512

    8ca78873323ed7d56b6f610227bb40d30883db1ba3dbee7a322872ab091a21b58dd52e762d00ea3d4eee7416c24400cac07743e21597d61bff5e83c1a7cacc21

  • memory/292-61-0x0000000000000000-mapping.dmp
  • memory/304-90-0x0000000000000000-mapping.dmp
  • memory/564-58-0x0000000002130000-0x0000000002138000-memory.dmp
    Filesize

    32KB

  • memory/564-60-0x0000000002140000-0x000000000214C000-memory.dmp
    Filesize

    48KB

  • memory/564-56-0x0000000076381000-0x0000000076383000-memory.dmp
    Filesize

    8KB

  • memory/564-55-0x0000000000360000-0x000000000038A000-memory.dmp
    Filesize

    168KB

  • memory/564-54-0x00000000003D0000-0x0000000000426000-memory.dmp
    Filesize

    344KB

  • memory/596-57-0x0000000000000000-mapping.dmp
  • memory/612-65-0x0000000000000000-mapping.dmp
  • memory/612-67-0x0000000000870000-0x00000000008C6000-memory.dmp
    Filesize

    344KB

  • memory/612-71-0x00000000047D0000-0x00000000047DC000-memory.dmp
    Filesize

    48KB

  • memory/1200-62-0x0000000000000000-mapping.dmp
  • memory/1404-78-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

  • memory/1404-87-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

  • memory/1404-74-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

  • memory/1404-76-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

  • memory/1404-89-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

  • memory/1404-79-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

  • memory/1404-80-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

  • memory/1404-82-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

  • memory/1404-83-0x00000000004139C4-mapping.dmp
  • memory/1404-73-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

  • memory/1684-59-0x0000000000000000-mapping.dmp
  • memory/1816-70-0x0000000000000000-mapping.dmp
  • memory/1868-88-0x0000000000000000-mapping.dmp
  • memory/2012-69-0x0000000000000000-mapping.dmp