Analysis

  • max time kernel
    152s
  • max time network
    177s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
  • submitted
    03-12-2022 01:31

General

  • Target

    3cf83d826c47b887733f5f279e16936e9fa36efb6ad6badd5b1fb3aaeeb43a2f.rtf

  • Size

    23KB

  • MD5

    4c6aaef387645227a1a987043d56d6be

  • SHA1

    feaec8f7f4652115ee34e2eae79987778ca87de9

  • SHA256

    3cf83d826c47b887733f5f279e16936e9fa36efb6ad6badd5b1fb3aaeeb43a2f

  • SHA512

    ef2d4e034f262fbe25a81f9db08b00c7c87881c96c76c7958ca547174f6b9791ea64bc499936af27b140cac2d9161b24f04edab9b13fd3889f916d22da97879c

  • SSDEEP

    384:KQMmdOFNYY0aaaIswqPeOrka1+fHQJ+t3rQkRhZ9GBpwe2ok/+EeIA:GFx0XaIsnPRIa4fwJMi7J2ok/HHA

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Dec 1st

C2

terzona2022.duckdns.org:3030

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    Windows input text.exe

  • copy_folder

    Microsoft Text

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %WinDir%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    Windows Display

  • keylog_path

    %WinDir%

  • mouse_option

    false

  • mutex

    Windows Audio

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    Microsoft Sound Text

  • take_screenshot_option

    true

  • take_screenshot_time

    5

  • take_screenshot_title

    Username;password;proforma;invoice;notepad
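
The extracted configuration is only useful on a host if it is turned into concrete paths, a Run value and a C2 pair. The script below does that expansion and cross-checks the result against the process tree later in this report (the installed copy should run from the path the config predicts). It is an added example, not part of the sandbox report; the config keys and values are copied from the "Malware Config" section above, while the %WinDir% and %AppData% values are assumed for the report's Windows 7 VM (user "Admin", as in the process tree), and the registry hive of the Run key is not shown in the report and is therefore not asserted.

```python
"""Expand the Remcos config above into concrete hunt artefacts.

Added example for this page, not part of the sandbox report. The %WinDir% and
%AppData% values are assumed for the report's Windows 7 VM (user "Admin", as in
the process tree); the config keys and values are copied from the report.
"""
import ntpath

# Copied from the "Malware Config" section of this report.
REMCOS_CONFIG = {
    "c2": "terzona2022.duckdns.org:3030",
    "install_flag": True,
    "install_path": "%WinDir%",
    "copy_folder": "Microsoft Text",
    "copy_file": "Windows input text.exe",
    "startup_value": "Microsoft Sound Text",
    "keylog_flag": False,
    "keylog_path": "%WinDir%",
    "keylog_folder": "Windows Display",
    "keylog_file": "logs.dat",
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screens",
    "audio_path": "%AppData%",
    "audio_folder": "audio",
    "mutex": "Windows Audio",
}

# Assumed environment of the sandbox VM (hypothetical, not read from the report).
SANDBOX_ENV = {
    "%WinDir%": r"C:\Windows",
    "%AppData%": r"C:\Users\Admin\AppData\Roaming",
}


def expand(token, env=SANDBOX_ENV):
    """Resolve one of the %Var% placeholders Remcos uses for its paths."""
    if token not in env:
        raise ValueError(f"unknown path token {token!r}")
    return env[token]


def host_artifacts(cfg, env=SANDBOX_ENV):
    """Return the file, registry, mutex and network indicators implied by cfg."""
    host, _, port = cfg["c2"].rpartition(":")
    art = {
        "c2_host": host,
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        "files": [],
        "dirs": [],
        "run_value": None,
    }
    if cfg.get("install_flag"):
        installed = ntpath.join(expand(cfg["install_path"], env),
                                cfg["copy_folder"], cfg["copy_file"])
        art["files"].append(installed)
        # The report shows a Run key being added but not which hive, so only the
        # value name and the expected data (the installed copy) are recorded.
        art["run_value"] = (cfg["startup_value"], installed)
    # Keylogging is disabled in this config (keylog_flag false), but the path is
    # still the place to look if logs.dat turns up on a host.
    art["files"].append(ntpath.join(expand(cfg["keylog_path"], env),
                                    cfg["keylog_folder"], cfg["keylog_file"]))
    for p, f in (("screenshot_path", "screenshot_folder"),
                 ("audio_path", "audio_folder")):
        art["dirs"].append(ntpath.join(expand(cfg[p], env), cfg[f]))
    return art


def matches_process_tree(art, observed_image):
    """Cross-check: is the image that actually ran one of the predicted files?"""
    return observed_image.lower() in (f.lower() for f in art["files"])


if __name__ == "__main__":
    a = host_artifacts(REMCOS_CONFIG)
    for k, v in a.items():
        print(f"{k}: {v}")
    # The process tree in this report shows the installed copy running from here.
    print(matches_process_tree(a, r"C:\Windows\Microsoft Text\Windows input text.exe"))
```

The cross-check is the useful part: config extraction from a packed sample is heuristic, and a mismatch between the predicted install path and the image observed in the process tree usually means the extractor read the wrong build or a stale string.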

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance tool sold commercially and widely abused as a RAT.

  • UAC bypass 3 TTPs 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox flags this generically as possible ransomware behaviour; in this sample the activity comes from a Remcos RAT, not ransomware.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 54 IoCs
  • Modifies registry class 64 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3cf83d826c47b887733f5f279e16936e9fa36efb6ad6badd5b1fb3aaeeb43a2f.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1388
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Users\Admin\AppData\Roaming\chungec84736.exe
        "C:\Users\Admin\AppData\Roaming\chungec84736.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1712
        • C:\Users\Admin\AppData\Roaming\chungec84736.exe
          "C:\Users\Admin\AppData\Roaming\chungec84736.exe"
          3⤵
          • Executes dropped EXE
          PID:1832
        • C:\Users\Admin\AppData\Roaming\chungec84736.exe
          "C:\Users\Admin\AppData\Roaming\chungec84736.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:840
          • C:\Windows\SysWOW64\cmd.exe
            /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1644
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              5⤵
              • UAC bypass
              • Modifies registry key
              PID:468
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
            4⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1892
            • C:\Windows\SysWOW64\PING.EXE
              PING 127.0.0.1 -n 2
              5⤵
              • Runs ping.exe
              PID:1116
            • C:\Windows\Microsoft Text\Windows input text.exe
              "C:\Windows\Microsoft Text\Windows input text.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:816
              • C:\Windows\Microsoft Text\Windows input text.exe
                "C:\Windows\Microsoft Text\Windows input text.exe"
                6⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1760
                • C:\Windows\SysWOW64\cmd.exe
                  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1084
                  • C:\Windows\SysWOW64\reg.exe
                    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                    8⤵
                    • UAC bypass
                    • Modifies registry key
                    PID:1736
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                  7⤵
                    PID:1188
                    • C:\Program Files\Internet Explorer\iexplore.exe
                      "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
                      8⤵
                      • Modifies Internet Explorer settings
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SetWindowsHookEx
                      PID:952
                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:952 CREDAT:275457 /prefetch:2
                        9⤵
                        • Modifies Internet Explorer settings
                        • Suspicious use of SetWindowsHookEx
                        PID:1500
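
The process tree above contains the behaviours a detection engineer would key on: Equation Editor spawning an executable from the user's profile, reg.exe setting EnableLUA to 0, a ping-to-loopback delay before launching the installed copy, and a second copy running from a made-up folder under C:\Windows. The script below runs those checks over process-creation events. It is an added example, not part of the sandbox report: the events are reconstructed by hand from the "Processes" section (image, command line, PID, parent PID), the field names are my own rather than the sandbox's schema, and the parent of EQNEDT32.EXE is recorded as unknown (0) because the report does not show it.

```python
"""Detection checks over the process tree shown in this report.

Added example, not part of the sandbox report. Events are reconstructed from
the "Processes" section above; field names are illustrative, not Triage's.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 = parent not shown in the report
    image: str
    cmdline: str


OFFICE = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPER = r"C:\Users\Admin\AppData\Roaming\chungec84736.exe"
INSTALLED = r"C:\Windows\Microsoft Text\Windows input text.exe"
UAC_CMD = (r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows"
           r"\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f")

# Constructed from the process tree in this report.
EVENTS = [
    ProcEvent(1756, 0, OFFICE, f'"{OFFICE}" /n "C:\\Users\\Admin\\AppData\\Local\\Temp\\'
              '3cf83d826c47b887733f5f279e16936e9fa36efb6ad6badd5b1fb3aaeeb43a2f.rtf"'),
    ProcEvent(1388, 1756, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(1416, 0, EQNEDT, f'"{EQNEDT}" -Embedding'),
    ProcEvent(1712, 1416, DROPPER, f'"{DROPPER}"'),
    ProcEvent(840, 1712, DROPPER, f'"{DROPPER}"'),
    ProcEvent(1644, 840, r"C:\Windows\SysWOW64\cmd.exe", "/k %windir%" + UAC_CMD[len(r"C:\Windows"):]),
    ProcEvent(468, 1644, r"C:\Windows\SysWOW64\reg.exe", UAC_CMD),
    ProcEvent(1892, 840, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "'),
    ProcEvent(1116, 1892, r"C:\Windows\SysWOW64\PING.EXE", "PING 127.0.0.1 -n 2"),
    ProcEvent(816, 1892, INSTALLED, f'"{INSTALLED}"'),
]

# reg.exe writing EnableLUA=0 under the System policy key (UAC bypass, T1088).
UAC_DISABLE = re.compile(r"Policies\\System\b.*\bEnableLUA\b.*/d\s+0\b", re.I)
# An .exe directly inside a user's AppData\Roaming or AppData\Local.
APPDATA_EXE = re.compile(r"(?i)^c:\\users\\[^\\]+\\appdata\\(roaming|local)\\[^\\]+\.exe$")
# An .exe in a first-level C:\Windows subfolder that is not a standard binary dir.
ODD_WINDIR_EXE = re.compile(
    r"(?i)^c:\\windows\\(?!system32\\|syswow64\\|winsxs\\|microsoft\.net\\)[^\\]+\\[^\\]+\.exe$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) pairs for every event that matches a check."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Equation Editor has no business creating child processes (T1203).
        if parent and basename(parent.image) == "eqnedt32.exe":
            hits.append(("eqnedt32_child_process", e.pid))
        if basename(e.image) == "reg.exe" and UAC_DISABLE.search(e.cmdline):
            hits.append(("uac_disabled_enablelua", e.pid))
        if APPDATA_EXE.match(e.image):
            hits.append(("exe_from_appdata", e.pid))
        if ODD_WINDIR_EXE.match(e.image):
            hits.append(("exe_in_nonstandard_windows_subdir", e.pid))
        # cmd.exe running a batch that pings loopback as a sleep, then launches an exe.
        if basename(e.image) == "cmd.exe":
            kids = children.get(e.pid, [])
            pinged = any(basename(k.image) == "ping.exe" and "127.0.0.1" in k.cmdline for k in kids)
            launched = [k for k in kids if basename(k.image) not in ("ping.exe", "cmd.exe")]
            if pinged and launched:
                hits.append(("ping_sleep_then_launch", e.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40s} PID {pid}")
```

The EQNEDT32 parent check is the highest-signal rule here: the report notes Equation Editor is the component targeted by exploits such as CVE-2017-11882, and on a patched estate it should never spawn anything. The AppData and C:\Windows-subfolder rules are noisier and belong in a hunting query rather than an alert, but together with the EnableLUA write they reproduce every stage of this tree.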

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Execution

      Exploitation for Client Execution

      1
      T1203

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Bypass User Account Control

      1
      T1088

      Defense Evasion

      Bypass User Account Control

      1
      T1088

      Disabling Security Tools

      1
      T1089

      Modify Registry

      4
      T1112

      Discovery

      System Information Discovery

      1
      T1082

      Remote System Discovery

      1
      T1018


      Downloads

      • C:\Users\Admin\AppData\Local\Temp\install.bat
        Filesize

        99B

        MD5

        cd13321bdef41f7575c97a6c302668c1

        SHA1

        f7de6ac53a6914dde55fe408c67ec934686ecc9f

        SHA256

        2e7ff7169fe44c0360335a47264f1963bb65ae1ca3f93a20922074f143491dc8

        SHA512

        75ea823f45820f7bc118f8f982faee3b4ede68ab42958723647c356b9f667026d37c75702f4360bc38e19b44efbf4d9bf574e8b65f6a8ef37139216041ab234b

      • C:\Users\Admin\AppData\Roaming\chungec84736.exe
        Filesize

        845KB

        MD5

        a978a64c13cfda974d57a2f8f551ce1d

        SHA1

        f2dfb8462deba835a5128642330d51a4f2c94d90

        SHA256

        f78c1d9582dfebb90c4fc5455d3d12817506ab177c5716bf6d69aadb0ad5f3fa

        SHA512

        42d21b4bcfe604a5d103390457565857042022345caef15d5ea69741ee4eddc546493c7957986f1ef2b3830eed6bf74cd3f4319c582182f9ea5db3389ad64a24


      • C:\Windows\Microsoft Text\Windows input text.exe
        Filesize

        845KB

        MD5

        a978a64c13cfda974d57a2f8f551ce1d

        SHA1

        f2dfb8462deba835a5128642330d51a4f2c94d90

        SHA256

        f78c1d9582dfebb90c4fc5455d3d12817506ab177c5716bf6d69aadb0ad5f3fa

        SHA512

        42d21b4bcfe604a5d103390457565857042022345caef15d5ea69741ee4eddc546493c7957986f1ef2b3830eed6bf74cd3f4319c582182f9ea5db3389ad64a24

      • \Users\Admin\AppData\Roaming\chungec84736.exe
        Filesize

        845KB

        MD5

        a978a64c13cfda974d57a2f8f551ce1d

        SHA1

        f2dfb8462deba835a5128642330d51a4f2c94d90

        SHA256

        f78c1d9582dfebb90c4fc5455d3d12817506ab177c5716bf6d69aadb0ad5f3fa

        SHA512

        42d21b4bcfe604a5d103390457565857042022345caef15d5ea69741ee4eddc546493c7957986f1ef2b3830eed6bf74cd3f4319c582182f9ea5db3389ad64a24

      • \Windows\Microsoft Text\Windows input text.exe
        Filesize

        845KB

        MD5

        a978a64c13cfda974d57a2f8f551ce1d

        SHA1

        f2dfb8462deba835a5128642330d51a4f2c94d90

        SHA256

        f78c1d9582dfebb90c4fc5455d3d12817506ab177c5716bf6d69aadb0ad5f3fa

        SHA512

        42d21b4bcfe604a5d103390457565857042022345caef15d5ea69741ee4eddc546493c7957986f1ef2b3830eed6bf74cd3f4319c582182f9ea5db3389ad64a24

      • memory/468-88-0x0000000000000000-mapping.dmp
      • memory/816-98-0x0000000000D00000-0x0000000000DDA000-memory.dmp
        Filesize

        872KB

      • memory/816-100-0x00000000004F0000-0x0000000000506000-memory.dmp
        Filesize

        88KB

      • memory/816-96-0x0000000000000000-mapping.dmp
      • memory/840-85-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

      • memory/840-91-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

      • memory/840-73-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

      • memory/840-74-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

      • memory/840-81-0x000000000040FD88-mapping.dmp
      • memory/840-80-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

      • memory/840-79-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

      • memory/840-78-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

      • memory/840-76-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

      • memory/1084-114-0x0000000000000000-mapping.dmp
      • memory/1116-93-0x0000000000000000-mapping.dmp
      • memory/1388-68-0x000007FEFB931000-0x000007FEFB933000-memory.dmp
        Filesize

        8KB

      • memory/1388-67-0x0000000000000000-mapping.dmp
      • memory/1644-87-0x0000000000000000-mapping.dmp
      • memory/1712-66-0x00000000001F0000-0x0000000000206000-memory.dmp
        Filesize

        88KB

      • memory/1712-70-0x00000000050A0000-0x0000000005118000-memory.dmp
        Filesize

        480KB

      • memory/1712-71-0x0000000000640000-0x0000000000680000-memory.dmp
        Filesize

        256KB

      • memory/1712-61-0x0000000000000000-mapping.dmp
      • memory/1712-69-0x00000000003C0000-0x00000000003CE000-memory.dmp
        Filesize

        56KB

      • memory/1712-64-0x0000000000EF0000-0x0000000000FCA000-memory.dmp
        Filesize

        872KB

      • memory/1736-115-0x0000000000000000-mapping.dmp
      • memory/1756-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

      • memory/1756-54-0x0000000072281000-0x0000000072284000-memory.dmp
        Filesize

        12KB

      • memory/1756-58-0x0000000070CED000-0x0000000070CF8000-memory.dmp
        Filesize

        44KB

      • memory/1756-57-0x0000000075141000-0x0000000075143000-memory.dmp
        Filesize

        8KB

      • memory/1756-89-0x0000000070CED000-0x0000000070CF8000-memory.dmp
        Filesize

        44KB

      • memory/1756-55-0x000000006FD01000-0x000000006FD03000-memory.dmp
        Filesize

        8KB

      • memory/1756-86-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

      • memory/1760-109-0x000000000040FD88-mapping.dmp
      • memory/1760-113-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

      • memory/1760-116-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

      • memory/1892-90-0x0000000000000000-mapping.dmp