Overview

overview

10

Static

static

b57f46aae5...PDF.js

windows7-x64

10

b57f46aae5...PDF.js

windows10-2004-x64

10

Analysis

  • max time kernel
    166s
  • max time network
    190s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2022 08:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b57f46aae59e5b141af36a0e5598cb7b.PDF.js

  • Size

    856KB

  • MD5

    b57f46aae59e5b141af36a0e5598cb7b

  • SHA1

    d7c37a169fd2399d44b6330d8c459f5edd0151dd

  • SHA256

    15c52aa78fef0b66472f35c92e2778fcc726762e4f648ea8b027074f4d13fe46

  • SHA512

    040321fa3f3db208587af428bcc2643e36b941eaaea788c86c1e380168b35790c735cc09bbe29305feb1612bd9673e239007a728a7aa388427a7fa34235eb6f1

  • SSDEEP

    12288:5F+J0rvOJnnLrRoIalxPZu2o0iZTbSX7/QCFxweyve:+JGrhu5qVGve

Score
10/10
remcosvjw0rmremotehostcollectionevasionpersistenceratspywarestealertrojanworm

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

84.21.172.33:5763

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    uac.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-AG7QM3

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • NirSoft MailPassView 4 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 10 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 8 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
    collection
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\b57f46aae59e5b141af36a0e5598cb7b.PDF.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DkBSYEKIrV.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:320
    • C:\Users\Admin\AppData\Roaming\remcos_a.exe
      "C:\Users\Admin\AppData\Roaming\remcos_a.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:368
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:280
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • Modifies registry key
          PID:1632
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vzsvavczmffzzguhtxxttgxqmrvzs.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\uac.exe"
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1768
          • C:\ProgramData\Remcos\uac.exe
            C:\ProgramData\Remcos\uac.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:928
            • C:\Windows\SysWOW64\cmd.exe
              /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1648
              • C:\Windows\SysWOW64\reg.exe
                C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                7⤵
                • UAC bypass
                • Modifies registry key
                PID:1980
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
                PID:868
              • C:\ProgramData\Remcos\uac.exe
                C:\ProgramData\Remcos\uac.exe /stext "C:\Users\Admin\AppData\Local\Temp\dmnkzegxrabkcsrpv"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:272
              • C:\ProgramData\Remcos\uac.exe
                C:\ProgramData\Remcos\uac.exe /stext "C:\Users\Admin\AppData\Local\Temp\qjynbpbktqlcpftfwoyzylqp"
                6⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:1760
              • C:\ProgramData\Remcos\uac.exe
                C:\ProgramData\Remcos\uac.exe /stext "C:\Users\Admin\AppData\Local\Temp\ohtdaxrrfitxezfbedlyv"
                6⤵
                • Executes dropped EXE
                • Accesses Microsoft Outlook accounts
                PID:1080
              • C:\ProgramData\Remcos\uac.exe
                C:\ProgramData\Remcos\uac.exe /stext "C:\Users\Admin\AppData\Local\Temp\ffqecniiurupnhcrqeselnfpjfmmkcwr"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:1512
              • C:\ProgramData\Remcos\uac.exe
                C:\ProgramData\Remcos\uac.exe /stext "C:\Users\Admin\AppData\Local\Temp\phvp"
                6⤵
                • Executes dropped EXE
                • Accesses Microsoft Outlook accounts
                PID:628
              • C:\ProgramData\Remcos\uac.exe
                C:\ProgramData\Remcos\uac.exe /stext "C:\Users\Admin\AppData\Local\Temp\abaivxed"
                6⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:1796

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Bypass User Account Control

    1
    T1088

    Defense Evasion

    Bypass User Account Control

    1
    T1088

    Disabling Security Tools

    1
    T1089

    Modify Registry

    3
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Remcos\uac.exe
      Filesize

      470KB

      MD5

      d7eda792cc905481af5f73aa23dcfbcb

      SHA1

      24bacf412ca6befbaf27703019ab3aafa0e52596

      SHA256

      da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108

      SHA512

      0891b69a550e5a8daf48be8c2eb2e47eac092e564d696d8fb83103ee2c4efa358c9069ac22635d971f4e23fa3f3dab33ff261fd14bfe9ed9ad83f4c2588f56da

      Download Submit
    • C:\ProgramData\Remcos\uac.exe
      Filesize

      470KB

      MD5

      d7eda792cc905481af5f73aa23dcfbcb

      SHA1

      24bacf412ca6befbaf27703019ab3aafa0e52596

      SHA256

      da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108

      SHA512

      0891b69a550e5a8daf48be8c2eb2e47eac092e564d696d8fb83103ee2c4efa358c9069ac22635d971f4e23fa3f3dab33ff261fd14bfe9ed9ad83f4c2588f56da

      Download Submit
    • C:\ProgramData\Remcos\uac.exe
      Filesize

      470KB

      MD5

      d7eda792cc905481af5f73aa23dcfbcb

      SHA1

      24bacf412ca6befbaf27703019ab3aafa0e52596

      SHA256

      da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108

      SHA512

      0891b69a550e5a8daf48be8c2eb2e47eac092e564d696d8fb83103ee2c4efa358c9069ac22635d971f4e23fa3f3dab33ff261fd14bfe9ed9ad83f4c2588f56da

      Download Submit
    • C:\ProgramData\Remcos\uac.exe
      Filesize

      470KB

      MD5

      d7eda792cc905481af5f73aa23dcfbcb

      SHA1

      24bacf412ca6befbaf27703019ab3aafa0e52596

      SHA256

      da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108

      SHA512

      0891b69a550e5a8daf48be8c2eb2e47eac092e564d696d8fb83103ee2c4efa358c9069ac22635d971f4e23fa3f3dab33ff261fd14bfe9ed9ad83f4c2588f56da

      Download Submit
    • C:\ProgramData\Remcos\uac.exe
      Filesize

      470KB

      MD5

      d7eda792cc905481af5f73aa23dcfbcb

      SHA1

      24bacf412ca6befbaf27703019ab3aafa0e52596

      SHA256

      da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108

      SHA512

      0891b69a550e5a8daf48be8c2eb2e47eac092e564d696d8fb83103ee2c4efa358c9069ac22635d971f4e23fa3f3dab33ff261fd14bfe9ed9ad83f4c2588f56da

      Download Submit
    • C:\ProgramData\Remcos\uac.exe
      Filesize

      470KB

      MD5

      d7eda792cc905481af5f73aa23dcfbcb

      SHA1

      24bacf412ca6befbaf27703019ab3aafa0e52596

      SHA256

      da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108

      SHA512

      0891b69a550e5a8daf48be8c2eb2e47eac092e564d696d8fb83103ee2c4efa358c9069ac22635d971f4e23fa3f3dab33ff261fd14bfe9ed9ad83f4c2588f56da

      Download Submit
    • C:\ProgramData\Remcos\uac.exe
      Filesize

      470KB

      MD5

      d7eda792cc905481af5f73aa23dcfbcb

      SHA1

      24bacf412ca6befbaf27703019ab3aafa0e52596

      SHA256

      da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108

      SHA512

      0891b69a550e5a8daf48be8c2eb2e47eac092e564d696d8fb83103ee2c4efa358c9069ac22635d971f4e23fa3f3dab33ff261fd14bfe9ed9ad83f4c2588f56da

      Download Submit
    • C:\ProgramData\Remcos\uac.exe
      Filesize

      470KB

      MD5

      d7eda792cc905481af5f73aa23dcfbcb

      SHA1

      24bacf412ca6befbaf27703019ab3aafa0e52596

      SHA256

      da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108

      SHA512

      0891b69a550e5a8daf48be8c2eb2e47eac092e564d696d8fb83103ee2c4efa358c9069ac22635d971f4e23fa3f3dab33ff261fd14bfe9ed9ad83f4c2588f56da

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ffqecniiurupnhcrqeselnfpjfmmkcwr
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\vzsvavczmffzzguhtxxttgxqmrvzs.vbs
      Filesize

      380B

      MD5

      7b8772bb10bd0b5381f26c961f6d2768

      SHA1

      ad8bdcb8251394e87f5599abdb0bc2334f65eb12

      SHA256

      0bb9b2e1d903edf86f15874531f3ceea186e953ab8f8489ecd601fd7eac5b457

      SHA512

      bff73e04eb175c741a733c48a3bb38821d26d470e9b25ee0c18b1b7d0ccf850d57a9cee94843016c78e17f6859ca86dd6b4ea59296ed7b0022d7cf915a743a75

      Download Submit
    • C:\Users\Admin\AppData\Roaming\DkBSYEKIrV.js
      Filesize

      7KB

      MD5

      de6279ecda86cb1c9dea290f11778fed

      SHA1

      510eeb73129bf63873ed19fd07955e2e8cb3e83d

      SHA256

      a99dbe1f52517b26087512d54d1f849c0216f14ab9f3c618c437546118dd1373

      SHA512

      f3434f9b38f0d2b9a52aa160698aec75d03f3bd92263a06636098561e0b5f310191bca760338a0640a280893488f781cb2df80f52b9a6f3a631dd2c4fcecff73

      Download Submit
    • C:\Users\Admin\AppData\Roaming\remcos_a.exe
      Filesize

      470KB

      MD5

      d7eda792cc905481af5f73aa23dcfbcb

      SHA1

      24bacf412ca6befbaf27703019ab3aafa0e52596

      SHA256

      da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108

      SHA512

      0891b69a550e5a8daf48be8c2eb2e47eac092e564d696d8fb83103ee2c4efa358c9069ac22635d971f4e23fa3f3dab33ff261fd14bfe9ed9ad83f4c2588f56da

      Download Submit
    • C:\Users\Admin\AppData\Roaming\remcos_a.exe
      Filesize

      470KB

      MD5

      d7eda792cc905481af5f73aa23dcfbcb

      SHA1

      24bacf412ca6befbaf27703019ab3aafa0e52596

      SHA256

      da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108

      SHA512

      0891b69a550e5a8daf48be8c2eb2e47eac092e564d696d8fb83103ee2c4efa358c9069ac22635d971f4e23fa3f3dab33ff261fd14bfe9ed9ad83f4c2588f56da

      Download Submit
    • \ProgramData\Remcos\uac.exe
      Filesize

      470KB

      MD5

      d7eda792cc905481af5f73aa23dcfbcb

      SHA1

      24bacf412ca6befbaf27703019ab3aafa0e52596

      SHA256

      da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108

      SHA512

      0891b69a550e5a8daf48be8c2eb2e47eac092e564d696d8fb83103ee2c4efa358c9069ac22635d971f4e23fa3f3dab33ff261fd14bfe9ed9ad83f4c2588f56da

      Download Submit
    • \ProgramData\Remcos\uac.exe
      Filesize

      470KB

      MD5

      d7eda792cc905481af5f73aa23dcfbcb

      SHA1

      24bacf412ca6befbaf27703019ab3aafa0e52596

      SHA256

      da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108

      SHA512

      0891b69a550e5a8daf48be8c2eb2e47eac092e564d696d8fb83103ee2c4efa358c9069ac22635d971f4e23fa3f3dab33ff261fd14bfe9ed9ad83f4c2588f56da

      Download Submit
    • memory/272-108-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/272-91-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/272-83-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/272-77-0x0000000000476274-mapping.dmp
      Download
    • memory/280-61-0x0000000000000000-mapping.dmp
      Download
    • memory/320-55-0x0000000000000000-mapping.dmp
      Download
    • memory/368-59-0x0000000075DA1000-0x0000000075DA3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/368-57-0x0000000000000000-mapping.dmp
      Download
    • memory/628-103-0x0000000000400000-0x0000000000457000-memory.dmp
      Filesize

      348KB

      Download
    • memory/628-106-0x0000000000400000-0x0000000000457000-memory.dmp
      Filesize

      348KB

      Download
    • memory/628-96-0x0000000000455238-mapping.dmp
      Download
    • memory/868-76-0x00000000000B292E-mapping.dmp
      Download
    • memory/868-92-0x0000000000080000-0x00000000000FF000-memory.dmp
      Filesize

      508KB

      Download
    • memory/928-71-0x0000000000000000-mapping.dmp
      Download
    • memory/1080-79-0x0000000000455238-mapping.dmp
      Download
    • memory/1080-84-0x0000000000400000-0x0000000000457000-memory.dmp
      Filesize

      348KB

      Download
    • memory/1080-107-0x0000000000400000-0x0000000000457000-memory.dmp
      Filesize

      348KB

      Download
    • memory/1080-93-0x0000000000400000-0x0000000000457000-memory.dmp
      Filesize

      348KB

      Download
    • memory/1512-94-0x0000000000476274-mapping.dmp
      Download
    • memory/1512-109-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/1512-105-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/1628-64-0x0000000000000000-mapping.dmp
      Download
    • memory/1632-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1648-74-0x0000000000000000-mapping.dmp
      Download
    • memory/1760-90-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/1760-85-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/1760-81-0x0000000000422206-mapping.dmp
      Download
    • memory/1768-67-0x0000000000000000-mapping.dmp
      Download
    • memory/1796-98-0x0000000000422206-mapping.dmp
      Download
    • memory/1796-102-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/1956-54-0x000007FEFC631000-0x000007FEFC633000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1980-75-0x0000000000000000-mapping.dmp
      Download