Overview

overview

10

Static

static

10

1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    33s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-02-2023 15:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1.exe

  • Size

    36KB

  • MD5

    955254331ec1b57550742ed9b353b00f

  • SHA1

    3a00c062489de5371742bc5eca43ae8ec32affac

  • SHA256

    e088712c8943c56456635938bc9668f0ca0724086525de9dc736ae5e77ee17a0

  • SHA512

    5e1aa13cf78fe3d6bfbc15eb2155dad30f0a6e6ea533df7f34ab06eb85ab87fa225c313753fc1886770c9990f2e87400fbfa7bea9a557f9f2acec8d3481b4d70

  • SSDEEP

    768:P5PHyCjmhFdWfLubuZ1kvIaEekM2C8cZNr1:P5PHfjGPAKbLVUer

Score
10/10
remcos1877evasionpersistenceratupx

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

1877

C2

hawler.duckdns.org:2404

5.206.227.115:2404
Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    svshost.exe

  • copy_folder

    1877

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %WinDir%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    1877

  • keylog_path

    %AppData%

  • mouse_option

    true

  • mutex

    1877_spelzoyulk

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    Google Update

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Adds policy Run key to start application
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1088
      • C:\Windows\SysWOW64\PING.EXE
        PING 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:4708
      • C:\Windows\1877\svshost.exe
        "C:\Windows\1877\svshost.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies WinLogon
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1444
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
            PID:2988
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 236
              5⤵
              • Program crash
              PID:2884
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2988 -ip 2988
      1⤵
        PID:3276

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Winlogon Helper DLL

      2
      T1004

      Registry Run Keys / Startup Folder

      2
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      4
      T1112

      Virtualization/Sandbox Evasion

      1
      T1497

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      Virtualization/Sandbox Evasion

      1
      T1497

      System Information Discovery

      2
      T1082

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\install.bat
        Filesize

        78B

        MD5

        f35509e5938343750502f45e998f8d0c

        SHA1

        74efa4a149f83d677bdf347149d33e0c25cb5af0

        SHA256

        969621479c4bc68f58f32db1d20a5f389200fee6cdf30e73fe70072184f58afb

        SHA512

        abb32f92b0dc6d76a5dd83a4d9268e321092626a5b810cbb9c96347e1b40d98ccada231b8d6ad5d5252a2e24082c88f184b201c399106248ea3de564b3483091

        Download Submit
      • C:\Windows\1877\svshost.exe
        Filesize

        36KB

        MD5

        955254331ec1b57550742ed9b353b00f

        SHA1

        3a00c062489de5371742bc5eca43ae8ec32affac

        SHA256

        e088712c8943c56456635938bc9668f0ca0724086525de9dc736ae5e77ee17a0

        SHA512

        5e1aa13cf78fe3d6bfbc15eb2155dad30f0a6e6ea533df7f34ab06eb85ab87fa225c313753fc1886770c9990f2e87400fbfa7bea9a557f9f2acec8d3481b4d70

        Download Submit
      • C:\Windows\1877\svshost.exe
        Filesize

        36KB

        MD5

        955254331ec1b57550742ed9b353b00f

        SHA1

        3a00c062489de5371742bc5eca43ae8ec32affac

        SHA256

        e088712c8943c56456635938bc9668f0ca0724086525de9dc736ae5e77ee17a0

        SHA512

        5e1aa13cf78fe3d6bfbc15eb2155dad30f0a6e6ea533df7f34ab06eb85ab87fa225c313753fc1886770c9990f2e87400fbfa7bea9a557f9f2acec8d3481b4d70

        Download Submit
      • memory/1088-133-0x0000000000000000-mapping.dmp
        Download
      • memory/1444-137-0x0000000000000000-mapping.dmp
        Download
      • memory/1444-140-0x0000000000400000-0x000000000041D000-memory.dmp
        Filesize

        116KB

        Download
      • memory/4708-136-0x0000000000000000-mapping.dmp
        Download
      • memory/5056-132-0x0000000000400000-0x000000000041D000-memory.dmp
        Filesize

        116KB

        Download
      • memory/5056-134-0x0000000000400000-0x000000000041D000-memory.dmp
        Filesize

        116KB

        Download