Analysis
-
max time kernel
149s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
20-03-2023 08:24
General
-
Target
Product Catalogue.exe
-
Size
783KB
-
MD5
6b04befe5957d4a3513447ae0eadbcd3
-
SHA1
cdb2fa02b24118d0c501a4bf6479a57e9b941c3c
-
SHA256
4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921
-
SHA512
8754b20c2a1a762b3a945fd4c6035380ac38bb03ea5541a0dcdc2d011746ec5d37323693b0df2649aa5df91315f7f8764b0215155205c666876200c58df50b1c
-
SSDEEP
24576:4PSxu2EYvZOwbfeT/FmkSYTU5Nb+Ca75Et:h4Yx1rW/F8D6Ca75I
Malware Config
Extracted
remcos
RemoteHost
51.75.209.245:2406
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-52YOYG
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Product Catalogue.exe"C:\Users\Admin\AppData\Local\Temp\Product Catalogue.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7227.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Sets service image path in registry
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"4⤵
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD52fdd2ec581447f7a32c089da6e7d079e
SHA124ae4df5afd345f8f3193bb4b301caf4590c53aa
SHA2560f68d4444b13a112000a81216d1fdb9b4a6f8ddbadd9ed7e594a2a6c3de1f4ff
SHA512bb1c267e654be78db34d5580e41ad5978b46dc1e13372d0f1eee904ccbb249f17f0a1ee0a9e9b7b9205aac3e2b13df24d914b9525139b3ab4f344ab68163ef7f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
151B
MD5f0e056f572c2ba1de5e6f555173820f8
SHA112c392e93706e2ef1f5130e96d81ed1997ec1393
SHA2564709f04c5252cb829f8c55db1d3dcd9d02da20f0c3b42af476d79651da87bccf
SHA512d64c0b4e3f98bf13e200eb2168a363328c8283e15d6dc79dc0dc21d82883361097fe4fe1049df8c92608c59098926c8cad720420479135d6f1eaf18aac31383c
-
Filesize
783KB
MD56b04befe5957d4a3513447ae0eadbcd3
SHA1cdb2fa02b24118d0c501a4bf6479a57e9b941c3c
SHA2564b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921
SHA5128754b20c2a1a762b3a945fd4c6035380ac38bb03ea5541a0dcdc2d011746ec5d37323693b0df2649aa5df91315f7f8764b0215155205c666876200c58df50b1c
-
Filesize
783KB
MD56b04befe5957d4a3513447ae0eadbcd3
SHA1cdb2fa02b24118d0c501a4bf6479a57e9b941c3c
SHA2564b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921
SHA5128754b20c2a1a762b3a945fd4c6035380ac38bb03ea5541a0dcdc2d011746ec5d37323693b0df2649aa5df91315f7f8764b0215155205c666876200c58df50b1c
-
Filesize
792KB
-
Filesize
64KB
-
Filesize
1.3MB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB