Overview

overview

10

Static

static

1

Product Catalogue.exe

windows7-x64

10

Product Catalogue.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    21-03-2023 14:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Product Catalogue.exe

  • Size

    783KB

  • MD5

    6b04befe5957d4a3513447ae0eadbcd3

  • SHA1

    cdb2fa02b24118d0c501a4bf6479a57e9b941c3c

  • SHA256

    4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921

  • SHA512

    8754b20c2a1a762b3a945fd4c6035380ac38bb03ea5541a0dcdc2d011746ec5d37323693b0df2649aa5df91315f7f8764b0215155205c666876200c58df50b1c

  • SSDEEP

    24576:4PSxu2EYvZOwbfeT/FmkSYTU5Nb+Ca75Et:h4Yx1rW/F8D6Ca75I

Score
10/10
remcosremotehostevasionpersistencerattrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

51.75.209.245:2406

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-52YOYG

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Product Catalogue.exe
    "C:\Users\Admin\AppData\Local\Temp\Product Catalogue.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:668
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:340
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp39F5.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1500
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • UAC bypass
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VMWare Tools registry key
        • Sets service image path in registry
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1356
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1636
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
          4⤵
            PID:1156
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
            4⤵
              PID:1368
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
              4⤵
                PID:1392
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
                4⤵
                  PID:964
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
                  4⤵
                    PID:1872
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
                    4⤵
                      PID:1932
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
                      4⤵
                        PID:1896
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
                        4⤵
                          PID:1940
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
                          4⤵
                            PID:1908
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
                            4⤵
                              PID:848
                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
                              4⤵
                                PID:1948
                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
                                4⤵
                                • Suspicious use of SetWindowsHookEx
                                PID:456

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\ProgramData\remcos\logs.dat
                          Filesize

                          144B

                          MD5

                          279b61d6e7ab94f227a5455012832eb3

                          SHA1

                          7ceb9f653458f53deed019a29884a13efcb993e3

                          SHA256

                          9f1f48a66162eec38a328cdd16b43d3d432ceda8315886b088bfc9c5def4c049

                          SHA512

                          22745e799ae1136b368df5095e23e267a9638797cd33a88846330ada4a4061d6bfb8ff9adf9ac6054bae86a92e747bfedc1db4127d97ea4e88a78d9d88ae65da

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\tmp39F5.tmp.bat
                          Filesize

                          151B

                          MD5

                          1f96cadc1bf6584fbfe24e551a91d664

                          SHA1

                          19a9fa5c160fe9f8d4b01179aaba66f47073cb94

                          SHA256

                          afb764f9037af3a330bb628dc5416d1f30d5097584d9eb4c16b09be04c48a5c0

                          SHA512

                          f622cc3619a3017522ec6b8d5020b60b6d869743f1c015cebab05a408c0677779eebdfda6ee1e017c606aba6096ce46136c1fb406545424f2b5b0a4c8262f263

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\tmp39F5.tmp.bat
                          Filesize

                          151B

                          MD5

                          1f96cadc1bf6584fbfe24e551a91d664

                          SHA1

                          19a9fa5c160fe9f8d4b01179aaba66f47073cb94

                          SHA256

                          afb764f9037af3a330bb628dc5416d1f30d5097584d9eb4c16b09be04c48a5c0

                          SHA512

                          f622cc3619a3017522ec6b8d5020b60b6d869743f1c015cebab05a408c0677779eebdfda6ee1e017c606aba6096ce46136c1fb406545424f2b5b0a4c8262f263

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\svchost.exe
                          Filesize

                          783KB

                          MD5

                          6b04befe5957d4a3513447ae0eadbcd3

                          SHA1

                          cdb2fa02b24118d0c501a4bf6479a57e9b941c3c

                          SHA256

                          4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921

                          SHA512

                          8754b20c2a1a762b3a945fd4c6035380ac38bb03ea5541a0dcdc2d011746ec5d37323693b0df2649aa5df91315f7f8764b0215155205c666876200c58df50b1c

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\svchost.exe
                          Filesize

                          783KB

                          MD5

                          6b04befe5957d4a3513447ae0eadbcd3

                          SHA1

                          cdb2fa02b24118d0c501a4bf6479a57e9b941c3c

                          SHA256

                          4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921

                          SHA512

                          8754b20c2a1a762b3a945fd4c6035380ac38bb03ea5541a0dcdc2d011746ec5d37323693b0df2649aa5df91315f7f8764b0215155205c666876200c58df50b1c

                          Download Submit

                        • \Users\Admin\AppData\Roaming\svchost.exe
                          Filesize

                          783KB

                          MD5

                          6b04befe5957d4a3513447ae0eadbcd3

                          SHA1

                          cdb2fa02b24118d0c501a4bf6479a57e9b941c3c

                          SHA256

                          4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921

                          SHA512

                          8754b20c2a1a762b3a945fd4c6035380ac38bb03ea5541a0dcdc2d011746ec5d37323693b0df2649aa5df91315f7f8764b0215155205c666876200c58df50b1c

                          Download Submit

                        • \Users\Admin\AppData\Roaming\svchost.exe
                          Filesize

                          783KB

                          MD5

                          6b04befe5957d4a3513447ae0eadbcd3

                          SHA1

                          cdb2fa02b24118d0c501a4bf6479a57e9b941c3c

                          SHA256

                          4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921

                          SHA512

                          8754b20c2a1a762b3a945fd4c6035380ac38bb03ea5541a0dcdc2d011746ec5d37323693b0df2649aa5df91315f7f8764b0215155205c666876200c58df50b1c

                          Download Submit

                        • memory/456-107-0x0000000000400000-0x000000000047F000-memory.dmp

                          Filesize

                          508KB

                          Download

                        • memory/456-100-0x0000000000400000-0x000000000047F000-memory.dmp

                          Filesize

                          508KB

                          Download

                        • memory/456-113-0x0000000000400000-0x000000000047F000-memory.dmp

                          Filesize

                          508KB

                          Download

                        • memory/456-101-0x0000000000400000-0x000000000047F000-memory.dmp

                          Filesize

                          508KB

                          Download

                        • memory/456-114-0x0000000000400000-0x000000000047F000-memory.dmp

                          Filesize

                          508KB

                          Download

                        • memory/456-120-0x0000000000400000-0x000000000047F000-memory.dmp

                          Filesize

                          508KB

                          Download

                        • memory/456-79-0x0000000000400000-0x000000000047F000-memory.dmp

                          Filesize

                          508KB

                          Download

                        • memory/456-81-0x0000000000400000-0x000000000047F000-memory.dmp

                          Filesize

                          508KB

                          Download

                        • memory/456-106-0x0000000000400000-0x000000000047F000-memory.dmp

                          Filesize

                          508KB

                          Download

                        • memory/456-119-0x0000000000400000-0x000000000047F000-memory.dmp

                          Filesize

                          508KB

                          Download

                        • memory/456-86-0x0000000000400000-0x000000000047F000-memory.dmp

                          Filesize

                          508KB

                          Download

                        • memory/456-82-0x0000000000400000-0x000000000047F000-memory.dmp

                          Filesize

                          508KB

                          Download

                        • memory/456-87-0x0000000000400000-0x000000000047F000-memory.dmp

                          Filesize

                          508KB

                          Download

                        • memory/456-88-0x0000000000400000-0x000000000047F000-memory.dmp

                          Filesize

                          508KB

                          Download

                        • memory/456-91-0x0000000000400000-0x000000000047F000-memory.dmp

                          Filesize

                          508KB

                          Download

                        • memory/456-94-0x0000000000400000-0x000000000047F000-memory.dmp

                          Filesize

                          508KB

                          Download

                        • memory/456-95-0x0000000000400000-0x000000000047F000-memory.dmp

                          Filesize

                          508KB

                          Download

                        • memory/1356-70-0x0000000000F10000-0x0000000000FD6000-memory.dmp

                          Filesize

                          792KB

                          Download

                        • memory/1356-71-0x000000001B360000-0x000000001B3E0000-memory.dmp

                          Filesize

                          512KB

                          Download

                        • memory/1636-78-0x00000000024E0000-0x00000000024E8000-memory.dmp

                          Filesize

                          32KB

                          Download

                        • memory/1636-85-0x000000000223B000-0x0000000002272000-memory.dmp

                          Filesize

                          220KB

                          Download

                        • memory/1636-84-0x0000000002234000-0x0000000002237000-memory.dmp

                          Filesize

                          12KB

                          Download

                        • memory/1636-77-0x000000001B200000-0x000000001B4E2000-memory.dmp

                          Filesize

                          2.9MB

                          Download

                        • memory/2000-55-0x0000000000CF0000-0x0000000000DAC000-memory.dmp

                          Filesize

                          752KB

                          Download

                        • memory/2000-54-0x0000000000DE0000-0x0000000000EA6000-memory.dmp

                          Filesize

                          792KB

                          Download

                        • memory/2000-56-0x000000001B3F0000-0x000000001B470000-memory.dmp

                          Filesize

                          512KB

                          Download