Analysis
-
max time kernel
303s -
max time network
298s -
platform
windows7_x64 -
resource
win7-20230220-es -
resource tags
-
submitted
23-03-2023 21:39
General
-
Target
PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe
-
Size
1023.9MB
-
MD5
9d702008371d20fdd562bcda16e5980c
-
SHA1
2cdd65d525020bb353d7e53d8a1ee61263985849
-
SHA256
c53c37ade6c06b4813220a9e776b0b45e45e6eeffd2a09f6b633eef45868abdd
-
SHA512
ebdcc4d65fd92b5ff773f77ca689b8aa4e0d0366211b432a85ca0db652000ba9d4a215b99173ab884f8a8b35c1ac5182c48ef2a91ab908915b3ad06a5c0abf90
-
SSDEEP
12288:Of0zcQzKT8oQo2p2vS0gALQN58cPD8f6r0OU2yJI0FSJr1rziqLcyFxfp:OqKQN/p2vSNycPgs0OU2yJpFSTWexh
Malware Config
Extracted
remcos
RemoteHost
marlonloperalora09.con-ip.com:1995
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-L3LNUT
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Executes dropped EXE 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 21 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe"C:\Users\Admin\AppData\Local\Temp\PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Local\Temp\PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe'"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskeng.exetaskeng.exe {8A25030E-3C33-431C-9213-64385410D113} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\AppData.exeC:\Users\Admin\AppData\Roaming\AppData.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\AppData.exe'"3⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\AppData.exeC:\Users\Admin\AppData\Roaming\AppData.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\AppData.exe'"3⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"3⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\msconfig.exe"C:\Windows\system32\msconfig.exe"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4981⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7199758,0x7fef7199768,0x7fef71997782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1196 --field-trial-handle=1060,i,15943976386340873268,4058325254511932569,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1060,i,15943976386340873268,4058325254511932569,131072 /prefetch:82⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\remcos\logs.datFilesize
308B
MD5f2d4d50a71992ea70d8d0c74073fc0c4
SHA192d1b6089a3893678c12b42692b70c61eb44d64e
SHA2562c24367fa4478fbe6b84156d74fc4a85bb768d3598d78a3c0b2c81a7012b05b3
SHA51220ed632e4d556853adefc3bfc8074238d29ab0bd92dea6395e6426758d9dec63a9b6131615b70386f84b0d711546a3bf9e31c21b65f594d584aad515d471b451
-
C:\ProgramData\remcos\logs.datFilesize
600B
MD50200808e3c7fc75b44aa62b93de31b14
SHA16ecb1e2ebedefd19765ef1dbbc1813c9434f4d31
SHA2562a6fb06398ace02fe973715fa43018a479e8497bd7587d992970e8b64311478a
SHA512a73744b99a8c104ba9c442cdd98940d31531cd117bb001dc2062e3fb2d9b15f5d4de2c4890051d6e2dc0451d3d2f64c546574f7b965ff39726b46d458be14b27
-
C:\ProgramData\remcos\logs.datFilesize
662B
MD5b5a69d6ace9fd84759681aed78d1d016
SHA1da9d81ab2727ec7cced7cadbd506f50a45d63e5b
SHA256844318c9908b9417c4cbe19c4576eac0818f7644d9ec85b489f3e8d0017c7545
SHA5126afb92f352532b42c7c47de6c92fa8942b7e54b1da47dbc8eb48cd230c66685c11fc42c758cc0f590a72a9a23d5c66b8c4ecece432822997ee202036552c29b9
-
C:\ProgramData\remcos\logs.datFilesize
1KB
MD5c2cef5692bf163efcdc272cd7ae0b6cc
SHA1d06007d0c73be914d7e80938e9b61c0535ee2d86
SHA2564f4d06b964223bbccff924e7b1bea9e3d78270c5030923ad70be4657245c48d3
SHA5123dfaa23ab683977ac2ab332bcfcec9abbf72a6d4ce816d2a897f82b200332811ba5415a6e87d26de55bf2f6edd2a27459cbfde30e9c130e5564239dcc9a962c8
-
C:\Users\Admin\AppData\Roaming\AppData.exeFilesize
1023.9MB
MD59d702008371d20fdd562bcda16e5980c
SHA12cdd65d525020bb353d7e53d8a1ee61263985849
SHA256c53c37ade6c06b4813220a9e776b0b45e45e6eeffd2a09f6b633eef45868abdd
SHA512ebdcc4d65fd92b5ff773f77ca689b8aa4e0d0366211b432a85ca0db652000ba9d4a215b99173ab884f8a8b35c1ac5182c48ef2a91ab908915b3ad06a5c0abf90
-
C:\Users\Admin\AppData\Roaming\AppData.exeFilesize
1023.9MB
MD59d702008371d20fdd562bcda16e5980c
SHA12cdd65d525020bb353d7e53d8a1ee61263985849
SHA256c53c37ade6c06b4813220a9e776b0b45e45e6eeffd2a09f6b633eef45868abdd
SHA512ebdcc4d65fd92b5ff773f77ca689b8aa4e0d0366211b432a85ca0db652000ba9d4a215b99173ab884f8a8b35c1ac5182c48ef2a91ab908915b3ad06a5c0abf90
-
C:\Users\Admin\AppData\Roaming\AppData.exeFilesize
1023.9MB
MD59d702008371d20fdd562bcda16e5980c
SHA12cdd65d525020bb353d7e53d8a1ee61263985849
SHA256c53c37ade6c06b4813220a9e776b0b45e45e6eeffd2a09f6b633eef45868abdd
SHA512ebdcc4d65fd92b5ff773f77ca689b8aa4e0d0366211b432a85ca0db652000ba9d4a215b99173ab884f8a8b35c1ac5182c48ef2a91ab908915b3ad06a5c0abf90
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V21RAUN4R66OQ2EEK5UM.tempFilesize
7KB
MD5037f5a50c7613947824e235f34b0bdb0
SHA16f9badeacbe2940027591acd385c88d45e73e812
SHA2564225de732c828f8750af459b8d15deabf1cb7528be3dba429f3ba72f239abe6e
SHA51268a7128278f8b4d73a134bdedaa98444aace1bdeeacc387360205a45ac5ae758be4e6dd71e4bb054f089b092a65f92ec9f9e805dac339451f730544619aa2bc3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5037f5a50c7613947824e235f34b0bdb0
SHA16f9badeacbe2940027591acd385c88d45e73e812
SHA2564225de732c828f8750af459b8d15deabf1cb7528be3dba429f3ba72f239abe6e
SHA51268a7128278f8b4d73a134bdedaa98444aace1bdeeacc387360205a45ac5ae758be4e6dd71e4bb054f089b092a65f92ec9f9e805dac339451f730544619aa2bc3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD51df87cb81d2e4cf848c8a63b3992025a
SHA1916d57256207e47c311f152b6ce355999fb082bd
SHA2561579dc37f28cf910e487231c3cea5d11f0a73e7d3e71fb6286ff71b9af825d9b
SHA5124e12b48ea1d6cd27b21615ad3e25018d605ad1dd884982841cb074b2e04858f6bd2d76c60446e736e21353649e6a2e0f524d449a30f3e641281d3b2ab2c89536
-
memory/552-168-0x0000000002630000-0x0000000002670000-memory.dmpFilesize
256KB
-
memory/552-175-0x0000000002630000-0x0000000002670000-memory.dmpFilesize
256KB
-
memory/552-177-0x0000000002630000-0x0000000002670000-memory.dmpFilesize
256KB
-
memory/596-65-0x0000000004E30000-0x0000000004E70000-memory.dmpFilesize
256KB
-
memory/596-54-0x0000000001230000-0x00000000012C2000-memory.dmpFilesize
584KB
-
memory/940-96-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/940-191-0x0000000002EF0000-0x0000000002EF1000-memory.dmpFilesize
4KB
-
memory/1156-76-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-68-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-206-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-80-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-81-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-82-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-84-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-86-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-87-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-77-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-75-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-207-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-94-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-73-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-72-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-57-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-199-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-198-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-123-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-124-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-58-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-131-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-132-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-78-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-143-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-146-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-186-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-151-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-66-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmpFilesize
4KB
-
memory/1156-152-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-158-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-64-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-61-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-63-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-62-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-174-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-178-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-60-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-59-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1156-185-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/1304-67-0x0000000002720000-0x0000000002760000-memory.dmpFilesize
256KB
-
memory/1304-79-0x0000000002720000-0x0000000002760000-memory.dmpFilesize
256KB
-
memory/1316-122-0x0000000000080000-0x00000000000FF000-memory.dmpFilesize
508KB
-
memory/1316-117-0x0000000000080000-0x00000000000FF000-memory.dmpFilesize
508KB
-
memory/1644-184-0x0000000000DF0000-0x0000000000E30000-memory.dmpFilesize
256KB
-
memory/1644-149-0x0000000000DF0000-0x0000000000E30000-memory.dmpFilesize
256KB
-
memory/1696-103-0x0000000000AC0000-0x0000000000B00000-memory.dmpFilesize
256KB
-
memory/1696-92-0x0000000000FF0000-0x0000000001082000-memory.dmpFilesize
584KB