Overview

overview

10

Static

static

1

DOCX_F0067193508.exe

windows7-x64

10

DOCX_F0067193508.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    23-03-2023 17:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DOCX_F0067193508.exe

  • Size

    1024.0MB

  • MD5

    932f4060cc31b4dbaffa1bb6d3991c20

  • SHA1

    989f4fb91c3a30a0789c0d61c1b8c5dad659747e

  • SHA256

    a40084ddc1d6655c2f78365a9ef6a9b81997cfa98a6f81c8d7dfe9619ef6b853

  • SHA512

    7bb952847d5bacff9275415ba02a6fbeb180d16b2ef23591a60f9fe302f51301d7c967af5eaa5dc9135ceb108cdf25afdf745a3875b5b0655924452d1f753ba5

  • SSDEEP

    6144:AxjCbYJafbpsBSM/HVFku/7AGLr5lw2H3SgoXraFjvVpQ+QW8uR3OoJWwvTTZlIY:+PozpsBzkuHPgDsvELuv7ZlIgCjIDF

Score
10/10
remcosbilleterat

Malware Config

Extracted

Family

remcos

Botnet

BILLETE

C2

cactus.con-ip.com:7770

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-9927QM

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DOCX_F0067193508.exe
    "C:\Users\Admin\AppData\Local\Temp\DOCX_F0067193508.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:1832
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\DOCX_F0067193508.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"
      2⤵
        PID:1976
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Local\Temp\DOCX_F0067193508.exe'"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:672
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1636
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {CE80079C-034D-43A6-8446-55CFBC5045A7} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:704
      • C:\Users\Admin\AppData\Roaming\AppData.exe
        C:\Users\Admin\AppData\Roaming\AppData.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1724
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
            4⤵
            • Creates scheduled task(s)
            PID:1736
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c copy "C:\Users\Admin\AppData\Roaming\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"
          3⤵
            PID:1596
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\AppData.exe'"
            3⤵
            • Drops file in System32 directory
            PID:1428
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
            3⤵
              PID:532
          • C:\Users\Admin\AppData\Roaming\AppData.exe
            C:\Users\Admin\AppData\Roaming\AppData.exe
            2⤵
            • Executes dropped EXE
            PID:1080
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
              3⤵
                PID:1928
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
                  4⤵
                  • Creates scheduled task(s)
                  PID:564
              • C:\Windows\SysWOW64\cmd.exe
                "cmd" /c copy "C:\Users\Admin\AppData\Roaming\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"
                3⤵
                  PID:1208
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\AppData.exe'"
                  3⤵
                    PID:1704
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                    3⤵
                      PID:2008

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Scheduled Task

                1
                T1053

                Persistence

                Scheduled Task

                1
                T1053

                Privilege Escalation

                Scheduled Task

                1
                T1053

                Defense Evasion

                Credential Access

                Discovery

                System Information Discovery

                1
                T1082

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\ProgramData\remcos\logs.dat
                  Filesize

                  224B

                  MD5

                  7f415bfc880e70c58477d07289282b58

                  SHA1

                  35735e74c8caf995fa29d02aca594737cc9b8feb

                  SHA256

                  2f5589693999ecd0500336b431269de928c6e099aa374dd7acea9c3b9bdcd368

                  SHA512

                  5e296bb779ce49424e0bb4da5c824fb6f74422c1dd845232d6cda7b2fd9f2f1ca54671606d61931a4e71a40d8b48757b3c3502e42166e3e6b163f2522bf8223f

                  Download Submit
                • C:\ProgramData\remcos\logs.dat
                  Filesize

                  144B

                  MD5

                  c95555ba8a09ac77f682499395b7cc6e

                  SHA1

                  8858f1043f3f06a3db1f627d84e03d9749e4deea

                  SHA256

                  c79a703c9a3aebc625169050e6101c8930f109cd62e1af24bac0ec6bd5ba230e

                  SHA512

                  33eb821f64e3e4f0b291f5e0dacfdc79720916415fea10ea914a11019e3ac81496b5973e8cf61d14bdcec497918c521aa23f5034b1f3b97793dea31f9bd65d25

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\AppData.exe
                  Filesize

                  635.6MB

                  MD5

                  5982b86460f73d75954d7ac77b77bc01

                  SHA1

                  fde9f2da283606433da3936da19e7b5c9df41a57

                  SHA256

                  59ac10889e2a838d086e74782ddd04fdd40f58dc05069129ba7924d41f244a5d

                  SHA512

                  fbd1dfcbd1d59e990dccae236b75e84ebdffea1118980e93942b9583b333f32569d8eadfa706fe91b72fc3557d2f6e9e9f1c33191176e1c0cf35f619a8564d17

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\AppData.exe
                  Filesize

                  481.6MB

                  MD5

                  2588bb9c08ddca70f7bba6b17ea21beb

                  SHA1

                  2c9a311dc0c27edc621cc9c1edbe248c6b28f688

                  SHA256

                  082339b4c60b00e2b395b150d0f5a9f8c76a8f5438e007800826566cabffe5fa

                  SHA512

                  5cad26e9ba13edb48af52cca724a47f3dfc0268f9d04f4c372bfe73cbac43ce5ef447cdf59b18b10c7b1dfd3a83f9f8a6e2b9d3416edcef1d1c8ab59bc0dfe20

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\AppData.exe
                  Filesize

                  280.1MB

                  MD5

                  5e4badb0b5286d8445cb952dcaff3f9a

                  SHA1

                  241c44e33b68503c290a3dd459cbb9e400c37c91

                  SHA256

                  b773486bc98d8c3a6e4413af8cf26c29ff8bc7934b442018dd3d244ce4ef2474

                  SHA512

                  7ea81406b68dd5cb66b6af90e647a1a5ece57fc7b39f486dc65262f7f84539d979bc3ff0265ecff2fee4db208274a3f6e00c3b1ea162e73f9840b74c8d97ac96

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                  Filesize

                  7KB

                  MD5

                  3dee39426f2f4adfec6546978a70ca7e

                  SHA1

                  e25e55a13a8c5d4d01d0852acc94ac307d5d4c26

                  SHA256

                  58e5ad66bc688de6e03a65f91cb73cb812254cfb9330a0e3e1b43ecd12f749d3

                  SHA512

                  a90c5db98f3d2b04f56a70f3930a7ffbc7e54081d5dcbc0fff3226e393b63b6dd17df1bec47527e8f8b8f21b1c6f5bfdf2aa7a9c699ed21aadd02b7bf2aeff99

                  Download Submit
                • \??\PIPE\srvsvc
                  MD5

                  d41d8cd98f00b204e9800998ecf8427e

                  SHA1

                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                  SHA256

                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                  SHA512

                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                  Download Submit
                • memory/532-136-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/532-130-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/532-123-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/672-80-0x0000000002620000-0x0000000002660000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/672-84-0x0000000002620000-0x0000000002660000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/672-82-0x0000000002620000-0x0000000002660000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/1080-151-0x0000000000BE0000-0x0000000000D12000-memory.dmp
                  Filesize

                  1.2MB

                  Download
                • memory/1636-89-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-99-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-78-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-73-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-85-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-86-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-87-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-88-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-81-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-90-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-93-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-67-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-98-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-58-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-66-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1636-65-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-156-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-64-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-63-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-111-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-112-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-61-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-155-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-62-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-60-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-143-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-144-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1636-59-0x00000000004F0000-0x0000000000570000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1992-54-0x0000000000B60000-0x0000000000C92000-memory.dmp
                  Filesize

                  1.2MB

                  Download
                • memory/1992-57-0x00000000023B0000-0x00000000023F0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/2036-128-0x0000000000BD0000-0x0000000000C10000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/2036-107-0x00000000009A0000-0x0000000000AD2000-memory.dmp
                  Filesize

                  1.2MB

                  Download