Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
23-03-2023 19:30
General
-
Target
IUVR-8403-8402-2023._patched.exe
-
Size
1.2MB
-
MD5
898190d53ed165a6f08d0b2e1af9bfe0
-
SHA1
cce3350bd6479aad0a4533401d875ec047c5f5d8
-
SHA256
8bbc5bd45c06cfb409bea5431cb5e876633cd2b30730f6d2ccd0b5cb36616826
-
SHA512
f88e1ebd8e35945653824ace11d5ab85e7c33b7db876bd0e0cd2925beece608e2033144dbad4a6a3fa5d58425c8bbb9da74af03ce7bd4608ab26b0d7c3a139f2
-
SSDEEP
6144:AxjCbYJafbpsBSM/HVFku/7AGLr5lw2H3SgoXraFjvVpQ+QW8uR3OoJWwvTTZlIY:+PozpsBzkuHPgDsvELuv7ZlIgCjIDF
Malware Config
Extracted
remcos
BILLETE
cactus.con-ip.com:7770
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-9927QM
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Executes dropped EXE 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\IUVR-8403-8402-2023._patched.exe"C:\Users\Admin\AppData\Local\Temp\IUVR-8403-8402-2023._patched.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\IUVR-8403-8402-2023._patched.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Local\Temp\IUVR-8403-8402-2023._patched.exe'"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskeng.exetaskeng.exe {C31435EE-2383-4FF0-B1C9-1B8DE7437474} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\AppData.exeC:\Users\Admin\AppData\Roaming\AppData.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\AppData.exe'"3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\AppData.exeC:\Users\Admin\AppData\Roaming\AppData.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\AppData.exe'"3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\remcos\logs.datFilesize
144B
MD583531f61db53666797e41144a3e02e93
SHA1976ee6bd713ffa86aec8500454f6a4ad507d4184
SHA256804a418a17b3ff2de9e6959312af99b58286df11732c5d66e1fa16b8c9dc67e9
SHA512ac55838930bb1919b4dc814465339557f55bfa17ebe3deb11c827e1766579599b491fdfbbccd4cc1e4358cd791e659783309eebf2112948f1a99f7a84a33991a
-
C:\Users\Admin\AppData\Roaming\AppData.exeFilesize
1.2MB
MD5898190d53ed165a6f08d0b2e1af9bfe0
SHA1cce3350bd6479aad0a4533401d875ec047c5f5d8
SHA2568bbc5bd45c06cfb409bea5431cb5e876633cd2b30730f6d2ccd0b5cb36616826
SHA512f88e1ebd8e35945653824ace11d5ab85e7c33b7db876bd0e0cd2925beece608e2033144dbad4a6a3fa5d58425c8bbb9da74af03ce7bd4608ab26b0d7c3a139f2
-
C:\Users\Admin\AppData\Roaming\AppData.exeFilesize
1.2MB
MD5898190d53ed165a6f08d0b2e1af9bfe0
SHA1cce3350bd6479aad0a4533401d875ec047c5f5d8
SHA2568bbc5bd45c06cfb409bea5431cb5e876633cd2b30730f6d2ccd0b5cb36616826
SHA512f88e1ebd8e35945653824ace11d5ab85e7c33b7db876bd0e0cd2925beece608e2033144dbad4a6a3fa5d58425c8bbb9da74af03ce7bd4608ab26b0d7c3a139f2
-
C:\Users\Admin\AppData\Roaming\AppData.exeFilesize
1.2MB
MD5898190d53ed165a6f08d0b2e1af9bfe0
SHA1cce3350bd6479aad0a4533401d875ec047c5f5d8
SHA2568bbc5bd45c06cfb409bea5431cb5e876633cd2b30730f6d2ccd0b5cb36616826
SHA512f88e1ebd8e35945653824ace11d5ab85e7c33b7db876bd0e0cd2925beece608e2033144dbad4a6a3fa5d58425c8bbb9da74af03ce7bd4608ab26b0d7c3a139f2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A6UL7XA8COSDO8YV6LQC.tempFilesize
7KB
MD55f3c817ce9c3f396d490e1fde7251174
SHA1970944d8d6d7286f4ca6009ae0a6fd244de48f50
SHA256561b9b6497994bf1bd466143353da71daeb8305bc15eba1bd78ecafa55df2e9f
SHA512bed30a5c9b4fd42e7dbc457bd9cc82abbc7902465b2e19df97001dd44e7c93772d565fce8c485fb4ed584aec415df2d23da3cfe852857bb7998f1b93f0a56de1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD55f3c817ce9c3f396d490e1fde7251174
SHA1970944d8d6d7286f4ca6009ae0a6fd244de48f50
SHA256561b9b6497994bf1bd466143353da71daeb8305bc15eba1bd78ecafa55df2e9f
SHA512bed30a5c9b4fd42e7dbc457bd9cc82abbc7902465b2e19df97001dd44e7c93772d565fce8c485fb4ed584aec415df2d23da3cfe852857bb7998f1b93f0a56de1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5fb9c81071e5d7fe48ae7813588c6ff51
SHA1c4dfd9575ad4a2c4e9ad83df0c3c64c8412c9752
SHA256833d2f3d083a3ab87bbf28260c5b5ccabd51659675985df7c1b50f74f007e572
SHA5120e88972134a6090fd7f7c2025cfccec6e3be38ca0e5211c0800e065efc9287ee32b52ddccc4dbea4b966608cb541705242b8e3d3a89bda5873349573ba994209
-
memory/368-84-0x0000000002510000-0x0000000002550000-memory.dmpFilesize
256KB
-
memory/368-85-0x0000000002510000-0x0000000002550000-memory.dmpFilesize
256KB
-
memory/848-101-0x0000000004D90000-0x0000000004DD0000-memory.dmpFilesize
256KB
-
memory/848-99-0x0000000000B60000-0x0000000000C92000-memory.dmpFilesize
1.2MB
-
memory/1176-88-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1176-64-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1176-79-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1176-80-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1176-82-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1176-83-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1176-69-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1176-68-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmpFilesize
4KB
-
memory/1176-86-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1176-60-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1176-89-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1176-90-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1176-67-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1176-66-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1176-65-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1176-74-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1176-63-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1176-62-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1176-61-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1176-140-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1176-130-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1176-131-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1176-139-0x0000000000080000-0x0000000000100000-memory.dmpFilesize
512KB
-
memory/1400-144-0x0000000000ED0000-0x0000000001002000-memory.dmpFilesize
1.2MB
-
memory/1924-151-0x0000000002670000-0x00000000026B0000-memory.dmpFilesize
256KB
-
memory/1924-150-0x0000000002670000-0x00000000026B0000-memory.dmpFilesize
256KB
-
memory/1996-128-0x0000000002660000-0x00000000026A0000-memory.dmpFilesize
256KB
-
memory/1996-127-0x0000000002660000-0x00000000026A0000-memory.dmpFilesize
256KB
-
memory/2044-54-0x0000000000830000-0x0000000000962000-memory.dmpFilesize
1.2MB
-
memory/2044-57-0x0000000004DA0000-0x0000000004DE0000-memory.dmpFilesize
256KB