Analysis
-
max time kernel
136s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
27-03-2023 15:16
General
-
Target
Best price inquiry.exe
-
Size
768KB
-
MD5
b5d80c839eed720a63fbc6cd47a80a9e
-
SHA1
ef4bf7a44f3f7da17798ad1be32055e359ecd90b
-
SHA256
643d6f1a9a24b68a77de03bbe2ccf63751c072976b14607bb224eda31887f2de
-
SHA512
5355d606140ad0c10d8db7bea8fe1b4a8468947fdc2605f05520ccd931f8aa1c5eb9dc0420b2efa376a9311c85c2cd12431d24a9965bd018e29f48d455fdf46d
-
SSDEEP
24576:aMwf+m50w/dByz9z+NTUv91fZ5ZM1P3A6YlBE5Gw9:aMwf0w/dsYqjfrW93AXbEN9
Malware Config
Extracted
remcos
RemoteHost
darren2023.sytes.net:2115
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
scs.exe
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Rmc-3YNKQ0
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Best price inquiry.exe"C:\Users\Admin\AppData\Local\Temp\Best price inquiry.exe"1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Best price inquiry.exe"C:\Users\Admin\AppData\Local\Temp\Best price inquiry.exe"2⤵
- Checks QEMU agent file
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\scs.exe"C:\Users\Admin\AppData\Roaming\scs.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsl530E.tmp\System.dllFilesize
12KB
MD5564bb0373067e1785cba7e4c24aab4bf
SHA17c9416a01d821b10b2eef97b80899d24014d6fc1
SHA2567a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
SHA51222c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472
-
C:\Users\Admin\AppData\Local\Temp\nsl530E.tmp\System.dllFilesize
12KB
MD5564bb0373067e1785cba7e4c24aab4bf
SHA17c9416a01d821b10b2eef97b80899d24014d6fc1
SHA2567a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
SHA51222c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472
-
C:\Users\Admin\AppData\Local\Temp\nsnA7FE.tmp\System.dllFilesize
12KB
MD5564bb0373067e1785cba7e4c24aab4bf
SHA17c9416a01d821b10b2eef97b80899d24014d6fc1
SHA2567a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
SHA51222c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Danskvandernes\Unselfconsciousness\penial\Unfooted\Fodermestrene\Wainer\Blackland22.StaFilesize
98KB
MD5f1c8c629cb85183aacc7cf48089b5c4b
SHA1a1902dfc003b9ec0b17115e71a41ec1fb8695c30
SHA256dcab505b1a5cfc6eb7ad308ba934b15132af881089a1ccd829a33b2be3efb6e6
SHA512e22a0de27171bfcd1ba1d03413781e01cacbccae7896a8fc59f5ff051334067ed3e097938294cf1fe1954a5866c5b2525e888b4edca8ba72da90d20f34b06025
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Danskvandernes\Unselfconsciousness\penial\Unfooted\Fodermestrene\Wainer\Caesura.PicFilesize
237KB
MD5bf854859a5af013bf3670f26c4f2e11d
SHA1f781202f218a1a999af14c8636bd488737221ed7
SHA25689e2b117d576e4bfd257072d00103860c28b1e737a50a02ca2acd92994c9a6e1
SHA512931e89c6bf79e5ab72c6ba45f8a0503d1c967aa39b4fa5d80aa005e34ba23309e17408af0c343f6fc88d923a0dd5c7e5a0d1da1efea91354efec90385744ccbb
-
C:\Users\Admin\AppData\Roaming\scs.exeFilesize
768KB
MD5b5d80c839eed720a63fbc6cd47a80a9e
SHA1ef4bf7a44f3f7da17798ad1be32055e359ecd90b
SHA256643d6f1a9a24b68a77de03bbe2ccf63751c072976b14607bb224eda31887f2de
SHA5125355d606140ad0c10d8db7bea8fe1b4a8468947fdc2605f05520ccd931f8aa1c5eb9dc0420b2efa376a9311c85c2cd12431d24a9965bd018e29f48d455fdf46d
-
C:\Users\Admin\AppData\Roaming\scs.exeFilesize
768KB
MD5b5d80c839eed720a63fbc6cd47a80a9e
SHA1ef4bf7a44f3f7da17798ad1be32055e359ecd90b
SHA256643d6f1a9a24b68a77de03bbe2ccf63751c072976b14607bb224eda31887f2de
SHA5125355d606140ad0c10d8db7bea8fe1b4a8468947fdc2605f05520ccd931f8aa1c5eb9dc0420b2efa376a9311c85c2cd12431d24a9965bd018e29f48d455fdf46d
-
C:\Users\Admin\AppData\Roaming\scs.exeFilesize
768KB
MD5b5d80c839eed720a63fbc6cd47a80a9e
SHA1ef4bf7a44f3f7da17798ad1be32055e359ecd90b
SHA256643d6f1a9a24b68a77de03bbe2ccf63751c072976b14607bb224eda31887f2de
SHA5125355d606140ad0c10d8db7bea8fe1b4a8468947fdc2605f05520ccd931f8aa1c5eb9dc0420b2efa376a9311c85c2cd12431d24a9965bd018e29f48d455fdf46d
-
memory/3476-163-0x0000000001660000-0x0000000004F11000-memory.dmpFilesize
56.7MB
-
memory/3476-159-0x0000000000400000-0x0000000001654000-memory.dmpFilesize
18.3MB
-
memory/3476-146-0x0000000000400000-0x0000000001654000-memory.dmpFilesize
18.3MB
-
memory/3476-174-0x0000000001660000-0x0000000004F11000-memory.dmpFilesize
56.7MB
-
memory/3476-182-0x0000000000400000-0x0000000001654000-memory.dmpFilesize
18.3MB