Overview

overview

10

Static

static

1

notifica a...do.rar

windows7-x64

3

notifica a...do.rar

windows10-2004-x64

3

notifica a...do.exe

windows7-x64

10

notifica a...do.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    64s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    27-03-2023 16:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    notifica a usted la primera audiencia por el proceso judicial adelantado.exe

  • Size

    790KB

  • MD5

    81a23531cb13ca317bbe76d5331f0ce5

  • SHA1

    8895d9aefd3ca9f3c457fe51691c4a408819e69f

  • SHA256

    b6a42d45119abc492113b7ac0bcf51a7ffe2aec2ea5fe47c35b62af0beeefd5a

  • SHA512

    50c5bf43f9a0a5ed17415080f5394c72777f2b549df60e4707bb4b6e775e5570acb27d01a992d1037cf1c23deedf66991434cd73d86c5233c22691ed1cf994d6

  • SSDEEP

    12288:PUJB0O+SFTCulU37koolxZnQSYlIHSNdDhiJhNPHok3U0iTK+JuQyKJhZckedxNK:EISFfU37kRk3myN14PX4gT8Dc

Score
10/10
remcoslunesrat

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

LUNES

C2

lunesgermanarellanos.con-ip.com:1013

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-ARW24P

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\notifica a usted la primera audiencia por el proceso judicial adelantado.exe
    "C:\Users\Admin\AppData\Local\Temp\notifica a usted la primera audiencia por el proceso judicial adelantado.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kwPouyOzCI.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:272
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kwPouyOzCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp214.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:268
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\uninstall.vbs"
        3⤵
          PID:1848

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp214.tmp
      Filesize

      1KB

      MD5

      4f44625f53e82ffa7907343dd3888335

      SHA1

      bc646d1ebc319481bc9c06325da15dc6b6a8fb7f

      SHA256

      f49a57ebeb66ddc20f28df8f22a6a95702dab3a8b6ea453f6e1db3ef58125342

      SHA512

      c5325f0ae118727c52db0311dc67cdc6e59297b237bc82c4a40eac0eef54c1784b00382108e63ef179b938172f8284d9a14d99ddaa9e0fd43cd704560b36867b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\uninstall.vbs
      Filesize

      548B

      MD5

      38fcc4640b2a71adf54bb166e9e2f8a9

      SHA1

      4839aad4fc2773d18867a3af4e5394ba988327a7

      SHA256

      fd9dddf8fd2a2c53e6085eb0666859248d5a4288f9e2402f4f312f19fc005aeb

      SHA512

      fdbf41020668a6f7cac7ae7e1cfd6752bde4917f11fbd8a53c419e64af3ef2b476b3fea22e45a1c06926fd89e141d98c554c5abd68381f3b3259f34e50e6e07b

      Download Submit
    • memory/272-84-0x00000000023A0000-0x00000000023E0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/272-83-0x00000000023A0000-0x00000000023E0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1060-77-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1060-81-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1060-98-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1060-99-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1060-68-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1060-69-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1060-70-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1060-71-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1060-72-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1060-73-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1060-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1060-75-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1060-97-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1060-78-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1060-80-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1060-94-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1060-82-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1060-91-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1060-89-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1060-85-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1060-86-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1060-88-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1436-56-0x0000000000970000-0x0000000000990000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1436-57-0x0000000004D50000-0x0000000004D90000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1436-59-0x0000000005FD0000-0x000000000606E000-memory.dmp
      Filesize

      632KB

      Download
    • memory/1436-54-0x0000000000C00000-0x0000000000CCA000-memory.dmp
      Filesize

      808KB

      Download
    • memory/1436-65-0x0000000004EB0000-0x0000000004ED8000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1436-58-0x0000000000990000-0x000000000099C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1436-55-0x0000000004D50000-0x0000000004D90000-memory.dmp
      Filesize

      256KB

      Download