Overview

overview

10

Static

static

1

home/raid_...ad.exe

windows7-x64

10

home/raid_...ad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    27-03-2023 19:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    home/raid_service/casing_module/case_updater/tmppayload.exe

  • Size

    1024.0MB

  • MD5

    932f4060cc31b4dbaffa1bb6d3991c20

  • SHA1

    989f4fb91c3a30a0789c0d61c1b8c5dad659747e

  • SHA256

    a40084ddc1d6655c2f78365a9ef6a9b81997cfa98a6f81c8d7dfe9619ef6b853

  • SHA512

    7bb952847d5bacff9275415ba02a6fbeb180d16b2ef23591a60f9fe302f51301d7c967af5eaa5dc9135ceb108cdf25afdf745a3875b5b0655924452d1f753ba5

  • SSDEEP

    6144:AxjCbYJafbpsBSM/HVFku/7AGLr5lw2H3SgoXraFjvVpQ+QW8uR3OoJWwvTTZlIY:+PozpsBzkuHPgDsvELuv7ZlIgCjIDF

Score
10/10
remcosbilleterat

Malware Config

Extracted

Family

remcos

Botnet

BILLETE

C2

cactus.con-ip.com:7770

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-9927QM

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\home\raid_service\casing_module\case_updater\tmppayload.exe
    "C:\Users\Admin\AppData\Local\Temp\home\raid_service\casing_module\case_updater\tmppayload.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:680
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\home\raid_service\casing_module\case_updater\tmppayload.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"
      2⤵
        PID:1584
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Local\Temp\home\raid_service\casing_module\case_updater\tmppayload.exe'"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:760
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1148
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {4D29E7AC-FDCE-4DBA-97D4-A8AB94CDCFC3} S-1-5-21-3430344531-3702557399-3004411149-1000:WFSTZEPN\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1348
      • C:\Users\Admin\AppData\Roaming\AppData.exe
        C:\Users\Admin\AppData\Roaming\AppData.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c copy "C:\Users\Admin\AppData\Roaming\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"
          3⤵
            PID:852
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2044
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
              4⤵
              • Creates scheduled task(s)
              PID:1804
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\AppData.exe'"
            3⤵
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1744
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
            3⤵
              PID:1356
          • C:\Users\Admin\AppData\Roaming\AppData.exe
            C:\Users\Admin\AppData\Roaming\AppData.exe
            2⤵
            • Executes dropped EXE
            PID:968
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
              3⤵
                PID:1808

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Scheduled Task

          1
          T1053

          Persistence

          Scheduled Task

          1
          T1053

          Privilege Escalation

          Scheduled Task

          1
          T1053

          Defense Evasion

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\remcos\logs.dat
            Filesize

            144B

            MD5

            78bf4fd8f8a23059fbab5edcbe20e4ac

            SHA1

            c2bb1655c713603af40478afc8d65b3d1da05fdb

            SHA256

            2d324ea9a3e9241017898c1cde6aa103a5a12d3a3e3d0a3af299ad76a53fbab0

            SHA512

            5e0aa76b0c0a5ef0c713429ec1313ad42c8be4af4b2a6d8df80340767a334045d3632fb92844615aaea6d69bbec6eb705ac45fce53bc42cc3dd0f232c0e5288e

            Download Submit
          • C:\Users\Admin\AppData\Roaming\AppData.exe
            Filesize

            360.4MB

            MD5

            3df644233a3e3dc045f963ecaa8fee48

            SHA1

            1ddfd6ab2e40a0a47955b25a3a78cc8baaa449fa

            SHA256

            1caec81fa9f923d28e0be0c6f5f9676450f8f6bb0cd48ae41dc8e392b337dda1

            SHA512

            d57aba6871b2a16dc033c31218e1ea1659ebef92dc7955ac84907c3e6606d085d3f9af83136794e76463ace38e7273130e90cb1d72810b70edf50d56d323949d

            Download Submit
          • C:\Users\Admin\AppData\Roaming\AppData.exe
            Filesize

            603.4MB

            MD5

            7b7ae6b17314d6efcfe9f6b740a525ee

            SHA1

            664446669e9d75e2a43a45ec2a993bc536822735

            SHA256

            f2ad44382db2114ea77c6659bac44891b9984b5367e00c14ba1720c0f85ba3ef

            SHA512

            c05cf5d76710af90a2de692b2d6dc4c6bad6af175a3bc6ae4ac60f0dc209026eb81ce8d638ef1d41358a91372255f83e0ab99a150299c183f288606617cacff0

            Download Submit
          • C:\Users\Admin\AppData\Roaming\AppData.exe
            Filesize

            595.8MB

            MD5

            42f5a93b98386b58b2fc49fe510f5fa9

            SHA1

            3a855bb4e4036483bbe860da971186d42cc5a223

            SHA256

            dbe36cfe0d35587c35d00696358f1d0d439b09afd66a9b7dd3e68ca51fa555c8

            SHA512

            56282c16feb2b841b8c3a73c9a8d6c4a2d0c1ae8f8423699728e7caac591c8e10249e82dfa87b316ec6d11b70063a75acf312474e7a019e4aa76a4e48429f373

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
            Filesize

            7KB

            MD5

            21a23a189509905a859a042ed339219b

            SHA1

            446a04358b665cf3319d8ad93f81c50a05351b96

            SHA256

            dd8c37e1d261614963596ba66600d0a524522126be4cf0e6fe89b97ab62586dd

            SHA512

            a06746bb621215103b630b13b2ea266fbbcef44869bc2025040f875db488f8a0faadd25bbb42d728652b1daa97c9f27cfddd4c78cc5e2def114292faab05ac09

            Download Submit
          • memory/760-86-0x0000000002770000-0x00000000027B0000-memory.dmp
            Filesize

            256KB

            Download
          • memory/968-142-0x00000000000F0000-0x0000000000222000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/1148-62-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-88-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-63-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-64-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1148-66-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-71-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-76-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-77-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-80-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-79-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-85-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-60-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-87-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-149-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-89-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-61-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-59-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-58-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-148-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-104-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-103-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-57-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-136-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-138-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1148-56-0x0000000000080000-0x0000000000100000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1336-55-0x0000000004CA0000-0x0000000004CE0000-memory.dmp
            Filesize

            256KB

            Download
          • memory/1336-54-0x0000000000CE0000-0x0000000000E12000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/1724-100-0x0000000000220000-0x0000000000352000-memory.dmp
            Filesize

            1.2MB

            Download