Analysis
-
max time kernel
54s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
27-03-2023 19:45
General
-
Target
home/raid_service/casing_module/case_updater/tmppayload.exe
-
Size
1024.0MB
-
MD5
932f4060cc31b4dbaffa1bb6d3991c20
-
SHA1
989f4fb91c3a30a0789c0d61c1b8c5dad659747e
-
SHA256
a40084ddc1d6655c2f78365a9ef6a9b81997cfa98a6f81c8d7dfe9619ef6b853
-
SHA512
7bb952847d5bacff9275415ba02a6fbeb180d16b2ef23591a60f9fe302f51301d7c967af5eaa5dc9135ceb108cdf25afdf745a3875b5b0655924452d1f753ba5
-
SSDEEP
6144:AxjCbYJafbpsBSM/HVFku/7AGLr5lw2H3SgoXraFjvVpQ+QW8uR3OoJWwvTTZlIY:+PozpsBzkuHPgDsvELuv7ZlIgCjIDF
Malware Config
Extracted
remcos
BILLETE
cactus.con-ip.com:7770
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-9927QM
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\home\raid_service\casing_module\case_updater\tmppayload.exe"C:\Users\Admin\AppData\Local\Temp\home\raid_service\casing_module\case_updater\tmppayload.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\home\raid_service\casing_module\case_updater\tmppayload.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Local\Temp\home\raid_service\casing_module\case_updater\tmppayload.exe'"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\AppData.exeC:\Users\Admin\AppData\Roaming\AppData.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\AppData.exe'"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\AppData.exeC:\Users\Admin\AppData\Roaming\AppData.exe1⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\AppData.exe'"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\remcos\logs.datFilesize
144B
MD553b593beafb971433b9b3c10f3b5d089
SHA17da61f6b333ba16659f61ed4b5cdb703aa013656
SHA2567eac7fc553c4f8159d6fb9c27bb3e4d619f76c597848125e2a0210a890f49b3d
SHA5129a6ca6fa3bc2702403a7e0de328b21ae498c334f4c97c5f232739c2fd14cbc7f28630f2e852f2b33de561307e5aa1266e2b81d5f327b140eb4874745707caff0
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppData.exe.logFilesize
520B
MD503febbff58da1d3318c31657d89c8542
SHA1c9e017bd9d0a4fe533795b227c855935d86c2092
SHA2565164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4
SHA5123750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD506adfe7bdee61985821786d796196498
SHA156e110a68f1997c89a77ddb80672d6199ab09311
SHA256763bde2e8bcbe694aee7ea4e10e018c6aedb095dec91c1018fb38a2c6a300e27
SHA5126175720c9126243633461141cefcd69ebf5faaef330e7e647aeb85ca96543f76107ec3aa3bbefa21ce8e04ad6b55632bc16cdeece7634e7166350baa0eb864b5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD59a76b2717d0569faa0a46f8a6088187f
SHA1daeee7733dc788055c8a4f2f7787b9dc77e19f34
SHA2564b6fd1a0590daa59315cd84c71861869efa2a6af50373fb3169f603acba1fdd1
SHA51239afebfc11da4adf38c730b171fac7c81403ca060ae058e3f9da5bebdb18f17c2d7dcd90867502c560d8bf087b282ef18e424daf67ce110481a9608a5a047a25
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b0vcyjcc.d4l.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\AppData.exeFilesize
722.6MB
MD54adfef5e9374e8e685021b0d256c15a0
SHA1d4624fbf38cb00d8c6375b6ce8c63343d900b169
SHA2569ae6adf72f8cd4e3b5a314c5385e259929908b3265a2a66f237e78a2434b9274
SHA512ee5e0d43d46ff47d7efc89935af21600071a77df1d6f56cd79bf498d5b9599e7f11518b9ee866f27e246e46ab49e005f1cd530725615d63c318f3aa603efe620
-
C:\Users\Admin\AppData\Roaming\AppData.exeFilesize
750.7MB
MD5b07450285b76116c0dc019a0c6181a55
SHA1957c47d1cec8ac4804ca5ac2a550639d250e9dab
SHA256a767e107b33fe599d66d56a61cd029feb1db1487d4210bb7bac29e58f12bcf59
SHA5121357002f155547131a82658fabc2dbca3f8807b6253eb5b3e69e3d4653941313f6109f6f6d856626b89e3b9cb774091fa653c1642a1685c903150bce98db9ab2
-
C:\Users\Admin\AppData\Roaming\AppData.exeFilesize
306.1MB
MD50df32d3c1a9a73d02a9c701e66d26419
SHA15b2062a30727ed7d6c30ceebbcf88e267db84b88
SHA25677b83f691b699e81b53825e762c67acd373c363fdefcbd55ed269b739a589640
SHA51229f9f9a114f4694061242c9d238fa54222ffecfc4414e727222049a0911f9def10bdc78e62ae749495042fefbb62c609e928edf8d17d28aec995ba57a474a1fe
-
memory/180-246-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/180-245-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/180-244-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/752-186-0x0000000007CA0000-0x0000000007D36000-memory.dmpFilesize
600KB
-
memory/752-187-0x0000000007C60000-0x0000000007C6E000-memory.dmpFilesize
56KB
-
memory/752-149-0x0000000006070000-0x00000000060D6000-memory.dmpFilesize
408KB
-
memory/752-150-0x00000000060E0000-0x0000000006146000-memory.dmpFilesize
408KB
-
memory/752-147-0x0000000005780000-0x00000000057A2000-memory.dmpFilesize
136KB
-
memory/752-160-0x0000000006720000-0x000000000673E000-memory.dmpFilesize
120KB
-
memory/752-138-0x00000000051A0000-0x00000000051D6000-memory.dmpFilesize
216KB
-
memory/752-142-0x0000000005810000-0x0000000005E38000-memory.dmpFilesize
6.2MB
-
memory/752-146-0x0000000002D70000-0x0000000002D80000-memory.dmpFilesize
64KB
-
memory/752-189-0x0000000007D50000-0x0000000007D58000-memory.dmpFilesize
32KB
-
memory/752-168-0x0000000002D70000-0x0000000002D80000-memory.dmpFilesize
64KB
-
memory/752-169-0x0000000006CF0000-0x0000000006D22000-memory.dmpFilesize
200KB
-
memory/752-170-0x0000000071360000-0x00000000713AC000-memory.dmpFilesize
304KB
-
memory/752-181-0x0000000006CD0000-0x0000000006CEE000-memory.dmpFilesize
120KB
-
memory/752-182-0x0000000008070000-0x00000000086EA000-memory.dmpFilesize
6.5MB
-
memory/752-183-0x0000000007A30000-0x0000000007A4A000-memory.dmpFilesize
104KB
-
memory/752-184-0x000000007FD30000-0x000000007FD40000-memory.dmpFilesize
64KB
-
memory/752-185-0x0000000007AB0000-0x0000000007ABA000-memory.dmpFilesize
40KB
-
memory/752-188-0x0000000007D60000-0x0000000007D7A000-memory.dmpFilesize
104KB
-
memory/900-233-0x0000000002E10000-0x0000000002E20000-memory.dmpFilesize
64KB
-
memory/900-234-0x000000007FD10000-0x000000007FD20000-memory.dmpFilesize
64KB
-
memory/900-222-0x00000000755A0000-0x00000000755EC000-memory.dmpFilesize
304KB
-
memory/900-208-0x0000000002E10000-0x0000000002E20000-memory.dmpFilesize
64KB
-
memory/900-209-0x0000000002E10000-0x0000000002E20000-memory.dmpFilesize
64KB
-
memory/936-214-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/936-213-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/936-218-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4272-268-0x0000000005400000-0x0000000005410000-memory.dmpFilesize
64KB
-
memory/4272-272-0x0000000005400000-0x0000000005410000-memory.dmpFilesize
64KB
-
memory/4272-271-0x0000000005400000-0x0000000005410000-memory.dmpFilesize
64KB
-
memory/4272-257-0x0000000071410000-0x000000007145C000-memory.dmpFilesize
304KB
-
memory/4312-221-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4312-139-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4312-220-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4312-167-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4312-143-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4312-144-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4312-148-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4312-236-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4312-140-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4312-162-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4312-161-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4312-136-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4312-135-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4312-193-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4312-145-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4312-267-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4312-270-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4312-163-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4376-134-0x0000000006010000-0x00000000065B4000-memory.dmpFilesize
5.6MB
-
memory/4376-133-0x0000000000FF0000-0x0000000001122000-memory.dmpFilesize
1.2MB