Overview

overview

10

Static

static

1

baa1926f8f...af.exe

windows7-x64

10

baa1926f8f...af.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    28-03-2023 02:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    baa1926f8f9eb46243f4591d418581fc422268a40aec9a83fccf7e3ee2f913af.exe

  • Size

    1.3MB

  • MD5

    9ca296392ffda3a2168b2c8e38423f88

  • SHA1

    5a6001e488ee7fb0ec19e5727871c7a1d476457d

  • SHA256

    baa1926f8f9eb46243f4591d418581fc422268a40aec9a83fccf7e3ee2f913af

  • SHA512

    80be381586098c24ad441b638f45924af481063bd28a84aa0f2dc1e177fa23a4d8a8ca2263977380c4af054870f64704bbb72b6845ce17375d563d5d2a9ce8b1

  • SSDEEP

    24576:lTbBv5rUqDGbB22Y7+QE96qZaeUTHc8SqAOgRF65:PBX0YZD40kVqK65

Score
10/10
remcosremotehostpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

104.254.90.203:42940

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-KNQYWF

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\baa1926f8f9eb46243f4591d418581fc422268a40aec9a83fccf7e3ee2f913af.exe
    "C:\Users\Admin\AppData\Local\Temp\baa1926f8f9eb46243f4591d418581fc422268a40aec9a83fccf7e3ee2f913af.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" Update-pe.b.vbe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Users\Admin\AppData\Local\Temp\bibc\exrthati.pif
        "C:\Users\Admin\AppData\Local\Temp\bibc\exrthati.pif" mmooosqfr.xml
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:580
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\bibc
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:520
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:828
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:292
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1800
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbs
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1612
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1680
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:680
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:480
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbs
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1160
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1632
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbe
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1932
        • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
          "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
          4⤵
          • Executes dropped EXE
          PID:608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\bibc\askagvk.xml
    Filesize

    37KB

    MD5

    df2aad1df52884dacca9ce4c9df73715

    SHA1

    d9271cfd6486175ac744583c883c19b00821f647

    SHA256

    6d4a527a9bf69e28defe550a737b13a7d9f11c0dc4296cd3e5873648f0321776

    SHA512

    6803d4f3ed270edcc04aa7de79442036783ed4233854615b41628f903b1ad1460fb27cc40d386482cd40a860432b8a727a003087b3b014493425ebdc05085822

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\bibc\exrthati.pif
    Filesize

    1.1MB

    MD5

    c81409f51b6115a5513a4ee52ec94b1d

    SHA1

    97d49ccce31bf74c9dd1841b07a7a4ac4fe8dba1

    SHA256

    2957e77587a002d380031ac26da95e605fa18e2d23ae7a141595406652be6cd6

    SHA512

    cca20666de959cc0e49b7381d20a201c12b02db7bb1b0d2f6c3d0b51e02494567f615bd3205d1e1cbb08f658d8db552e22abe7ed079eba403889a4dcdabd21e9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\bibc\exrthati.pif
    Filesize

    1.1MB

    MD5

    c81409f51b6115a5513a4ee52ec94b1d

    SHA1

    97d49ccce31bf74c9dd1841b07a7a4ac4fe8dba1

    SHA256

    2957e77587a002d380031ac26da95e605fa18e2d23ae7a141595406652be6cd6

    SHA512

    cca20666de959cc0e49b7381d20a201c12b02db7bb1b0d2f6c3d0b51e02494567f615bd3205d1e1cbb08f658d8db552e22abe7ed079eba403889a4dcdabd21e9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\bibc\mmooosqfr.xml
    Filesize

    118.7MB

    MD5

    0b8c3389fcfa4b23792cfe4be9bf5d4d

    SHA1

    fb874d34954345f99fc32dcf1bd2d7dd552a69a4

    SHA256

    0ff9a189fe4a7fc1d0988f13c4a641b8a2b467fc0304df7f4a130346c5378399

    SHA512

    990ed70cc4d98035cff152df2401ec923ecb2aca040f1664825eff73ef859f561fc8d337beedf4c39a02d17c2bbaba1ea26ca7e7c72d9e759af7e6d0e2e5fbf8

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\bibc\olmk.kef
    Filesize

    869KB

    MD5

    88e9eb2b1734c06854c9a7f0ce654481

    SHA1

    3a390631ad78073dfe0a9fc02dcd18ab01ffce0c

    SHA256

    2f0ee4d549cae7625366077f4d73dad31f276e9fde10a0a61d035887ae729789

    SHA512

    8e7381c4113e6f8280c1172278570464607e538f6eac3766a6912e3f5980f89f848a0658b3956f27cf44c7c88a158cb75cd0981b390dd0efea3d74bcd903538f

    Download Submit
  • C:\Users\Admin\AppData\Local\temp\bibc\Update-pe.b.vbe
    Filesize

    90KB

    MD5

    c0f4bcc7ee5b04990cbef34b501af814

    SHA1

    50b0ca595eba95a552f98d0e616a4ac0d28dc511

    SHA256

    36d08a949ccf2b6628711d4642efead0f675c2f42be30bace2c93a7a8e49e9dc

    SHA512

    747d53ea0a172936dc4c290afdea6116ddac9af5eef6f3f0ef7f8e66e74a0f3b6ad176f3f2dc52a7832c5d5b972dfcae64500a373b9df79aea93fbda3d57b955

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YHKECDAARGJB2G73076K.temp
    Filesize

    7KB

    MD5

    a71eba984c11237e3b7586e325ce0d75

    SHA1

    707781added728b21fc2831fe9abee848b0b0613

    SHA256

    125fb4705cfac83508e1d61a7ebf88f8e358c350bd13be6e8180371e859291a2

    SHA512

    4683db9cd59a5fed6cd5d49c9e4d04c49143d4047a487ba8a0a553084b0b8401b84bb78e3287ad00819ad28273b7e42fd1b364effc4becbc2e4d3805e659f10a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    a71eba984c11237e3b7586e325ce0d75

    SHA1

    707781added728b21fc2831fe9abee848b0b0613

    SHA256

    125fb4705cfac83508e1d61a7ebf88f8e358c350bd13be6e8180371e859291a2

    SHA512

    4683db9cd59a5fed6cd5d49c9e4d04c49143d4047a487ba8a0a553084b0b8401b84bb78e3287ad00819ad28273b7e42fd1b364effc4becbc2e4d3805e659f10a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    a71eba984c11237e3b7586e325ce0d75

    SHA1

    707781added728b21fc2831fe9abee848b0b0613

    SHA256

    125fb4705cfac83508e1d61a7ebf88f8e358c350bd13be6e8180371e859291a2

    SHA512

    4683db9cd59a5fed6cd5d49c9e4d04c49143d4047a487ba8a0a553084b0b8401b84bb78e3287ad00819ad28273b7e42fd1b364effc4becbc2e4d3805e659f10a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    a71eba984c11237e3b7586e325ce0d75

    SHA1

    707781added728b21fc2831fe9abee848b0b0613

    SHA256

    125fb4705cfac83508e1d61a7ebf88f8e358c350bd13be6e8180371e859291a2

    SHA512

    4683db9cd59a5fed6cd5d49c9e4d04c49143d4047a487ba8a0a553084b0b8401b84bb78e3287ad00819ad28273b7e42fd1b364effc4becbc2e4d3805e659f10a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    a71eba984c11237e3b7586e325ce0d75

    SHA1

    707781added728b21fc2831fe9abee848b0b0613

    SHA256

    125fb4705cfac83508e1d61a7ebf88f8e358c350bd13be6e8180371e859291a2

    SHA512

    4683db9cd59a5fed6cd5d49c9e4d04c49143d4047a487ba8a0a553084b0b8401b84bb78e3287ad00819ad28273b7e42fd1b364effc4becbc2e4d3805e659f10a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    a71eba984c11237e3b7586e325ce0d75

    SHA1

    707781added728b21fc2831fe9abee848b0b0613

    SHA256

    125fb4705cfac83508e1d61a7ebf88f8e358c350bd13be6e8180371e859291a2

    SHA512

    4683db9cd59a5fed6cd5d49c9e4d04c49143d4047a487ba8a0a553084b0b8401b84bb78e3287ad00819ad28273b7e42fd1b364effc4becbc2e4d3805e659f10a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    a71eba984c11237e3b7586e325ce0d75

    SHA1

    707781added728b21fc2831fe9abee848b0b0613

    SHA256

    125fb4705cfac83508e1d61a7ebf88f8e358c350bd13be6e8180371e859291a2

    SHA512

    4683db9cd59a5fed6cd5d49c9e4d04c49143d4047a487ba8a0a553084b0b8401b84bb78e3287ad00819ad28273b7e42fd1b364effc4becbc2e4d3805e659f10a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    a71eba984c11237e3b7586e325ce0d75

    SHA1

    707781added728b21fc2831fe9abee848b0b0613

    SHA256

    125fb4705cfac83508e1d61a7ebf88f8e358c350bd13be6e8180371e859291a2

    SHA512

    4683db9cd59a5fed6cd5d49c9e4d04c49143d4047a487ba8a0a553084b0b8401b84bb78e3287ad00819ad28273b7e42fd1b364effc4becbc2e4d3805e659f10a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

    Download Submit
  • \Users\Admin\AppData\Local\Temp\bibc\exrthati.pif
    Filesize

    1.1MB

    MD5

    c81409f51b6115a5513a4ee52ec94b1d

    SHA1

    97d49ccce31bf74c9dd1841b07a7a4ac4fe8dba1

    SHA256

    2957e77587a002d380031ac26da95e605fa18e2d23ae7a141595406652be6cd6

    SHA512

    cca20666de959cc0e49b7381d20a201c12b02db7bb1b0d2f6c3d0b51e02494567f615bd3205d1e1cbb08f658d8db552e22abe7ed079eba403889a4dcdabd21e9

    Download Submit
  • memory/480-241-0x0000000001D60000-0x0000000001DA0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/608-274-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/608-283-0x00000000002A0000-0x0000000000775000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/608-275-0x00000000002A0000-0x0000000000775000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/608-292-0x00000000002A0000-0x0000000000775000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/608-278-0x00000000002A0000-0x0000000000775000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/608-279-0x00000000002A0000-0x0000000000775000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/608-280-0x00000000002A0000-0x0000000000775000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/608-281-0x00000000002A0000-0x0000000000775000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/608-282-0x00000000002A0000-0x0000000000775000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/608-273-0x00000000002A0000-0x0000000000775000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/608-284-0x00000000002A0000-0x0000000000775000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/608-285-0x00000000002A0000-0x0000000000775000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/608-286-0x00000000002A0000-0x0000000000775000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/608-287-0x00000000002A0000-0x0000000000775000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/608-288-0x00000000002A0000-0x0000000000775000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/608-289-0x00000000002A0000-0x0000000000775000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/608-290-0x00000000002A0000-0x0000000000775000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/608-291-0x00000000002A0000-0x0000000000775000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/1612-269-0x0000000002700000-0x0000000002740000-memory.dmp
    Filesize

    256KB

    Download