Overview

overview

10

Static

static

1

on demand.exe

windows7-x64

10

on demand.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 06:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    on demand.exe

  • Size

    541KB

  • MD5

    a6ef3293f66f1f2d3ae7a368b60dc577

  • SHA1

    af2f768b813b8a05908ab2040551728427a7078a

  • SHA256

    cf9bbb8ecfcffe72f03f134197a9e6e58c405b6f0eba941bf079899d4411c5db

  • SHA512

    a0c03dc2f552c51552c8dfcb54b46757aeb0efc5160e1c82f91951c8e1ef3106b2609129f01eaab0cbf3eedbb350afde693749c14b38c1877df75b3deea5dd0d

  • SSDEEP

    12288:KYTv1iDSrrW+gEYdOobbP/x6Gc6OFGXF4ifMyyqBgD+J:KYTv1iOgGWlKF/K7gD+J

Score
10/10
remcosremotehostpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:55898

180.214.238.18:55898
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-08QBMU

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\on demand.exe
    "C:\Users\Admin\AppData\Local\Temp\on demand.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4484
    • C:\Users\Admin\AppData\Local\Temp\pghscxwgeb.exe
      "C:\Users\Admin\AppData\Local\Temp\pghscxwgeb.exe" C:\Users\Admin\AppData\Local\Temp\wvoxvopxjva.w
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\pghscxwgeb.exe
        "C:\Users\Admin\AppData\Local\Temp\pghscxwgeb.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    21978df572df6df7edcca865a577241a

    SHA1

    75d139bf92e2caa45df54cadc26b4b9b98b2865d

    SHA256

    d3f2b5a08193e3fcdb18ae3f03822d0d9472449c5695c1bb2bd8445c2a6596e4

    SHA512

    a7b6166e221e2d68cee16b327bb10b62be3542806de45fed4e2eaeef5a40351b162e4352db1b3c58252708881c27b84bebf503d158006c1c630f68b9416fa9f7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\pghscxwgeb.exe
    Filesize

    138KB

    MD5

    82334772e194ae5493a7dbb0659eaeda

    SHA1

    c3fd675eeabce7da7440e5675105239693b2bee7

    SHA256

    4dafd419d7527d71fa56c6c124b1da96ec108bd7685ff98e79d15ba122e04530

    SHA512

    766d3e8cf88d635fb78ef33613ef8d2926cc1a113613df9bf3f639ec5db394657aabe53e5d1b2ead6aa6ebcc4c1da1803992fa13bf6271e3f9628d6aadb228ed

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\pghscxwgeb.exe
    Filesize

    138KB

    MD5

    82334772e194ae5493a7dbb0659eaeda

    SHA1

    c3fd675eeabce7da7440e5675105239693b2bee7

    SHA256

    4dafd419d7527d71fa56c6c124b1da96ec108bd7685ff98e79d15ba122e04530

    SHA512

    766d3e8cf88d635fb78ef33613ef8d2926cc1a113613df9bf3f639ec5db394657aabe53e5d1b2ead6aa6ebcc4c1da1803992fa13bf6271e3f9628d6aadb228ed

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\pghscxwgeb.exe
    Filesize

    138KB

    MD5

    82334772e194ae5493a7dbb0659eaeda

    SHA1

    c3fd675eeabce7da7440e5675105239693b2bee7

    SHA256

    4dafd419d7527d71fa56c6c124b1da96ec108bd7685ff98e79d15ba122e04530

    SHA512

    766d3e8cf88d635fb78ef33613ef8d2926cc1a113613df9bf3f639ec5db394657aabe53e5d1b2ead6aa6ebcc4c1da1803992fa13bf6271e3f9628d6aadb228ed

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\wvoxvopxjva.w
    Filesize

    7KB

    MD5

    1f908367955b6d2238e2d5640f05177e

    SHA1

    b24c2f3c2dcdbbb8d5a74ea3db8349225f9ee926

    SHA256

    b8cb0a382514f8598ece81d01ed770a182420fe92f0049fbf0285668d8eca0ef

    SHA512

    88aa1bb3078471416cbbd511435896bcc064de414cdc7362d1f64070559f623c99597370d78503aff12f5da69113697a7a301471c14445bc76598c9a013532b7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xpwswdvofjr.bla
    Filesize

    496KB

    MD5

    54ecaf4f40b83a83f7667ab7016c7b5c

    SHA1

    a3d877d72f7b8986d196a9ee09c01e7c4a8df453

    SHA256

    58c07d62898690ecbb0ed26859c087ae7f22ee71f1973eaab4041a1a48754d82

    SHA512

    9ee717cce17da6f754330f660c94fb9cf7bf614f6a1715046acd5d001b660dace0d827831eb37938d48ac0b9b7a36098b5905467b63b77f6dc96e21cf30a9a82

    Download Submit
  • memory/1328-164-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-173-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-147-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-149-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-150-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-151-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-152-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-153-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-155-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-156-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-157-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-160-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-161-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-162-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-144-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-167-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-142-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-170-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-172-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-145-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-175-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-177-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-180-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-183-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-184-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-185-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-189-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-192-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-194-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-195-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-196-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-199-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-202-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-205-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-206-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-207-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1328-211-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download