Overview

overview

10

Static

static

1

60793dd7cd...32.exe

windows7-x64

10

60793dd7cd...32.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    124s
  • max time network
    169s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    30-03-2023 20:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60793dd7cdaf080ab5ba21a3c1294e32.exe

  • Size

    1024.0MB

  • MD5

    932f4060cc31b4dbaffa1bb6d3991c20

  • SHA1

    989f4fb91c3a30a0789c0d61c1b8c5dad659747e

  • SHA256

    a40084ddc1d6655c2f78365a9ef6a9b81997cfa98a6f81c8d7dfe9619ef6b853

  • SHA512

    7bb952847d5bacff9275415ba02a6fbeb180d16b2ef23591a60f9fe302f51301d7c967af5eaa5dc9135ceb108cdf25afdf745a3875b5b0655924452d1f753ba5

  • SSDEEP

    6144:AxjCbYJafbpsBSM/HVFku/7AGLr5lw2H3SgoXraFjvVpQ+QW8uR3OoJWwvTTZlIY:+PozpsBzkuHPgDsvELuv7ZlIgCjIDF

Score
10/10
remcosbilleterat

Malware Config

Extracted

Family

remcos

Botnet

BILLETE

C2

cactus.con-ip.com:7770

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-9927QM

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60793dd7cdaf080ab5ba21a3c1294e32.exe
    "C:\Users\Admin\AppData\Local\Temp\60793dd7cdaf080ab5ba21a3c1294e32.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
        3⤵
        • Creates scheduled task(s)
        PID:1184
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\60793dd7cdaf080ab5ba21a3c1294e32.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"
      2⤵
        PID:1960
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Local\Temp\60793dd7cdaf080ab5ba21a3c1294e32.exe'"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1448
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1860
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {9083624B-AD2B-45C0-BE98-DB4B96168E6E} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Users\Admin\AppData\Roaming\AppData.exe
        C:\Users\Admin\AppData\Roaming\AppData.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1296
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1136
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
            4⤵
            • Creates scheduled task(s)
            PID:1696
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c copy "C:\Users\Admin\AppData\Roaming\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"
          3⤵
            PID:1892
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\AppData.exe'"
            3⤵
            • Drops file in System32 directory
            PID:1184
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
            3⤵
              PID:1752
          • C:\Users\Admin\AppData\Roaming\AppData.exe
            C:\Users\Admin\AppData\Roaming\AppData.exe
            2⤵
            • Executes dropped EXE
            PID:1060
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
              3⤵
                PID:1104
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\AppData.exe'" /f
                  4⤵
                  • Creates scheduled task(s)
                  PID:1696
              • C:\Windows\SysWOW64\cmd.exe
                "cmd" /c copy "C:\Users\Admin\AppData\Roaming\AppData.exe" "C:\Users\Admin\AppData\Roaming\AppData.exe"
                3⤵
                  PID:1552
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\Admin\AppData\Roaming\AppData.exe'"
                  3⤵
                    PID:1084
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                    3⤵
                      PID:392

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Scheduled Task

                1
                T1053

                Persistence

                Scheduled Task

                1
                T1053

                Privilege Escalation

                Scheduled Task

                1
                T1053

                Defense Evasion

                Credential Access

                Discovery

                System Information Discovery

                1
                T1082

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\ProgramData\remcos\logs.dat
                  Filesize

                  144B

                  MD5

                  e21ec18e775405cc3990b6fbfc339759

                  SHA1

                  a1701cd5ebe334688afa0abb8cdd04f92a5e8505

                  SHA256

                  ed63243b5e954d61d1679ba5b07e64e21622763818c0af820ed61fdbba61eeb3

                  SHA512

                  21a606aa9f31bca9e1520d37fe8459194fd060b65425af3f3dfb7538f5cb80bed07461bbbd64539b1e4ce90881d850aecf0857486d448ac5ca564673bd6679a7

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\AppData.exe
                  Filesize

                  395.1MB

                  MD5

                  6ab40ea5cfddfe9155bae4e276018e9d

                  SHA1

                  06279c2eaad27ca32e6bbe83604cd53efaa2283b

                  SHA256

                  dd59534d0f12668a45c0ef8c2cd600b1725945b6e4903aa2d03f0e25a968e996

                  SHA512

                  2159ca9705ab01216237e2ecf9a5a81faafe1532d70283d5fcd6bed7f71dbb8df40e911ab4d90cfd84e13f8f7b02bf2371edbe736c280759e5f1e91be7328e42

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\AppData.exe
                  Filesize

                  74.3MB

                  MD5

                  557e9e7425dc01bd5fd6b32e5e568f04

                  SHA1

                  0921195640c907ecf5774ec4e3a2c9da93d150d3

                  SHA256

                  6023dc8db3ab4bed6d39ee7402fb86e315816860e5c5ab3d4eceb3dc5cee8990

                  SHA512

                  0535d02dc71b00ddb03d2504a9ed4aa8babef7d87c9468317aefefa0d39a16c394bcbc3b148a0a9e4b2f9736f374f881fde06ef18c74e7a369390fc5070a32b6

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\AppData.exe
                  Filesize

                  399.6MB

                  MD5

                  da6b2fc403baab5c5c6935b1da09bfae

                  SHA1

                  b9d6f1f10abe81bbf0f1da382ef56bf4369461bc

                  SHA256

                  38b4b39b7dd31d615e7bcd9d9e5102d21ff3983ba4dcad41a404a7bdcead5571

                  SHA512

                  b7a27724f984129d8e0def99a59e6bf9bed6eea371b9116cdcacc11d119019b9d16070d2060e4420e906702537caf24c011afd69450e702b298d301a879d2358

                  Download Submit
                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                  Filesize

                  7KB

                  MD5

                  d6fce7724227ec312debe194b5ef0b28

                  SHA1

                  4cd8731ac7ce5ca7d887a69d706b72a7e2eb7c13

                  SHA256

                  591146b8ae2b95df75f0429eb05399668e9e255ea7e65bf3e9fea69d5bc9c1d9

                  SHA512

                  a0d721b38c396c07d607bdbcbaf411811fe27d812c09f4b4d833fe08996be1687e92b0d85b8798abf5aa198f68e19dc7574e339df15aebb11d055c94b8564691

                  Download Submit
                • \??\PIPE\srvsvc
                  MD5

                  d41d8cd98f00b204e9800998ecf8427e

                  SHA1

                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                  SHA256

                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                  SHA512

                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                  Download Submit
                • memory/392-161-0x0000000000400000-0x0000000000480000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1060-158-0x0000000004F60000-0x0000000004FA0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/1060-137-0x0000000001100000-0x0000000001232000-memory.dmp
                  Filesize

                  1.2MB

                  Download
                • memory/1120-59-0x0000000004F40000-0x0000000004F80000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/1120-54-0x0000000000880000-0x00000000009B2000-memory.dmp
                  Filesize

                  1.2MB

                  Download
                • memory/1296-108-0x0000000000AD0000-0x0000000000B10000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/1296-101-0x0000000000E90000-0x0000000000FC2000-memory.dmp
                  Filesize

                  1.2MB

                  Download
                • memory/1448-61-0x0000000002760000-0x00000000027A0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/1448-87-0x0000000002760000-0x00000000027A0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/1448-88-0x0000000002760000-0x00000000027A0000-memory.dmp
                  Filesize

                  256KB

                  Download
                • memory/1752-119-0x0000000000400000-0x0000000000480000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1752-116-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1752-123-0x0000000000400000-0x0000000000480000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-67-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1860-66-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-89-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-90-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-91-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-85-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-84-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-82-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-81-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-105-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-106-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-76-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-69-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-86-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-65-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-64-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-63-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-131-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-132-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-62-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-60-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-142-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-143-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-58-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download
                • memory/1860-57-0x0000000000080000-0x0000000000100000-memory.dmp
                  Filesize

                  512KB

                  Download