Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-06-2023 13:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    114KB

  • MD5

    53d4ab9c429de02b7efc94d7be3e6059

  • SHA1

    2dba6ac014c7115407fbd56e6367c3f57679404f

  • SHA256

    497181638d2830749115aff8751dfaddc201d4a9de50e731c7e999381575f714

  • SHA512

    a19570164b7bc47c6975b93835b408c80f7fed8a9874d398cf0227e2dd2c033d4e31f0bb332c800bab0f60073eec084a0bebac4abc6ba069aa3547c27c9622cb

  • SSDEEP

    3072:1toI3eJY6z2cQEjbCTb6TbEVDR2fxvPXj5:1aJJ9zpblEVDsvj5

Score
10/10
remcosremotehostrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

pekonomia.duckdns.org:30861

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-B0VP4N

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\H2.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\H2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4700
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
          PID:1564
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\file.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2248
        • C:\Windows\system32\choice.exe
          choice /C Y /N /D Y /T 1
          3⤵
            PID:3608

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\H2.exe
        Filesize

        590KB

        MD5

        200f70cceffbcc69815d125f1ca40fd8

        SHA1

        137dc1cd3b2b5662e93595a348115cef942ff394

        SHA256

        617c26fdcee79a9c0bf97456acaa65c691e7269866ad88aabf655330d2fc50bd

        SHA512

        a9a6f74090e777a027727f4a72c2b6b6235e73bfa07c1db78d8f7f912c9c7d92878b309de6d5413a373a19a3a2a69c2418194efd597a670b5b40fdba0954cafe

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\H2.exe
        Filesize

        590KB

        MD5

        200f70cceffbcc69815d125f1ca40fd8

        SHA1

        137dc1cd3b2b5662e93595a348115cef942ff394

        SHA256

        617c26fdcee79a9c0bf97456acaa65c691e7269866ad88aabf655330d2fc50bd

        SHA512

        a9a6f74090e777a027727f4a72c2b6b6235e73bfa07c1db78d8f7f912c9c7d92878b309de6d5413a373a19a3a2a69c2418194efd597a670b5b40fdba0954cafe

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\H2.exe
        Filesize

        590KB

        MD5

        200f70cceffbcc69815d125f1ca40fd8

        SHA1

        137dc1cd3b2b5662e93595a348115cef942ff394

        SHA256

        617c26fdcee79a9c0bf97456acaa65c691e7269866ad88aabf655330d2fc50bd

        SHA512

        a9a6f74090e777a027727f4a72c2b6b6235e73bfa07c1db78d8f7f912c9c7d92878b309de6d5413a373a19a3a2a69c2418194efd597a670b5b40fdba0954cafe

        Download Submit
      • memory/1564-155-0x0000000000400000-0x0000000000480000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1564-157-0x0000000000400000-0x0000000000480000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1564-170-0x0000000000400000-0x0000000000480000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1564-148-0x0000000000400000-0x0000000000480000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1564-150-0x0000000000400000-0x0000000000480000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1564-151-0x0000000000400000-0x0000000000480000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1564-152-0x0000000000400000-0x0000000000480000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1564-153-0x0000000000400000-0x0000000000480000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1564-154-0x0000000000400000-0x0000000000480000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1564-169-0x0000000000400000-0x0000000000480000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1564-156-0x0000000000400000-0x0000000000480000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1564-168-0x0000000000400000-0x0000000000480000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1564-160-0x0000000000400000-0x0000000000480000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1564-161-0x0000000000400000-0x0000000000480000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1564-162-0x0000000000400000-0x0000000000480000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1564-163-0x0000000000400000-0x0000000000480000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1564-165-0x0000000000400000-0x0000000000480000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1564-166-0x0000000000400000-0x0000000000480000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1564-167-0x0000000000400000-0x0000000000480000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2568-134-0x000001F179D80000-0x000001F179D90000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2568-133-0x000001F15F640000-0x000001F15F65C000-memory.dmp
        Filesize

        112KB

        Download
      • memory/4700-146-0x000001F1D17A0000-0x000001F1D1832000-memory.dmp
        Filesize

        584KB

        Download