Overview

overview

10

Static

static

1

617c26fdce...bd.exe

windows7-x64

10

617c26fdce...bd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    05-06-2023 10:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    617c26fdcee79a9c0bf97456acaa65c691e7269866ad88aabf655330d2fc50bd.exe

  • Size

    590KB

  • MD5

    200f70cceffbcc69815d125f1ca40fd8

  • SHA1

    137dc1cd3b2b5662e93595a348115cef942ff394

  • SHA256

    617c26fdcee79a9c0bf97456acaa65c691e7269866ad88aabf655330d2fc50bd

  • SHA512

    a9a6f74090e777a027727f4a72c2b6b6235e73bfa07c1db78d8f7f912c9c7d92878b309de6d5413a373a19a3a2a69c2418194efd597a670b5b40fdba0954cafe

  • SSDEEP

    12288:P5S5QdJaSO35Y8y67puHSmNjYFnXgZDLfGxPRpCcPe+7We4:nJm5YgCNj4wlfGP4yJ7X4

Score
10/10
remcosremotehostcollectionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

pekonomia.duckdns.org:30861

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-B0VP4N

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 4 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 9 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 4 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\617c26fdcee79a9c0bf97456acaa65c691e7269866ad88aabf655330d2fc50bd.exe
    "C:\Users\Admin\AppData\Local\Temp\617c26fdcee79a9c0bf97456acaa65c691e7269866ad88aabf655330d2fc50bd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:916
      • C:\Users\Admin\AppData\Local\Temp\ori.exe
        "C:\Users\Admin\AppData\Local\Temp\ori.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:908
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\fsgdhfgjf\dgfshjk.exe,"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1348
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 35
            5⤵
            • Runs ping.exe
            PID:836
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\fsgdhfgjf\dgfshjk.exe,"
            5⤵
            • Modifies WinLogon for persistence
            PID:1616
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c ping 127.0.0.1 -n 42 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ori.exe" "C:\Users\Admin\AppData\Roaming\fsgdhfgjf\dgfshjk.exe" && ping 127.0.0.1 -n 42 > nul && "C:\Users\Admin\AppData\Roaming\fsgdhfgjf\dgfshjk.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1316
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 42
            5⤵
            • Runs ping.exe
            PID:1704
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 42
            5⤵
            • Runs ping.exe
            PID:1548
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\tjmluthhcjwaanqhh"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1884
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\wdrenmsjyrofkuelqbmn"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:1372
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\gfwonedcmzgknaapzlzotkao"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Remote System Discovery

1
T1018

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ori.exe
    Filesize

    765KB

    MD5

    c6d43b7e399cdb8f37c3b920cd592b6b

    SHA1

    756c5d2d46bb796e7af63e53a7c00e747a65c5f9

    SHA256

    5f274df0116006f2ab64521860026e68ab2c9b980523d23997920a3e4a0693d5

    SHA512

    b827aae2673750b4392ae96e5c2f77da5ddc0841afbe4f1b8fe05bfef206871f8ff0b5ac64216f9363916d20a7ae326ba28849baa6215390d8b31883faed9c1c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ori.exe
    Filesize

    765KB

    MD5

    c6d43b7e399cdb8f37c3b920cd592b6b

    SHA1

    756c5d2d46bb796e7af63e53a7c00e747a65c5f9

    SHA256

    5f274df0116006f2ab64521860026e68ab2c9b980523d23997920a3e4a0693d5

    SHA512

    b827aae2673750b4392ae96e5c2f77da5ddc0841afbe4f1b8fe05bfef206871f8ff0b5ac64216f9363916d20a7ae326ba28849baa6215390d8b31883faed9c1c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tjmluthhcjwaanqhh
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit
  • C:\Users\Admin\AppData\Roaming\fsgdhfgjf\dgfshjk.exe
    Filesize

    765KB

    MD5

    c6d43b7e399cdb8f37c3b920cd592b6b

    SHA1

    756c5d2d46bb796e7af63e53a7c00e747a65c5f9

    SHA256

    5f274df0116006f2ab64521860026e68ab2c9b980523d23997920a3e4a0693d5

    SHA512

    b827aae2673750b4392ae96e5c2f77da5ddc0841afbe4f1b8fe05bfef206871f8ff0b5ac64216f9363916d20a7ae326ba28849baa6215390d8b31883faed9c1c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\ori.exe
    Filesize

    765KB

    MD5

    c6d43b7e399cdb8f37c3b920cd592b6b

    SHA1

    756c5d2d46bb796e7af63e53a7c00e747a65c5f9

    SHA256

    5f274df0116006f2ab64521860026e68ab2c9b980523d23997920a3e4a0693d5

    SHA512

    b827aae2673750b4392ae96e5c2f77da5ddc0841afbe4f1b8fe05bfef206871f8ff0b5ac64216f9363916d20a7ae326ba28849baa6215390d8b31883faed9c1c

    Download Submit
  • memory/908-114-0x0000000004CA0000-0x0000000004CE0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/908-122-0x0000000004CA0000-0x0000000004CE0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/908-113-0x00000000005A0000-0x00000000005B8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/908-112-0x0000000000550000-0x000000000059A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/908-111-0x0000000004CA0000-0x0000000004CE0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/908-124-0x0000000004CA0000-0x0000000004CE0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/908-104-0x0000000000B00000-0x0000000000BC6000-memory.dmp
    Filesize

    792KB

    Download
  • memory/908-127-0x0000000004CA0000-0x0000000004CE0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/908-129-0x0000000004CA0000-0x0000000004CE0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/916-119-0x0000000010000000-0x0000000010019000-memory.dmp
    Filesize

    100KB

    Download
  • memory/916-130-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-71-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-72-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-73-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-74-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-75-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-77-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-69-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-68-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-67-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-85-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-137-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-136-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-133-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-132-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-131-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-121-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-56-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-128-0x0000000010000000-0x0000000010019000-memory.dmp
    Filesize

    100KB

    Download
  • memory/916-57-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-126-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-125-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-58-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-70-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-65-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-123-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/916-63-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-62-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-61-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-60-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/916-120-0x0000000010000000-0x0000000010019000-memory.dmp
    Filesize

    100KB

    Download
  • memory/916-116-0x0000000010000000-0x0000000010019000-memory.dmp
    Filesize

    100KB

    Download
  • memory/916-59-0x0000000000400000-0x0000000000480000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1372-103-0x0000000000400000-0x0000000000457000-memory.dmp
    Filesize

    348KB

    Download
  • memory/1372-90-0x0000000000400000-0x0000000000457000-memory.dmp
    Filesize

    348KB

    Download
  • memory/1372-115-0x0000000000400000-0x0000000000457000-memory.dmp
    Filesize

    348KB

    Download
  • memory/1372-98-0x0000000000400000-0x0000000000457000-memory.dmp
    Filesize

    348KB

    Download
  • memory/1372-101-0x0000000000400000-0x0000000000457000-memory.dmp
    Filesize

    348KB

    Download
  • memory/1456-54-0x0000000001010000-0x00000000010A2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1456-55-0x0000000000150000-0x000000000015C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1884-102-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1884-109-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1884-96-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1884-93-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1884-87-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1884-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2036-100-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/2036-99-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/2036-97-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/2036-94-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download