Overview

overview

10

Static

static

1

617c26fdce...bd.exe

windows7-x64

10

617c26fdce...bd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2023 10:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    617c26fdcee79a9c0bf97456acaa65c691e7269866ad88aabf655330d2fc50bd.exe

  • Size

    590KB

  • MD5

    200f70cceffbcc69815d125f1ca40fd8

  • SHA1

    137dc1cd3b2b5662e93595a348115cef942ff394

  • SHA256

    617c26fdcee79a9c0bf97456acaa65c691e7269866ad88aabf655330d2fc50bd

  • SHA512

    a9a6f74090e777a027727f4a72c2b6b6235e73bfa07c1db78d8f7f912c9c7d92878b309de6d5413a373a19a3a2a69c2418194efd597a670b5b40fdba0954cafe

  • SSDEEP

    12288:P5S5QdJaSO35Y8y67puHSmNjYFnXgZDLfGxPRpCcPe+7We4:nJm5YgCNj4wlfGP4yJ7X4

Score
10/10
remcosremotehostcollectionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

pekonomia.duckdns.org:30861

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-B0VP4N

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Executes dropped EXE 2 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 4 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\617c26fdcee79a9c0bf97456acaa65c691e7269866ad88aabf655330d2fc50bd.exe
    "C:\Users\Admin\AppData\Local\Temp\617c26fdcee79a9c0bf97456acaa65c691e7269866ad88aabf655330d2fc50bd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3960
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4556
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\gpygnlvqutwadntstwnahgiwiodmey"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4548
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\jrdzndnsqboenbhwdhibsldnrvuvfjnjy"
        3⤵
          PID:2736
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\jrdzndnsqboenbhwdhibsldnrvuvfjnjy"
          3⤵
          • Accesses Microsoft Outlook accounts
          PID:664
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\tliro"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:8
        • C:\Users\Admin\AppData\Local\Temp\ori.exe
          "C:\Users\Admin\AppData\Local\Temp\ori.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4132
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c ping 127.0.0.1 -n 37 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\fsgdhfgjf\dgfshjk.exe,"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1704
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 37
              5⤵
              • Runs ping.exe
              PID:4296
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\fsgdhfgjf\dgfshjk.exe,"
              5⤵
              • Modifies WinLogon for persistence
              PID:760
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c ping 127.0.0.1 -n 49 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ori.exe" "C:\Users\Admin\AppData\Roaming\fsgdhfgjf\dgfshjk.exe" && ping 127.0.0.1 -n 49 > nul && "C:\Users\Admin\AppData\Roaming\fsgdhfgjf\dgfshjk.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4808
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 49
              5⤵
              • Runs ping.exe
              PID:844
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 49
              5⤵
              • Runs ping.exe
              PID:3604
            • C:\Users\Admin\AppData\Roaming\fsgdhfgjf\dgfshjk.exe
              "C:\Users\Admin\AppData\Roaming\fsgdhfgjf\dgfshjk.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:4508

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\gpygnlvqutwadntstwnahgiwiodmey
      Filesize

      4KB

      MD5

      7e7e8e77a909ae1ac11fb356c3430a5e

      SHA1

      ef6c5ac6efc7104809b00840dd24a8d74e706fd4

      SHA256

      d3e8da27af617990bdfcaef5c3617788a606ba5860967a679fa6d5279772a985

      SHA512

      fe6a8722197e4cd5f61ad7182c66f6cba60ada6ca482c12eefa184fb7cb509362142f1767cb89126bfa8caaa6ed087bfd0287aacbbb56dbaa9bc2245815b1bfb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ori.exe
      Filesize

      765KB

      MD5

      c6d43b7e399cdb8f37c3b920cd592b6b

      SHA1

      756c5d2d46bb796e7af63e53a7c00e747a65c5f9

      SHA256

      5f274df0116006f2ab64521860026e68ab2c9b980523d23997920a3e4a0693d5

      SHA512

      b827aae2673750b4392ae96e5c2f77da5ddc0841afbe4f1b8fe05bfef206871f8ff0b5ac64216f9363916d20a7ae326ba28849baa6215390d8b31883faed9c1c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ori.exe
      Filesize

      765KB

      MD5

      c6d43b7e399cdb8f37c3b920cd592b6b

      SHA1

      756c5d2d46bb796e7af63e53a7c00e747a65c5f9

      SHA256

      5f274df0116006f2ab64521860026e68ab2c9b980523d23997920a3e4a0693d5

      SHA512

      b827aae2673750b4392ae96e5c2f77da5ddc0841afbe4f1b8fe05bfef206871f8ff0b5ac64216f9363916d20a7ae326ba28849baa6215390d8b31883faed9c1c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ori.exe
      Filesize

      765KB

      MD5

      c6d43b7e399cdb8f37c3b920cd592b6b

      SHA1

      756c5d2d46bb796e7af63e53a7c00e747a65c5f9

      SHA256

      5f274df0116006f2ab64521860026e68ab2c9b980523d23997920a3e4a0693d5

      SHA512

      b827aae2673750b4392ae96e5c2f77da5ddc0841afbe4f1b8fe05bfef206871f8ff0b5ac64216f9363916d20a7ae326ba28849baa6215390d8b31883faed9c1c

      Download Submit
    • C:\Users\Admin\AppData\Roaming\fsgdhfgjf\dgfshjk.exe
      Filesize

      765KB

      MD5

      c6d43b7e399cdb8f37c3b920cd592b6b

      SHA1

      756c5d2d46bb796e7af63e53a7c00e747a65c5f9

      SHA256

      5f274df0116006f2ab64521860026e68ab2c9b980523d23997920a3e4a0693d5

      SHA512

      b827aae2673750b4392ae96e5c2f77da5ddc0841afbe4f1b8fe05bfef206871f8ff0b5ac64216f9363916d20a7ae326ba28849baa6215390d8b31883faed9c1c

      Download Submit
    • C:\Users\Admin\AppData\Roaming\fsgdhfgjf\dgfshjk.exe
      Filesize

      765KB

      MD5

      c6d43b7e399cdb8f37c3b920cd592b6b

      SHA1

      756c5d2d46bb796e7af63e53a7c00e747a65c5f9

      SHA256

      5f274df0116006f2ab64521860026e68ab2c9b980523d23997920a3e4a0693d5

      SHA512

      b827aae2673750b4392ae96e5c2f77da5ddc0841afbe4f1b8fe05bfef206871f8ff0b5ac64216f9363916d20a7ae326ba28849baa6215390d8b31883faed9c1c

      Download Submit
    • memory/8-160-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/8-152-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/8-159-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/8-158-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/664-164-0x0000000000400000-0x0000000000457000-memory.dmp
      Filesize

      348KB

      Download
    • memory/664-157-0x0000000000400000-0x0000000000457000-memory.dmp
      Filesize

      348KB

      Download
    • memory/664-153-0x0000000000400000-0x0000000000457000-memory.dmp
      Filesize

      348KB

      Download
    • memory/664-150-0x0000000000400000-0x0000000000457000-memory.dmp
      Filesize

      348KB

      Download
    • memory/3960-133-0x000001BF2A650000-0x000001BF2A6E2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4132-197-0x0000000005690000-0x00000000056A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4132-194-0x0000000005690000-0x00000000056A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4132-190-0x0000000005780000-0x000000000581C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4132-187-0x0000000005C90000-0x0000000006234000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4132-186-0x0000000000730000-0x00000000007F6000-memory.dmp
      Filesize

      792KB

      Download
    • memory/4132-191-0x0000000005690000-0x00000000056A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4132-192-0x0000000005620000-0x000000000562A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4132-188-0x00000000056E0000-0x0000000005772000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4132-202-0x0000000005690000-0x00000000056A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4132-195-0x0000000005690000-0x00000000056A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4132-196-0x0000000005690000-0x00000000056A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4132-199-0x0000000005690000-0x00000000056A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4132-198-0x0000000005690000-0x00000000056A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4508-215-0x00000000004D0000-0x0000000000596000-memory.dmp
      Filesize

      792KB

      Download
    • memory/4508-216-0x00000000055D0000-0x00000000055E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4508-217-0x00000000055D0000-0x00000000055E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4508-218-0x00000000055D0000-0x00000000055E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4548-148-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/4548-170-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/4548-165-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/4548-156-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/4548-154-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/4556-140-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-142-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-185-0x0000000010000000-0x0000000010019000-memory.dmp
      Filesize

      100KB

      Download
    • memory/4556-138-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-193-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-139-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-181-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-180-0x0000000010000000-0x0000000010019000-memory.dmp
      Filesize

      100KB

      Download
    • memory/4556-137-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-177-0x0000000010000000-0x0000000010019000-memory.dmp
      Filesize

      100KB

      Download
    • memory/4556-141-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-200-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-201-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-189-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-204-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-205-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-206-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-207-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-210-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-211-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-136-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-134-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-143-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-144-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-145-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download
    • memory/4556-147-0x0000000000400000-0x0000000000480000-memory.dmp
      Filesize

      512KB

      Download