Analysis
- max time kernel: 148s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 05-06-2023 14:43
Static task: static1
Behavioral task: behavioral1
- Sample: 02102299.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 02102299.exe
- Resource: win10v2004-20230220-en
General
- Target: 02102299.exe
- Size: 426KB
- MD5: 3d5c45dfc5e4d5e92519baaa10eef55e
- SHA1: 4060970106372cca520182bd6767a372cb1d8881
- SHA256: 0b503c9f8f6f4879b48c019d31ac921f11d62ab469aa0fce0ac309aca525cde2
- SHA512: a02be1e1b1e3ad70208b781ce6f42e7d61ce275f7330acc834832831a1e7abdb89b06907fe39622649ab1dfa61a6631d147c36b14c7aeaa4dfaf1b671b5a3c8e
- SSDEEP: 12288:oSZkNErxea4TdsqFodI6Ck45qnHY4XfoYX:VZ6Eroa4vFNIPb
Malware Config
Extracted: remcos
- RemoteHost: 192.3.223.132:2404
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-JJJLWY
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  Processes: 02102299.exe, 02102299.exe
  description | ioc | process
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | 02102299.exe
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | 02102299.exe
- Loads dropped DLL (1 IoCs)
  Processes: 02102299.exe
  pid | process
  1716 | 02102299.exe
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  Processes: 02102299.exe
  pid | process
  1808 | 02102299.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: 02102299.exe, 02102299.exe
  pid | process
  1716 | 02102299.exe
  1808 | 02102299.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 02102299.exe
  description | pid | process | target process
  PID 1716 set thread context of 1808 | 1716 | 02102299.exe | 02102299.exe
- Drops file in Windows directory (2 IoCs)
  Processes: 02102299.exe
  description | ioc | process
  File opened for modification | C:\Windows\Ruellia\Tilgangsrettighederne\Scranny.Pat | 02102299.exe
  File opened for modification | C:\Windows\Fonts\Superdatamat18.ini | 02102299.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: 02102299.exe
  pid | process
  1716 | 02102299.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: 02102299.exe
  pid | process
  1808 | 02102299.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: 02102299.exe
  description | pid | process | target process
  PID 1716 wrote to memory of 1808 | 1716 | 02102299.exe | 02102299.exe (5 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\02102299.exe (PID 1716), command line: "C:\Users\Admin\AppData\Local\Temp\02102299.exe"
   - Checks QEMU agent file
   - Loads dropped DLL
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Drops file in Windows directory
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\02102299.exe (PID 1808, child of process 1), command line: "C:\Users\Admin\AppData\Local\Temp\02102299.exe"
   - Checks QEMU agent file
   - Suspicious use of NtCreateThreadExHideFromDebugger
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\remcos\logs.dat
  Filesize: 170B
  MD5: 7be20d15bdc4e3c95a53bfe80faeff7f
  SHA1: 9efbb84058f2294c7747dad29ce0f1392c4423be
  SHA256: 522191a4b08d4aa71ef71df25d76f3012d18d6e4df506527caf14d1637d0ef39
  SHA512: e8d368b2eb2e92a813c1a58a079541b72eb7fd21f08485d1510a5b8ae5cabdc99d01ae6bc18915bfaf374d652374e13cf265ef5b00bb07282c38ea6a1b46742c
- C:\Windows\Fonts\Superdatamat18.ini
  Filesize: 42B
  MD5: 0efb517a38bad656ca0827dbef67154b
  SHA1: 96c246f8d332e42f17ec5d63f73f319fe0c5fa8a
  SHA256: 2a51482adc1ee0a79bff2a3f5ac2e9e300478856ae83d129aceed76f0354926c
  SHA512: ecea23873e00adbcd2a0a839a6aaaee20bdfc5c72cd22b560564f8e894845a1c840d4d85643f0a3e09a054018273816c4b5d8a41828e3d9a324590d7293e9227
- \Users\Admin\AppData\Local\Temp\nsd24F0.tmp\System.dll
  Filesize: 11KB
  MD5: 375e8a08471dc6f85f3828488b1147b3
  SHA1: 1941484ac710fc301a7d31d6f1345e32a21546af
  SHA256: 4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78
  SHA512: 5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8
- memory/1716-17099-0x0000000003B00000-0x0000000005B94000-memory.dmp (Filesize: 32.6MB)
- memory/1716-17100-0x0000000003B00000-0x0000000005B94000-memory.dmp (Filesize: 32.6MB)
- memory/1808-17109-0x0000000001470000-0x0000000003504000-memory.dmp (Filesize: 32.6MB)
- memory/1808-17103-0x0000000000400000-0x0000000001462000-memory.dmp (Filesize: 16.4MB)
- memory/1808-17105-0x0000000000400000-0x0000000001462000-memory.dmp (Filesize: 16.4MB)
- memory/1808-17102-0x0000000001470000-0x0000000003504000-memory.dmp (Filesize: 32.6MB)
- memory/1808-17111-0x0000000001470000-0x0000000003504000-memory.dmp (Filesize: 32.6MB)
- memory/1808-17113-0x0000000000400000-0x0000000001462000-memory.dmp (Filesize: 16.4MB)
- memory/1808-17116-0x0000000000400000-0x0000000001462000-memory.dmp (Filesize: 16.4MB)
- memory/1808-17120-0x0000000000400000-0x0000000001462000-memory.dmp (Filesize: 16.4MB)
- memory/1808-17101-0x0000000000400000-0x0000000001462000-memory.dmp (Filesize: 16.4MB)
- memory/1808-17124-0x0000000000400000-0x0000000001462000-memory.dmp (Filesize: 16.4MB)
- memory/1808-17125-0x0000000000400000-0x0000000001462000-memory.dmp (Filesize: 16.4MB)
- memory/1808-17128-0x0000000000400000-0x0000000001462000-memory.dmp (Filesize: 16.4MB)
- memory/1808-17131-0x0000000000400000-0x0000000001462000-memory.dmp (Filesize: 16.4MB)