Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    07-06-2023 19:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    14KB

  • MD5

    f503da8eee4e7cd822239110b488b08b

  • SHA1

    f122b5169aaf28a0906b16255cb0e4490dcfd62e

  • SHA256

    7874d15ca173ee419b69c1ac2cae4eb6f158a8c1285b9bff7e59af840bed251e

  • SHA512

    9fa6fa5e0e78ecf94125584074a094625b6e61cdc6c46f5ec102a42d6ef5bf32446b4b7789e27efd250eb4c49c9b9c6f05961058017bcedd73a6ac62fa16fb9e

  • SSDEEP

    384:N6P1J3MxbGglqBcpnHp//UeUB7Eb2eqJT:N6dkQBcLSB7Eb21t

Score
10/10
remcosremotehostrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

pekonomiana.duckdns.org:30491

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %Temp%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-EORWFM

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YY.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YY.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:844
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
          PID:1092
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          3⤵
            PID:1956
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\file.exe"
          2⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:468
          • C:\Windows\SysWOW64\choice.exe
            choice /C Y /N /D Y /T 1
            3⤵
              PID:1360

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YY.exe
          Filesize

          512KB

          MD5

          5a01a667c84893b0ab403b39b3c73b53

          SHA1

          61e797ce7faf1a6eca4038b29aac0364fb61fba9

          SHA256

          c296470f0a24955e74c6695312974b6f7b32b89147368e84804b47f76d5befa3

          SHA512

          6879d03950b1244f4272859fc3db645aabaa2543015808afeec556f5438be6fd9ab562125b421e160aa61c69342bf2a730cdc3715c0bfaf450c20470d10c9336

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YY.exe
          Filesize

          512KB

          MD5

          5a01a667c84893b0ab403b39b3c73b53

          SHA1

          61e797ce7faf1a6eca4038b29aac0364fb61fba9

          SHA256

          c296470f0a24955e74c6695312974b6f7b32b89147368e84804b47f76d5befa3

          SHA512

          6879d03950b1244f4272859fc3db645aabaa2543015808afeec556f5438be6fd9ab562125b421e160aa61c69342bf2a730cdc3715c0bfaf450c20470d10c9336

          Download Submit
        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YY.exe
          Filesize

          512KB

          MD5

          5a01a667c84893b0ab403b39b3c73b53

          SHA1

          61e797ce7faf1a6eca4038b29aac0364fb61fba9

          SHA256

          c296470f0a24955e74c6695312974b6f7b32b89147368e84804b47f76d5befa3

          SHA512

          6879d03950b1244f4272859fc3db645aabaa2543015808afeec556f5438be6fd9ab562125b421e160aa61c69342bf2a730cdc3715c0bfaf450c20470d10c9336

          Download Submit
        • memory/844-64-0x00000000001D0000-0x00000000001DC000-memory.dmp
          Filesize

          48KB

          Download
        • memory/844-66-0x000000001BE70000-0x000000001BEF0000-memory.dmp
          Filesize

          512KB

          Download
        • memory/844-62-0x0000000000220000-0x00000000002A4000-memory.dmp
          Filesize

          528KB

          Download
        • memory/844-63-0x0000000000850000-0x00000000008C4000-memory.dmp
          Filesize

          464KB

          Download
        • memory/1956-73-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1956-78-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1956-65-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1956-67-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1956-68-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1956-69-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1956-70-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1956-71-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1956-72-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1956-92-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1956-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1956-75-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1956-77-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1956-91-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1956-79-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1956-80-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1956-81-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1956-82-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1956-86-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1956-87-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1956-88-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1956-89-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/1956-90-0x0000000000400000-0x0000000000481000-memory.dmp
          Filesize

          516KB

          Download
        • memory/2020-55-0x0000000000500000-0x0000000000540000-memory.dmp
          Filesize

          256KB

          Download
        • memory/2020-54-0x0000000000E90000-0x0000000000E9A000-memory.dmp
          Filesize

          40KB

          Download