Overview

overview

10

Static

static

10

2744-28-0x...ry.exe

windows7-x64

10

2744-28-0x...ry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    30/08/2023, 06:04

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2744-28-0x0000000000400000-0x0000000000417000-memory.exe

  • Size

    92KB

  • MD5

    76cc8e284837cbf99ba063fdca261590

  • SHA1

    5713d6267f2ebb8d3b1ccd0e9349225011ae71af

  • SHA256

    fdbdb240f8a3257d858f92cb4d8019f89e951069f0b233a0b6c77acb38603ede

  • SHA512

    f3964eb9fcd0031311647ae999551af31a1c04380da02ba6cbf4d97aad7a3e8e23ec22fb4694ca0fdc7b5ba9c67dac6bce49021f51235ba2381dee6970587b52

  • SSDEEP

    1536:ohhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP6krl:uhzYTGWVvJ8f2v1TbPzuMsIFSHNThy+B

Score
10/10
remcosturk summerpersistencerat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Turk Summer

C2

ascoitaliasasummer.duckdns.org:4045

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    Windows Session Start.exe

  • copy_folder

    Microsoft Media Session

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %WinDir%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    Windows Display

  • keylog_path

    %WinDir%

  • mouse_option

    false

  • mutex

    Windows Audio

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    Windows Sound EndPoints

  • take_screenshot_option

    true

  • take_screenshot_time

    5

  • take_screenshot_title

    Username;password;proforma;invoice;notepad

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2744-28-0x0000000000400000-0x0000000000417000-memory.exe
    "C:\Users\Admin\AppData\Local\Temp\2744-28-0x0000000000400000-0x0000000000417000-memory.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:580
      • C:\Windows\SysWOW64\PING.EXE
        PING 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:2516
      • C:\Windows\Microsoft Media Session\Windows Session Start.exe
        "C:\Windows\Microsoft Media Session\Windows Session Start.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
          • Drops file in Windows directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:2940

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\install.bat
          Filesize

          111B

          MD5

          7fe5a8c6b904f70919d38c7170e201de

          SHA1

          68b95c26da83c89c1aaafe1337c42759fd99d4aa

          SHA256

          4b1774ffddb1debe67e8938724d2dc873b5a4e174735065935c13a1078c41fa4

          SHA512

          a6bfc1eeec4466d51375d025fcb082c799b008ad56dc073d0462604f5413d9499822fb61434a4b3773c530c3b756236eed0cf4f372699d8eb1eda99b29e291df

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\install.bat
          Filesize

          111B

          MD5

          7fe5a8c6b904f70919d38c7170e201de

          SHA1

          68b95c26da83c89c1aaafe1337c42759fd99d4aa

          SHA256

          4b1774ffddb1debe67e8938724d2dc873b5a4e174735065935c13a1078c41fa4

          SHA512

          a6bfc1eeec4466d51375d025fcb082c799b008ad56dc073d0462604f5413d9499822fb61434a4b3773c530c3b756236eed0cf4f372699d8eb1eda99b29e291df

          Download Submit

        • C:\Windows\Microsoft Media Session\Windows Session Start.exe
          Filesize

          92KB

          MD5

          76cc8e284837cbf99ba063fdca261590

          SHA1

          5713d6267f2ebb8d3b1ccd0e9349225011ae71af

          SHA256

          fdbdb240f8a3257d858f92cb4d8019f89e951069f0b233a0b6c77acb38603ede

          SHA512

          f3964eb9fcd0031311647ae999551af31a1c04380da02ba6cbf4d97aad7a3e8e23ec22fb4694ca0fdc7b5ba9c67dac6bce49021f51235ba2381dee6970587b52

          Download Submit

        • C:\Windows\Microsoft Media Session\Windows Session Start.exe
          Filesize

          92KB

          MD5

          76cc8e284837cbf99ba063fdca261590

          SHA1

          5713d6267f2ebb8d3b1ccd0e9349225011ae71af

          SHA256

          fdbdb240f8a3257d858f92cb4d8019f89e951069f0b233a0b6c77acb38603ede

          SHA512

          f3964eb9fcd0031311647ae999551af31a1c04380da02ba6cbf4d97aad7a3e8e23ec22fb4694ca0fdc7b5ba9c67dac6bce49021f51235ba2381dee6970587b52

          Download Submit

        • \Windows\Microsoft Media Session\Windows Session Start.exe
          Filesize

          92KB

          MD5

          76cc8e284837cbf99ba063fdca261590

          SHA1

          5713d6267f2ebb8d3b1ccd0e9349225011ae71af

          SHA256

          fdbdb240f8a3257d858f92cb4d8019f89e951069f0b233a0b6c77acb38603ede

          SHA512

          f3964eb9fcd0031311647ae999551af31a1c04380da02ba6cbf4d97aad7a3e8e23ec22fb4694ca0fdc7b5ba9c67dac6bce49021f51235ba2381dee6970587b52

          Download Submit

        • \Windows\Microsoft Media Session\Windows Session Start.exe
          Filesize

          92KB

          MD5

          76cc8e284837cbf99ba063fdca261590

          SHA1

          5713d6267f2ebb8d3b1ccd0e9349225011ae71af

          SHA256

          fdbdb240f8a3257d858f92cb4d8019f89e951069f0b233a0b6c77acb38603ede

          SHA512

          f3964eb9fcd0031311647ae999551af31a1c04380da02ba6cbf4d97aad7a3e8e23ec22fb4694ca0fdc7b5ba9c67dac6bce49021f51235ba2381dee6970587b52

          Download Submit

        • memory/2940-15-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download