Overview

overview

10

Static

static

1

breakdown ...rt.exe

windows7-x64

7

breakdown ...rt.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-10-2023 01:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    breakdown confirmation dk transport.exe

  • Size

    331KB

  • MD5

    ffb5942257739fbfae0945ac0abff87d

  • SHA1

    a46905e807670eac4377a7d85d6be997bb369fa2

  • SHA256

    75a14fd568ca466ad9c8ec045fa133798dc93fbc96cfc93a27bee766460ef7b6

  • SHA512

    6f9a56532af9763fc7b2da78507485c511c5495438507ab70dfb1f649e4c130d005bc22790e8fed19313206f56a034c198702f69c7f06b8b3e23a117425b17d8

  • SSDEEP

    6144:0VGdx6xAZFn+coaljg+P6WHxYLMMAlbV0ZIwOkaMPuLOfu+dENnnbIAtdx4hj+x+:IyZFn+itXHx7MArgaVLOW+d8nbIA+kE

Score
10/10
remcoscryptedpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

Crypted

C2

ourt2949aslumes9.duckdns.org:2401

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    paqlgkfs.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    ourvbpld-RBN2WW

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\breakdown confirmation dk transport.exe
    "C:\Users\Admin\AppData\Local\Temp\breakdown confirmation dk transport.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Program Files (x86)\windows mail\wab.exe
      "C:\Users\Admin\AppData\Local\Temp\breakdown confirmation dk transport.exe"
      2⤵
      • Checks QEMU agent file
      • Adds Run key to start application
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetWindowsHookEx
      PID:4384

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nslEE1A.tmp\LangDLL.dll
    Filesize

    5KB

    MD5

    3dd80dff583544514eeb3a5ed851a519

    SHA1

    56f7324d9d4230c96d1963e7b3e02b05a6cf5c24

    SHA256

    86cff5eaca76c49f924cb123d242fdcfd45ab99c4b638d3b8f4a8cfb1970ab5b

    SHA512

    955f4df195b5d134449904e9020f80125cfb64d70d9482ff583451f3fcb10d15577ceac4180f71a96452d8478f6365160ab15731f9a79a494383087c9310fd1d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nslEE1A.tmp\LangDLL.dll
    Filesize

    5KB

    MD5

    3dd80dff583544514eeb3a5ed851a519

    SHA1

    56f7324d9d4230c96d1963e7b3e02b05a6cf5c24

    SHA256

    86cff5eaca76c49f924cb123d242fdcfd45ab99c4b638d3b8f4a8cfb1970ab5b

    SHA512

    955f4df195b5d134449904e9020f80125cfb64d70d9482ff583451f3fcb10d15577ceac4180f71a96452d8478f6365160ab15731f9a79a494383087c9310fd1d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nslEE1A.tmp\LangDLL.dll
    Filesize

    5KB

    MD5

    3dd80dff583544514eeb3a5ed851a519

    SHA1

    56f7324d9d4230c96d1963e7b3e02b05a6cf5c24

    SHA256

    86cff5eaca76c49f924cb123d242fdcfd45ab99c4b638d3b8f4a8cfb1970ab5b

    SHA512

    955f4df195b5d134449904e9020f80125cfb64d70d9482ff583451f3fcb10d15577ceac4180f71a96452d8478f6365160ab15731f9a79a494383087c9310fd1d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nslEE1A.tmp\LangDLL.dll
    Filesize

    5KB

    MD5

    3dd80dff583544514eeb3a5ed851a519

    SHA1

    56f7324d9d4230c96d1963e7b3e02b05a6cf5c24

    SHA256

    86cff5eaca76c49f924cb123d242fdcfd45ab99c4b638d3b8f4a8cfb1970ab5b

    SHA512

    955f4df195b5d134449904e9020f80125cfb64d70d9482ff583451f3fcb10d15577ceac4180f71a96452d8478f6365160ab15731f9a79a494383087c9310fd1d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nslEE1A.tmp\LangDLL.dll
    Filesize

    5KB

    MD5

    3dd80dff583544514eeb3a5ed851a519

    SHA1

    56f7324d9d4230c96d1963e7b3e02b05a6cf5c24

    SHA256

    86cff5eaca76c49f924cb123d242fdcfd45ab99c4b638d3b8f4a8cfb1970ab5b

    SHA512

    955f4df195b5d134449904e9020f80125cfb64d70d9482ff583451f3fcb10d15577ceac4180f71a96452d8478f6365160ab15731f9a79a494383087c9310fd1d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nslEE1A.tmp\LangDLL.dll
    Filesize

    5KB

    MD5

    3dd80dff583544514eeb3a5ed851a519

    SHA1

    56f7324d9d4230c96d1963e7b3e02b05a6cf5c24

    SHA256

    86cff5eaca76c49f924cb123d242fdcfd45ab99c4b638d3b8f4a8cfb1970ab5b

    SHA512

    955f4df195b5d134449904e9020f80125cfb64d70d9482ff583451f3fcb10d15577ceac4180f71a96452d8478f6365160ab15731f9a79a494383087c9310fd1d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nslEE1A.tmp\System.dll
    Filesize

    11KB

    MD5

    75ed96254fbf894e42058062b4b4f0d1

    SHA1

    996503f1383b49021eb3427bc28d13b5bbd11977

    SHA256

    a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

    SHA512

    58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nslEE1A.tmp\System.dll
    Filesize

    11KB

    MD5

    75ed96254fbf894e42058062b4b4f0d1

    SHA1

    996503f1383b49021eb3427bc28d13b5bbd11977

    SHA256

    a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

    SHA512

    58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nslEE1A.tmp\System.dll
    Filesize

    11KB

    MD5

    75ed96254fbf894e42058062b4b4f0d1

    SHA1

    996503f1383b49021eb3427bc28d13b5bbd11977

    SHA256

    a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

    SHA512

    58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

    Download Submit
  • memory/2336-28-0x0000000077AA1000-0x0000000077BC1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2336-29-0x0000000077AA1000-0x0000000077BC1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2336-30-0x0000000074780000-0x0000000074786000-memory.dmp
    Filesize

    24KB

    Download
  • memory/4384-31-0x0000000077B28000-0x0000000077B29000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4384-32-0x0000000077AA1000-0x0000000077BC1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/4384-37-0x0000000073280000-0x00000000744D4000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/4384-38-0x0000000000F30000-0x0000000004C21000-memory.dmp
    Filesize

    60.9MB

    Download
  • memory/4384-40-0x0000000073280000-0x00000000744D4000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/4384-41-0x0000000073280000-0x00000000744D4000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/4384-39-0x0000000000F30000-0x0000000004C21000-memory.dmp
    Filesize

    60.9MB

    Download
  • memory/4384-42-0x0000000073280000-0x00000000744D4000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/4384-43-0x0000000073280000-0x00000000744D4000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/4384-44-0x0000000073280000-0x00000000744D4000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/4384-45-0x0000000073280000-0x00000000744D4000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/4384-46-0x0000000073280000-0x00000000744D4000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/4384-47-0x0000000073280000-0x00000000744D4000-memory.dmp
    Filesize

    18.3MB

    Download
  • memory/4384-48-0x0000000073280000-0x00000000744D4000-memory.dmp
    Filesize

    18.3MB

    Download