Overview

overview

10

Static

static

3

NEAS.NEAS0...JC.exe

windows7-x64

10

NEAS.NEAS0...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    113s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    21/10/2023, 18:02

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.NEAS015de283d33b7b246204fad78eaede87ab7939aaa34f035d59569aec3606747dexeexe_JC.exe

  • Size

    909KB

  • MD5

    1471855e22fc3165fffc6e371bc01feb

  • SHA1

    acd40870c767d6a4590b0ba5abe8cffad7651de5

  • SHA256

    015de283d33b7b246204fad78eaede87ab7939aaa34f035d59569aec3606747d

  • SHA512

    419f8b0cc930569d92bc7eb8150bb6d6503d290ade994f04ca2b24dbeec3cf13d0bf506fe123e7b03dd933cbb85864ba93a1535982e8fdbbe2edc8f00c467973

  • SSDEEP

    12288:OyQaMFM0Mvxv9pb4wWCr5RUggLg3pZgPBARN3qQ:Oyjv9Mwd7bcO4

Score
10/10
remcosindependencepersistencerat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Independence

C2

ascoitaliasasummer.duckdns.org:3030

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    Windows Sessions Start.exe

  • copy_folder

    Microsoft Media Session

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %WinDir%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    Windows Display

  • keylog_path

    %WinDir%

  • mouse_option

    false

  • mutex

    Windows Audio

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    Windows Sounds EndPoints

  • take_screenshot_option

    true

  • take_screenshot_time

    5

  • take_screenshot_title

    Username;password;proforma;invoice;notepad

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS015de283d33b7b246204fad78eaede87ab7939aaa34f035d59569aec3606747dexeexe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS015de283d33b7b246204fad78eaede87ab7939aaa34f035d59569aec3606747dexeexe_JC.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS015de283d33b7b246204fad78eaede87ab7939aaa34f035d59569aec3606747dexeexe_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS015de283d33b7b246204fad78eaede87ab7939aaa34f035d59569aec3606747dexeexe_JC.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\Windows\SysWOW64\PING.EXE
          PING 127.0.0.1 -n 2
          4⤵
          • Runs ping.exe
          PID:2428
        • C:\Windows\Microsoft Media Session\Windows Sessions Start.exe
          "C:\Windows\Microsoft Media Session\Windows Sessions Start.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2552
          • C:\Windows\Microsoft Media Session\Windows Sessions Start.exe
            "C:\Windows\Microsoft Media Session\Windows Sessions Start.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1316
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2792
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
                7⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2948
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2948 CREDAT:275457 /prefetch:2
                  8⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:1924

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\install.bat
          Filesize

          112B

          MD5

          40a998ff79f4402d4f33fea33d691229

          SHA1

          16719c08bf1008db7ae4cc7dcc32bc8a5c231102

          SHA256

          c301c55862e8ec3d976b511dafd63f73cde752d8a3fd67a1c893f2c072fb06b5

          SHA512

          d1d6ce31648d560007127f694df0ae18edc93d4a2bc12ff50771d6d21023c8a2f80acef95e27bb97be3f0cac986f7945adfcf68b15287022464b0d1092c99b98

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\install.bat
          Filesize

          112B

          MD5

          40a998ff79f4402d4f33fea33d691229

          SHA1

          16719c08bf1008db7ae4cc7dcc32bc8a5c231102

          SHA256

          c301c55862e8ec3d976b511dafd63f73cde752d8a3fd67a1c893f2c072fb06b5

          SHA512

          d1d6ce31648d560007127f694df0ae18edc93d4a2bc12ff50771d6d21023c8a2f80acef95e27bb97be3f0cac986f7945adfcf68b15287022464b0d1092c99b98

          Download Submit

        • C:\Windows\Microsoft Media Session\Windows Sessions Start.exe
          Filesize

          909KB

          MD5

          1471855e22fc3165fffc6e371bc01feb

          SHA1

          acd40870c767d6a4590b0ba5abe8cffad7651de5

          SHA256

          015de283d33b7b246204fad78eaede87ab7939aaa34f035d59569aec3606747d

          SHA512

          419f8b0cc930569d92bc7eb8150bb6d6503d290ade994f04ca2b24dbeec3cf13d0bf506fe123e7b03dd933cbb85864ba93a1535982e8fdbbe2edc8f00c467973

          Download Submit

        • C:\Windows\Microsoft Media Session\Windows Sessions Start.exe
          Filesize

          909KB

          MD5

          1471855e22fc3165fffc6e371bc01feb

          SHA1

          acd40870c767d6a4590b0ba5abe8cffad7651de5

          SHA256

          015de283d33b7b246204fad78eaede87ab7939aaa34f035d59569aec3606747d

          SHA512

          419f8b0cc930569d92bc7eb8150bb6d6503d290ade994f04ca2b24dbeec3cf13d0bf506fe123e7b03dd933cbb85864ba93a1535982e8fdbbe2edc8f00c467973

          Download Submit

        • C:\Windows\Microsoft Media Session\Windows Sessions Start.exe
          Filesize

          909KB

          MD5

          1471855e22fc3165fffc6e371bc01feb

          SHA1

          acd40870c767d6a4590b0ba5abe8cffad7651de5

          SHA256

          015de283d33b7b246204fad78eaede87ab7939aaa34f035d59569aec3606747d

          SHA512

          419f8b0cc930569d92bc7eb8150bb6d6503d290ade994f04ca2b24dbeec3cf13d0bf506fe123e7b03dd933cbb85864ba93a1535982e8fdbbe2edc8f00c467973

          Download Submit

        • \Windows\Microsoft Media Session\Windows Sessions Start.exe
          Filesize

          909KB

          MD5

          1471855e22fc3165fffc6e371bc01feb

          SHA1

          acd40870c767d6a4590b0ba5abe8cffad7651de5

          SHA256

          015de283d33b7b246204fad78eaede87ab7939aaa34f035d59569aec3606747d

          SHA512

          419f8b0cc930569d92bc7eb8150bb6d6503d290ade994f04ca2b24dbeec3cf13d0bf506fe123e7b03dd933cbb85864ba93a1535982e8fdbbe2edc8f00c467973

          Download Submit

        • memory/1316-55-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1316-53-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1316-52-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/1316-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2552-50-0x0000000074AD0000-0x00000000751BE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2552-37-0x0000000074AD0000-0x00000000751BE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2552-36-0x0000000000AB0000-0x0000000000B9A000-memory.dmp

          Filesize

          936KB

          Download

        • memory/2552-38-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2552-39-0x0000000074AD0000-0x00000000751BE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2552-40-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2624-9-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2624-19-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2624-18-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2624-31-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2624-16-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2624-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2624-13-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2624-12-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2624-11-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2624-10-0x0000000000400000-0x0000000000417000-memory.dmp

          Filesize

          92KB

          Download

        • memory/2792-54-0x0000000000400000-0x00000000004EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/2808-0-0x0000000074B20000-0x000000007520E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2808-8-0x0000000005030000-0x000000000508A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/2808-7-0x0000000000490000-0x00000000004A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2808-6-0x0000000000450000-0x000000000045C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2808-5-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2808-4-0x0000000074B20000-0x000000007520E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2808-3-0x0000000000470000-0x000000000048E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2808-2-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2808-23-0x0000000074B20000-0x000000007520E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2808-1-0x0000000000EE0000-0x0000000000FCA000-memory.dmp

          Filesize

          936KB

          Download