Analysis
max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2023 17:55
Behavioral task: behavioral1
Sample: Remcos v4.9.3 Pro.exe
Resource: win7-20231023-en
General
Target: Remcos v4.9.3 Pro.exe
Size: 467KB
MD5: ccb5f97be3daefc9cdeaff2aec1ad323
SHA1: 3b561e66a88eb6072a363c1b9cc52d0a679c20e6
SHA256: f7284ed876aebbf3407d50fd6acdbd11adb75c31550c3034c1600f4eb4e61043
SHA512: c6716462e91b02b561ebe89418c3a36eea7dea6924ff6483cef6c834512123258706924cb8ec07040325522d41fe329659758b01f69bf6a17805599344f01180
SSDEEP: 6144:sXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZsAX4cNF5Gv:sX7tPMK8ctGe4Dzl4h2QnuPs/Zs0cv
Malware Config
Extracted
Family: remcos
Botnet: nulled
C2: essagbs.ddns.net:2404
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: svhost.exe
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
install_path: %WinDir%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: logs
mouse_option: false
mutex: ewaewefsefsefdseadwadf-21RLZF
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Three config fields account for most of the host activity recorded below: install_flag=true with install_path=%WinDir% and copy_file=svhost.exe gives the dropped C:\Windows\svhost.exe, and the mutex string is reused verbatim as the value name of every Run key the sample writes. Note that the filename is svhost.exe (one character short of the legitimate svchost.exe) and that it sits directly in C:\Windows, not in System32 or SysWOW64.
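The config above is enough to predict what a build with these settings leaves on a host, which is how the rest of this report can be cross-checked. The following Python is an added example, not part of the sandbox output or of Remcos itself: it expands the config fields into expected artifacts and reconciles them with the files and Run-key values this report recorded. The expansions of %WinDir% and %AppData% for the sandbox user Admin are assumptions, the observed lists are transcribed from the report, and the pairing "mutex string = Run value name" is taken from the registry IoCs on this page rather than from any Remcos documentation.

```python
import ntpath
import re

# Fields from the extracted config on this page (the subset that drives host artifacts).
REMCOS_CONFIG = {
    "c2": "essagbs.ddns.net:2404",
    "install_flag": "true",
    "install_path": "%WinDir%",
    "copy_file": "svhost.exe",
    "mutex": "ewaewefsefsefdseadwadf-21RLZF",
    "keylog_flag": "false",
    "keylog_folder": "logs",
    "keylog_file": "logs.dat",
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
}

# Assumed expansion of the environment variables for user "Admin" on the Win7 sandbox.
ENV = {"WinDir": r"C:\Windows", "AppData": r"C:\Users\Admin\AppData\Roaming"}

# Artifacts transcribed from this report (dropped files and Run-key values written).
OBSERVED_FILES = [
    r"C:\Windows\svhost.exe",
    r"C:\ProgramData\logs\logs.dat",
    r"C:\Users\Admin\AppData\Local\Temp\tzwwqbukn.vbs",
]
OBSERVED_RUN_VALUES = [
    (r"HKU\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "ewaewefsefsefdseadwadf-21RLZF", r'"C:\Windows\svhost.exe"'),
    (r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "ewaewefsefsefdseadwadf-21RLZF", r'"C:\Windows\svhost.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
     "ewaewefsefsefdseadwadf-21RLZF", r'"C:\Windows\svhost.exe"'),
]


def expand_env(path, env=ENV):
    """Expand %VAR% tokens the way the Windows shell would; unknown tokens are left intact."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def predict_artifacts(cfg, env=ENV):
    """Derive the on-host indicators a build with this config should leave behind."""
    host, _, port = cfg["c2"].rpartition(":")
    pred = {
        "c2": (host, int(port)),
        "install_exe": None,
        "run_value_name": None,
        "keylog_relpath": ntpath.join(cfg["keylog_folder"], cfg["keylog_file"]),
        "screenshot_dir": ntpath.join(expand_env(cfg["screenshot_path"], env), cfg["screenshot_folder"]),
    }
    if cfg["install_flag"] == "true":
        # Copy lands at install_path\copy_file; the mutex string becomes the Run value name
        # (that pairing is what the registry IoCs in this report show).
        pred["install_exe"] = ntpath.join(expand_env(cfg["install_path"], env), cfg["copy_file"])
        pred["run_value_name"] = cfg["mutex"]
    return pred


def reconcile(pred, files, run_values):
    """Match predicted artifacts against what the sandbox recorded and list the files the
    config does not account for (those deserve a closer look, e.g. the dropped .vbs)."""
    install = (pred["install_exe"] or "").lower()
    result = {"install_exe_dropped": False, "keylog_file": None,
              "unexplained_files": [], "run_values_ok": []}
    for f in files:
        if install and f.lower() == install:
            result["install_exe_dropped"] = True
        elif f.lower().endswith("\\" + pred["keylog_relpath"].lower()):
            result["keylog_file"] = f
        else:
            result["unexplained_files"].append(f)
    for _key, name, data in run_values:
        target = data.strip('"').lower()   # the logged data carries literal quotes
        result["run_values_ok"].append(name == pred["run_value_name"] and target == install)
    return result


if __name__ == "__main__":
    prediction = predict_artifacts(REMCOS_CONFIG)
    print(prediction)
    print(reconcile(prediction, OBSERVED_FILES, OBSERVED_RUN_VALUES))
```

Run against this report the reconciliation explains svhost.exe and logs.dat and leaves tzwwqbukn.vbs as the one file the config does not predict, which is exactly the artifact an analyst should open next. Note also that logs.dat was written even though keylog_flag is false.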
Signatures
-
UAC bypass 3 IoCs
Processes: reg.exe, reg.exe, reg.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
The value is written once by each stage of the chain (the original sample, the dropped C:\Windows\svhost.exe and the hollowed iexplore.exe), each time through cmd.exe /k reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f. EnableLUA=0 switches UAC off entirely rather than bypassing a single prompt; writing it under HKLM already requires an elevated token, and the change only takes effect at the next logon or reboot.
Adds policy Run key to start application 2 TTPs 6 IoCs
Processes: svhost.exe, iexplore.exe, Remcos v4.9.3 Pro.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" (svhost.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (iexplore.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" (iexplore.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (Remcos v4.9.3 Pro.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" (Remcos v4.9.3 Pro.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (svhost.exe)
Executes dropped EXE 1 IoCs
Processes: svhost.exe
- PID 3056 svhost.exe
Adds Run key to start application 2 TTPs 6 IoCs
Processes: iexplore.exe, Remcos v4.9.3 Pro.exe, svhost.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" (iexplore.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" (Remcos v4.9.3 Pro.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" (Remcos v4.9.3 Pro.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" (svhost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" (svhost.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\ewaewefsefsefdseadwadf-21RLZF = "\"C:\\Windows\\svhost.exe\"" (iexplore.exe)
Suspicious use of SetThreadContext 2 IoCs
Processes: svhost.exe, iexplore.exe
- PID 3056 svhost.exe set thread context of PID 616 iexplore.exe
- PID 616 iexplore.exe set thread context of PID 2324 svchost.exe
Drops file in Windows directory 3 IoCs
Processes: Remcos v4.9.3 Pro.exe, iexplore.exe
- File created C:\Windows\svhost.exe (Remcos v4.9.3 Pro.exe)
- File opened for modification C:\Windows\svhost.exe (Remcos v4.9.3 Pro.exe)
- File opened for modification C:\Windows\svhost.exe (iexplore.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 3 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes: svhost.exe, iexplore.exe
- PID 3056 svhost.exe
- PID 616 iexplore.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: iexplore.exe
- PID 616 iexplore.exe
Suspicious use of WriteProcessMemory 42 IoCs
Processes: Remcos v4.9.3 Pro.exe, svhost.exe, cmd.exe, cmd.exe, iexplore.exe, cmd.exe
Writes grouped by source -> target, with the number of logged WriteProcessMemory calls:
- PID 2040 Remcos v4.9.3 Pro.exe -> PID 2116 cmd.exe (4)
- PID 2040 Remcos v4.9.3 Pro.exe -> PID 3056 svhost.exe (4)
- PID 3056 svhost.exe -> PID 2088 cmd.exe (4)
- PID 2116 cmd.exe -> PID 2900 reg.exe (4)
- PID 3056 svhost.exe -> PID 616 iexplore.exe (5)
- PID 2088 cmd.exe -> PID 2612 reg.exe (4)
- PID 616 iexplore.exe -> PID 2720 cmd.exe (4)
- PID 2720 cmd.exe -> PID 2992 reg.exe (4)
- PID 616 iexplore.exe -> PID 2324 svchost.exe (5)
- PID 616 iexplore.exe -> PID 1088 WScript.exe (4)
The two targets that also receive SetThreadContext (iexplore.exe and svchost.exe) get five writes each against four for the ordinary cmd.exe, reg.exe and WScript.exe children, consistent with an image being written into the suspended child on top of the normal process start-up writes.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe (PID 2040)
Command line: "C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe"
- Adds policy Run key to start application
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\cmd.exe (PID 2116)
  Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\reg.exe (PID 2900)
    Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - UAC bypass
    - Modifies registry key
  -
  C:\Windows\svhost.exe (PID 3056)
  Command line: "C:\Windows\svhost.exe"
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\cmd.exe (PID 2088)
    Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - Suspicious use of WriteProcessMemory
    -
      C:\Windows\SysWOW64\reg.exe (PID 2612)
      Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - Modifies registry key
    -
    \??\c:\program files (x86)\internet explorer\iexplore.exe (PID 616)
    Command line: "c:\program files (x86)\internet explorer\iexplore.exe"
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    -
      C:\Windows\SysWOW64\cmd.exe (PID 2720)
      Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - Suspicious use of WriteProcessMemory
      -
        C:\Windows\SysWOW64\reg.exe (PID 2992)
        Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - UAC bypass
        - Modifies registry key
      -
      C:\Windows\SysWOW64\svchost.exe (PID 2324)
      Command line: svchost.exe
      -
      C:\Windows\SysWOW64\WScript.exe (PID 1088)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tzwwqbukn.vbs"
PIDs are taken from the WriteProcessMemory and SetThreadContext IoCs above; indentation shows parent/child depth. The command lines name System32 while the image paths resolve to SysWOW64: every process in the chain is 32-bit, so WoW64 file-system redirection applies. The chain is sample -> dropped copy (svhost.exe) -> hollowed iexplore.exe -> hollowed svchost.exe, with each stage re-running the EnableLUA write and a .vbs launched from the iexplore.exe stage.
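The signatures and process tree above point at four behaviours that are cheap to detect from ordinary endpoint telemetry: reg.exe writing EnableLUA=0, an autostart value whose target sits directly in C:\Windows, an image name one character away from a core system binary, and iexplore.exe/svchost.exe being started by parents that never launch them normally (the SetThreadContext hollowing chain). The following Python is an added example, not part of the sandbox report: it runs those four rules over constructed Sysmon-style events (event 1 = process create, event 13 = registry value set) transcribed from this report, plus two benign control events that must not fire. The parent of the original sample, the expected-parent table, the known-good name list and the 0.85 similarity threshold are assumptions.

```python
import difflib
import ntpath
import re

# Constructed events transcribed from this report's process tree and registry IoCs.
REMCOS = r"C:\Users\Admin\AppData\Local\Temp\Remcos v4.9.3 Pro.exe"
SVHOST = r"C:\Windows\svhost.exe"
IEXPLORE = r"c:\program files (x86)\internet explorer\iexplore.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"
UAC_ARGS = r"ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"


def proc(pid, image, parent, cmdline=""):
    return {"event": 1, "pid": pid, "image": image, "parent_image": parent, "cmdline": cmdline}


def regset(pid, image, target, details):
    return {"event": 13, "pid": pid, "image": image, "target": target, "details": details}


EVENTS = [
    proc(2040, REMCOS, r"C:\Windows\explorer.exe"),  # parent assumed; the report does not show it
    proc(2116, CMD, REMCOS, r"/k %windir%\System32\reg.exe " + UAC_ARGS),
    proc(2900, REG, CMD, r"C:\Windows\System32\reg.exe " + UAC_ARGS),
    proc(3056, SVHOST, REMCOS),
    proc(2612, REG, CMD, r"C:\Windows\System32\reg.exe " + UAC_ARGS),
    proc(616, IEXPLORE, SVHOST),
    proc(2992, REG, CMD, r"C:\Windows\System32\reg.exe " + UAC_ARGS),
    proc(2324, r"C:\Windows\SysWOW64\svchost.exe", IEXPLORE, "svchost.exe"),
    regset(3056, SVHOST, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ewaewefsefsefdseadwadf-21RLZF", '"' + SVHOST + '"'),
    regset(2040, REMCOS, r"HKU\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\ewaewefsefsefdseadwadf-21RLZF", '"' + SVHOST + '"'),
    # Benign controls (constructed): a real service host and a vendor updater's Run value.
    proc(500, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs"),
    regset(1234, r"C:\Program Files\Vendor\Updater.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", r'"C:\Program Files\Vendor\Updater.exe"'),
]

SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe"}
KNOWN_GOOD = SYSTEM_NAMES | {"iexplore.exe", "cmd.exe", "reg.exe", "wscript.exe"}  # assumed allowlist
# Assumed expected parents on Win7: iexplore.exe from the shell or itself, svchost.exe from the SCM.
EXPECTED_PARENTS = {"iexplore.exe": {"explorer.exe", "iexplore.exe"},
                    "svchost.exe": {"services.exe", "svchost.exe"}}
RUN_KEY_RE = re.compile(r"\\currentversion\\(policies\\explorer\\)?run\\", re.I)
UAC_OFF_RE = re.compile(r"policies\\system\b.*\benablelua\b.*/d\s+0\b", re.I)


def base(path):
    return ntpath.basename(path).lower()


def uac_disable_via_reg(ev):
    """reg.exe setting EnableLUA to 0 under Policies\\System (the 'UAC bypass' signature)."""
    return ev["event"] == 1 and base(ev["image"]) == "reg.exe" and bool(UAC_OFF_RE.search(ev["cmdline"]))


def run_key_into_windows_root(ev):
    """Run / Policies\\Explorer\\Run value whose target lives directly in C:\\Windows."""
    if ev["event"] != 13 or not RUN_KEY_RE.search(ev["target"]):
        return False
    return ntpath.dirname(ev["details"].strip('"')).lower() == r"c:\windows"


def lookalike_system_name(ev):
    """Image name not on the allowlist but near-identical to a core binary (svhost vs svchost)."""
    if ev["event"] != 1:
        return False
    name = base(ev["image"])
    if name in KNOWN_GOOD:
        return False
    return any(difflib.SequenceMatcher(None, name, s).ratio() >= 0.85 for s in SYSTEM_NAMES)


def unexpected_parent(ev):
    """A hollowing target (iexplore.exe, svchost.exe) launched by something other than its usual parent."""
    if ev["event"] != 1:
        return False
    expected = EXPECTED_PARENTS.get(base(ev["image"]))
    return expected is not None and base(ev["parent_image"]) not in expected


RULES = {fn.__name__: fn for fn in (uac_disable_via_reg, run_key_into_windows_root,
                                    lookalike_system_name, unexpected_parent)}


def run_rules(events):
    """Return (rule name, pid) for every event that matches a rule, in event order."""
    return [(name, ev["pid"]) for ev in events for name, fn in RULES.items() if fn(ev)]


if __name__ == "__main__":
    for rule, pid in run_rules(EVENTS):
        print(f"{rule:28s} PID {pid}")
```

The lookalike rule needs the allowlist: without it, iexplore.exe itself scores above the threshold against explorer.exe. The run-key rule keys on the directory, not the file name, so it also catches copies that do not reuse the svhost.exe name but keep install_path=%WinDir%.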
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Abuse Elevation Control Mechanism (T1548) 1: Bypass User Account Control (T1548.002) 1
- Boot or Logon Autostart Execution (T1547) 2: Registry Run Keys / Startup Folder (T1547.001) 2
Downloads
-
C:\ProgramData\logs\logs.dat
Filesize: 144B
MD5: d2e33ffe5bc444099a579c4460b730cf
SHA1: d0c39337d1402438616be8915f4421148f4c60f6
SHA256: 5b7b158297f985b3836870d4890cdd38be085dca02ad4248fbc13a2a3ba2be61
SHA512: 14dc3736d453a0bcec8675ce0f0eab2fdbf830a6952c40906c4b7f5eef5f66ffb6a2dc060c6f0924c6d5c1e0111e6dfff47d9d148377c5eea805205ed2ccc40c
Folder and file name match keylog_folder and keylog_file in the config; the file was written although keylog_flag is false.
-
C:\Users\Admin\AppData\Local\Temp\tzwwqbukn.vbs
Filesize: 404B
MD5: add5c07ccccb47a55d146baefa26ae14
SHA1: f4f673a17ff2d1ccf91ba8fab00c07869c07f1e7
SHA256: 3c57ff2c305b8048ce2569a62fe40c600c891a81cece9ee42f2f8310c0a83518
SHA512: 9786c6f0d60de49a417a194e77859427517a6819f450676a303226f793f108ae4f8345cfd2cb94ecd5a204d6592a81325c7d80a7a08b318a922621495ffa9261
Launched by WScript.exe from the iexplore.exe stage; nothing in the extracted config predicts this file.
-
C:\Windows\svhost.exe (listed three times with identical hashes; byte-identical to the submitted sample)
Filesize: 467KB
MD5: ccb5f97be3daefc9cdeaff2aec1ad323
SHA1: 3b561e66a88eb6072a363c1b9cc52d0a679c20e6
SHA256: f7284ed876aebbf3407d50fd6acdbd11adb75c31550c3034c1600f4eb4e61043
SHA512: c6716462e91b02b561ebe89418c3a36eea7dea6924ff6483cef6c834512123258706924cb8ec07040325522d41fe329659758b01f69bf6a17805599344f01180
-
memory/616 (iexplore.exe): 0x0000000000130000-0x00000000001AE000, 504KB, 26 dumps (sequence 10, 12, 13, 14, 16, 17, 18, 19, 24, 27, 28, 29, 32, 33, 34, 35, 37, 38, 42, 43, 44, 47, 49, 50, 51, 56)
-
memory/616 (iexplore.exe): 0x000000007EFDE000-0x000000007EFDF000, 4KB, 1 dump (sequence 8)
-
memory/2324 (svchost.exe): 0x0000000000130000-0x00000000001AE000, 504KB, 1 dump (sequence 26)
-
memory/2324 (svchost.exe): 0x000000007EFDE000-0x000000007EFDF000, 4KB, 1 dump (sequence 20)
The same 504KB region at base 0x130000 appears in both PID 616 and PID 2324, the two SetThreadContext targets above (svhost.exe -> iexplore.exe -> svchost.exe), so the dumps from either process should carry the same injected payload.
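The dump names above encode PID, dump sequence number and address range in a fixed scheme. The following Python is an added example, not part of the sandbox output: it parses that naming scheme, groups the dumps by region and flags any region that was dumped from more than one process, which is the cheapest way to spot a hollowing chain in a long dump list. The input list is transcribed from this report.

```python
import re
from collections import defaultdict

DUMP_NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Dump names transcribed from this report: 26 dumps of one region plus one 4KB page in
# iexplore.exe (PID 616), and the same two ranges once each in svchost.exe (PID 2324).
IMAGE_RANGE = "0x0000000000130000-0x00000000001AE000"
PAGE_RANGE = "0x000000007EFDE000-0x000000007EFDF000"
SEQ_616 = (28, 34, 14, 16, 17, 19, 18, 24, 56, 27, 12, 29, 32, 33, 13, 35, 37, 38, 42, 43, 44, 10, 47, 49, 50, 51)
DUMPS = [f"memory/616-{n}-{IMAGE_RANGE}-memory.dmp" for n in SEQ_616] + [
    f"memory/616-8-{PAGE_RANGE}-memory.dmp",
    f"memory/2324-26-{IMAGE_RANGE}-memory.dmp",
    f"memory/2324-20-{PAGE_RANGE}-memory.dmp",
]


def parse_dump_name(name):
    """Split a sandbox dump name into pid, sequence number and a page-aligned address range."""
    m = DUMP_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start or start % 0x1000 or end % 0x1000:
        raise ValueError(f"range is not a page-aligned, non-empty region: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def group_regions(names):
    """(pid, start, end) -> sorted sequence numbers of the dumps taken of that region."""
    regions = defaultdict(list)
    for name in names:
        d = parse_dump_name(name)
        regions[(d["pid"], d["start"], d["end"])].append(d["seq"])
    return {k: sorted(v) for k, v in regions.items()}


def shared_regions(regions):
    """Address ranges dumped from more than one PID: the same base and size in two processes
    is what a hollowing chain (A writes an image into B, B writes it into C) leaves behind."""
    pids_by_range = defaultdict(set)
    for pid, start, end in regions:
        pids_by_range[(start, end)].add(pid)
    return {r: sorted(p) for r, p in pids_by_range.items() if len(p) > 1}


def size_label(size):
    return f"{size // 1024}KB"


if __name__ == "__main__":
    regs = group_regions(DUMPS)
    for (pid, s, e), seqs in sorted(regs.items()):
        print(f"PID {pid}: 0x{s:X}-0x{e:X} {size_label(e - s)} dumps={seqs}")
    print("shared:", shared_regions(regs))
```

On this report's list the script reports both ranges (the 504KB region at 0x130000 and the 4KB page at 0x7EFDE000) as shared between PID 616 and PID 2324; the 504KB one is the candidate to carve and hash first, since one copy per process should be enough to compare.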