Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/12/2023, 05:35

General

  • Target

    6a9957dd2a19a1bf4af05ca7be1694de.exe

  • Size

    268KB

  • MD5

    6a9957dd2a19a1bf4af05ca7be1694de

  • SHA1

    72c945a8acf762df42d5d5ae1a281a2e5c3d9196

  • SHA256

    17d18a7a41119c12455a644fefca70b4504db83e0122d6dc2652f46f98de8992

  • SHA512

    42076c0d76914a89e2785eddef8d5049ab8fd958cc363279e0fbb18b819684157d212c2f922502fa6a7e10471eda806b257e37b4712f389cb56eac94c69d5113

  • SSDEEP

    6144:7sGckEKnZ9WIUwBjbXB2PwpD1l0FxFAZAO4adb/oN:AGcbKnZkIUwBjV2PwpRzu6oN

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

185.157.162.241:1303

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-NT0JNG

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a9957dd2a19a1bf4af05ca7be1694de.exe
    "C:\Users\Admin\AppData\Local\Temp\6a9957dd2a19a1bf4af05ca7be1694de.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4448
    • C:\Users\Admin\AppData\Local\Temp\6a9957dd2a19a1bf4af05ca7be1694de.exe
      "C:\Users\Admin\AppData\Local\Temp\6a9957dd2a19a1bf4af05ca7be1694de.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4348
      • C:\ProgramData\Remcos\remcos.exe
        "C:\ProgramData\Remcos\remcos.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4704
        • C:\ProgramData\Remcos\remcos.exe
          "C:\ProgramData\Remcos\remcos.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          PID:1560

Network

        Downloads

        • C:\ProgramData\Remcos\remcos.exe

          Filesize

          268KB

          MD5

          6a9957dd2a19a1bf4af05ca7be1694de

          SHA1

          72c945a8acf762df42d5d5ae1a281a2e5c3d9196

          SHA256

          17d18a7a41119c12455a644fefca70b4504db83e0122d6dc2652f46f98de8992

          SHA512

          42076c0d76914a89e2785eddef8d5049ab8fd958cc363279e0fbb18b819684157d212c2f922502fa6a7e10471eda806b257e37b4712f389cb56eac94c69d5113

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JRPRPPGG\encrypt[1].bin

          Filesize

          483KB

          MD5

          9ff228d096ee65bf9d214b5793bde076

          SHA1

          1d388f9f9c9d1fe1db1f79948b959625a9ac33c1

          SHA256

          3f7f8b96bd1f1bf7d5ef5bd8c0fe2f6de28295be2514243fd903bab2165697cc

          SHA512

          ed6a9c7d3e38b621903bd269b6b64825db5e9224fb6e9972615b7db30c2b65959e0014073bc1335e6bdb5c68bbec3e4ab5d942c4217aa83033ff4bba6a6db62d

        • C:\Users\Public\vlkkqasyibgdtlsvhzbnyahry.bin

          Filesize

          483KB

          MD5

          9ff228d096ee65bf9d214b5793bde076

          SHA1

          1d388f9f9c9d1fe1db1f79948b959625a9ac33c1

          SHA256

          3f7f8b96bd1f1bf7d5ef5bd8c0fe2f6de28295be2514243fd903bab2165697cc

          SHA512

          ed6a9c7d3e38b621903bd269b6b64825db5e9224fb6e9972615b7db30c2b65959e0014073bc1335e6bdb5c68bbec3e4ab5d942c4217aa83033ff4bba6a6db62d

        • memory/1560-29-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

        • memory/1560-33-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

        • memory/1560-45-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

        • memory/1560-44-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

        • memory/1560-43-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

        • memory/1560-42-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

        • memory/1560-28-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

        • memory/1560-41-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

        • memory/1560-30-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

        • memory/1560-31-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

        • memory/1560-32-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

        • memory/1560-40-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

        • memory/1560-34-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

        • memory/1560-37-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

        • memory/1560-38-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

        • memory/1560-39-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

        • memory/4348-10-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

        • memory/4348-6-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

        • memory/4348-7-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

        • memory/4348-8-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

        • memory/4348-21-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

        • memory/4448-5-0x0000000003720000-0x0000000003723000-memory.dmp

          Filesize

          12KB