Overview

overview

10

Static

static

3

TransportL...DF.exe

windows7-x64

10

TransportL...DF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2023 07:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TransportLabel_9884037820_PDF.exe

  • Size

    1006KB

  • MD5

    61ccd4ff158c603bf2c7b959509a3fba

  • SHA1

    b7266740826165bb2bbd83cc57d68813979d596d

  • SHA256

    b6e31f72fbbe7445c891269043ec0ce2a5de5f68fa48f3d57e35d3614a22c2ea

  • SHA512

    8591a2857720245ba73da3c5ea7c0cb1c079194cf55dc7b6f99fc250e913108ac59866041d5956ba779dfaaf4c99b3c0eea7a4f964b72266c384ebc5fd57febc

  • SSDEEP

    24576:3E+gg3NfP6O/y0dkHxMmegCUHVn+2Vj1qnsKzHF:3LJ3NfP6O/rkHymeCHVnR1us

Score
10/10
remcoscryptedrat

Malware Config

Extracted

Family

remcos

Botnet

Crypted

C2

172.174.245.21:5400

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    noon.dat

  • keylog_flag

    false

  • keylog_path

    %UserProfile%

  • mouse_option

    false

  • mutex

    roooera-7Y8ORO

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TransportLabel_9884037820_PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\TransportLabel_9884037820_PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TransportLabel_9884037820_PDF.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2672
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VWrtNh.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2848
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VWrtNh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp83B1.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2868
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:2604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1
T1064

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Scripting

1
T1064

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp83B1.tmp
    Filesize

    1KB

    MD5

    943f25424d2c8c07b25b8231b794cf63

    SHA1

    e8baa63bf939e1adfb3169caf3befdb030590f57

    SHA256

    8bd9506ec15cb1148088eddec373ea271a322e6008b4f57a2d5e96a9a90d62d0

    SHA512

    2ee5fdef010dd3f523535c68b666ab95ca2b43d1ce3b0fafb264c44da342e0adb76025d03e65d29a3e8396ca9e99242847bbeec47efdef5102bcd2abfb51481e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6OWSL4SKQDTXROBFS5MH.temp
    Filesize

    7KB

    MD5

    7e7493c51c54dd94cb728316be2a9214

    SHA1

    890b5ec6ee054d49f177d2936fedb46a75e55129

    SHA256

    ae58db23f0eba065b3d130dfbfa6e026ff1c4205c46063842fc4c53e1ff2b56d

    SHA512

    d93364012c2a2f7007503367326bf755b6d08aec7439b72fd9c53ab59026de4dcf4677dc66feab611ffdbca5b0d583362d8cdd4017f829f787ddf999a3bf76fa

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    7e7493c51c54dd94cb728316be2a9214

    SHA1

    890b5ec6ee054d49f177d2936fedb46a75e55129

    SHA256

    ae58db23f0eba065b3d130dfbfa6e026ff1c4205c46063842fc4c53e1ff2b56d

    SHA512

    d93364012c2a2f7007503367326bf755b6d08aec7439b72fd9c53ab59026de4dcf4677dc66feab611ffdbca5b0d583362d8cdd4017f829f787ddf999a3bf76fa

    Download Submit
  • memory/1212-39-0x00000000749D0000-0x00000000750BE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1212-0-0x00000000003C0000-0x00000000004C2000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1212-2-0x0000000004BE0000-0x0000000004C20000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1212-3-0x00000000008D0000-0x00000000008EA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1212-4-0x00000000008F0000-0x00000000008F8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1212-5-0x0000000000900000-0x000000000090A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1212-6-0x0000000005C10000-0x0000000005CCA000-memory.dmp
    Filesize

    744KB

    Download
  • memory/1212-1-0x00000000749D0000-0x00000000750BE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2604-52-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-49-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-25-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-27-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-29-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-31-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-33-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-35-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2604-36-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-21-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-38-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-66-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-65-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-40-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-45-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-64-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-63-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-23-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-47-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-62-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-61-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-60-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-19-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-59-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-58-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2604-57-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2672-53-0x000000006ED10000-0x000000006F2BB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2672-51-0x00000000025B0000-0x00000000025F0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2672-48-0x00000000025B0000-0x00000000025F0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2672-44-0x000000006ED10000-0x000000006F2BB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2672-41-0x000000006ED10000-0x000000006F2BB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2848-54-0x000000006ED10000-0x000000006F2BB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2848-50-0x0000000002690000-0x00000000026D0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2848-46-0x0000000002690000-0x00000000026D0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2848-43-0x000000006ED10000-0x000000006F2BB000-memory.dmp
    Filesize

    5.7MB

    Download