Overview

overview

10

Static

static

3

TransportL...DF.exe

windows7-x64

10

TransportL...DF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2023 16:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TransportLabel9884037820PDF.exe

  • Size

    1006KB

  • MD5

    61ccd4ff158c603bf2c7b959509a3fba

  • SHA1

    b7266740826165bb2bbd83cc57d68813979d596d

  • SHA256

    b6e31f72fbbe7445c891269043ec0ce2a5de5f68fa48f3d57e35d3614a22c2ea

  • SHA512

    8591a2857720245ba73da3c5ea7c0cb1c079194cf55dc7b6f99fc250e913108ac59866041d5956ba779dfaaf4c99b3c0eea7a4f964b72266c384ebc5fd57febc

  • SSDEEP

    24576:3E+gg3NfP6O/y0dkHxMmegCUHVn+2Vj1qnsKzHF:3LJ3NfP6O/rkHymeCHVnR1us

Score
10/10
remcoscryptedrat

Malware Config

Extracted

Family

remcos

Botnet

Crypted

C2

172.174.245.21:5400

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    noon.dat

  • keylog_flag

    false

  • keylog_path

    %UserProfile%

  • mouse_option

    false

  • mutex

    roooera-7Y8ORO

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TransportLabel9884037820PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\TransportLabel9884037820PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TransportLabel9884037820PDF.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2704
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VWrtNh.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2880
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VWrtNh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA313.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2228
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
        PID:2264

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpA313.tmp
      Filesize

      1KB

      MD5

      9fe3565627c65d1d6a2081ad739a7577

      SHA1

      110e30c2a3dadfc2a41f7b142d9815be97dba11a

      SHA256

      2a757ec17f569f5770eabdb499688ed0718ab5e32834fa73e9302a1c6144bca3

      SHA512

      b72823ae728e45cd85c17229bd6ce9f4523f726455fb8fabad29d07b1d47c81131b92c05ce7eb79e2c865f229961ffc3d1e76c8e9b0476560973a7cdfbaefac6

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CNEZ82W14GTO1MXS10XB.temp
      Filesize

      7KB

      MD5

      88ec18550e26a96a355746686042daf9

      SHA1

      b0fcae402794b0c1554b98d1181fee86c85ff59e

      SHA256

      ee2db08096a65215a7d4a97930158c1e450c917e59f6e309195ba214eeb62b01

      SHA512

      6065861c936f0e0e7dcf074fe35b25676593060d88c3f1389773eaaa014a35a4033f2a0f40c169e08fdf015226fd45b62c6a90b02a57bc7e72484ef554f00d15

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      88ec18550e26a96a355746686042daf9

      SHA1

      b0fcae402794b0c1554b98d1181fee86c85ff59e

      SHA256

      ee2db08096a65215a7d4a97930158c1e450c917e59f6e309195ba214eeb62b01

      SHA512

      6065861c936f0e0e7dcf074fe35b25676593060d88c3f1389773eaaa014a35a4033f2a0f40c169e08fdf015226fd45b62c6a90b02a57bc7e72484ef554f00d15

      Download Submit
    • memory/2264-28-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2264-23-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2264-25-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2264-26-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2264-27-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2264-32-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2264-31-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2264-19-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2264-20-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2264-21-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2264-22-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2264-47-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2264-24-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2576-1-0x00000000747B0000-0x0000000074E9E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2576-4-0x0000000000580000-0x0000000000588000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2576-2-0x0000000004C30000-0x0000000004C70000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2576-0-0x00000000008E0000-0x00000000009E2000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2576-30-0x00000000747B0000-0x0000000074E9E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2576-3-0x00000000002D0000-0x00000000002EA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2576-6-0x0000000005C10000-0x0000000005CCA000-memory.dmp
      Filesize

      744KB

      Download
    • memory/2576-5-0x00000000005A0000-0x00000000005AA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2704-36-0x000000006EAF0000-0x000000006F09B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2704-35-0x000000006EAF0000-0x000000006F09B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2704-42-0x00000000027A0000-0x00000000027E0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2704-39-0x00000000027A0000-0x00000000027E0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2704-43-0x000000006EAF0000-0x000000006F09B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2880-37-0x0000000002130000-0x0000000002170000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2880-40-0x0000000002130000-0x0000000002170000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2880-41-0x0000000002130000-0x0000000002170000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2880-38-0x000000006EAF0000-0x000000006F09B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2880-44-0x000000006EAF0000-0x000000006F09B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2880-34-0x000000006EAF0000-0x000000006F09B000-memory.dmp
      Filesize

      5.7MB

      Download