Overview

overview

10

Static

static

3

MEMQ098789009000.exe

windows7-x64

10

MEMQ098789009000.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-12-2023 14:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MEMQ098789009000.exe

  • Size

    433KB

  • MD5

    a8866d1129bde5e76d54062999935308

  • SHA1

    f96e8c5ca7c3369aea4e9286cc60c96455c0ef81

  • SHA256

    5ed2be2c358988a27a0973273b80c89f3e0cb808b654a2a09b91bcf5a38c46c7

  • SHA512

    bae3ab100553f6a57fa82e0b033a43e576992001fff62f6eea33d7441231bd07541cbb8f981214663a564fa73cd63c39555c4de28df0ce3c7f9e951c3ff4a3ef

  • SSDEEP

    6144:P8LxBsMBAsL9XYtikPb8G1XE2cr9oLN/JM+QlFM2y5FI6uRh41vhgyXKZK4gmn:BIzL9cjp0gNfNI63vhgyTmn

Score
10/10
remcosremotehostcollectionpersistenceratspywarestealerupx

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

107.175.229.139:8087

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-IZFV1M

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Executes dropped EXE 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MEMQ098789009000.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMQ098789009000.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Users\Admin\AppData\Local\Temp\rriyu.exe
      "C:\Users\Admin\AppData\Local\Temp\rriyu.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Users\Admin\AppData\Local\Temp\rriyu.exe
        "C:\Users\Admin\AppData\Local\Temp\rriyu.exe"
        3⤵
        • Executes dropped EXE
        PID:4748
      • C:\Users\Admin\AppData\Local\Temp\rriyu.exe
        "C:\Users\Admin\AppData\Local\Temp\rriyu.exe"
        3⤵
        • Executes dropped EXE
        PID:4872
      • C:\Users\Admin\AppData\Local\Temp\rriyu.exe
        "C:\Users\Admin\AppData\Local\Temp\rriyu.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1736
        • C:\Users\Admin\AppData\Local\Temp\rriyu.exe
          C:\Users\Admin\AppData\Local\Temp\rriyu.exe /stext "C:\Users\Admin\AppData\Local\Temp\hanszjcwwxqzwxnqiyeiqft"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:4976
        • C:\Users\Admin\AppData\Local\Temp\rriyu.exe
          C:\Users\Admin\AppData\Local\Temp\rriyu.exe /stext "C:\Users\Admin\AppData\Local\Temp\jcslabnqkfimgdjurjqkbkoqfz"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook accounts
          PID:4784
        • C:\Users\Admin\AppData\Local\Temp\rriyu.exe
          C:\Users\Admin\AppData\Local\Temp\rriyu.exe /stext "C:\Users\Admin\AppData\Local\Temp\uwyvbuysynarjsxgauddexihggbgj"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5016

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    ae5d2ddc5131d874c754c56d9de9771c

    SHA1

    b5b27d94bc8c4b3f03ff757328ad3aaa5a5efe65

    SHA256

    41108607b0ac0f884ffac20a2d22d4ba23ed46141e4f543fffcce66e34916429

    SHA512

    a2e23b924163c3f1e502435dd140d8c9d20ce759d0dc7c01c1df5f12f0c70cda8bd28e9e5f59aa7482516369f686b0d4b6405f5461e5d4ce9da7f3246c259fc0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\hanszjcwwxqzwxnqiyeiqft
    Filesize

    4KB

    MD5

    b645998a8fdd6743c0a095bc36ef4b74

    SHA1

    1181e110c9cfb632824da8794afcc3ef8b8de1c7

    SHA256

    7f375fd0c1bf3b4a39e12d3290a97a8dffd1b1d73bbaf3a276fc5d2c2757cdfe

    SHA512

    0e21cd5bd73ab7bd0fbb34fc0b22a7c19e753003b347602466898b7983b38db49037decca1e805b1a5913dacf1f3f72b6b369987c782f15d797848c64f6e98d7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rriyu.exe
    Filesize

    298KB

    MD5

    9ed7804f770de113fae310cdaf2be689

    SHA1

    f74338e68e4c0f7febf8d309ea9dc7bd6a07e03d

    SHA256

    78c6bf53430e1e759b0fbaa4ec19f896c8346c8685fc70aa42c41bd54d0e1f80

    SHA512

    02fbaa3cbbd16ca2c276738ecbc9cb0bbe77673e284debd7d5f5ab756e7dcf6155ae7df2f7a21c4dc91a31f8d1b13efa475c92b86ac49d3fc965565df99973d0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rriyu.exe
    Filesize

    256KB

    MD5

    e98a07d23b27e68944873bcc2c830c23

    SHA1

    1896ed30d667f73c4e0bc4e8cd21654ce5086964

    SHA256

    3fa9312a993d473c8eecbfce22f64a32e1d96dce446a73cc1e5d97aea0ccc7de

    SHA512

    c0244b2df122b07d87a5b12c92f68c422aac3283b14140a2f8cd02f605265b22bb9a2561d95f3a9ca4c73e931a74874a2e30fce0dccd71bcfcb840c171ce477c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\yrhrmxpett.dhv
    Filesize

    252KB

    MD5

    67caf834c6a2ed78267251636f70dd2c

    SHA1

    f95b6fda0c4677abd94b64fac823bebb9d138080

    SHA256

    0d29db7d340aad6e7a08bdf00f001d522bdc8af5ff740151850bb92af6db76c8

    SHA512

    b7a628c5fdbbe49dd6aadd0dffcc64539637826bffece61e3aaccf776fce276e75f2b9d5de8e22efb0f7399c8083da7acca1a0e6c9b62a5864621183d0087ee8

    Download Submit

  • memory/1736-62-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-15-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-14-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-97-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-16-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-18-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-19-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-20-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-21-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-22-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-23-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-24-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-26-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-89-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-88-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-81-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-80-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-72-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-69-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1736-65-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-96-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-13-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-63-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-10-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-60-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-12-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1736-54-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1736-58-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1736-57-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1736-59-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4784-30-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/4784-42-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/4784-49-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/4784-37-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/4796-5-0x0000000000D10000-0x0000000000D12000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4976-38-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4976-52-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4976-33-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4976-28-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/5016-43-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/5016-50-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/5016-35-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/5016-48-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download