Overview

overview

10

Static

static

3

INVO98765678000.exe

windows7-x64

10

INVO98765678000.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2023 06:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INVO98765678000.exe

  • Size

    656KB

  • MD5

    0058da743288cb67e15afbfcb0ab6e1a

  • SHA1

    99cde8486c006b735d1d5111d493303291a847fb

  • SHA256

    412c4f354965eb514a79001b512c70e8d36e1d443fe599aca0916893eab369ef

  • SHA512

    b0cb8a7279ad0e8e49b8b84738e009e93cc2e1e02a909ac88d929a374ff1e6aaa470c5226fcfe24969b4993a7d989a36432d948e1516635e32a1a79d1c06a966

  • SSDEEP

    12288:RaoPTJIU4nr5Kfe8tNCqrKgj65I9ra/Q/fGHAW3A79hRff/aY:RDPFv4nVB8tNCqmgj6Ua/Q/fL97f6Y

Score
10/10
remcosdollarpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

DOLLAR

C2

107.175.229.139:8087

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-UZXQ9B

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\INVO98765678000.exe
    "C:\Users\Admin\AppData\Local\Temp\INVO98765678000.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Users\Admin\AppData\Local\Temp\deaegyz.exe
      "C:\Users\Admin\AppData\Local\Temp\deaegyz.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Users\Admin\AppData\Local\Temp\deaegyz.exe
        "C:\Users\Admin\AppData\Local\Temp\deaegyz.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2744
        • \??\c:\program files (x86)\internet explorer\iexplore.exe
          "c:\program files (x86)\internet explorer\iexplore.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2688
          • \??\c:\program files (x86)\internet explorer\iexplore.exe
            "c:\program files (x86)\internet explorer\iexplore.exe"
            5⤵
              PID:2652
            • \??\c:\program files (x86)\internet explorer\iexplore.exe
              "c:\program files (x86)\internet explorer\iexplore.exe"
              5⤵
              • Suspicious use of SetWindowsHookEx
              PID:2472

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\remcos\logs.dat
      Filesize

      144B

      MD5

      22abe88125dfbcee091cc96210e2a094

      SHA1

      1b0433d0174398fb8b560230888c069ae4b438f0

      SHA256

      fa50212ce66e681cd0b11c0fad7f82a39dc50d759ccd02761098e1c7075fa781

      SHA512

      e5a3862048c56e7dbd503c89deda32ea8d9457d0e847c173ca4893dfe11754785530f0500e9343c30dd6002b6877638ce6644eb4877f2670e361367304e541bc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\midxwnqijin.ekx
      Filesize

      502KB

      MD5

      7d70dc74b5036e3ff3def409ea47f343

      SHA1

      28bbf40d20d3584e242f457656e21366fc224566

      SHA256

      320e5916c90f41b7405e1be314e9abbbe9fd3177874bbaf9748cc7261e794427

      SHA512

      9556bee30d7f45c94bb25443e4bf0ddfeda9e245fc6b95de6a03e17d11061956e132cbc8774c825b0197f9df4e12f300d406fb3007ce5f1374099b6036205160

      Download Submit

    • \Users\Admin\AppData\Local\Temp\deaegyz.exe
      Filesize

      478KB

      MD5

      49900e1a853294ac5e03deb77c041e08

      SHA1

      0c5b28c9caa6597dd4112772e973faad121aff55

      SHA256

      148662d819b02305d0eb2c78630e218985ce18529a3729ca1aa4d8926b75e5af

      SHA512

      34cb6dce4838bf1b6524e24082f133ceab731198f20af3296ae2103fbaf56e0940164208f17d7bf2593181ade88dd042e29e2fd44d5f4b929606013543b5daf8

      Download Submit

    • memory/2424-6-0x0000000000250000-0x0000000000252000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2472-41-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2472-34-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2472-74-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2472-73-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2472-58-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2472-57-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2472-50-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2472-27-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2472-28-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2472-29-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2472-31-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2472-32-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2472-33-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2472-49-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2472-35-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2472-36-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2472-38-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2472-42-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2688-24-0x0000000000400000-0x000000000047E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/2688-23-0x0000000000400000-0x000000000047E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/2688-19-0x0000000000400000-0x000000000047E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/2688-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2744-15-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2744-11-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2744-16-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2744-20-0x0000000000400000-0x0000000000482000-memory.dmp

      Filesize

      520KB

      Download