Overview

overview

10

Static

static

3

ungziped_file.exe

windows7-x64

10

ungziped_file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-01-2024 08:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ungziped_file.exe

  • Size

    2.0MB

  • MD5

    a478422522067fbb67b31099db6668bc

  • SHA1

    749000fbedbc419986a84bd437a5d53c84bd24e6

  • SHA256

    e60532b82799103e53b59fa601e202ede08fe446bd4e7cbf47e5fcbdd332ccc9

  • SHA512

    6f3eddad74ef3ae864c242fc5176a8dbaeb18da09aa1ba9143b96bc89da807c005e1fc25207a9907b91b5cf54275ffb5c5e78a362f6b422e9e1ee2ee049534eb

  • SSDEEP

    24576:bir4EZvZ42XYhAejzefbIWw6BtKjUq4J2Q+2RitBiuHoXMEb8rJ9Mgfmvj9:0W2XiHjzefbSQAPcuIY4mmb9

Score
10/10
remcoszgrat24persistenceratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

24

C2

162.218.122.24:5707

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-A49MY7

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Detect ZGRat V1 34 IoCs
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe
    "C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe
      C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe
      2⤵
        PID:1848
      • C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe
        C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4116
        • C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe
          C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe /stext "C:\Users\Admin\AppData\Local\Temp\meljtxnogixrshm"
          3⤵
            PID:4172
          • C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe
            C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe /stext "C:\Users\Admin\AppData\Local\Temp\meljtxnogixrshm"
            3⤵
              PID:536
            • C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe
              C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe /stext "C:\Users\Admin\AppData\Local\Temp\meljtxnogixrshm"
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:740
            • C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe
              C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe /stext "C:\Users\Admin\AppData\Local\Temp\oyqctqxicqpeuoayyw"
              3⤵
                PID:2220
              • C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe
                C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe /stext "C:\Users\Admin\AppData\Local\Temp\oyqctqxicqpeuoayyw"
                3⤵
                • Suspicious use of UnmapMainImage
                PID:3304
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 12
                  4⤵
                  • Program crash
                  PID:1564
              • C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe
                C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe /stext "C:\Users\Admin\AppData\Local\Temp\yavmuiijqyhjfcwchhkid"
                3⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2996
            • C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe
              C:\Users\Admin\AppData\Local\Temp\ungziped_file.exe
              2⤵
                PID:2884
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3304 -ip 3304
              1⤵
                PID:3504

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Persistence

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Privilege Escalation

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Defense Evasion

              Modify Registry

              1
              T1112

              Credential Access

              Unsecured Credentials

              1
              T1552

              Credentials In Files

              1
              T1552.001

              Discovery

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\meljtxnogixrshm
                Filesize

                4KB

                MD5

                a53497fd7bf281f61d7d819a649c64bd

                SHA1

                580d201744bc94c3cf3cb922a79f8313b1011a93

                SHA256

                34f39f0ccb042a848a325458f619fc07b808653c0bebd8cde69d5f8428cfeec7

                SHA512

                1fcedb78352bf040a9a693e8389b9e81aa78f4995c6587b213ac57e813493f94bfa65b5d981e67dc32e59d861bb7c9f2f1d36892deee6d39b8371393b01f35dc

                Download Submit
              • memory/740-971-0x0000000000400000-0x0000000000478000-memory.dmp
                Filesize

                480KB

                Download
              • memory/740-979-0x0000000000400000-0x0000000000478000-memory.dmp
                Filesize

                480KB

                Download
              • memory/2996-976-0x0000000000400000-0x0000000000424000-memory.dmp
                Filesize

                144KB

                Download
              • memory/2996-977-0x0000000000400000-0x0000000000424000-memory.dmp
                Filesize

                144KB

                Download
              • memory/4116-952-0x0000000000400000-0x0000000000482000-memory.dmp
                Filesize

                520KB

                Download
              • memory/4116-960-0x0000000000400000-0x0000000000482000-memory.dmp
                Filesize

                520KB

                Download
              • memory/4116-988-0x0000000010000000-0x0000000010019000-memory.dmp
                Filesize

                100KB

                Download
              • memory/5056-62-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-46-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-5-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-8-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-14-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-18-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-22-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-24-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-28-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-36-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-40-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-42-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-50-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-48-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-58-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-68-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-66-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-64-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-3-0x0000000004CF0000-0x0000000004DC6000-memory.dmp
                Filesize

                856KB

                Download
              • memory/5056-60-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-56-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-54-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-52-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-4-0x0000000004DD0000-0x0000000004EA8000-memory.dmp
                Filesize

                864KB

                Download
              • memory/5056-44-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-38-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-34-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-32-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-30-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-26-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-20-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-16-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-12-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-10-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-6-0x0000000004DD0000-0x0000000004EA1000-memory.dmp
                Filesize

                836KB

                Download
              • memory/5056-937-0x0000000004C80000-0x0000000004C81000-memory.dmp
                Filesize

                4KB

                Download
              • memory/5056-939-0x00000000051C0000-0x000000000520C000-memory.dmp
                Filesize

                304KB

                Download
              • memory/5056-938-0x0000000004EB0000-0x0000000004F20000-memory.dmp
                Filesize

                448KB

                Download
              • memory/5056-941-0x00000000053B0000-0x0000000005416000-memory.dmp
                Filesize

                408KB

                Download
              • memory/5056-2-0x0000000004CE0000-0x0000000004CF0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/5056-0-0x00000000000C0000-0x00000000002C0000-memory.dmp
                Filesize

                2.0MB

                Download
              • memory/5056-1-0x00000000750E0000-0x0000000075890000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/5056-940-0x0000000005310000-0x00000000053A2000-memory.dmp
                Filesize

                584KB

                Download
              • memory/5056-942-0x0000000005CE0000-0x0000000006284000-memory.dmp
                Filesize

                5.6MB

                Download
              • memory/5056-943-0x00000000750E0000-0x0000000075890000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/5056-944-0x0000000004CE0000-0x0000000004CF0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/5056-950-0x00000000750E0000-0x0000000075890000-memory.dmp
                Filesize

                7.7MB

                Download