Overview

overview

10

Static

static

3

ORDER#4510...fs.exe

windows7-x64

7

ORDER#4510...fs.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    91s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-02-2024 20:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe

  • Size

    789KB

  • MD5

    e2889893d75c1ea7bd8982274873b1b8

  • SHA1

    9ebedbf8146b9862503bf3c40239e169b09c67a7

  • SHA256

    5a30a9b801943074fc132f20ab5f77cc2c2bd95ccd76a535b3ad7e8fcf6d1cdd

  • SHA512

    a5c2fa4c73b885dd51cb07a227eb709805ec2d50c20be4f97f363f27dc2dd5377d4da9f695cd075287c50a619823082624a5f01838ae6dc126d4c51a70eb1275

  • SSDEEP

    24576:hMwhWpdsQpT6q3tmxUgxDEuZ9WI+spi9iCnqV+:hMweskT6q30x4uZ8dr9q4

Score
10/10
remcos2024collectionpersistenceratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

2024

C2

72.11.158.94:1604

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    vexplorers.exe

  • copy_folder

    vexplorers

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-800RNZ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe
    "C:\Users\Admin\AppData\Local\Temp\ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Users\Admin\AppData\Local\Temp\ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe
      "C:\Users\Admin\AppData\Local\Temp\ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:624
      • C:\ProgramData\vexplorers\vexplorers.exe
        "C:\ProgramData\vexplorers\vexplorers.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2412
        • C:\ProgramData\vexplorers\vexplorers.exe
          "C:\ProgramData\vexplorers\vexplorers.exe"
          4⤵
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:5084
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
              PID:3528
            • C:\ProgramData\vexplorers\vexplorers.exe
              C:\ProgramData\vexplorers\vexplorers.exe /stext "C:\Users\Admin\AppData\Local\Temp\ebkekhivroenunnxagbdatjzjnghoos"
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3436
            • C:\ProgramData\vexplorers\vexplorers.exe
              C:\ProgramData\vexplorers\vexplorers.exe /stext "C:\Users\Admin\AppData\Local\Temp\chftjoptdgmijhrlivocpppiizp"
              5⤵
              • Executes dropped EXE
              • Accesses Microsoft Outlook accounts
              PID:1048
            • C:\ProgramData\vexplorers\vexplorers.exe
              C:\ProgramData\vexplorers\vexplorers.exe /stext "C:\Users\Admin\AppData\Local\Temp\rfzbjweahyuehtdhzkbimcuz"
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1612
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1464
              5⤵
              • Program crash
              PID:412
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5084 -ip 5084
      1⤵
        PID:4828

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Email Collection

      1
      T1114

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\vexplorers\vexplorers.exe
        Filesize

        789KB

        MD5

        e2889893d75c1ea7bd8982274873b1b8

        SHA1

        9ebedbf8146b9862503bf3c40239e169b09c67a7

        SHA256

        5a30a9b801943074fc132f20ab5f77cc2c2bd95ccd76a535b3ad7e8fcf6d1cdd

        SHA512

        a5c2fa4c73b885dd51cb07a227eb709805ec2d50c20be4f97f363f27dc2dd5377d4da9f695cd075287c50a619823082624a5f01838ae6dc126d4c51a70eb1275

        Download Submit
      • C:\ProgramData\vexplorers\vexplorers.exe
        Filesize

        229KB

        MD5

        bb178123aceb34b00c9becaed82e4fb7

        SHA1

        52bc6bc45edbb5ac55f4f611d6d238864207aa77

        SHA256

        dbdbac3f03fd01ca15eb0ea61df0e4a13419bc7d518c87aa87c7a02d3c70bbac

        SHA512

        8b18791b06c6846d53e076330bcdac048ce6b18cbf6e0248c769fe6f00269b4eb63f5b2bfdfa847a542263dd97f9d01dc285ed76fde60048e501bef5afead991

        Download Submit
      • C:\ProgramData\vexplorers\vexplorers.exe
        Filesize

        271KB

        MD5

        e1290ab3ab25a216d078827b99bcc198

        SHA1

        d1651f6df852aaee522e9928f70b83e17bdf6405

        SHA256

        24c4afea6c87450490ec0129de6e8160f79794486864e782d1d8ece19808e1c3

        SHA512

        30bdb25f4c2c51cd120851f8f94000f9c5f4fe6947069b6b406f61212be4e7994eaf81d5162b724cd3296d6ae1ca4441a70a79b655c52449b4ca3ae4e679ca79

        Download Submit
      • C:\ProgramData\vexplorers\vexplorers.exe
        Filesize

        282KB

        MD5

        9923196bad7b3c85ece433901ce927a8

        SHA1

        244de842e35c083072b844a4004e61afb5790ca2

        SHA256

        653d592c0a68c9041d53a240c87dcabf2ebb6ae3e82dfac6cdca43c4017f8828

        SHA512

        86ca8a2cbe7786267f07b32b6f2356bc53fe452c2faf1eba72bd5c7068e72e2a59bfc9d63935341724725040bd38e458112eaeabc76e8ab2f8607cdab1171d0f

        Download Submit
      • C:\Users\Admin\AppData\Local\Petals\Retrousse\Whiffletrees\Elitedivisionen\Fortolde.Xyl
        Filesize

        227KB

        MD5

        934a13585e8f3caa531f139bfbcc1db2

        SHA1

        faccc849e76d81ff45f5660efcbc755c261ff2bf

        SHA256

        98b761f80f1aa385782662756b112087a9a800577f643b50a114a187fd4f6f55

        SHA512

        b5d52a6a6c8427041813c8336607ff3707a5e707a99d87d4cd058864d1161762bf44f136b3878967ebdf0eea7b09b73beb1081965431c403eda979968930c359

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Beleaguering\Opkogs.exe
        Filesize

        789KB

        MD5

        dec4253bf436c01e2fd66353a3ebe3e2

        SHA1

        04fb085611fa43af3e4683bf46d1f0fb35da98a4

        SHA256

        7ce6d64fdef2d053b7ec18a28ac710ab19f815f6b2e84acf49514c2859325039

        SHA512

        55b8484005880e3ada8412a83ca66f40f33ac8e312a00c2d6c7555055b46653233e133c74841a983a900c1085f1b69dcb3fd8881d7016714686a9b6292edcd32

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\nsv48B2.tmp\System.dll
        Filesize

        12KB

        MD5

        564bb0373067e1785cba7e4c24aab4bf

        SHA1

        7c9416a01d821b10b2eef97b80899d24014d6fc1

        SHA256

        7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

        SHA512

        22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\rfzbjweahyuehtdhzkbimcuz
        Filesize

        4KB

        MD5

        a53497fd7bf281f61d7d819a649c64bd

        SHA1

        580d201744bc94c3cf3cb922a79f8313b1011a93

        SHA256

        34f39f0ccb042a848a325458f619fc07b808653c0bebd8cde69d5f8428cfeec7

        SHA512

        1fcedb78352bf040a9a693e8389b9e81aa78f4995c6587b213ac57e813493f94bfa65b5d981e67dc32e59d861bb7c9f2f1d36892deee6d39b8371393b01f35dc

        Download Submit
      • C:\Windows\Fonts\snlig.ini
        Filesize

        43B

        MD5

        75285908e15263897f2fe77cc637ef6e

        SHA1

        cc5a707cae259834b2453a305af9453b7b7412ac

        SHA256

        6fc175d4186cfb67d46e22b277602aa3ec665ad44c9854e7bdaf0e5a25cefbc5

        SHA512

        e93afaa0772d9aa9a8d77e44473a5c58cf9f3b214b76d5ed94e08dbc2ae9ef3d67b470073b83c157318bfa67fb44e17833af313efe8ded28e07d55272eb4edb2

        Download Submit
      • memory/624-19-0x0000000077551000-0x0000000077671000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/624-37-0x0000000000490000-0x00000000016E4000-memory.dmp
        Filesize

        18.3MB

        Download
      • memory/624-27-0x0000000077551000-0x0000000077671000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/624-22-0x0000000000490000-0x00000000016E4000-memory.dmp
        Filesize

        18.3MB

        Download
      • memory/624-21-0x0000000000490000-0x00000000016E4000-memory.dmp
        Filesize

        18.3MB

        Download
      • memory/624-18-0x00000000775D8000-0x00000000775D9000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1048-77-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

        Download
      • memory/1048-81-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

        Download
      • memory/1048-68-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

        Download
      • memory/1048-87-0x0000000000400000-0x0000000000457000-memory.dmp
        Filesize

        348KB

        Download
      • memory/1612-78-0x0000000000400000-0x0000000000478000-memory.dmp
        Filesize

        480KB

        Download
      • memory/1612-66-0x0000000000400000-0x0000000000478000-memory.dmp
        Filesize

        480KB

        Download
      • memory/1612-92-0x0000000000400000-0x0000000000478000-memory.dmp
        Filesize

        480KB

        Download
      • memory/1612-72-0x0000000000400000-0x0000000000478000-memory.dmp
        Filesize

        480KB

        Download
      • memory/2412-52-0x0000000075080000-0x0000000075087000-memory.dmp
        Filesize

        28KB

        Download
      • memory/3044-17-0x0000000074240000-0x0000000074247000-memory.dmp
        Filesize

        28KB

        Download
      • memory/3044-16-0x0000000077551000-0x0000000077671000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/3436-89-0x0000000000400000-0x0000000000424000-memory.dmp
        Filesize

        144KB

        Download
      • memory/3436-86-0x0000000000400000-0x0000000000424000-memory.dmp
        Filesize

        144KB

        Download
      • memory/3436-80-0x0000000000400000-0x0000000000424000-memory.dmp
        Filesize

        144KB

        Download
      • memory/3436-73-0x0000000000400000-0x0000000000424000-memory.dmp
        Filesize

        144KB

        Download
      • memory/3528-61-0x0000000000400000-0x0000000000490000-memory.dmp
        Filesize

        576KB

        Download
      • memory/3528-64-0x0000000000400000-0x0000000000490000-memory.dmp
        Filesize

        576KB

        Download
      • memory/3528-63-0x0000000000400000-0x0000000000490000-memory.dmp
        Filesize

        576KB

        Download
      • memory/3528-100-0x0000000000400000-0x0000000000490000-memory.dmp
        Filesize

        576KB

        Download
      • memory/5084-57-0x0000000000490000-0x00000000016E4000-memory.dmp
        Filesize

        18.3MB

        Download
      • memory/5084-98-0x0000000036A20000-0x0000000036A39000-memory.dmp
        Filesize

        100KB

        Download
      • memory/5084-95-0x0000000036A20000-0x0000000036A39000-memory.dmp
        Filesize

        100KB

        Download
      • memory/5084-56-0x0000000000490000-0x00000000016E4000-memory.dmp
        Filesize

        18.3MB

        Download
      • memory/5084-99-0x0000000000490000-0x00000000016E4000-memory.dmp
        Filesize

        18.3MB

        Download