Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/02/2024, 02:22

General

  • Target

    3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

  • Size

    1.0MB

  • MD5

    e5d2981fd9c531b3cfb780cf781bac91

  • SHA1

    aaf7084c369138eb5588051eda8aec9aa3c4ac26

  • SHA256

    3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b

  • SHA512

    ec10e5de423564c17caac9e3c8a4ab2d1ed51882c9cfe145374d69e9f18382d7bd23d370f0389fb56c3b77073da11351978e803dc53c7135e618bbf0507be539

  • SSDEEP

    24576:Aazz87bccsW43UyDBU7RCFYK9i3iOpOnC+yqiQDi/DtS:AOz8732BdUCYK9i3X6CPqinDo

Malware Config

Extracted

Family

remcos

Botnet

P2-bin

C2

84.38.132.126:61445

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-ANE1CN

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 22 IoCs
  • Detects executables built or packed with MPress PE compressor 17 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers 2 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
    "C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2564
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bZurkfs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZurkfs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4386.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2824
    • C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
      "C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"
      2⤵
        PID:2948
      • C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
        "C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
          C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\wpokrvkrkibenajsbxsjzraqjceklyuu"
          3⤵
            PID:2604
          • C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
            C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\hjbc"
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1892
          • C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
            C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\mnizqczqwajrcunokmfiwmghiwmbk"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1772
          • C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
            C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\etcmpfayzvphlvygvxnxkktylbj"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2064
          • C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
            C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\ovifpxlsvdhuobmkmhaznxohmptoyl"
            3⤵
            • Accesses Microsoft Outlook accounts
            PID:2912
          • C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
            C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\ypnpqpvtjlzzypawvsnsyjayvwkxzvlqno"
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1368

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\ProgramData\remcos\logs.dat

              Filesize

              144B

              MD5

              88b695b331a218a4044e812c1d04177f

              SHA1

              0751d114a7d1727a6112b788843b34dcf287066c

              SHA256

              df4f359f83b6cee8f9d52070ec8376a5972c825dc30da3e6aa8f64863ff6c8b5

              SHA512

              64807a63d98683c8361b5549675c30dfefed93e8f61b2cabf06231027a3590ddb1b091ec9bd4530b9e1c1e9d57a2405ec9feaf15014220de8ab970434179b985

            • C:\Users\Admin\AppData\Local\Temp\etcmpfayzvphlvygvxnxkktylbj

              Filesize

              2B

              MD5

              f3b25701fe362ec84616a93a45ce9998

              SHA1

              d62636d8caec13f04e28442a0a6fa1afeb024bbb

              SHA256

              b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

              SHA512

              98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

            • C:\Users\Admin\AppData\Local\Temp\tmp4386.tmp

              Filesize

              1KB

              MD5

              6b3a22c6ef6bb30074e7e34c9703753d

              SHA1

              75e1f437d4dc2bcae9e1a7856d9436e2ac2b13d6

              SHA256

              5b52a128b8e24f54468a2784e64f4111b1a7cdd84aa5bb3b26b32a465beb9832

              SHA512

              6e0ca476e19ec30f091ed0e76f080ab8ae5f042d2fd6b027618d3f7aa464475049a8034cca8111b81db0f748a76b561270521c6efcbae26009dd00019c34cad7

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q8QW4X7VG38MJLMIWINX.temp

              Filesize

              7KB

              MD5

              045f2cdc02568bef0dbe2555a02a7f20

              SHA1

              232d33b6bdef34dde8374bf0a54de8f2a522dfd9

              SHA256

              2fa87f90d737bbe066787fb6bcadb8bcb51df2cb1ec774f9e3aab98046502618

              SHA512

              a5a471513e93eb9d71f81fd233b9fc7f91b646dcb0cc8226f69bd3dad9fadd50c4968448bbec91d4f98fb0434d40ee9ae180efe5a33e784178e4a33fce6ec932

            • memory/1368-116-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

            • memory/1772-75-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

            • memory/1772-67-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

            • memory/1772-95-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

            • memory/1772-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

              Filesize

              4KB

            • memory/1772-71-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

            • memory/1892-83-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

            • memory/1892-85-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

            • memory/1892-86-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

            • memory/1892-79-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

            • memory/2064-113-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

            • memory/2564-29-0x00000000029D0000-0x0000000002A10000-memory.dmp

              Filesize

              256KB

            • memory/2564-19-0x000000006F1F0000-0x000000006F79B000-memory.dmp

              Filesize

              5.7MB

            • memory/2564-31-0x00000000029D0000-0x0000000002A10000-memory.dmp

              Filesize

              256KB

            • memory/2564-37-0x000000006F1F0000-0x000000006F79B000-memory.dmp

              Filesize

              5.7MB

            • memory/2564-53-0x000000006F1F0000-0x000000006F79B000-memory.dmp

              Filesize

              5.7MB

            • memory/2564-23-0x00000000029D0000-0x0000000002A10000-memory.dmp

              Filesize

              256KB

            • memory/2604-72-0x0000000000400000-0x0000000000457000-memory.dmp

              Filesize

              348KB

            • memory/2604-81-0x0000000000400000-0x0000000000457000-memory.dmp

              Filesize

              348KB

            • memory/2604-76-0x0000000000400000-0x0000000000457000-memory.dmp

              Filesize

              348KB

            • memory/2720-26-0x000000006F1F0000-0x000000006F79B000-memory.dmp

              Filesize

              5.7MB

            • memory/2720-35-0x00000000029F0000-0x0000000002A30000-memory.dmp

              Filesize

              256KB

            • memory/2720-33-0x00000000029F0000-0x0000000002A30000-memory.dmp

              Filesize

              256KB

            • memory/2720-54-0x000000006F1F0000-0x000000006F79B000-memory.dmp

              Filesize

              5.7MB

            • memory/2720-27-0x00000000029F0000-0x0000000002A30000-memory.dmp

              Filesize

              256KB

            • memory/2720-21-0x000000006F1F0000-0x000000006F79B000-memory.dmp

              Filesize

              5.7MB

            • memory/2728-32-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-39-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-20-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-48-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-51-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-52-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-50-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-45-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-135-0x0000000010000000-0x0000000010019000-memory.dmp

              Filesize

              100KB

            • memory/2728-56-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-55-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-57-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-60-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-59-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-58-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-62-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-63-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-64-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-43-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-47-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

              Filesize

              4KB

            • memory/2728-128-0x0000000010000000-0x0000000010019000-memory.dmp

              Filesize

              100KB

            • memory/2728-38-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-36-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-34-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-129-0x0000000010000000-0x0000000010019000-memory.dmp

              Filesize

              100KB

            • memory/2728-28-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-24-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2728-125-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/2896-4-0x0000000000940000-0x000000000094A000-memory.dmp

              Filesize

              40KB

            • memory/2896-5-0x0000000000950000-0x000000000095E000-memory.dmp

              Filesize

              56KB

            • memory/2896-3-0x00000000005B0000-0x00000000005C4000-memory.dmp

              Filesize

              80KB

            • memory/2896-2-0x00000000071F0000-0x0000000007230000-memory.dmp

              Filesize

              256KB

            • memory/2896-6-0x0000000007130000-0x00000000071F6000-memory.dmp

              Filesize

              792KB

            • memory/2896-1-0x0000000074380000-0x0000000074A6E000-memory.dmp

              Filesize

              6.9MB

            • memory/2896-40-0x0000000074380000-0x0000000074A6E000-memory.dmp

              Filesize

              6.9MB

            • memory/2896-0-0x0000000000A80000-0x0000000000B8A000-memory.dmp

              Filesize

              1.0MB

            • memory/2896-46-0x0000000074380000-0x0000000074A6E000-memory.dmp

              Filesize

              6.9MB

            • memory/2912-130-0x0000000000400000-0x0000000000457000-memory.dmp

              Filesize

              348KB