Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/02/2024, 02:26

General

  • Target

    3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

  • Size

    1.0MB

  • MD5

    e5d2981fd9c531b3cfb780cf781bac91

  • SHA1

    aaf7084c369138eb5588051eda8aec9aa3c4ac26

  • SHA256

    3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b

  • SHA512

    ec10e5de423564c17caac9e3c8a4ab2d1ed51882c9cfe145374d69e9f18382d7bd23d370f0389fb56c3b77073da11351978e803dc53c7135e618bbf0507be539

  • SSDEEP

    24576:Aazz87bccsW43UyDBU7RCFYK9i3iOpOnC+yqiQDi/DtS:AOz8732BdUCYK9i3X6CPqinDo

Malware Config

Extracted

Family

remcos

Botnet

P2-bin

C2

84.38.132.126:61445

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-ANE1CN

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 27 IoCs
  • Detects executables built or packed with MPress PE compressor 14 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers 2 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
    "C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3852
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bZurkfs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4820
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bZurkfs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8194.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3376
    • C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
      "C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4588
      • C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
        C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\yvthuxygzo"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4828
      • C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
        C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\krmsviucjfopznjx"
        3⤵
        • Suspicious use of UnmapMainImage
        PID:2064
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 12
          4⤵
          • Program crash
          PID:396
      • C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
        C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\krmsviucjfopznjx"
        3⤵
          PID:4292
        • C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe
          C:\Users\Admin\AppData\Local\Temp\3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe /stext "C:\Users\Admin\AppData\Local\Temp\ixhavqjinwwkp"
          3⤵
          • Accesses Microsoft Outlook accounts
          PID:908
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2064 -ip 2064
      1⤵
        PID:940

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\ProgramData\remcos\logs.dat

              Filesize

              144B

              MD5

              a3c2ac35ea85dd5e2323f6bf69d36c5f

              SHA1

              cf0555b7629c45a8200a4e731e7f244f10b4c852

              SHA256

              67cabbb16aa3c94ba08c3d17c7eed1b54f441f755726219db1ccf5cc56f0e748

              SHA512

              87f256ea231beb5dbac1f3fd2125df7355413d6d54eb4e8d19980060e2d6b524a29a2ac645525974c034a59e52e7f24696615029c4313b7566a3021163c5d6f5

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

              Filesize

              2KB

              MD5

              968cb9309758126772781b83adb8a28f

              SHA1

              8da30e71accf186b2ba11da1797cf67f8f78b47c

              SHA256

              92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

              SHA512

              4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              18KB

              MD5

              4250204131d58b738f28c4d96cd47e3f

              SHA1

              874c1e6d46b92be555d64453ab806e0049d2f35d

              SHA256

              453bd4187d52b9dea455476acef0096518fe9d060a98cbc15b048707725f9b9d

              SHA512

              0246e84a760b395b01968df0b095edf27d2864a3d4c74c745bb33045a14c0cf6e4e6e1a56ee16fffd3da4b04310789cbe6a9af09de15871a9170350cb4307c3a

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j1b0z3o5.ywf.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • C:\Users\Admin\AppData\Local\Temp\tmp8194.tmp

              Filesize

              1KB

              MD5

              7c80bcb6895d24aaa625a39ce99b769e

              SHA1

              41a615ae2b4f7c2d33c4f177e1b2ae79b5fed5fd

              SHA256

              657c33187ff4076b7bde2a6ceffd3c4828705b46911c0b4157a271b173ea4b99

              SHA512

              11e76a84a9a617227e1d4436c975c39e0de438dee42cc3bc78445cff4a7b2356e21eb1d5e816e0a5bea61ad75a694cb2dac285ad93fa895e2555c224a486652f

            • C:\Users\Admin\AppData\Local\Temp\yvthuxygzo

              Filesize

              4KB

              MD5

              636c8230de66506aa2bdb3deee259503

              SHA1

              244299ce9ed66e9bed0c458c28fa3c417eeabdee

              SHA256

              98e7ebb0441c43ba079892f7fd1e9c1360d9d0e6d37575e452944fa0b08638d4

              SHA512

              fb5756dc8c9726be7b7629230ca5cf12c59f7d01225b9b73f08953bd02087bef10e1d2cdb6ed717776d683bd5ce523a069a6ab081992839a238056d57fc4eb6e

            • memory/908-110-0x0000000000400000-0x0000000000457000-memory.dmp

              Filesize

              348KB

            • memory/908-115-0x0000000000400000-0x0000000000457000-memory.dmp

              Filesize

              348KB

            • memory/908-123-0x0000000000400000-0x0000000000457000-memory.dmp

              Filesize

              348KB

            • memory/908-124-0x0000000000400000-0x0000000000457000-memory.dmp

              Filesize

              348KB

            • memory/2064-117-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

            • memory/3036-9-0x000000000A680000-0x000000000A68E000-memory.dmp

              Filesize

              56KB

            • memory/3036-8-0x000000000A670000-0x000000000A67A000-memory.dmp

              Filesize

              40KB

            • memory/3036-10-0x000000000A770000-0x000000000A836000-memory.dmp

              Filesize

              792KB

            • memory/3036-7-0x000000000A280000-0x000000000A294000-memory.dmp

              Filesize

              80KB

            • memory/3036-6-0x000000000A330000-0x000000000A3CC000-memory.dmp

              Filesize

              624KB

            • memory/3036-21-0x0000000074A00000-0x00000000751B0000-memory.dmp

              Filesize

              7.7MB

            • memory/3036-5-0x0000000007880000-0x000000000788A000-memory.dmp

              Filesize

              40KB

            • memory/3036-4-0x0000000007AB0000-0x0000000007AC0000-memory.dmp

              Filesize

              64KB

            • memory/3036-51-0x0000000074A00000-0x00000000751B0000-memory.dmp

              Filesize

              7.7MB

            • memory/3036-3-0x00000000078D0000-0x0000000007962000-memory.dmp

              Filesize

              584KB

            • memory/3036-2-0x0000000007DE0000-0x0000000008384000-memory.dmp

              Filesize

              5.6MB

            • memory/3036-0-0x0000000074A00000-0x00000000751B0000-memory.dmp

              Filesize

              7.7MB

            • memory/3036-1-0x00000000008A0000-0x00000000009AA000-memory.dmp

              Filesize

              1.0MB

            • memory/3852-26-0x00000000055F0000-0x0000000005656000-memory.dmp

              Filesize

              408KB

            • memory/3852-90-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

              Filesize

              64KB

            • memory/3852-15-0x0000000002440000-0x0000000002476000-memory.dmp

              Filesize

              216KB

            • memory/3852-43-0x0000000005810000-0x0000000005B64000-memory.dmp

              Filesize

              3.3MB

            • memory/3852-16-0x0000000074A00000-0x00000000751B0000-memory.dmp

              Filesize

              7.7MB

            • memory/3852-17-0x0000000004E00000-0x0000000005428000-memory.dmp

              Filesize

              6.2MB

            • memory/3852-129-0x0000000074A00000-0x00000000751B0000-memory.dmp

              Filesize

              7.7MB

            • memory/3852-18-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

              Filesize

              64KB

            • memory/3852-19-0x0000000000AC0000-0x0000000000AD0000-memory.dmp

              Filesize

              64KB

            • memory/3852-125-0x0000000074A00000-0x00000000751B0000-memory.dmp

              Filesize

              7.7MB

            • memory/3852-20-0x0000000004D90000-0x0000000004DB2000-memory.dmp

              Filesize

              136KB

            • memory/3852-59-0x0000000005D70000-0x0000000005DBC000-memory.dmp

              Filesize

              304KB

            • memory/3852-25-0x0000000005690000-0x00000000056F6000-memory.dmp

              Filesize

              408KB

            • memory/3852-104-0x00000000072C0000-0x00000000072D4000-memory.dmp

              Filesize

              80KB

            • memory/3852-101-0x0000000007280000-0x0000000007291000-memory.dmp

              Filesize

              68KB

            • memory/3852-96-0x00000000070F0000-0x00000000070FA000-memory.dmp

              Filesize

              40KB

            • memory/3852-64-0x00000000711C0000-0x000000007120C000-memory.dmp

              Filesize

              304KB

            • memory/3852-85-0x00000000062E0000-0x00000000062FE000-memory.dmp

              Filesize

              120KB

            • memory/3852-66-0x000000007F9E0000-0x000000007F9F0000-memory.dmp

              Filesize

              64KB

            • memory/3852-95-0x0000000007080000-0x000000000709A000-memory.dmp

              Filesize

              104KB

            • memory/3852-94-0x00000000076C0000-0x0000000007D3A000-memory.dmp

              Filesize

              6.5MB

            • memory/4588-102-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-149-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-93-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-91-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-173-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-172-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-165-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-86-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-164-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-157-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-98-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-99-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-92-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-156-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-48-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-53-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-60-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-148-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-47-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-144-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-142-0x0000000010000000-0x0000000010019000-memory.dmp

              Filesize

              100KB

            • memory/4588-141-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-61-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-140-0x0000000010000000-0x0000000010019000-memory.dmp

              Filesize

              100KB

            • memory/4588-138-0x0000000010000000-0x0000000010019000-memory.dmp

              Filesize

              100KB

            • memory/4588-139-0x0000000010000000-0x0000000010019000-memory.dmp

              Filesize

              100KB

            • memory/4588-57-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-135-0x0000000010000000-0x0000000010019000-memory.dmp

              Filesize

              100KB

            • memory/4588-56-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-55-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-50-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4588-52-0x0000000000400000-0x0000000000482000-memory.dmp

              Filesize

              520KB

            • memory/4820-100-0x0000000007770000-0x0000000007806000-memory.dmp

              Filesize

              600KB

            • memory/4820-89-0x00000000073B0000-0x0000000007453000-memory.dmp

              Filesize

              652KB

            • memory/4820-114-0x0000000074A00000-0x00000000751B0000-memory.dmp

              Filesize

              7.7MB

            • memory/4820-58-0x00000000061A0000-0x00000000061BE000-memory.dmp

              Filesize

              120KB

            • memory/4820-22-0x0000000074A00000-0x00000000751B0000-memory.dmp

              Filesize

              7.7MB

            • memory/4820-88-0x0000000004E30000-0x0000000004E40000-memory.dmp

              Filesize

              64KB

            • memory/4820-23-0x0000000004E30000-0x0000000004E40000-memory.dmp

              Filesize

              64KB

            • memory/4820-62-0x0000000007160000-0x0000000007192000-memory.dmp

              Filesize

              200KB

            • memory/4820-24-0x0000000004E30000-0x0000000004E40000-memory.dmp

              Filesize

              64KB

            • memory/4820-84-0x0000000004E30000-0x0000000004E40000-memory.dmp

              Filesize

              64KB

            • memory/4820-106-0x0000000007810000-0x0000000007818000-memory.dmp

              Filesize

              32KB

            • memory/4820-105-0x0000000007830000-0x000000000784A000-memory.dmp

              Filesize

              104KB

            • memory/4820-103-0x0000000007720000-0x000000000772E000-memory.dmp

              Filesize

              56KB

            • memory/4820-63-0x000000007FCB0000-0x000000007FCC0000-memory.dmp

              Filesize

              64KB

            • memory/4820-65-0x00000000711C0000-0x000000007120C000-memory.dmp

              Filesize

              304KB

            • memory/4828-118-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

            • memory/4828-107-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

            • memory/4828-113-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

            • memory/4828-131-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB