Analysis

  • max time kernel
    142s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/02/2024, 15:31

General

  • Target

    r1522024.exe

  • Size

    839KB

  • MD5

    35562de1445f84deee725deefe31b410

  • SHA1

    0e8168206e896875cccad315a2890820cae1cf33

  • SHA256

    7e08d267c3771ac900b9ecfe7b293aa7337a276a5929997180709b74114cdacb

  • SHA512

    a4b87335b32d87261eb93c9e5e1187adc752897659d6006e7ccad739ca20b2e80f111b4fd653580945e0664dc9fa3383dee7c8477093e2445b9a2a3f4ffc3fa1

  • SSDEEP

    24576:tMwT8bZSKZ+lKmxUgxDEuZ9WI+spi9iCnqVW:tMwHKi/x4uZ8dr9qI

Malware Config

Extracted

Family

remcos

Botnet

Client

C2

46.183.223.29:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    images.exe

  • copy_folder

    images

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-ZOAGZI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\r1522024.exe
    "C:\Users\Admin\AppData\Local\Temp\r1522024.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4388
    • C:\Users\Admin\AppData\Local\Temp\r1522024.exe
      "C:\Users\Admin\AppData\Local\Temp\r1522024.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\ProgramData\images\images.exe
        "C:\ProgramData\images\images.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4476
        • C:\ProgramData\images\images.exe
          "C:\ProgramData\images\images.exe"
          4⤵
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:4492
          • C:\ProgramData\images\images.exe
            C:\ProgramData\images\images.exe /stext "C:\Users\Admin\AppData\Local\Temp\nedfu"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2296
          • C:\ProgramData\images\images.exe
            C:\ProgramData\images\images.exe /stext "C:\Users\Admin\AppData\Local\Temp\xzjxvunl"
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook accounts
            PID:2904
          • C:\ProgramData\images\images.exe
            C:\ProgramData\images\images.exe /stext "C:\Users\Admin\AppData\Local\Temp\ibwqonynlrx"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4484
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1392
            5⤵
            • Program crash
            PID:2128
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4492 -ip 4492
    1⤵
      PID:528

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\images\images.exe

            Filesize

            839KB

            MD5

            35562de1445f84deee725deefe31b410

            SHA1

            0e8168206e896875cccad315a2890820cae1cf33

            SHA256

            7e08d267c3771ac900b9ecfe7b293aa7337a276a5929997180709b74114cdacb

            SHA512

            a4b87335b32d87261eb93c9e5e1187adc752897659d6006e7ccad739ca20b2e80f111b4fd653580945e0664dc9fa3383dee7c8477093e2445b9a2a3f4ffc3fa1

          • C:\Users\Admin\AppData\Local\Petals\Ensand\smrhul\Brdskorpens\Remailed.Kur

            Filesize

            220KB

            MD5

            215f935278cc7c17f5a3c612a1941c0f

            SHA1

            7e38abe1ff045ac3c6b5c10cd645bff54a56ee6d

            SHA256

            1cc384506c84964e72af778b1421866935ebf4d744ab731ecd364af5965e7cf0

            SHA512

            e8af35b72dfd96f6c0d4dc4e2afdbd80174877f45a5d728bffc582459701f5ef8311a7b4cb1ec95f278f56be7a615d35c6a288f3733dcf41271af9a97719e77b

          • C:\Users\Admin\AppData\Local\Temp\nedfu

            Filesize

            4KB

            MD5

            b4329339750e86291d8a7191b0dc7955

            SHA1

            a125e8cf6fec1b6fd003139495a37d68f020254f

            SHA256

            85e5e57100dde581ff37dcd80cbe55643328aaa6518b265ceb788d21ba9d0695

            SHA512

            9bd5d6ae3feca8eaa03a1c3c147fc98aebca41aea976b1deeb9ae158cd4acfbdd45244a727c071a604fed12dcadc568462777597758532c42d28ec480bfc6054

          • C:\Users\Admin\AppData\Local\Temp\nsyA97F.tmp\System.dll

            Filesize

            12KB

            MD5

            564bb0373067e1785cba7e4c24aab4bf

            SHA1

            7c9416a01d821b10b2eef97b80899d24014d6fc1

            SHA256

            7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

            SHA512

            22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

          • C:\Users\Admin\AppData\Roaming\Flockling\Spkbrtter23.exe

            Filesize

            839KB

            MD5

            b57bd2b22ec1ca023b23c4254e317918

            SHA1

            46bcaefb0eda740641f7047c1b27c552e567e37c

            SHA256

            029f17128cc1e4489a7b0eb12e757afb752200faba25d3e4a58270118de0e1ef

            SHA512

            4045c46cf25141118b45624d4a58cdb5349fe7f7c6659be01e1c27c9be08f1afe441f481778f4bdaf6451581a09e1af53ebe021b4d35a70d1229ec618d25d3ee

          • C:\Windows\Fonts\snlig.ini

            Filesize

            43B

            MD5

            75285908e15263897f2fe77cc637ef6e

            SHA1

            cc5a707cae259834b2453a305af9453b7b7412ac

            SHA256

            6fc175d4186cfb67d46e22b277602aa3ec665ad44c9854e7bdaf0e5a25cefbc5

            SHA512

            e93afaa0772d9aa9a8d77e44473a5c58cf9f3b214b76d5ed94e08dbc2ae9ef3d67b470073b83c157318bfa67fb44e17833af313efe8ded28e07d55272eb4edb2

          • memory/2008-18-0x0000000077558000-0x0000000077559000-memory.dmp

            Filesize

            4KB

          • memory/2008-19-0x00000000774D1000-0x00000000775F1000-memory.dmp

            Filesize

            1.1MB

          • memory/2008-21-0x00000000004A0000-0x00000000016F4000-memory.dmp

            Filesize

            18.3MB

          • memory/2008-26-0x00000000774D1000-0x00000000775F1000-memory.dmp

            Filesize

            1.1MB

          • memory/2008-36-0x00000000004A0000-0x00000000016F4000-memory.dmp

            Filesize

            18.3MB

          • memory/2296-60-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

          • memory/2296-87-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

          • memory/2296-66-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

          • memory/2296-72-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

          • memory/2904-62-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

          • memory/2904-69-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

          • memory/2904-74-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

          • memory/2904-77-0x0000000000400000-0x0000000000457000-memory.dmp

            Filesize

            348KB

          • memory/4388-16-0x00000000774D1000-0x00000000775F1000-memory.dmp

            Filesize

            1.1MB

          • memory/4388-17-0x00000000741C0000-0x00000000741C7000-memory.dmp

            Filesize

            28KB

          • memory/4476-51-0x0000000075000000-0x0000000075007000-memory.dmp

            Filesize

            28KB

          • memory/4484-67-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

          • memory/4484-84-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

          • memory/4484-83-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

          • memory/4484-76-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

          • memory/4492-55-0x00000000004A0000-0x00000000016F4000-memory.dmp

            Filesize

            18.3MB

          • memory/4492-90-0x0000000037160000-0x0000000037179000-memory.dmp

            Filesize

            100KB

          • memory/4492-93-0x0000000037160000-0x0000000037179000-memory.dmp

            Filesize

            100KB

          • memory/4492-94-0x00000000004A0000-0x00000000016F4000-memory.dmp

            Filesize

            18.3MB

          • memory/4492-95-0x0000000037160000-0x0000000037179000-memory.dmp

            Filesize

            100KB