Overview

overview

10

Static

static

3

bbbdc832fe...10.exe

windows7-x64

10

bbbdc832fe...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-03-2024 16:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bbbdc832fe995e436b6d78b4343ce310.exe

  • Size

    310KB

  • MD5

    bbbdc832fe995e436b6d78b4343ce310

  • SHA1

    55b556d9b81ce7801f48cb2d687b58bf60769e4f

  • SHA256

    16c979a370d8462983333c42c3db84a2d5205f20a6d7ee73adeb873a8858d5fe

  • SHA512

    1574941596632f99c0f062d2b721fde2fdd84c0bf4f315c9c4d7d6790a2aee6a89bd91cc6cdc6fe10384e754516f5fd842346da24e5ff1129fd23b9a66e60fb2

  • SSDEEP

    6144:AvzzpCq0r7QjaxIlq/tsFNdXfgmMD8ARthapNPABPw+P7IDJ0Gla:Wzzpi/bxpUZoOABS10G

Score
10/10
remcoszgrathostpersistencerat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

avira-antivirus.ydns.eu:2404

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    iservice.exe

  • copy_folder

    windows

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_ycggdfmjebakyzc

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    iservice

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Detect ZGRat V1 34 IoCs
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbbdc832fe995e436b6d78b4343ce310.exe
    "C:\Users\Admin\AppData\Local\Temp\bbbdc832fe995e436b6d78b4343ce310.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4784
    • C:\Users\Admin\AppData\Local\Temp\bbbdc832fe995e436b6d78b4343ce310.exe
      C:\Users\Admin\AppData\Local\Temp\bbbdc832fe995e436b6d78b4343ce310.exe
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:116
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Windows\SysWOW64\PING.EXE
          PING 127.0.0.1 -n 2
          4⤵
          • Runs ping.exe
          PID:4804
        • C:\Users\Admin\AppData\Roaming\windows\iservice.exe
          "C:\Users\Admin\AppData\Roaming\windows\iservice.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3760
          • C:\Users\Admin\AppData\Local\Temp\iservice.exe
            C:\Users\Admin\AppData\Local\Temp\iservice.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:2104
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:116
              • C:\Windows\SysWOW64\PING.EXE
                PING 127.0.0.1 -n 2
                7⤵
                • Runs ping.exe
                PID:1764
              • C:\Users\Admin\AppData\Roaming\windows\iservice.exe
                "C:\Users\Admin\AppData\Roaming\windows\iservice.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1812
                • C:\Users\Admin\AppData\Local\Temp\iservice.exe
                  C:\Users\Admin\AppData\Local\Temp\iservice.exe
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of WriteProcessMemory
                  PID:3152
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1848
                    • C:\Windows\SysWOW64\PING.EXE
                      PING 127.0.0.1 -n 2
                      10⤵
                      • Runs ping.exe
                      PID:2892
                    • C:\Users\Admin\AppData\Roaming\windows\iservice.exe
                      "C:\Users\Admin\AppData\Roaming\windows\iservice.exe"
                      10⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2888
                      • C:\Users\Admin\AppData\Local\Temp\iservice.exe
                        C:\Users\Admin\AppData\Local\Temp\iservice.exe
                        11⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Adds Run key to start application
                        • Suspicious use of WriteProcessMemory
                        PID:3144
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
                          12⤵
                            PID:3920
                            • C:\Windows\SysWOW64\PING.EXE
                              PING 127.0.0.1 -n 2
                              13⤵
                              • Runs ping.exe
                              PID:1140
                            • C:\Users\Admin\AppData\Roaming\windows\iservice.exe
                              "C:\Users\Admin\AppData\Roaming\windows\iservice.exe"
                              13⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2508
                              • C:\Users\Admin\AppData\Local\Temp\iservice.exe
                                C:\Users\Admin\AppData\Local\Temp\iservice.exe
                                14⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Adds Run key to start application
                                PID:2668
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
                                  15⤵
                                    PID:744
                                    • C:\Windows\SysWOW64\PING.EXE
                                      PING 127.0.0.1 -n 2
                                      16⤵
                                      • Runs ping.exe
                                      PID:784
                                    • C:\Users\Admin\AppData\Roaming\windows\iservice.exe
                                      "C:\Users\Admin\AppData\Roaming\windows\iservice.exe"
                                      16⤵
                                      • Executes dropped EXE
                                      PID:3440

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\iservice.exe.log
        Filesize

        1KB

        MD5

        7ebe314bf617dc3e48b995a6c352740c

        SHA1

        538f643b7b30f9231a3035c448607f767527a870

        SHA256

        48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

        SHA512

        0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\install.bat
        Filesize

        102B

        MD5

        b0aa76226f9a1f3e68e774b1b92208c3

        SHA1

        fe93a3b569a8afd07e4de7c73acbfcd4f210027c

        SHA256

        b1984164b246a5579a9f334d4ea1a817cbfd2fb69e718a7ab78c008bf9e3df14

        SHA512

        e2282bafb69c5715c0fcabe7c84476d23146d79f43bd82860d518f44c229c9df009f7093f4df972280df834576674268fa8dd0a28be445ad6629600e03590344

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\iservice.exe
        Filesize

        256KB

        MD5

        b6f5d685854a4fcabb94e86d16d26211

        SHA1

        ac663b95374576282e21fe20786eed2a2deb38d4

        SHA256

        79c2c275f56eed9c076ae05643c52e03656c67ee0c442e82c2dfcc52068ba4c2

        SHA512

        153bde61408a4ec30f4822c89d5962e4ede41d0ae8c701a6e5cce9ffdcf02789ab2b079bb68b630e9abc38bb30d388037ba4cf000609f7e772edcae2138689d4

        Download Submit
      • C:\Users\Admin\AppData\Roaming\windows\iservice.exe
        Filesize

        310KB

        MD5

        bbbdc832fe995e436b6d78b4343ce310

        SHA1

        55b556d9b81ce7801f48cb2d687b58bf60769e4f

        SHA256

        16c979a370d8462983333c42c3db84a2d5205f20a6d7ee73adeb873a8858d5fe

        SHA512

        1574941596632f99c0f062d2b721fde2fdd84c0bf4f315c9c4d7d6790a2aee6a89bd91cc6cdc6fe10384e754516f5fd842346da24e5ff1129fd23b9a66e60fb2

        Download Submit
      • memory/116-2452-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/116-2448-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/1812-7348-0x0000000075210000-0x00000000759C0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/1812-6392-0x0000000004BD0000-0x0000000004BE0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1812-5186-0x0000000075210000-0x00000000759C0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/1812-4910-0x0000000004BD0000-0x0000000004BE0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1812-4909-0x0000000075210000-0x00000000759C0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2508-9803-0x0000000004FF0000-0x0000000005000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2508-9802-0x0000000075210000-0x00000000759C0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2508-10169-0x0000000075210000-0x00000000759C0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2508-11603-0x0000000004FF0000-0x0000000005000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2508-12241-0x0000000075210000-0x00000000759C0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2668-12242-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/2668-12245-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/2888-7355-0x0000000075210000-0x00000000759C0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2888-7356-0x0000000005580000-0x0000000005590000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2888-7357-0x00000000068D0000-0x0000000006922000-memory.dmp
        Filesize

        328KB

        Download
      • memory/2888-7592-0x0000000075210000-0x00000000759C0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2888-8872-0x0000000005580000-0x0000000005590000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2888-9794-0x0000000075210000-0x00000000759C0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3144-9799-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/3144-9796-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/3152-7349-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/3152-7352-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/3440-12249-0x0000000005AE0000-0x0000000005AF0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3440-12248-0x0000000075220000-0x00000000759D0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3760-4902-0x0000000075170000-0x0000000075920000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3760-2458-0x0000000005AA0000-0x0000000005AB0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3760-2457-0x0000000075170000-0x0000000075920000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3760-2459-0x0000000006B00000-0x0000000006B52000-memory.dmp
        Filesize

        328KB

        Download
      • memory/3760-2773-0x0000000075170000-0x0000000075920000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3760-4068-0x0000000005AA0000-0x0000000005AB0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4784-30-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-34-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-66-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-68-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-71-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-69-0x0000000075180000-0x0000000075930000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4784-73-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-1323-0x0000000005520000-0x0000000005530000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4784-2449-0x0000000075180000-0x0000000075930000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4784-62-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-60-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-58-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-56-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-54-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-52-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-50-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-48-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-46-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-44-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-42-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-40-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-38-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-36-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-64-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-32-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-1-0x0000000075180000-0x0000000075930000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4784-24-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-28-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-26-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-22-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-20-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-18-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-16-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-14-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-10-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-12-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-9-0x0000000006810000-0x0000000006885000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4784-8-0x0000000006810000-0x000000000688C000-memory.dmp
        Filesize

        496KB

        Download
      • memory/4784-7-0x00000000066B0000-0x0000000006702000-memory.dmp
        Filesize

        328KB

        Download
      • memory/4784-6-0x0000000006660000-0x00000000066B2000-memory.dmp
        Filesize

        328KB

        Download
      • memory/4784-5-0x0000000005460000-0x000000000546A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4784-4-0x0000000005520000-0x0000000005530000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4784-3-0x00000000053A0000-0x0000000005432000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4784-2-0x00000000058B0000-0x0000000005E54000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4784-0-0x0000000000960000-0x00000000009B4000-memory.dmp
        Filesize

        336KB

        Download