Overview

overview

10

Static

static

10

explorer.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows10-1703_x64
  • resource
    win10-20240214-en
  • resource tags

    arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
  • submitted
    20-03-2024 13:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    explorer.exe

  • Size

    36KB

  • MD5

    722f70f7c2d8ce48d62723390d7a1898

  • SHA1

    a57fd2bee605c399cf92f21b051479049c4868fb

  • SHA256

    a6f04a175ecb36c0813e7a8d7504709bc3fd633e05622f2f7bab422d096b2077

  • SHA512

    9fa61013ee3f5ae00c96c6d89026fb84122fd0eb4b349582b8d8b911fbd894d4ab44d3221ec26f327eb33dcdb839e443971ef7ec677819c4d879d6d2a48c45d6

  • SSDEEP

    768:55PHyCjmhFdWfLubuZ1kvIaEekM26Jr1:55PHfjGPAKbLVPJr

Score
10/10
remcoshostevasionpersistenceratupx

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

10.0.2.15:2402

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    U32c.exe

  • copy_folder

    MicrosoftCryptographie

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %UserProfile%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    true

  • mutex

    remcos_idwxrxyimd

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    Windows Defender

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4932
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3208
      • C:\Windows\SysWOW64\PING.EXE
        PING 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:224
      • C:\Users\Admin\MicrosoftCryptographie\U32c.exe
        "C:\Users\Admin\MicrosoftCryptographie\U32c.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2056
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
            PID:4548

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Virtualization/Sandbox Evasion

    1
    T1497

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Virtualization/Sandbox Evasion

    1
    T1497

    System Information Discovery

    1
    T1082

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\install.bat
      Filesize

      151B

      MD5

      e3f663d9772f7a77ab0f383dfac6ce5f

      SHA1

      cddb0ceb970c3813e4517a5eaaf1317644bb9621

      SHA256

      e684e4aa8c83d2e283ee5af8348a1f447dc6a353f9e8c1178d5d2f7b455ed572

      SHA512

      422c723dd0d6660252e3f7274f124d463078198b31ef4729861bbde00455badde55289f6408c5ea1ca2a01625e5f1fd2d457d5ad45460d6a1748408cccaf1365

      Download Submit
    • C:\Users\Admin\MicrosoftCryptographie\U32c.exe
      Filesize

      36KB

      MD5

      722f70f7c2d8ce48d62723390d7a1898

      SHA1

      a57fd2bee605c399cf92f21b051479049c4868fb

      SHA256

      a6f04a175ecb36c0813e7a8d7504709bc3fd633e05622f2f7bab422d096b2077

      SHA512

      9fa61013ee3f5ae00c96c6d89026fb84122fd0eb4b349582b8d8b911fbd894d4ab44d3221ec26f327eb33dcdb839e443971ef7ec677819c4d879d6d2a48c45d6

      Download Submit
    • memory/2056-12-0x0000000000400000-0x000000000041D000-memory.dmp
      Filesize

      116KB

      Download
    • memory/4548-11-0x0000000000400000-0x000000000041D000-memory.dmp
      Filesize

      116KB

      Download
    • memory/4932-0-0x0000000000400000-0x000000000041D000-memory.dmp
      Filesize

      116KB

      Download
    • memory/4932-6-0x0000000000400000-0x000000000041D000-memory.dmp
      Filesize

      116KB

      Download