Overview

overview

10

Static

static

3

Specificat...de.exe

windows7-x64

10

Specificat...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/03/2024, 12:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Specification-Glycyrrhetic Acid 3-O-Glucuronide.exe

  • Size

    926KB

  • MD5

    a5116c0a496d4b011dd2afc12147d1b2

  • SHA1

    967e37264a5e0982b21b267211f9c5ccdc1662cf

  • SHA256

    98b668f7457089866b6364c672e8dd35b12a24899eb80fdfcfc2a5aab8d9aa5b

  • SHA512

    1d1922b3cbd0bc2e3e85ce0e787f63819a8f0a76286f58d590fecc3d5753cf78fe17ce3ecf8253117189a8f994e4b7b167aca394721bf3f1acd708f2702ffe87

  • SSDEEP

    24576:8cKhi13lO4V99LzjUdKc7dJ3iPOgrNiFj2+:NKE1hLzjA7Z8Piz

Score
10/10
remcosjonscollectionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

JONS

C2

172.245.208.13:4445

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-R7QS5C

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Specification-Glycyrrhetic Acid 3-O-Glucuronide.exe
    "C:\Users\Admin\AppData\Local\Temp\Specification-Glycyrrhetic Acid 3-O-Glucuronide.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3984
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:5052
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6F73.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4224
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4304
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2444
        • C:\Windows\System32\svchost.exe
          "C:\Windows\System32\svchost.exe"
          4⤵
            PID:1276
          • C:\Windows\regedit.exe
            "C:\Windows\regedit.exe"
            4⤵
            • Runs regedit.exe
            PID:4380
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1720
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\mribrwna"
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:548
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\wtomroxcpuk"
              5⤵
                PID:1556
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\wtomroxcpuk"
                5⤵
                • Accesses Microsoft Outlook accounts
                PID:4768
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\hnteshivdccltek"
                5⤵
                  PID:4032
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\hnteshivdccltek"
                  5⤵
                    PID:1144
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\hnteshivdccltek"
                    5⤵
                      PID:3128
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                      C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\hnteshivdccltek"
                      5⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:756
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                    4⤵
                      PID:4396

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\ProgramData\remcos\logs.dat
                Filesize

                144B

                MD5

                02cebfb459dd19e3e73153c88d19a676

                SHA1

                fd63936dba1755cb1c55ce0c279acc9342285167

                SHA256

                04af763bd342951ff15a53a25fecb7f5a1c650cf5ccc732801998288a0cdf756

                SHA512

                3bae54b66f65c7431968d77add0ab2524e80057fb4a604769545724f9eeba42b1bcb231be44a98c3065741b5feb12a4e76087b79e5c1d93cc31dc70f3530f4b3

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\mribrwna
                Filesize

                4KB

                MD5

                32a7b06ba8a0426235849b55b563b06b

                SHA1

                47157e4608ac7375544e6a59c7353f5bea8167f5

                SHA256

                14bb01cde2127abdc8cbef51092d1327d4fc63d40b47ca4621947c0dd8475e52

                SHA512

                0a610acf3ee1abcbb198d0d52de567d8c40d3460897ad9cb53d1a9cc463935b13c13e880b23716a429d8680794d24e1d1ecfce2f386e3861798bd03bbf1f8cf6

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\tmp6F73.tmp.bat
                Filesize

                151B

                MD5

                299635827d4a5e18cb9f8bdd9a095e21

                SHA1

                beb54dd886e9ef77c73f2931c5834fba6fdd4b15

                SHA256

                22bbc413b236a919af92367dcf1f54641fc62973c192cf684796d827cedc3086

                SHA512

                0175c40926f4792088ebd5d697f4ca0220b7738854576561834388c48e81791e9f6407c8fbe3f43af8b263b846ef0981243d8156e04d798db6739ca095bbbe83

                Download Submit

              • C:\Users\Admin\AppData\Roaming\svchost.exe
                Filesize

                926KB

                MD5

                a5116c0a496d4b011dd2afc12147d1b2

                SHA1

                967e37264a5e0982b21b267211f9c5ccdc1662cf

                SHA256

                98b668f7457089866b6364c672e8dd35b12a24899eb80fdfcfc2a5aab8d9aa5b

                SHA512

                1d1922b3cbd0bc2e3e85ce0e787f63819a8f0a76286f58d590fecc3d5753cf78fe17ce3ecf8253117189a8f994e4b7b167aca394721bf3f1acd708f2702ffe87

                Download Submit

              • memory/548-51-0x0000000000400000-0x0000000000478000-memory.dmp

                Filesize

                480KB

                Download

              • memory/548-28-0x0000000000400000-0x0000000000478000-memory.dmp

                Filesize

                480KB

                Download

              • memory/548-31-0x0000000000400000-0x0000000000478000-memory.dmp

                Filesize

                480KB

                Download

              • memory/548-37-0x0000000000400000-0x0000000000478000-memory.dmp

                Filesize

                480KB

                Download

              • memory/548-35-0x0000000000400000-0x0000000000478000-memory.dmp

                Filesize

                480KB

                Download

              • memory/756-49-0x0000000000400000-0x0000000000424000-memory.dmp

                Filesize

                144KB

                Download

              • memory/756-47-0x0000000000400000-0x0000000000424000-memory.dmp

                Filesize

                144KB

                Download

              • memory/756-46-0x0000000000400000-0x0000000000424000-memory.dmp

                Filesize

                144KB

                Download

              • memory/756-43-0x0000000000400000-0x0000000000424000-memory.dmp

                Filesize

                144KB

                Download

              • memory/756-39-0x0000000000400000-0x0000000000424000-memory.dmp

                Filesize

                144KB

                Download

              • memory/1720-56-0x0000000010000000-0x0000000010019000-memory.dmp

                Filesize

                100KB

                Download

              • memory/1720-60-0x0000000010000000-0x0000000010019000-memory.dmp

                Filesize

                100KB

                Download

              • memory/1720-23-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-24-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-25-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-26-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-92-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-21-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-33-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-20-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-18-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-91-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-17-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-84-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-16-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-83-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-15-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-14-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-76-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-75-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-68-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-67-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-64-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-53-0x0000000010000000-0x0000000010019000-memory.dmp

                Filesize

                100KB

                Download

              • memory/1720-57-0x0000000010000000-0x0000000010019000-memory.dmp

                Filesize

                100KB

                Download

              • memory/1720-22-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-59-0x0000000000400000-0x0000000000482000-memory.dmp

                Filesize

                520KB

                Download

              • memory/1720-58-0x0000000010000000-0x0000000010019000-memory.dmp

                Filesize

                100KB

                Download

              • memory/2120-0-0x000002042FB90000-0x000002042FBAC000-memory.dmp

                Filesize

                112KB

                Download

              • memory/2120-2-0x000002042FF60000-0x000002042FF70000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2120-1-0x00007FFD2A2E0000-0x00007FFD2ADA1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2120-3-0x000002044AFC0000-0x000002044B094000-memory.dmp

                Filesize

                848KB

                Download

              • memory/2120-8-0x00007FFD2A2E0000-0x00007FFD2ADA1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2444-13-0x00007FFD29BD0000-0x00007FFD2A691000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2444-27-0x00007FFD29BD0000-0x00007FFD2A691000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4768-48-0x0000000000400000-0x0000000000462000-memory.dmp

                Filesize

                392KB

                Download

              • memory/4768-40-0x0000000000400000-0x0000000000462000-memory.dmp

                Filesize

                392KB

                Download

              • memory/4768-30-0x0000000000400000-0x0000000000462000-memory.dmp

                Filesize

                392KB

                Download

              • memory/4768-36-0x0000000000400000-0x0000000000462000-memory.dmp

                Filesize

                392KB

                Download