Overview

overview

10

Static

static

3

2a0a27371b...65.exe

windows7-x64

10

2a0a27371b...65.exe

windows10-1703-x64

10

2a0a27371b...65.exe

windows10-2004-x64

10

2a0a27371b...65.exe

windows11-21h2-x64

10

Resubmissions

09-04-2024 14:18

240409-rmbsbahc53 10

09-04-2024 14:18

240409-rma6sahc52 10

09-04-2024 14:17

240409-rlr3xahc38 10

09-04-2024 14:17

240409-rlrgdacf2x 10

06-04-2024 01:09

240406-bhsl9sgc2t 10

Analysis

  • max time kernel
    297s
  • max time network
    281s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240319-en
  • resource tags

    arch:x64arch:x86image:win11-20240319-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09-04-2024 14:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2a0a27371b6f4d355c3264fcc668d8a0fe1af7ebb8b19dca3b5cdf20a3282d65.exe

  • Size

    548KB

  • MD5

    10a4cb3233c444bcf6211100ab9bad9a

  • SHA1

    2f4a679479fdff9d22226676d7a7eacab84311eb

  • SHA256

    2a0a27371b6f4d355c3264fcc668d8a0fe1af7ebb8b19dca3b5cdf20a3282d65

  • SHA512

    0c847f9723d1e65a03d0e129555160a7730e3ab4625d488540dd82dc968b354e31ab042dd820da6b61662af62d0687696e458440ab66b940e3fa168c09af9303

  • SSDEEP

    12288:FUH8UsiMHGMZY/QZsg4rvpvK9+uH2OG/4RY+ajkrSyxPln+07bSsEAmD:yH8XvHFA6sgyvxK4uHBLRPaArSuPl19

Score
10/10
remcosggrat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

gg

C2

62.102.148.185:9771

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    newstart

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_wgwfvnfssp

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a0a27371b6f4d355c3264fcc668d8a0fe1af7ebb8b19dca3b5cdf20a3282d65.exe
    "C:\Users\Admin\AppData\Local\Temp\2a0a27371b6f4d355c3264fcc668d8a0fe1af7ebb8b19dca3b5cdf20a3282d65.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2a0a27371b6f4d355c3264fcc668d8a0fe1af7ebb8b19dca3b5cdf20a3282d65.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4548
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oFkpbhjTJbn.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2544
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oFkpbhjTJbn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE753.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1308
    • C:\Users\Admin\AppData\Local\Temp\2a0a27371b6f4d355c3264fcc668d8a0fe1af7ebb8b19dca3b5cdf20a3282d65.exe
      "C:\Users\Admin\AppData\Local\Temp\2a0a27371b6f4d355c3264fcc668d8a0fe1af7ebb8b19dca3b5cdf20a3282d65.exe"
      2⤵
        PID:3592
      • C:\Users\Admin\AppData\Local\Temp\2a0a27371b6f4d355c3264fcc668d8a0fe1af7ebb8b19dca3b5cdf20a3282d65.exe
        "C:\Users\Admin\AppData\Local\Temp\2a0a27371b6f4d355c3264fcc668d8a0fe1af7ebb8b19dca3b5cdf20a3282d65.exe"
        2⤵
          PID:1772
        • C:\Users\Admin\AppData\Local\Temp\2a0a27371b6f4d355c3264fcc668d8a0fe1af7ebb8b19dca3b5cdf20a3282d65.exe
          "C:\Users\Admin\AppData\Local\Temp\2a0a27371b6f4d355c3264fcc668d8a0fe1af7ebb8b19dca3b5cdf20a3282d65.exe"
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:4256

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d0c46cad6c0778401e21910bd6b56b70

        SHA1

        7be418951ea96326aca445b8dfe449b2bfa0dca6

        SHA256

        9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

        SHA512

        057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        759afcd004de48c5885a5573f60b9034

        SHA1

        b9bdf387cd548baa424857883f0e9a52984efaf1

        SHA256

        a97b375cd7e99c6df5570a9ff3c85292c317c64588bf9f3b4060e765b6f0016a

        SHA512

        68243e84d79ce395dedf7feb4a9a7884b22b87ccb0806b860c2c90148e27c204c9f1ea178fb72fde03e96cf461c73397468c7f97eefd770f12ec2fc997cd21e9

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kfi1ye02.qvn.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmpE753.tmp
        Filesize

        1KB

        MD5

        ddcbafa4176f2a43d89c5bc76d4e102a

        SHA1

        25d942ddf7f67cf494e961532eb61e1e9fc90561

        SHA256

        7e862fc632668cf3d2b9541525805e99cd110867bf343945809e94902ef6eb7d

        SHA512

        2fe2aff9bdfb884ba3c500083fed0388d8c3ddd0e03ab0dbb8a167efb93f726edc33b99078c5a0272a7b8d91ff4fcdd73d99c50d35e87327cc328b9252749a3d

        Download Submit
      • memory/2404-0-0x0000000074300000-0x0000000074AB1000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2404-49-0x0000000074300000-0x0000000074AB1000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2404-6-0x0000000004F20000-0x0000000004F30000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2404-7-0x0000000004FC0000-0x0000000004FCC000-memory.dmp
        Filesize

        48KB

        Download
      • memory/2404-8-0x0000000006120000-0x0000000006180000-memory.dmp
        Filesize

        384KB

        Download
      • memory/2404-9-0x0000000009AD0000-0x0000000009B6C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/2404-10-0x0000000074300000-0x0000000074AB1000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2404-11-0x0000000004D20000-0x0000000004D30000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2404-5-0x0000000004C40000-0x0000000004C4A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2404-4-0x0000000004D20000-0x0000000004D30000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2404-3-0x0000000004B90000-0x0000000004C22000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2404-1-0x0000000000070000-0x00000000000FE000-memory.dmp
        Filesize

        568KB

        Download
      • memory/2404-2-0x0000000005240000-0x00000000057E6000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/2544-68-0x0000000007AD0000-0x0000000007B74000-memory.dmp
        Filesize

        656KB

        Download
      • memory/2544-85-0x0000000007E50000-0x0000000007E65000-memory.dmp
        Filesize

        84KB

        Download
      • memory/2544-21-0x0000000074300000-0x0000000074AB1000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2544-94-0x0000000074300000-0x0000000074AB1000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2544-80-0x0000000007C00000-0x0000000007C1A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/2544-27-0x0000000006390000-0x00000000063F6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2544-84-0x0000000007E40000-0x0000000007E4E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/2544-82-0x0000000007E90000-0x0000000007F26000-memory.dmp
        Filesize

        600KB

        Download
      • memory/2544-88-0x0000000007F40000-0x0000000007F48000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2544-81-0x0000000007C80000-0x0000000007C8A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2544-86-0x0000000007F50000-0x0000000007F6A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/2544-23-0x0000000003110000-0x0000000003120000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2544-24-0x0000000003110000-0x0000000003120000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2544-79-0x0000000008250000-0x00000000088CA000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/2544-53-0x00000000068E0000-0x00000000068FE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2544-54-0x0000000006980000-0x00000000069CC000-memory.dmp
        Filesize

        304KB

        Download
      • memory/2544-55-0x0000000003110000-0x0000000003120000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2544-57-0x0000000006EC0000-0x0000000006EF4000-memory.dmp
        Filesize

        208KB

        Download
      • memory/2544-56-0x000000007EE50000-0x000000007EE60000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2544-67-0x0000000006EA0000-0x0000000006EBE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2544-58-0x0000000070650000-0x000000007069C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/4256-48-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/4256-28-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/4256-97-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/4256-52-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/4256-50-0x0000000000400000-0x0000000000417000-memory.dmp
        Filesize

        92KB

        Download
      • memory/4548-25-0x0000000005390000-0x00000000053B2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4548-26-0x00000000054B0000-0x0000000005516000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4548-83-0x00000000077A0000-0x00000000077B1000-memory.dmp
        Filesize

        68KB

        Download
      • memory/4548-47-0x0000000005D80000-0x00000000060D7000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/4548-69-0x000000007FD50000-0x000000007FD60000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4548-19-0x0000000005010000-0x0000000005020000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4548-20-0x0000000005650000-0x0000000005C7A000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/4548-87-0x00000000078D0000-0x00000000078D8000-memory.dmp
        Filesize

        32KB

        Download
      • memory/4548-18-0x0000000005010000-0x0000000005020000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4548-17-0x0000000074300000-0x0000000074AB1000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4548-16-0x0000000002A30000-0x0000000002A66000-memory.dmp
        Filesize

        216KB

        Download
      • memory/4548-95-0x0000000074300000-0x0000000074AB1000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4548-70-0x0000000070650000-0x000000007069C000-memory.dmp
        Filesize

        304KB

        Download