Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/04/2024, 07:25

General

  • Target

    31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe

  • Size

    1.6MB

  • MD5

    983199bbc9855444da45fd3470542c93

  • SHA1

    6358b2bf1dc6e8aff646ad6ab919be865fa19870

  • SHA256

    31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729

  • SHA512

    9d48594222420487bc7a8d0e888806edbd5bac819669504d2a854912d403b22fb761f0e4e0a220412e2a18165ee8d20afe4fa21bea6f73a908428a2116557684

  • SSDEEP

    49152:IEnnpprnZS5N5KF+PBoW0Pc2pjzUNjLfy:7nptn+N5KIPBoWnQwJy

Score
10/10

Malware Config

Extracted

Family

remcos

Botnet

Ene20

C2

amsdkjeduejfhdgerop.duckdns.org:2223

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    AdminShell

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    NQUjfd3E3e5dje-JHD8X5

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Blocklisted process makes network request 64 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe
    "C:\Users\Admin\AppData\Local\Temp\31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4492
    • C:\Users\Admin\AppData\Local\Temp\plier.exe
      C:\Users\Admin\AppData\Local\Temp\plier.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1868
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Blocklisted process makes network request
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:7476
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
    1⤵
      PID:6860
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "powershell.exe -command "Set-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\"""
        2⤵
          PID:6164
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -command "Set-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\""
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:6748

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\Cornhusk

              Filesize

              1.5MB

              MD5

              32604f4797fafd34895f707137146e3a

              SHA1

              86bb7be89f74c85a1f77e52879ab1354af5b00be

              SHA256

              f4e553e609fd70e9e21f5ea68adaa120bd93df0ad5befb3d2889db38bdb2211a

              SHA512

              e391f0f16b668d5b07a53e13178f105f35f517fa189764eef811a521d292e16a6f738efe0f1992f98f393ec463f486719f80777dd4967fd1787e561005e62721

            • C:\Users\Admin\AppData\Local\Temp\Umbellule.DLL

              Filesize

              17KB

              MD5

              6000783aeacd1836db8f8d7c10330a3b

              SHA1

              ba0176243cc0568dd0d10a1762ab69498e1dcb44

              SHA256

              573eca694d4fde714b97227d2a71950021fa8bb038f35ba998a448a5c8264f65

              SHA512

              954da3704d60acb61ff3bf0949141f2ec95858906b1bca792d98075a9841bb77372de168ba44972e6b53e103ef4bfc3d166e791390981e32db808dfce12bc248

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xqhwrhy1.rdc.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • C:\Users\Admin\AppData\Local\Temp\plier.exe

              Filesize

              4KB

              MD5

              11c8f037f0e1a68ff1c74cbcac6e3c6e

              SHA1

              bb50ac196dfd3a194b7b7161947a012a0d49886c

              SHA256

              aed09c9a90b38e324fa49b4b8b5b6e263413b49768d5b38f921c2ee4245a6b34

              SHA512

              05da2d9cd1ce41a11d4ba0f82512790357139c815894f1be4468df137680ecd577660807c368d9c9c6e95aad10e2caa0f00cf1c5739b36644c75a2e8eeae6c2b

            • C:\Users\Admin\AppData\Roaming\AdminShell\logs.dat

              Filesize

              74B

              MD5

              e1cf98e0941efad1d6f7e3e1db7d38e0

              SHA1

              da72c520255c8b2851629f8de90cbcfbf016ef33

              SHA256

              2d4bc1b51007671cba479dbb3d50b5635e6c27c7f64edf6f3828a55a4f55b23e

              SHA512

              d9917160c5f883970051728e0c2c4ebd68c300327ad3fe398dde874e586f523a79afaae1a91a35ab4368e17dfb41a17fdffd3864e6b3d5a11160878d46494556

            • C:\Windows\win.ini

              Filesize

              131B

              MD5

              9848e4efb0abd437d65e6d3d1d973adb

              SHA1

              f427ac7c50b19f66658ae7f92cbaf21110b49a47

              SHA256

              c8b84add37da849977a84fe62badb6cb908be99769edb70d60bcd04c0aec2a3f

              SHA512

              f90f1f65b6b824a526469b8d739f733a54a7f485d8b5f680de7a35fac90786bf6ba5a0b1d62e139663c5ee73b8d687cf32d4ccf188e18c53084ec12d8c216b17
