Analysis

  • max time kernel
    21s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/04/2024, 12:00

General

  • Target

    69faf17c46cebe65552d692de9ad5e8e558afa10.rtf

  • Size

    163KB

  • MD5

    6404605c3765beb0030c114bc3a377b4

  • SHA1

    69faf17c46cebe65552d692de9ad5e8e558afa10

  • SHA256

    cb52c9e9b94df7b76f7c60dbcc8bf83494852f88fe31b6a351b895340eec5f41

  • SHA512

    ad596340e3aef462855b232a25423cb0d044e3140d3b8e4e798f1736181b6e247716b621aa97f47fe4be60472086b2411be8edc8321678672a848035ce502841

  • SSDEEP

    768:BGwAbZSibMX9gRWjtwAbZSibMX9gRWjtwAbZSibMX9gRWj6ntl39f4FHVO8RknN1:BGwAlRkwAlRkwAlRDtl3Z4NknA7f3jXW

Score
10/10

Malware Config

Extracted

Family

remcos

Botnet

28PDT

C2

psolver827.ddns.net:1974

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    28pdt

  • mouse_option

    false

  • mutex

    Rmc-9BVBM5

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\69faf17c46cebe65552d692de9ad5e8e558afa10.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3028
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Users\Admin\AppData\Roaming\pdtndo33920.scr
      "C:\Users\Admin\AppData\Roaming\pdtndo33920.scr"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pdtndo33920.scr"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2804
      • C:\Users\Admin\AppData\Roaming\pdtndo33920.scr
        "C:\Users\Admin\AppData\Roaming\pdtndo33920.scr"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2940

Downloads

  • C:\Users\Admin\AppData\Roaming\pdtndo33920.scr (984KB)
    MD5: 98e7bfbf542d7b12f7b7614991743557
    SHA1: 9eec15369db22c4bcdf39407042545715466292b
    SHA256: 2320bdd2ef439c3c079ecf8c1c89ff9e8d2c20ed47f459c29186b00c476fa7d4
    SHA512: 2411a485a66d6aafbe59a576afadb78c1cffd13f4b09595155fe2a9e5f03d57eb2f102cf924e8ebf6918449661197f270e7143c7ce938bdd4dfdaaf277a6e5f9

Memory dumps (PID-index-address range, with filesize)

  • memory/2272-32-0x0000000004C80000-0x0000000004CC0000-memory.dmp (256KB)
  • memory/2272-30-0x0000000000AC0000-0x0000000000BB8000-memory.dmp (992KB)
  • memory/2272-31-0x000000006ADE0000-0x000000006B4CE000-memory.dmp (6.9MB)
  • memory/2272-66-0x000000006ADE0000-0x000000006B4CE000-memory.dmp (6.9MB)
  • memory/2272-37-0x0000000000550000-0x000000000056C000-memory.dmp (112KB)
  • memory/2272-38-0x00000000004E0000-0x00000000004E8000-memory.dmp (32KB)
  • memory/2272-39-0x0000000000500000-0x000000000050C000-memory.dmp (48KB)
  • memory/2272-40-0x0000000005BA0000-0x0000000005C60000-memory.dmp (768KB)
  • memory/2804-74-0x0000000001BE0000-0x0000000001C20000-memory.dmp (256KB)
  • memory/2804-75-0x0000000065D70000-0x000000006631B000-memory.dmp (5.7MB)
  • memory/2804-73-0x0000000065D70000-0x000000006631B000-memory.dmp (5.7MB)
  • memory/2804-72-0x0000000001BE0000-0x0000000001C20000-memory.dmp (256KB)
  • memory/2804-71-0x0000000065D70000-0x000000006631B000-memory.dmp (5.7MB)
  • memory/2940-51-0x0000000000400000-0x0000000000482000-memory.dmp (520KB)
  • memory/2940-65-0x0000000000400000-0x0000000000482000-memory.dmp (520KB)
  • memory/2940-41-0x0000000000400000-0x0000000000482000-memory.dmp (520KB)
  • memory/2940-55-0x0000000000400000-0x0000000000482000-memory.dmp (520KB)
  • memory/2940-57-0x0000000000400000-0x0000000000482000-memory.dmp (520KB)
  • memory/2940-59-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (4KB)
  • memory/2940-61-0x0000000000400000-0x0000000000482000-memory.dmp (520KB)
  • memory/2940-64-0x0000000000400000-0x0000000000482000-memory.dmp (520KB)
  • memory/2940-47-0x0000000000400000-0x0000000000482000-memory.dmp (520KB)
  • memory/2940-49-0x0000000000400000-0x0000000000482000-memory.dmp (520KB)
  • memory/2940-68-0x0000000000400000-0x0000000000482000-memory.dmp (520KB)
  • memory/2940-69-0x0000000000400000-0x0000000000482000-memory.dmp (520KB)
  • memory/2940-70-0x0000000000400000-0x0000000000482000-memory.dmp (520KB)
  • memory/2940-45-0x0000000000400000-0x0000000000482000-memory.dmp (520KB)
  • memory/2940-43-0x0000000000400000-0x0000000000482000-memory.dmp (520KB)
  • memory/3028-0-0x000000002FBF1000-0x000000002FBF2000-memory.dmp (4KB)
  • memory/3028-2-0x0000000070C3D000-0x0000000070C48000-memory.dmp (44KB)
  • memory/3028-1-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
  • memory/3028-77-0x0000000070C3D000-0x0000000070C48000-memory.dmp (44KB)