Overview

overview

10

Static

static

3

Payment Invoice.exe

windows7-x64

10

Payment Invoice.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11-04-2024 07:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment Invoice.exe

  • Size

    910KB

  • MD5

    783addabb1e7dcb48130649faaf852c7

  • SHA1

    c87553da7df62530e9262b35930d6a15aff4949a

  • SHA256

    b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da

  • SHA512

    9f352fd443bd680a71ce1a4ece252baa81c2c293727d520ce57da93d461808f50be6c22f4a6f8e0a18f0857785b47f783f1f3cc6c41442275c12149e067b3c3b

  • SSDEEP

    24576:IsWW2f6w8r89u8TeWMkzIULsHTJMGoMzyc/VdK:IsT2fTC8BSWMkluMMzyctd

Score
10/10
remcosremotehostrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

bignight.net:3363

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-1XSDBO

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2036
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HFqduGIsFotY.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2584
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HFqduGIsFotY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4885.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2636
    • C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    d76c181748dee203f540c321c750cceb

    SHA1

    e70056324a82515a3cc5dc65a2513e886574e39c

    SHA256

    97fdec0d133c41990bcf10a129f24bc24cc0c7ba837eb0a711c9a8fe5510328e

    SHA512

    16aa494817a467d6b16af764841aaa7d7423a578678dbf1a85b3c7467bcb5a59bed851df1d3e01b07a370210be1c340c917defdbd7293d43b8b26a083297601d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp4885.tmp
    Filesize

    1KB

    MD5

    76b9611483cbc5e345163c1d77e81db5

    SHA1

    2fa97380b020ae3ea43eaf68fd5691fad4560d2a

    SHA256

    d8bbcf4f638d1887592eefcdbf1c2216491ee3d0bcc7bd61334e03cbfdebc14e

    SHA512

    a6f35c5906efb3fc7fe089c22f291de5e03eac11b14c78e57260bded5a916407075cb778a43c6b6f98dd724d580dcf806858a72f95fc329e4786042b427df29d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    de4a4cf3e4da506f8ed44a8941e48d0e

    SHA1

    1741c1531a588d291ac89eb4a28847e42ed0e436

    SHA256

    8532fc0e2c2622fe28a62a66035b1fd575d38650d2f0e252f9120966ec750af5

    SHA512

    dfa076750eee65df2a9767adcb6d04aa72a4550fd3d75bd27c343d289f7fee34d0097b2841965a1f336b815b4902df20dd6d83701a5b714c104ec76d81a986d1

    Download Submit
  • memory/2036-25-0x0000000002740000-0x0000000002780000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2036-45-0x000000006DBE0000-0x000000006E18B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2036-33-0x000000006DBE0000-0x000000006E18B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2036-29-0x0000000002740000-0x0000000002780000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2036-23-0x000000006DBE0000-0x000000006E18B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2584-46-0x000000006DBE0000-0x000000006E18B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2584-21-0x000000006DBE0000-0x000000006E18B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2584-30-0x00000000029C0000-0x0000000002A00000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2584-27-0x000000006DBE0000-0x000000006E18B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2700-22-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-43-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-19-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-31-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-76-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-32-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-75-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-28-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-26-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-24-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-70-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-34-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2700-37-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-69-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-39-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-41-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-59-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-44-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-58-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-54-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-47-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-48-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-49-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-50-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2700-53-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2844-2-0x0000000000570000-0x00000000005B0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2844-3-0x00000000005D0000-0x00000000005E8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2844-0-0x0000000001380000-0x000000000146A000-memory.dmp
    Filesize

    936KB

    Download
  • memory/2844-40-0x0000000074110000-0x00000000747FE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2844-4-0x0000000000560000-0x0000000000568000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2844-5-0x0000000000600000-0x000000000060C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/2844-6-0x0000000005B30000-0x0000000005BF0000-memory.dmp
    Filesize

    768KB

    Download
  • memory/2844-1-0x0000000074110000-0x00000000747FE000-memory.dmp
    Filesize

    6.9MB

    Download