Overview

overview

10

Static

static

3

Payment Invoice.exe

windows7-x64

10

Payment Invoice.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11-04-2024 07:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment Invoice.exe

  • Size

    910KB

  • MD5

    783addabb1e7dcb48130649faaf852c7

  • SHA1

    c87553da7df62530e9262b35930d6a15aff4949a

  • SHA256

    b162074bf62543007615d08db1dffa75022858944a0ecc5de5ed8d3be561e3da

  • SHA512

    9f352fd443bd680a71ce1a4ece252baa81c2c293727d520ce57da93d461808f50be6c22f4a6f8e0a18f0857785b47f783f1f3cc6c41442275c12149e067b3c3b

  • SSDEEP

    24576:IsWW2f6w8r89u8TeWMkzIULsHTJMGoMzyc/VdK:IsT2fTC8BSWMkluMMzyctd

Score
10/10
remcosremotehostrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

bignight.net:3363

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-1XSDBO

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2532
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HFqduGIsFotY.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2464
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HFqduGIsFotY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA8BD.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2564
    • C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2836

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    f929b1b386e2634f5c3fb5e71729ff91

    SHA1

    351b9e86b966097bc4e7756422291ad258e1f4e3

    SHA256

    f64611daf3a98268bbde707ddbb5d30e8890e0a6f182a96191893558844a8866

    SHA512

    38aa8ce999e1ac1c9514b7401b75e8d6a99a2cfc6a872a93ed481cc2f9a8762eb71999b75a59ab6648485b4f810eb68335950664b9e56593b7b7814bba83aabd

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpA8BD.tmp
    Filesize

    1KB

    MD5

    6d346c0718007e5f75cfe3a6f5f9242e

    SHA1

    dc250231e6871c410919a1c3026a5cd3f8dcfb23

    SHA256

    cd80f6c7787f5abbcf702c28706328b0a96fec8f2986293f3d288f4292a26fad

    SHA512

    9101aad66fb3009547353a7d8d602ca8a0e8a56b7ab960791152071bc2fe84d6ef2ae7310ec521fb55e05071f19cf177f8410b301fba2d8f5b0afd2f37051ad0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AL500X42SL2V262XP3TH.temp
    Filesize

    7KB

    MD5

    bfba2c49dbd50ad686105d08e50fb0f5

    SHA1

    36c9e72d750fa3f3da730daaec2ce13a7bc8a0eb

    SHA256

    358a47d83aff1461dc2a66d820e2bd9b2465bc2b309309d11bafe138a7a07001

    SHA512

    fc75c739d668ea33e29859964c73c1d24d004e2df44397fe114a6c6b3c1c527352f241bd8b72b40087765ac24667ca1cec81a5fab2f6d1a49c99d8bdf9073f71

    Download Submit
  • memory/2244-3-0x0000000000820000-0x0000000000838000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2244-4-0x0000000000800000-0x0000000000808000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2244-5-0x0000000000850000-0x000000000085C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/2244-6-0x0000000005BE0000-0x0000000005CA0000-memory.dmp
    Filesize

    768KB

    Download
  • memory/2244-2-0x0000000000D80000-0x0000000000DC0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2244-0-0x0000000001070000-0x000000000115A000-memory.dmp
    Filesize

    936KB

    Download
  • memory/2244-34-0x00000000747A0000-0x0000000074E8E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2244-1-0x00000000747A0000-0x0000000074E8E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2464-42-0x0000000002540000-0x0000000002580000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2464-49-0x000000006F700000-0x000000006FCAB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2464-40-0x000000006F700000-0x000000006FCAB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2464-44-0x000000006F700000-0x000000006FCAB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2532-48-0x000000006F700000-0x000000006FCAB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2532-43-0x000000006F700000-0x000000006FCAB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2532-41-0x0000000002770000-0x00000000027B0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2532-46-0x0000000002770000-0x00000000027B0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2532-39-0x000000006F700000-0x000000006FCAB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2836-25-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-50-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-37-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-33-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-38-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-31-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2836-28-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-27-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-26-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-45-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-24-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-47-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-23-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-21-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-35-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-51-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-52-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-54-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-55-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-56-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-58-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-59-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-60-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-61-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-62-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-63-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-77-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-78-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-97-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-98-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2836-19-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download