Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 10:08

General

  • Target

    a34cb7528e3a832e088452e887f7c420699d43c928172bdf7fb344b96ff2e81d.exe

  • Size

    1.1MB

  • MD5

    6396cf12253c6f9a3ce1607be6df95ca

  • SHA1

    a9525c26f5010f1c149403ab83944a575bfb45b5

  • SHA256

    a34cb7528e3a832e088452e887f7c420699d43c928172bdf7fb344b96ff2e81d

  • SHA512

    8c3126ce810f49307dd09b0062c56844a98b7b900fbdf2f7b6f74db9b6a5647f3d3330c3fb7b1664272f485f5d2a2818060b299b0958d9c62ecf0912f9c7276d

  • SSDEEP

    24576:XJDCuMUyddMSoLPAWO0+7y9ZlhuQ19EW9du+NnwEDjTSI44+s4:VCey/oLPa0HAQ1b9du+Nn2I6s4

Malware Config

Extracted

Family

remcos

Botnet

AJANKO

C2

ajanko.duckdns.org:1970

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-Z9ICSO

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a34cb7528e3a832e088452e887f7c420699d43c928172bdf7fb344b96ff2e81d.exe
    "C:\Users\Admin\AppData\Local\Temp\a34cb7528e3a832e088452e887f7c420699d43c928172bdf7fb344b96ff2e81d.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4048
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:2408
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp45B4.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3560
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • UAC bypass
        • Windows security bypass
        • Checks computer location settings
        • Executes dropped EXE
        • Windows security modification
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4792
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1648
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
          4⤵
            PID:1184
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 24
              5⤵
              • Program crash
              PID:636
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1184 -ip 1184
      1⤵
        PID:4060

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lv2pn1vc.5l5.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\tmp45B4.tmp.bat

        Filesize

        151B

        MD5

        db3a46a9b69dd2336a2bb763b4a8a7ea

        SHA1

        7b6f18fd9614e819f7eeb4ff48eda983cb6423f8

        SHA256

        e2a83c68235946fe4ad2deca8242b9d8fd615263a3ba1d6df0addbb6fd0f4d2e

        SHA512

        89816b7ad676af6da9242c2c17c85b691037271afc41078cbe2e9458350f2a3b990cc0400ff01255e75857783044f1af242490f7cd5471c0dc52aa29c136e022

      • C:\Users\Admin\AppData\Roaming\svchost.exe

        Filesize

        1.1MB

        MD5

        6396cf12253c6f9a3ce1607be6df95ca

        SHA1

        a9525c26f5010f1c149403ab83944a575bfb45b5

        SHA256

        a34cb7528e3a832e088452e887f7c420699d43c928172bdf7fb344b96ff2e81d

        SHA512

        8c3126ce810f49307dd09b0062c56844a98b7b900fbdf2f7b6f74db9b6a5647f3d3330c3fb7b1664272f485f5d2a2818060b299b0958d9c62ecf0912f9c7276d

      • memory/1184-13-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/1648-23-0x000002257C550000-0x000002257C572000-memory.dmp

        Filesize

        136KB

      • memory/4048-0-0x00000240BB8B0000-0x00000240BB90A000-memory.dmp

        Filesize

        360KB

      • memory/4048-1-0x00007FFC73A83000-0x00007FFC73A85000-memory.dmp

        Filesize

        8KB

      • memory/4048-2-0x00007FFC73A80000-0x00007FFC74541000-memory.dmp

        Filesize

        10.8MB

      • memory/4048-3-0x00000240D5CF0000-0x00000240D5DC4000-memory.dmp

        Filesize

        848KB

      • memory/4048-8-0x00007FFC73A80000-0x00007FFC74541000-memory.dmp

        Filesize

        10.8MB