Malware Analysis Report

2024-12-07 22:54

Sample ID 240510-rhb8aadc89
Target 49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2
SHA256 49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2
Tags
edgeupdater remcos persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2

Threat Level: Known bad

The file 49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2 was found to be: Known bad.

Malicious Activity Summary

edgeupdater remcos persistence rat

Remcos

Remcos family

Adds policy Run key to start application

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 14:11

Signatures

Remcos family

remcos

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 14:11

Reported

2024-05-10 14:13

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2.exe"

Signatures

Remcos

rat remcos

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Edgeupdater = "\"C:\\ProgramData\\microsoftEdge\\Edgeupdater.exe\"" | C:\Users\Admin\AppData\Local\Temp\49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\microsoftEdge\Edgeupdater.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Edgeupdater = "\"C:\\ProgramData\\microsoftEdge\\Edgeupdater.exe\"" | C:\ProgramData\microsoftEdge\Edgeupdater.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\microsoftEdge\Edgeupdater.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Edgeupdater = "\"C:\\ProgramData\\microsoftEdge\\Edgeupdater.exe\"" | C:\Users\Admin\AppData\Local\Temp\49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Edgeupdater = "\"C:\\ProgramData\\microsoftEdge\\Edgeupdater.exe\"" | C:\Users\Admin\AppData\Local\Temp\49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Edgeupdater = "\"C:\\ProgramData\\microsoftEdge\\Edgeupdater.exe\"" | C:\ProgramData\microsoftEdge\Edgeupdater.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Edgeupdater = "\"C:\\ProgramData\\microsoftEdge\\Edgeupdater.exe\"" | C:\ProgramData\microsoftEdge\Edgeupdater.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2.exe

"C:\Users\Admin\AppData\Local\Temp\49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\microsoftEdge\Edgeupdater.exe"

C:\ProgramData\microsoftEdge\Edgeupdater.exe

C:\ProgramData\microsoftEdge\Edgeupdater.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | rornfl12.duckdns.org | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
BE | 88.221.83.203:443 | www.bing.com | tcp
N/A | 127.0.0.1:2405 | | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.83.221.88.in-addr.arpa | udp
BE | 88.221.83.203:443 | www.bing.com | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
N/A | 127.0.0.1:2405 | | tcp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
N/A | 127.0.0.1:2405 | | tcp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
US | 8.8.8.8:53 | rornfl12.duckdns.org | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
US | 52.111.227.11:443 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
US | 8.8.8.8:53 | rornfl12.duckdns.org | udp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5 19f4614bb43cdf3e42d786d19a92f4ac
SHA1 bd3fa3595e247387810e31b3d3fd4a08b54dacc7
SHA256 1e9cb576fd6e7af381e5e24429a8a514d36aff8ed0f6f579c609cc646cbddcea
SHA512 aa9611fa7d87c2237abeb9d23dd03da4250ba4192bdc276f4c6f3c8747ee8cb6768b160e843012d8c550e8c1744cbfb4746b1d928c66495aa08740f55092bcf4

C:\ProgramData\microsoftEdge\Edgeupdater.exe

MD5 95939f7e0943f1428467c77c293e6036
SHA1 892d0c06a2c9377b716e3e456c15fa0a5c2d070a
SHA256 49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2
SHA512 ad55cf00384915a788343eff3b54811050e3964f4c6598515465dce462bce71116fe52d03057ecf202fa08ef405df70c1bf07dfe65ccf37f3e58f16bf6e64f56

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 14:11

Reported

2024-05-10 14:13

Platform

win11-20240426-en

Max time kernel

149s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2.exe"

Signatures

Remcos

rat remcos

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Edgeupdater = "\"C:\\ProgramData\\microsoftEdge\\Edgeupdater.exe\"" | C:\Users\Admin\AppData\Local\Temp\49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\ProgramData\microsoftEdge\Edgeupdater.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Edgeupdater = "\"C:\\ProgramData\\microsoftEdge\\Edgeupdater.exe\"" | C:\ProgramData\microsoftEdge\Edgeupdater.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\microsoftEdge\Edgeupdater.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Edgeupdater = "\"C:\\ProgramData\\microsoftEdge\\Edgeupdater.exe\"" | C:\ProgramData\microsoftEdge\Edgeupdater.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Edgeupdater = "\"C:\\ProgramData\\microsoftEdge\\Edgeupdater.exe\"" | C:\Users\Admin\AppData\Local\Temp\49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Edgeupdater = "\"C:\\ProgramData\\microsoftEdge\\Edgeupdater.exe\"" | C:\Users\Admin\AppData\Local\Temp\49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Edgeupdater = "\"C:\\ProgramData\\microsoftEdge\\Edgeupdater.exe\"" | C:\ProgramData\microsoftEdge\Edgeupdater.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2.exe

"C:\Users\Admin\AppData\Local\Temp\49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\microsoftEdge\Edgeupdater.exe"

C:\ProgramData\microsoftEdge\Edgeupdater.exe

C:\ProgramData\microsoftEdge\Edgeupdater.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rornfl12.duckdns.org | udp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
US | 8.8.8.8:53 | rornfl12.duckdns.org | udp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
NL | 52.111.243.31:443 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp
N/A | 127.0.0.1:2405 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5 19f4614bb43cdf3e42d786d19a92f4ac
SHA1 bd3fa3595e247387810e31b3d3fd4a08b54dacc7
SHA256 1e9cb576fd6e7af381e5e24429a8a514d36aff8ed0f6f579c609cc646cbddcea
SHA512 aa9611fa7d87c2237abeb9d23dd03da4250ba4192bdc276f4c6f3c8747ee8cb6768b160e843012d8c550e8c1744cbfb4746b1d928c66495aa08740f55092bcf4

C:\ProgramData\microsoftEdge\Edgeupdater.exe

MD5 95939f7e0943f1428467c77c293e6036
SHA1 892d0c06a2c9377b716e3e456c15fa0a5c2d070a
SHA256 49f4cc2bea40cf52315aed5b939de396212e16902e5ea23ff699c372d609cbb2
SHA512 ad55cf00384915a788343eff3b54811050e3964f4c6598515465dce462bce71116fe52d03057ecf202fa08ef405df70c1bf07dfe65ccf37f3e58f16bf6e64f56