Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11-05-2024 01:09

General

  • Target

    215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe

  • Size

    469KB

  • MD5

    27bb3968cc18fb0df5b14e6d1b805552

  • SHA1

    8f44161a7c4e45422a5d179fbd1d1a81657d828c

  • SHA256

    215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd

  • SHA512

    c470ab75ae46a7161886b8e334143d373385efeb63afcb6f80317bcc0ed989bd3fbc97e87287a0aed8a4661b72261e1ceb94a2be263f25f00c935bad56bafc5d

  • SSDEEP

    12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSFn9:uiLJbpI7I2WhQqZ7F9

Malware Config

Extracted

Family

remcos

Botnet

Nuevos

C2

nuevosremcs.duckdns.org:9090

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    notepads.exe

  • copy_folder

    data

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    notas

  • mouse_option

    false

  • mutex

    Rmc-WRNU47

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    system32

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • detects Windows exceutables potentially bypassing UAC using eventvwr.exe 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe
    "C:\Users\Admin\AppData\Local\Temp\215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\data\notepads.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Users\Admin\AppData\Roaming\data\notepads.exe
          C:\Users\Admin\AppData\Roaming\data\notepads.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetWindowsHookEx
          PID:2552

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\notas\logs.dat

    Filesize

    144B

    MD5

    81f6e26b375b8077152da55569eb0606

    SHA1

    799a2db4ebc27c3b700e3f5557a183ff3f86fd4b

    SHA256

    20d546c390b089c10492d2d0f897d2c7f4524df811befb00fda5ab6baf8849f5

    SHA512

    22737f7d86969089686f3533129dad927bd2169bc68c02d8f351b25658bdf7f793fa7fe0390fad5e77e532d577f3f4c006fe0445c855d1b4c71b2252e515c9ab

  • C:\Users\Admin\AppData\Local\Temp\install.vbs

    Filesize

    418B

    MD5

    1653e8468b0d0cd87a484261da3a898b

    SHA1

    ab798bd56e8dfebf82b4feda4e1549778d19848b

    SHA256

    1bf4eaa1b06f079565ca6ea81082736efd1e25d6465c353ad992ba8c38940c3f

    SHA512

    5df77f64350879e22a6b9f018bdd8fcf90920cc9f4026ed9bf733b5e965214abd8c3643b211b2f814cd2a9e016f0c15762eaee133feef6ed5c37bdd66ff7be2f

  • \Users\Admin\AppData\Roaming\data\notepads.exe

    Filesize

    469KB

    MD5

    27bb3968cc18fb0df5b14e6d1b805552

    SHA1

    8f44161a7c4e45422a5d179fbd1d1a81657d828c

    SHA256

    215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd

    SHA512

    c470ab75ae46a7161886b8e334143d373385efeb63afcb6f80317bcc0ed989bd3fbc97e87287a0aed8a4661b72261e1ceb94a2be263f25f00c935bad56bafc5d