Malware Analysis Report

2024-12-07 22:48

Sample ID 240511-ke7fpahb2y
Target 215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe
SHA256 215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd
Tags
remcos nuevos persistence rat
score
10/10

Analysis Overview

score
10/10

SHA256

215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd

Threat Level: Known bad

The file 215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe was found to be: Known bad.

Malicious Activity Summary

remcos nuevos persistence rat

Remcos

Remcos family

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Analysis: static1

Detonation Overview

Reported

2024-05-11 08:31

Signatures

Remcos family

remcos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-11 08:31

Reported

2024-05-11 08:41

Platform

win7-20240221-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe"

Signatures

Remcos

rat remcos

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\data\notepads.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\system32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\data\\notepads.exe\"" C:\Users\Admin\AppData\Local\Temp\215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\data\\notepads.exe\"" C:\Users\Admin\AppData\Local\Temp\215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\system32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\data\\notepads.exe\"" C:\Users\Admin\AppData\Roaming\data\notepads.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\data\\notepads.exe\"" C:\Users\Admin\AppData\Roaming\data\notepads.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\data\notepads.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe C:\Windows\SysWOW64\WScript.exe
PID 2956 wrote to memory of 3004 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3004 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\data\notepads.exe

Processes

C:\Users\Admin\AppData\Local\Temp\215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe

"C:\Users\Admin\AppData\Local\Temp\215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\data\notepads.exe"

C:\Users\Admin\AppData\Roaming\data\notepads.exe

C:\Users\Admin\AppData\Roaming\data\notepads.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 nuevosremcs.duckdns.org udp
SE 46.246.80.26:9090 nuevosremcs.duckdns.org tcp
SE 46.246.80.26:9090 tcp

Files

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5 1653e8468b0d0cd87a484261da3a898b
SHA1 ab798bd56e8dfebf82b4feda4e1549778d19848b
SHA256 1bf4eaa1b06f079565ca6ea81082736efd1e25d6465c353ad992ba8c38940c3f
SHA512 5df77f64350879e22a6b9f018bdd8fcf90920cc9f4026ed9bf733b5e965214abd8c3643b211b2f814cd2a9e016f0c15762eaee133feef6ed5c37bdd66ff7be2f

\Users\Admin\AppData\Roaming\data\notepads.exe

MD5 27bb3968cc18fb0df5b14e6d1b805552
SHA1 8f44161a7c4e45422a5d179fbd1d1a81657d828c
SHA256 215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd
SHA512 c470ab75ae46a7161886b8e334143d373385efeb63afcb6f80317bcc0ed989bd3fbc97e87287a0aed8a4661b72261e1ceb94a2be263f25f00c935bad56bafc5d

C:\ProgramData\notas\logs.dat

MD5 46f034952dfc0d5b70fe2529c44b1b07
SHA1 834a82a29466705ddc9f9a21528cc7e69604e84c
SHA256 8021172204d92f4fbb15b2f3408942d3d178de5fd7750da880708f428c75ebef
SHA512 0c193e200f3c1af52cd3f7b83d47bcbd3ffe8360c2b454888d59c7664b627d8fa16719717ae84df7ff41395870be1ccf67f25696816799ba8d7ac927372ffd6b

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 08:31

Reported

2024-05-11 08:42

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\data\notepads.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\data\\notepads.exe\"" C:\Users\Admin\AppData\Local\Temp\215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\data\\notepads.exe\"" C:\Users\Admin\AppData\Local\Temp\215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\data\\notepads.exe\"" C:\Users\Admin\AppData\Roaming\data\notepads.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system32 = "\"C:\\Users\\Admin\\AppData\\Roaming\\data\\notepads.exe\"" C:\Users\Admin\AppData\Roaming\data\notepads.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\data\notepads.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe

"C:\Users\Admin\AppData\Local\Temp\215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\data\notepads.exe"

C:\Users\Admin\AppData\Roaming\data\notepads.exe

C:\Users\Admin\AppData\Roaming\data\notepads.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 nuevosremcs.duckdns.org udp
SE 46.246.80.26:9090 nuevosremcs.duckdns.org tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5 1653e8468b0d0cd87a484261da3a898b
SHA1 ab798bd56e8dfebf82b4feda4e1549778d19848b
SHA256 1bf4eaa1b06f079565ca6ea81082736efd1e25d6465c353ad992ba8c38940c3f
SHA512 5df77f64350879e22a6b9f018bdd8fcf90920cc9f4026ed9bf733b5e965214abd8c3643b211b2f814cd2a9e016f0c15762eaee133feef6ed5c37bdd66ff7be2f

C:\Users\Admin\AppData\Roaming\data\notepads.exe

MD5 27bb3968cc18fb0df5b14e6d1b805552
SHA1 8f44161a7c4e45422a5d179fbd1d1a81657d828c
SHA256 215292f9d78604f7d15cae869415f0a0269b7dd43b4986cad6a7d1b0c6cdb7dd
SHA512 c470ab75ae46a7161886b8e334143d373385efeb63afcb6f80317bcc0ed989bd3fbc97e87287a0aed8a4661b72261e1ceb94a2be263f25f00c935bad56bafc5d

C:\ProgramData\notas\logs.dat

MD5 4099e1c9fb5f92b6b217fd389b425cac
SHA1 11ba194a828b9d66980bb3bcaa3ef54fdd243e0d
SHA256 40f85c0d6c739b66505ef1cede6b6ef60c5494c2bf6c707099d5fe52ec2f65f6
SHA512 d2894cb6ee6abbdf6e22471a5b6f9690bf95d459e9840c2dfc9e907d2867d63a47d8850e8001bdb3303c67b835abd3e9f77503cc676948581c14bf66cc87cf14