Overview

overview

10

Static

static

3

#Inv_PI_{n...df.exe

windows7-x64

10

#Inv_PI_{n...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 09:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    #Inv_PI_{number_12}_pdf.exe

  • Size

    1.1MB

  • MD5

    96a62642b79fcb88da4f854b2c46c64c

  • SHA1

    1778d5bad1acb999458092745af2a6ac3fce39a3

  • SHA256

    472a8fbff35cdda49a870d372fa6da50defd8480348438e245f11aad954642d1

  • SHA512

    4643ede4706e904a6b6efd4c59d29c5a58c3aa3614de1d4d17e02d8ad33c4ecfd2bfe61de335e726c8ec085717afef77e9146eab4f71fd8a25758a2f3612d457

  • SSDEEP

    24576:+8lmSlcXrLArMThOTAiVOpoUJ3jEDFXF9bo:9mSubfQrVS1xjcFDo

Score
10/10
remcosremotehostcollectionexecutionpersistenceratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

45.95.169.137:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-NG20QI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\#Inv_PI_{number_12}_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\#Inv_PI_{number_12}_pdf.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GxGUIRTmI.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3396
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GxGUIRTmI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp82BD.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4460
    • C:\Users\Admin\AppData\Local\Temp\#Inv_PI_{number_12}_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\#Inv_PI_{number_12}_pdf.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4808
      • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
        "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4040
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GxGUIRTmI.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:956
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GxGUIRTmI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB045.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:3312
        • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
          "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1640
          • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
            C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\uxeispdlljligdpmua"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1784
          • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
            C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\wzrtshomzrdnqjlqdlojq"
            5⤵
            • Executes dropped EXE
            PID:4084
          • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
            C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\wzrtshomzrdnqjlqdlojq"
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook accounts
            PID:4696
          • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
            C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\htwmtaygvzvztyzcuvbctkluk"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4360

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    3d086a433708053f9bf9523e1d87a4e8

    SHA1

    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

    SHA256

    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

    SHA512

    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    e3c0fd418ca8df29fa8fe2d759d328cb

    SHA1

    78f9dac7d92fad633632f3b01147d227e8d5d62d

    SHA256

    996418bbd5aaa9e345e5cfab971691ce7a2e03250ed1d3fd8e009072f8599bb8

    SHA512

    de73eed2e906b0a0959956b7a04d849aca54b189fdc4bac5a09e2ce804579b339e3e45bf7ecf82edf6814df907dbc2d0077c1a983432185f74df8113fbcc6112

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zt2okffs.ega.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp82BD.tmp
    Filesize

    1KB

    MD5

    073768ec6fc3a2a772230dd8dafc40bc

    SHA1

    824fcd7baa1f409c35e1a84081129715041ed323

    SHA256

    59097df156f2c7badf3ef6c4ae906c1e03131ce2899a66fd6e1c535ce3e06fd6

    SHA512

    fced8d1dab6399b1bad1750ac141f4647befd02a17259a76fbb2f2545c18dcd6bc136bf49aac7007c5cbba2ea098ff901fb9e79e01acb0d48c17441a3edf192a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\uxeispdlljligdpmua
    Filesize

    4KB

    MD5

    8651f1ecc401fe73c45d06863467d144

    SHA1

    0150ba4649afe382ae1705552473bba7beb990f4

    SHA256

    51827e101e890667e6d9b8aa7b804d56b53cadc110b5b8b834229788c29a65e8

    SHA512

    c0b371d9080c0e82adae100a9400bb7bd239cfe243c072dde0f9310524b92d16a10db9117403d8af227cef9def552dba7c04da3b3bd46a88836acc071cb9890f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
    Filesize

    1.1MB

    MD5

    96a62642b79fcb88da4f854b2c46c64c

    SHA1

    1778d5bad1acb999458092745af2a6ac3fce39a3

    SHA256

    472a8fbff35cdda49a870d372fa6da50defd8480348438e245f11aad954642d1

    SHA512

    4643ede4706e904a6b6efd4c59d29c5a58c3aa3614de1d4d17e02d8ad33c4ecfd2bfe61de335e726c8ec085717afef77e9146eab4f71fd8a25758a2f3612d457

    Download Submit

  • memory/956-99-0x0000000071280000-0x00000000712CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/956-96-0x0000000005CD0000-0x0000000006024000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/956-110-0x00000000076B0000-0x00000000076C1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/956-109-0x00000000073E0000-0x0000000007483000-memory.dmp

    Filesize

    652KB

    Download

  • memory/956-98-0x00000000062D0000-0x000000000631C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1416-6-0x0000000004DF0000-0x0000000004E0A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1416-5-0x0000000074A90000-0x0000000075240000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1416-4-0x0000000004DE0000-0x0000000004DEA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1416-7-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1416-32-0x0000000074A90000-0x0000000075240000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1416-9-0x0000000008140000-0x00000000081DC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1416-8-0x0000000005AE0000-0x0000000005BA0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/1416-3-0x0000000004D20000-0x0000000004DB2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1416-2-0x00000000052D0000-0x0000000005874000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1416-0-0x0000000074A9E000-0x0000000074A9F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1416-1-0x0000000000380000-0x00000000004A4000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1640-150-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1640-148-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1640-142-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1640-143-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1640-144-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1640-138-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1640-84-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1640-83-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1640-151-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1640-119-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1640-118-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1640-116-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1640-115-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1640-114-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1640-113-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1640-112-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1640-145-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1640-147-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1640-146-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1640-141-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1640-149-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1640-85-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1784-120-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1784-128-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1784-125-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3396-37-0x0000000005690000-0x00000000056F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3396-46-0x00000000057A0000-0x0000000005AF4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3396-74-0x00000000072C0000-0x00000000072C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3396-73-0x00000000072E0000-0x00000000072FA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3396-72-0x00000000071E0000-0x00000000071F4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3396-71-0x00000000071D0000-0x00000000071DE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3396-70-0x00000000071A0000-0x00000000071B1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3396-69-0x0000000007220000-0x00000000072B6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3396-68-0x0000000007010000-0x000000000701A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3396-67-0x0000000006FA0000-0x0000000006FBA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3396-66-0x00000000075E0000-0x0000000007C5A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3396-65-0x0000000006CB0000-0x0000000006D53000-memory.dmp

    Filesize

    652KB

    Download

  • memory/3396-64-0x0000000006200000-0x000000000621E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3396-53-0x0000000006C70000-0x0000000006CA2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3396-54-0x0000000075320000-0x000000007536C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3396-14-0x00000000046F0000-0x0000000004726000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3396-52-0x00000000061B0000-0x00000000061FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3396-15-0x0000000074A90000-0x0000000075240000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3396-18-0x0000000074A90000-0x0000000075240000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3396-17-0x0000000004D70000-0x0000000005398000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3396-22-0x0000000074A90000-0x0000000075240000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3396-51-0x0000000005C50000-0x0000000005C6E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3396-31-0x00000000054F0000-0x0000000005512000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3396-38-0x0000000005700000-0x0000000005766000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3396-77-0x0000000074A90000-0x0000000075240000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4360-129-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4360-131-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4360-132-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/4696-126-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/4696-127-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/4696-123-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

    Download

  • memory/4808-49-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4808-19-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4808-21-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4808-25-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4808-20-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download