Overview

overview

10

Static

static

3

#Inv_PI_{n...df.exe

windows7-x64

10

#Inv_PI_{n...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 01:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    #Inv_PI_{number_12}_pdf.exe

  • Size

    1.1MB

  • MD5

    96a62642b79fcb88da4f854b2c46c64c

  • SHA1

    1778d5bad1acb999458092745af2a6ac3fce39a3

  • SHA256

    472a8fbff35cdda49a870d372fa6da50defd8480348438e245f11aad954642d1

  • SHA512

    4643ede4706e904a6b6efd4c59d29c5a58c3aa3614de1d4d17e02d8ad33c4ecfd2bfe61de335e726c8ec085717afef77e9146eab4f71fd8a25758a2f3612d457

  • SSDEEP

    24576:+8lmSlcXrLArMThOTAiVOpoUJ3jEDFXF9bo:9mSubfQrVS1xjcFDo

Score
10/10
remcosremotehostcollectionexecutionpersistenceratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

45.95.169.137:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-NG20QI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 24 IoCs
  • Detects executables built or packed with MPress PE compressor 12 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\#Inv_PI_{number_12}_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\#Inv_PI_{number_12}_pdf.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3724
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GxGUIRTmI.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4932
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GxGUIRTmI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp66F7.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1708
    • C:\Users\Admin\AppData\Local\Temp\#Inv_PI_{number_12}_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\#Inv_PI_{number_12}_pdf.exe"
      2⤵
        PID:3664
      • C:\Users\Admin\AppData\Local\Temp\#Inv_PI_{number_12}_pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\#Inv_PI_{number_12}_pdf.exe"
        2⤵
        • Checks computer location settings
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4924
        • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
          "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4344
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GxGUIRTmI.exe"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2732
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GxGUIRTmI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp95E7.tmp"
            4⤵
            • Creates scheduled task(s)
            PID:2100
          • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
            "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
            4⤵
            • Executes dropped EXE
            PID:2180
          • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
            "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:2356
            • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
              C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\gqroutuvtoyrcc"
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1916
            • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
              C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\qkfhvlfxpwqwmqqls"
              5⤵
              • Executes dropped EXE
              • Accesses Microsoft Outlook accounts
              PID:1708
            • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
              C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\tmkroepqdeiipwfxbeyya"
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3992

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      059288a00f68ae5b12ec1c09c963d9a3

      SHA1

      1c2a2133f1ad76737ba973af8f7e9678d77b4e22

      SHA256

      4a502fc775922679ba1af34fdf2399b2fc2b891b3191aa96a4d31261dc298c25

      SHA512

      0a4d0259e7649131d17507a83f84503a34a833b787fb7d1f3e095de07e1906a70e5cf5ecc1d41b5bb310d141e8db9f33c92242831185f3a8e724c65a6a80006e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gzo451rg.1tk.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\gqroutuvtoyrcc
      Filesize

      4KB

      MD5

      25a7e8d624c2bfdb2facdc50a1d9b965

      SHA1

      bbf90e7e78dcba692d6a35716d72cd1affc8cf9c

      SHA256

      880d0a92fcd2d68631b413e0cc98d71fc68337abb19f59901c075e058c694b47

      SHA512

      35e57b1fd68fd64c325d179323c3383c39cb00e37b42480c0962517eb8ffdffd5d3a95b77122161f651e45ab2fee4a8e5c3f604bd80351a2680f087ea2b9517f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp66F7.tmp
      Filesize

      1KB

      MD5

      2c102f2bf00ab5b624dda231c7ac78b6

      SHA1

      0e611d4a5d5168153f75e47fd61a42e617baf776

      SHA256

      35e3557a7f81661c5b2adffef1856a55b444caa819b24cb5492980dbaee76d11

      SHA512

      7dc03ee1cba3636113d31887c24abbf279be96ef2b8d0fa6dafa528f09469b8996b50f56bed19b04c9b58053dd93edc1a84d2d2b26e68914db6c9b06811cdf72

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
      Filesize

      1.1MB

      MD5

      96a62642b79fcb88da4f854b2c46c64c

      SHA1

      1778d5bad1acb999458092745af2a6ac3fce39a3

      SHA256

      472a8fbff35cdda49a870d372fa6da50defd8480348438e245f11aad954642d1

      SHA512

      4643ede4706e904a6b6efd4c59d29c5a58c3aa3614de1d4d17e02d8ad33c4ecfd2bfe61de335e726c8ec085717afef77e9146eab4f71fd8a25758a2f3612d457

      Download Submit
    • memory/1708-124-0x0000000000400000-0x0000000000462000-memory.dmp
      Filesize

      392KB

      Download
    • memory/1708-129-0x0000000000400000-0x0000000000462000-memory.dmp
      Filesize

      392KB

      Download
    • memory/1708-127-0x0000000000400000-0x0000000000462000-memory.dmp
      Filesize

      392KB

      Download
    • memory/1916-126-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/1916-128-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/1916-122-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/2356-143-0x0000000010000000-0x0000000010019000-memory.dmp
      Filesize

      100KB

      Download
    • memory/2356-117-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2356-142-0x0000000010000000-0x0000000010019000-memory.dmp
      Filesize

      100KB

      Download
    • memory/2356-144-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2356-145-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2356-146-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2356-148-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2356-147-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2356-149-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2356-150-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2356-121-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2356-151-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2356-120-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2356-139-0x0000000010000000-0x0000000010019000-memory.dmp
      Filesize

      100KB

      Download
    • memory/2356-116-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2356-115-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2356-114-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2356-113-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2356-85-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2356-84-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2356-86-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2356-152-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2732-99-0x0000000005C90000-0x0000000005CDC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/2732-100-0x00000000736D0000-0x000000007371C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/2732-97-0x0000000005570000-0x00000000058C4000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2732-110-0x0000000006E60000-0x0000000006F03000-memory.dmp
      Filesize

      652KB

      Download
    • memory/2732-111-0x0000000007130000-0x0000000007141000-memory.dmp
      Filesize

      68KB

      Download
    • memory/2732-112-0x0000000007180000-0x0000000007194000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3724-26-0x0000000074C00000-0x00000000753B0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3724-8-0x0000000006760000-0x0000000006820000-memory.dmp
      Filesize

      768KB

      Download
    • memory/3724-1-0x0000000000DB0000-0x0000000000ED4000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3724-2-0x0000000005F90000-0x0000000006534000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3724-3-0x0000000005920000-0x00000000059B2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3724-5-0x0000000074C00000-0x00000000753B0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3724-4-0x00000000058A0000-0x00000000058AA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3724-6-0x00000000058B0000-0x00000000058CA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3724-7-0x0000000005890000-0x00000000058A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3724-0-0x0000000074C0E000-0x0000000074C0F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3724-9-0x0000000008D80000-0x0000000008E1C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3992-130-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/3992-136-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/3992-132-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/4924-21-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4924-25-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4924-19-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4924-52-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4924-18-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/4932-28-0x0000000005970000-0x0000000005992000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4932-17-0x0000000074C00000-0x00000000753B0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4932-73-0x0000000007EA0000-0x0000000007EBA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4932-41-0x0000000006230000-0x0000000006296000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4932-46-0x00000000063A0000-0x00000000066F4000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4932-47-0x0000000006830000-0x000000000684E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4932-48-0x0000000006880000-0x00000000068CC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4932-53-0x0000000007800000-0x0000000007832000-memory.dmp
      Filesize

      200KB

      Download
    • memory/4932-54-0x00000000704B0000-0x00000000704FC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4932-64-0x0000000006DE0000-0x0000000006DFE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4932-65-0x0000000007A40000-0x0000000007AE3000-memory.dmp
      Filesize

      652KB

      Download
    • memory/4932-23-0x0000000074C00000-0x00000000753B0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4932-20-0x0000000074C00000-0x00000000753B0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4932-40-0x00000000061C0000-0x0000000006226000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4932-16-0x0000000005A90000-0x00000000060B8000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/4932-14-0x0000000005280000-0x00000000052B6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/4932-66-0x00000000081A0000-0x000000000881A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/4932-67-0x0000000007B60000-0x0000000007B7A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4932-68-0x0000000007BD0000-0x0000000007BDA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4932-69-0x0000000007DE0000-0x0000000007E76000-memory.dmp
      Filesize

      600KB

      Download
    • memory/4932-70-0x0000000007D60000-0x0000000007D71000-memory.dmp
      Filesize

      68KB

      Download
    • memory/4932-71-0x0000000007D90000-0x0000000007D9E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/4932-72-0x0000000007DA0000-0x0000000007DB4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/4932-77-0x0000000074C00000-0x00000000753B0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4932-74-0x0000000007E80000-0x0000000007E88000-memory.dmp
      Filesize

      32KB

      Download