Overview

overview

10

Static

static

3

472a8fbff3...d1.exe

windows7-x64

10

472a8fbff3...d1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 01:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    472a8fbff35cdda49a870d372fa6da50defd8480348438e245f11aad954642d1.exe

  • Size

    1.1MB

  • MD5

    96a62642b79fcb88da4f854b2c46c64c

  • SHA1

    1778d5bad1acb999458092745af2a6ac3fce39a3

  • SHA256

    472a8fbff35cdda49a870d372fa6da50defd8480348438e245f11aad954642d1

  • SHA512

    4643ede4706e904a6b6efd4c59d29c5a58c3aa3614de1d4d17e02d8ad33c4ecfd2bfe61de335e726c8ec085717afef77e9146eab4f71fd8a25758a2f3612d457

  • SSDEEP

    24576:+8lmSlcXrLArMThOTAiVOpoUJ3jEDFXF9bo:9mSubfQrVS1xjcFDo

Score
10/10
remcosremotehostcollectionexecutionpersistenceratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

45.95.169.137:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-NG20QI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 24 IoCs
  • Detects executables built or packed with MPress PE compressor 12 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\472a8fbff35cdda49a870d372fa6da50defd8480348438e245f11aad954642d1.exe
    "C:\Users\Admin\AppData\Local\Temp\472a8fbff35cdda49a870d372fa6da50defd8480348438e245f11aad954642d1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GxGUIRTmI.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4632
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GxGUIRTmI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp755F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4892
    • C:\Users\Admin\AppData\Local\Temp\472a8fbff35cdda49a870d372fa6da50defd8480348438e245f11aad954642d1.exe
      "C:\Users\Admin\AppData\Local\Temp\472a8fbff35cdda49a870d372fa6da50defd8480348438e245f11aad954642d1.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
        "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2412
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GxGUIRTmI.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4048
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GxGUIRTmI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA25A.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:4876
        • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
          "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1784
          • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
            C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\tnqxgyaornsgadyzoqb"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2756
          • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
            C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\wpwqgqlqfvklcjudfaoxtw"
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook accounts
            PID:3156
          • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
            C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\gkbjhjwktdcqmpiholizwjksc"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4872

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    b3444ee4fa31caeac032d03a8f805e3e

    SHA1

    7cf19d7b13217f6a8603c57c8e0cc88354b9ce28

    SHA256

    8079341e15de5cc7a4bcc7fcf45c5b409657a718282579ccf7d940d2d02533fd

    SHA512

    a0163d0e6679bc4d025cffe9c5f9f1dcde62952add3c149844acee49ece954b1eb04c4a2adc243bda840d54c41b88aa38632829162a931f85d9c845b48d47890

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n3kat3g0.xkx.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp755F.tmp
    Filesize

    1KB

    MD5

    2c102f2bf00ab5b624dda231c7ac78b6

    SHA1

    0e611d4a5d5168153f75e47fd61a42e617baf776

    SHA256

    35e3557a7f81661c5b2adffef1856a55b444caa819b24cb5492980dbaee76d11

    SHA512

    7dc03ee1cba3636113d31887c24abbf279be96ef2b8d0fa6dafa528f09469b8996b50f56bed19b04c9b58053dd93edc1a84d2d2b26e68914db6c9b06811cdf72

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tnqxgyaornsgadyzoqb
    Filesize

    4KB

    MD5

    25a7e8d624c2bfdb2facdc50a1d9b965

    SHA1

    bbf90e7e78dcba692d6a35716d72cd1affc8cf9c

    SHA256

    880d0a92fcd2d68631b413e0cc98d71fc68337abb19f59901c075e058c694b47

    SHA512

    35e57b1fd68fd64c325d179323c3383c39cb00e37b42480c0962517eb8ffdffd5d3a95b77122161f651e45ab2fee4a8e5c3f604bd80351a2680f087ea2b9517f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
    Filesize

    1.1MB

    MD5

    96a62642b79fcb88da4f854b2c46c64c

    SHA1

    1778d5bad1acb999458092745af2a6ac3fce39a3

    SHA256

    472a8fbff35cdda49a870d372fa6da50defd8480348438e245f11aad954642d1

    SHA512

    4643ede4706e904a6b6efd4c59d29c5a58c3aa3614de1d4d17e02d8ad33c4ecfd2bfe61de335e726c8ec085717afef77e9146eab4f71fd8a25758a2f3612d457

    Download Submit
  • memory/1092-52-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1092-33-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1092-36-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1092-35-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1092-34-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1784-120-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1784-84-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1784-150-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1784-148-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1784-147-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1784-151-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1784-146-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1784-145-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1784-83-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1784-149-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1784-85-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1784-118-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1784-110-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1784-144-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1784-141-0x0000000010000000-0x0000000010019000-memory.dmp
    Filesize

    100KB

    Download
  • memory/1784-111-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1784-143-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1784-112-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1784-142-0x0000000010000000-0x0000000010019000-memory.dmp
    Filesize

    100KB

    Download
  • memory/1784-139-0x0000000010000000-0x0000000010019000-memory.dmp
    Filesize

    100KB

    Download
  • memory/1784-114-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1784-115-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize

    520KB

    Download
  • memory/2252-8-0x0000000006350000-0x0000000006410000-memory.dmp
    Filesize

    768KB

    Download
  • memory/2252-2-0x0000000005B40000-0x00000000060E4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2252-0-0x0000000074B4E000-0x0000000074B4F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2252-3-0x00000000054D0000-0x0000000005562000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2252-4-0x0000000005570000-0x000000000557A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2252-5-0x0000000074B40000-0x00000000752F0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2252-6-0x0000000005680000-0x000000000569A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2252-1-0x00000000009B0000-0x0000000000AD4000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2252-39-0x0000000074B40000-0x00000000752F0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2252-7-0x00000000054C0000-0x00000000054D0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2252-9-0x0000000008970000-0x0000000008A0C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2756-125-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/2756-127-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/2756-121-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/3156-126-0x0000000000400000-0x0000000000462000-memory.dmp
    Filesize

    392KB

    Download
  • memory/3156-128-0x0000000000400000-0x0000000000462000-memory.dmp
    Filesize

    392KB

    Download
  • memory/3156-123-0x0000000000400000-0x0000000000462000-memory.dmp
    Filesize

    392KB

    Download
  • memory/4048-113-0x0000000007DB0000-0x0000000007DC1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/4048-92-0x00000000061E0000-0x0000000006534000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/4048-98-0x00000000068B0000-0x00000000068FC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4048-99-0x0000000073610000-0x000000007365C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4048-109-0x0000000007AD0000-0x0000000007B73000-memory.dmp
    Filesize

    652KB

    Download
  • memory/4048-116-0x0000000007DE0000-0x0000000007DF4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/4632-70-0x0000000007510000-0x0000000007521000-memory.dmp
    Filesize

    68KB

    Download
  • memory/4632-73-0x0000000007650000-0x000000000766A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4632-67-0x0000000007310000-0x000000000732A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4632-69-0x0000000007590000-0x0000000007626000-memory.dmp
    Filesize

    600KB

    Download
  • memory/4632-66-0x0000000007950000-0x0000000007FCA000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/4632-65-0x00000000071D0000-0x0000000007273000-memory.dmp
    Filesize

    652KB

    Download
  • memory/4632-77-0x0000000074B40000-0x00000000752F0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4632-71-0x0000000007540000-0x000000000754E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/4632-64-0x00000000071B0000-0x00000000071CE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4632-14-0x00000000026D0000-0x0000000002706000-memory.dmp
    Filesize

    216KB

    Download
  • memory/4632-16-0x0000000005220000-0x0000000005848000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/4632-15-0x0000000074B40000-0x00000000752F0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4632-72-0x0000000007550000-0x0000000007564000-memory.dmp
    Filesize

    80KB

    Download
  • memory/4632-68-0x0000000007380000-0x000000000738A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4632-74-0x0000000007630000-0x0000000007638000-memory.dmp
    Filesize

    32KB

    Download
  • memory/4632-54-0x00000000705A0000-0x00000000705EC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4632-53-0x0000000006F70000-0x0000000006FA2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4632-49-0x0000000006090000-0x00000000060DC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4632-47-0x0000000005FF0000-0x000000000600E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4632-18-0x0000000005130000-0x0000000005152000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4632-19-0x0000000005900000-0x0000000005966000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4632-20-0x0000000005970000-0x00000000059D6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4632-32-0x00000000059E0000-0x0000000005D34000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/4632-22-0x0000000074B40000-0x00000000752F0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4632-21-0x0000000074B40000-0x00000000752F0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4872-129-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/4872-131-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/4872-132-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download