Analysis

  • max time kernel
    126s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-05-2024 21:07

General

  • Target

    44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe

  • Size

    6.9MB

  • MD5

    4e5d4e845d8151e1763e1778c6802d21

  • SHA1

    d825fab991db7e4b146341adde684e72909f3236

  • SHA256

    44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e

  • SHA512

    4d0656f6b18003416f6bfcab1c0a7664f30c4db723465f9f4f1a6f02c90dec2f794a177e422762538a93df49231d925b4a3d56c2defdac2af92a97830267f12a

  • SSDEEP

    98304:6kUb1rBq5Pfr+u2ZwS0SwZFtv445NdaCT1hkNV95OTpLipdbN1BbkJ9J8OXzxHxz:6kWyKajZFt3VfT1YVX6+R4JHj+

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Dlscord

C2

shall-someone.gl.at.ply.gg:60408

dead-reviewer.gl.at.ply.gg:60161

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    10

  • connect_interval

    5

  • copy_file

    Bin.exe

  • copy_folder

    Factorio

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %SystemDrive%

  • keylog_crypt

    true

  • keylog_file

    driver.dat

  • keylog_flag

    false

  • keylog_folder

    keyboard drivers

  • keylog_path

    %WinDir%\System32

  • mouse_option

    false

  • mutex

    remcos_bfpmypnbrt

  • screenshot_crypt

    true

  • screenshot_flag

    true

  • screenshot_folder

    Screen drivers

  • screenshot_path

    %WinDir%\System32

  • screenshot_time

    60

  • startup_value

    Windows.Defender

  • take_screenshot_option

    false

  • take_screenshot_time

    5

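The extracted configuration maps directly onto host and network artefacts. The Python below is an added example, not part of the report and not Remcos tooling: it expands the %VAR% placeholders for the sandbox's Windows 7 layout (the environment mapping is assumed), composes the paths the way the process tree shows them in use (C:\Factorio\Bin.exe is install_path\copy_folder\copy_file; applying the same composition to the keylog, screenshot and audio settings is an assumption), lists the autostart locations named by the report's signatures as candidate keys to check for the startup_value name (the report does not give the exact hive or key), and splits the C2 entries into host/port pairs. Note that *.ply.gg hostnames belong to the playit.gg tunnelling service, so the address they resolve to is a tunnel endpoint, not the operator's host.

```python
import re

# Values copied from the report's "Malware Config / Extracted" section.
REMCOS_CONFIG = {
    "c2": ["shall-someone.gl.at.ply.gg:60408",
           "dead-reviewer.gl.at.ply.gg:60161"],
    "install_flag": True,
    "install_path": "%SystemDrive%",
    "copy_folder": "Factorio",
    "copy_file": "Bin.exe",
    "startup_value": "Windows.Defender",
    "mutex": "remcos_bfpmypnbrt",
    "keylog_flag": False,
    "keylog_path": "%WinDir%\\System32",
    "keylog_folder": "keyboard drivers",
    "keylog_file": "driver.dat",
    "screenshot_flag": True,
    "screenshot_path": "%WinDir%\\System32",
    "screenshot_folder": "Screen drivers",
    "audio_path": "%AppData%",
    "audio_folder": "audio",
}

# Assumed expansion for the sandbox VM (Windows 7 x64, user "Admin").
WIN7_ENV = {
    "SystemDrive": "C:",
    "WinDir": "C:\\Windows",
    "AppData": "C:\\Users\\Admin\\AppData\\Roaming",
}

# Autostart locations named by the report's signatures ("Adds Run key",
# "Adds policy Run key", "Modifies WinLogon"). The hive is not given, so
# both HKCU and HKLM variants are listed as candidates (assumption).
AUTOSTART_KEYS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
]

_VAR = re.compile(r"%([A-Za-z0-9_]+)%")


def expand(path, env):
    """Expand %VAR% tokens case-insensitively, as cmd.exe does; fail loudly on unknown ones."""
    lower = {k.lower(): v for k, v in env.items()}

    def sub(m):
        key = m.group(1).lower()
        if key not in lower:
            raise KeyError(f"unknown environment variable %{m.group(1)}%")
        return lower[key]

    return _VAR.sub(sub, path)


def join(*parts):
    """Join path components with backslashes without doubling separators."""
    return "\\".join(p.strip("\\") for p in parts if p)


def parse_c2(entry):
    """'host:port' -> (host, port); rpartition keeps colon-containing hosts intact."""
    host, _, port = entry.rpartition(":")
    return host, int(port)


def remcos_iocs(cfg, env):
    """Return host and network indicators derived from an extracted Remcos config."""
    iocs = {"files": [], "registry": [], "mutexes": [cfg["mutex"]], "network": []}
    if cfg["install_flag"]:
        iocs["files"].append(join(expand(cfg["install_path"], env),
                                  cfg["copy_folder"], cfg["copy_file"]))
        iocs["registry"] = [(key, cfg["startup_value"]) for key in AUTOSTART_KEYS]
    if cfg["screenshot_flag"]:
        iocs["files"].append(join(expand(cfg["screenshot_path"], env),
                                  cfg["screenshot_folder"]) + "\\")
    # Keep the keylog path even though keylog_flag is false in this build:
    # a hunt derived from this config should still catch one that has it on.
    iocs["files"].append(join(expand(cfg["keylog_path"], env),
                              cfg["keylog_folder"], cfg["keylog_file"]))
    iocs["files"].append(join(expand(cfg["audio_path"], env), cfg["audio_folder"]) + "\\")
    iocs["network"] = [parse_c2(e) for e in cfg["c2"]]
    return iocs


if __name__ == "__main__":
    for kind, items in remcos_iocs(REMCOS_CONFIG, WIN7_ENV).items():
        print(kind)
        for item in items:
            print("   ", item)
```

The registry entries are deliberately (key, value name) pairs rather than full data values: the Winlogon modification appends the dropped path to an existing value rather than creating a new one, so matching on the value name and on the C:\Factorio\Bin.exe path separately is more robust than matching on one exact string.
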
Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Detects Windows executables potentially bypassing UAC using eventvwr.exe 2 IoCs
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 8 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe
    "C:\Users\Admin\AppData\Local\Temp\44c0276f4eb577c8914ebf18fce806ab20dec017c6dfc553b13b7c6cca0a087e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Users\Admin\AppData\Local\Temp\Slugxquozdp.exe
      "C:\Users\Admin\AppData\Local\Temp\Slugxquozdp.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies WinLogon
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2424
        • C:\Windows\SysWOW64\PING.EXE
          PING 127.0.0.1 -n 2
          4⤵
          • Runs ping.exe
          PID:2312
        • C:\Factorio\Bin.exe
          "C:\Factorio\Bin.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Adds Run key to start application
          • Modifies WinLogon
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1360
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of SetWindowsHookEx
            PID:852
    • C:\Users\Admin\AppData\Local\Temp\Kbwdawuun.exe
      "C:\Users\Admin\AppData\Local\Temp\Kbwdawuun.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\16AC.tmp\16AD.tmp\16AE.bat C:\Users\Admin\AppData\Local\Temp\Kbwdawuun.exe"
        3⤵
          PID:2492
      • C:\Users\Admin\AppData\Local\Temp\Atyanjlltndx.exe
        "C:\Users\Admin\AppData\Local\Temp\Atyanjlltndx.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2900
        • C:\Users\Admin\AppData\Local\Temp\Atyanjlltndx.exe
          "C:\Users\Admin\AppData\Local\Temp\Atyanjlltndx.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2864

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • Boot or Logon Autostart Execution, T1547 (4)
    • Registry Run Keys / Startup Folder, T1547.001 (2)
    • Winlogon Helper DLL, T1547.004 (2)

Privilege Escalation
  • Boot or Logon Autostart Execution, T1547 (4)
    • Registry Run Keys / Startup Folder, T1547.001 (2)
    • Winlogon Helper DLL, T1547.004 (2)

Defense Evasion
  • Modify Registry, T1112 (4)

Discovery
  • System Information Discovery, T1082 (1)
  • Remote System Discovery, T1018 (1)

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\16AC.tmp\16AD.tmp\16AE.bat
      Filesize

      7KB

      MD5

      924adee75529bce582ea2c9f503828a6

      SHA1

      ba8ebd2b7d15d838e1eb6f8d32e4c386f747ced9

      SHA256

      c65f92e2891313070846aa3144f60898c77be960c2a5fffd2ff4a65b70f08f0c

      SHA512

      589158041fb7032c30aae85347c929a5cf1bfb04f4b2342a709a2de03d3c604f3a3a3a64b2af6c9b1e28f7b9e4bdda40b221fe652fae2aefef79c8c3f9a64508

    • C:\Users\Admin\AppData\Local\Temp\Slugxquozdp.exe
      Filesize

      92KB

      MD5

      9b5c39b0c84da11eb9ae23d9c4b38c0e

      SHA1

      b70605dd8cfd90ecd04e580406926ff2142e7abf

      SHA256

      dc051fbc6610c4c0d6af4270460a26716b21155b16385febd4984122b1836e4c

      SHA512

      ae9f9831504801fd0fbad0a7538587524130a7df6872c83e00b620f59eada65b818c26250c47b35334bca9426c9359dd1bd65139515e9db41e8050f1f832ac4d

    • C:\Users\Admin\AppData\Local\Temp\_MEI29002\python311.dll
      Filesize

      1.6MB

      MD5

      5792adeab1e4414e0129ce7a228eb8b8

      SHA1

      e9f022e687b6d88d20ee96d9509f82e916b9ee8c

      SHA256

      7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

      SHA512

      c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

    • C:\Users\Admin\AppData\Local\Temp\install.bat
      Filesize

      127B

      MD5

      0d88e0f91440c2d9e1d60be69d830217

      SHA1

      ef1db80b7fc4eecd91a3dae8d3f1933b2dd4c08e

      SHA256

      fa925c11ca705b46d8e233861aa86d29bd81cbe148b60afc94f49518ff5db030

      SHA512

      7bf7794930c4cec95773c8a421ee750564a7bacd25399d7aab32eb54ea7dd3392330fc2520eaf69f0cb9a229f0b81555f3e05099167930e0ab379775c3f9329d

    • \Users\Admin\AppData\Local\Temp\Atyanjlltndx.exe
      Filesize

      6.9MB

      MD5

      2d07c38a7fe96e2e3beec83fd510b0b6

      SHA1

      8b4c5b3dece5154e3f30aa44223d9cdc693a39e4

      SHA256

      d50a64d36d6f98c3dbdea314d420dbc016344087d6a0cd8201197d83f2fc4377

      SHA512

      9cca2a02706ba9486b27dc594b59a47c5df427624969f1537f0f35b1212c32ff3cd629811abb4a425485573e5d93792c712d839c33ae775787be2386001b99a9

    • \Users\Admin\AppData\Local\Temp\Kbwdawuun.exe
      Filesize

      129KB

      MD5

      66efe67d3c8f924223583a8130cc86bd

      SHA1

      eff211f2398cc53c26a3dc4b4d1c32f7fd918d73

      SHA256

      64d458cc5792715d89204c0be9d1c4bece43a56d159393a99a21d09f32f14df0

      SHA512

      1359b6601fffc2428e05eda4d94ac9bb8c1ef4e7d1b0e45f4345708489dc54fc13a60a42d86e3e662b61845046e5260d4a3e94f749b7c0012ace5bc65629545b

    • memory/852-70-0x0000000000400000-0x0000000000417000-memory.dmp
      Filesize

      92KB

    • memory/1948-0-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp
      Filesize

      4KB

    • memory/1948-1-0x0000000000EE0000-0x00000000015CE000-memory.dmp
      Filesize

      6.9MB

    • memory/1948-2-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp
      Filesize

      9.9MB

    • memory/1948-65-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp
      Filesize

      9.9MB

    • memory/2864-64-0x000007FEEE880000-0x000007FEEEE69000-memory.dmp
      Filesize

      5.9MB