Overview

overview

10

Static

static

3

53893a8c0f...3d.exe

windows7-x64

10

53893a8c0f...3d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    26/05/2024, 21:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    53893a8c0f205e7f0c96f045a6f7bce683bde52b4a692fc64075f863cd8f3c3d.exe

  • Size

    1.1MB

  • MD5

    77e3e093c61c0e2ca41f47a470e74f31

  • SHA1

    c1de740d11d19016caa74c6667b63d85bb765a9f

  • SHA256

    53893a8c0f205e7f0c96f045a6f7bce683bde52b4a692fc64075f863cd8f3c3d

  • SHA512

    fe88fc3a873b33e0f3838f5d9067e1166d8b735e2a596f5a166be47bfc6b9fdf002faf459bc088ea11c35c826aff6c0eacc0e560894ee08451d9828a38b99a8f

  • SSDEEP

    24576:XIGqgFOl3M0XmHxT+3A2U8REKt6csqfa+d+Dih:FFOSDt+QuWKvswjX

Score
10/10
remcosaquafinaexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

AQUAFINA

C2

december2n.duckdns.org:6241

december2nd.ddns.net:6241
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-5TYRFW

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 29 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53893a8c0f205e7f0c96f045a6f7bce683bde52b4a692fc64075f863cd8f3c3d.exe
    "C:\Users\Admin\AppData\Local\Temp\53893a8c0f205e7f0c96f045a6f7bce683bde52b4a692fc64075f863cd8f3c3d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\53893a8c0f205e7f0c96f045a6f7bce683bde52b4a692fc64075f863cd8f3c3d.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2612
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UXatlomLO.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2760
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UXatlomLO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8AA3.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2624
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
        PID:1484

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\tmp8AA3.tmp
            Filesize

            1KB

            MD5

            6f0bf4343d2569ed3f16ee3f97de7eda

            SHA1

            ed4ad7cc53bc5e2d45518d6466bac5c3acc84280

            SHA256

            c2617c405e1e2cd7e366129c7cdebfd3c5d68c3f46a56fdcd1d0ec852a8aa1f0

            SHA512

            b2c06f67d27fe9220aab5a2284ab37b7835a89fa183526832a3b69f94c1de7de4c381d5b0c737782cf622296c9cd068d0e30f001bd37b92f2556f00cdc9a34b1

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IO9JOH0POWVB9C4TIQ1W.temp
            Filesize

            7KB

            MD5

            4578c27ac7d56738730b32c376865934

            SHA1

            4f01acba9a52ddf1d26180481af45fce981f8a62

            SHA256

            683920fe4b6b3a60f8b549d6c8a2669fd9e98115da0907df2c3ee26d0f9111bd

            SHA512

            2fcd2c74f476cb6c3110e96eb82fc227879452648cd2b21b5e877dd764f8355ce195c6a55dcf5d62ec613cfa96b8e1c106305ba5f23db738a6f9c238f400e673

            Download Submit

          • memory/1484-41-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-52-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-42-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-63-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-62-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-61-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-60-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-59-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-26-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-30-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-32-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-20-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-39-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-38-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-37-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1484-34-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-28-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-24-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-22-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-57-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-56-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-55-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-43-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-44-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-45-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-46-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-48-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-49-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-51-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-50-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-54-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1484-53-0x0000000000400000-0x0000000000482000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1924-0-0x000000007495E000-0x000000007495F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1924-4-0x0000000000500000-0x0000000000510000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1924-40-0x0000000074950000-0x000000007503E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/1924-3-0x0000000000520000-0x000000000053A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/1924-1-0x0000000000A40000-0x0000000000B66000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1924-2-0x0000000074950000-0x000000007503E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/1924-7-0x0000000074950000-0x000000007503E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/1924-6-0x000000007495E000-0x000000007495F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1924-5-0x0000000006380000-0x0000000006440000-memory.dmp

            Filesize

            768KB

            Download