Malware Analysis Report

2024-11-13 18:50

Sample ID 240712-3rp2aawdjq
Target PO 11072024.exe
SHA256 f6bf4471924e9dba31be59f8b96df06d02c69416c4c0518148507ff5b8f7cd48
Tags
remcos 5764576 execution rat
Score
10/10

Analysis Overview

Score
10/10

SHA256

f6bf4471924e9dba31be59f8b96df06d02c69416c4c0518148507ff5b8f7cd48

Threat Level: Known bad

The file PO 11072024.exe was found to be: Known bad.

Malicious Activity Summary

remcos 5764576 execution rat

Remcos

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-12 23:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-12 23:45

Reported

2024-07-12 23:47

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe"

Signatures

Remcos

rat remcos

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2472 set thread context of 5100 N/A C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
2 events N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2472 wrote to memory of 3468 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2472 wrote to memory of 3480 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe C:\Windows\SysWOW64\schtasks.exe
PID 2472 wrote to memory of 5100 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe

"C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ppUSXdJgAIFILG.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ppUSXdJgAIFILG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF79E.tmp"

C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe

"C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
SG 172.93.218.178:45667 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 178.218.93.172.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmpF79E.tmp

MD5 8a95b7f85db23348fd1e456b30fedede
SHA1 89b5304104279657eb8982ad8cd58834c8bfc283
SHA256 0a41df1ae34d3417881f569b1ad05c40384e961cfb992596e49cdd240af644cd
SHA512 94aa7a20c03077738396e47198c374c5a4f80097b0d79fe85dfeea9d3fd31db2928c1dbc942b6b0f647a63c3d7715ef8e13a71a820f0ffaa38ad57a4e0a56977

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w3rkogda.svk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-12 23:45

Reported

2024-07-12 23:47

Platform

win7-20240708-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2636 wrote to memory of 2644 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 2688 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 2700 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe
PID 2636 wrote to memory of 2796 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe
PID 2636 wrote to memory of 584 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe
PID 2636 wrote to memory of 2532 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe
PID 2636 wrote to memory of 2540 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe

"C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ppUSXdJgAIFILG.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ppUSXdJgAIFILG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2DA5.tmp"

C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe

"C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe"

C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe

"C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe"

C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe

"C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe"

C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe

"C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe"

C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe

"C:\Users\Admin\AppData\Local\Temp\PO 11072024.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmp2DA5.tmp

MD5 9fc98bc198877c26e2be8d3f1a03ed32
SHA1 53fc43069a5bcdecfeb794df3f161c40ac279bdb
SHA256 372ce861a98ddc07e02643b128f9bfaf93b8e41aa95d2cece27858bd12c1e377
SHA512 8b94dac99b780ebc5dcb7a31a3794ad00e5b35933dbafdcc4ba55cc81cf068a596154975045ce39bcebcaa588af9ec6ccfa11bef10e88dd2a5ac1734d2f565ea