Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-07-2024 04:31

General

  • Target

    Factura037277283695777055236096556001416634813574290050475660034226497919.exe

  • Size

    235.0MB

  • MD5

    5fbcdbcc0bb08f6e1741cbdde72d73d8

  • SHA1

    44efce93b75de925ae0be0a73011dabef724f5ea

  • SHA256

    15a4367f675522dceb487e74a5c58e6ccf608484899b8f70f43c19b791e47a70

  • SHA512

    ec4c2f58df3ce5bbb8b62e8bc9368ff06c6cbf7f1d00b73844117add1e1982e08c1032377340e71c9d0ed39f4fbea9c57b12983057655aa3fcd2797c89117eca

  • SSDEEP

    12288:uJZh698faB+XA6T/xSpaBjmZmIq0t6E940To:c/6qfYOpSpOmbjP4u

Score
10/10

Malware Config

Extracted

Family

remcos

Botnet

Start

C2

185.196.9.78:24041

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    log.dat

  • keylog_flag

    false

  • keylog_folder

    System01

  • mouse_option

    false

  • mutex

    Rmcxyz1-AEDW2I

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software. The extracted config above carries this build's C2 endpoint (185.196.9.78:24041) and mutex (Rmcxyz1-AEDW2I); the dropped C:\ProgramData\System01\log.dat in the Downloads list matches its keylog_folder (System01) and keylog_file (log.dat) settings.

  • Executes dropped EXE (3 IoCs)
  • Uses the VBS compiler for execution (1 TTP)

    vbc.exe is the .NET Visual Basic compiler. Here it is started with no arguments by the sample, and the parent's SetThreadContext/WriteProcessMemory activity is consistent with the compiler process being used as a host for injected code rather than for a build.

  • Suspicious use of SetThreadContext (4 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 4 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Nafifas" runs C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe every minute (/sc minute /mo 1), which is why the tree below shows taskeng.exe relaunching the dropped copy repeatedly.

  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Factura037277283695777055236096556001416634813574290050475660034226497919.exe
    "C:\Users\Admin\AppData\Local\Temp\Factura037277283695777055236096556001416634813574290050475660034226497919.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1504
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AdobeSg"
      2⤵
        PID:1912
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2804
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Factura037277283695777055236096556001416634813574290050475660034226497919.exe" "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe"
        2⤵
          PID:2728
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {5CA6BDA4-BDDB-4399-945A-241D81DF93D8} S-1-5-21-2172136094-3310281978-782691160-1000:EXCFTDUU\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2160
        • C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
          C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2808
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            3⤵
              PID:2580
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AdobeSg"
              3⤵
                PID:2568
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2756
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
                  4⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:1052
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe" "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe"
                3⤵
                  PID:2828
              • C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
                C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
                2⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                PID:568
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                  3⤵
                    PID:1464
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AdobeSg"
                    3⤵
                      PID:2440
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
                      3⤵
                        PID:2372
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
                          4⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:1208
                      • C:\Windows\SysWOW64\cmd.exe
                        "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe" "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe"
                        3⤵
                          PID:1440
                      • C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
                        C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        PID:1400
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                          3⤵
                            PID:1740
                          • C:\Windows\SysWOW64\cmd.exe
                            "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AdobeSg"
                            3⤵
                              PID:2964
                            • C:\Windows\SysWOW64\cmd.exe
                              "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
                              3⤵
                                PID:2412
                                • C:\Windows\SysWOW64\schtasks.exe
                                  schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
                                  4⤵
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1408
                              • C:\Windows\SysWOW64\cmd.exe
                                "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe" "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe"
                                3⤵
                                  PID:1032
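The tree above and the extracted config together give enough to write detection logic. The following is an added example for this report, not tooling from the sandbox vendor or from Remcos: it runs three process-level rules (a schtasks task on a minute interval pointing into a user-writable directory, an argument-less vbc.exe started by something other than a build tool, and a cmd /C copy of the calling process's own image into AppData\Roaming) plus the C2 endpoint and keylog-file indicators from the config, over constructed events modelled on this report. The event schema, the DEV_PARENTS allow-list, the USER_WRITABLE directory list and the attribution of the network and file events to PID 1504 are assumptions of the example.

```python
"""Detection logic for the behaviour in this report, run over constructed telemetry.

Added example, not code from the sandbox vendor or from Remcos. The events below
are constructed to mirror this report's process tree, Downloads list and extracted
config; the event schema (kind, pid, image, parent_image, cmdline, dst_ip, dst_port,
path) is this example's own, not a real log format.
"""
import re
from typing import Dict, List, Optional

C2_IP, C2_PORT = "185.196.9.78", 24041             # from the extracted config
KEYLOG_PATH = r"C:\ProgramData\System01\log.dat"  # keylog_folder\keylog_file as dropped

# Directories a standard user can write to; a task that re-runs a binary from one
# of these every minute is the persistence pattern in this report (assumed list).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                 "\\programdata\\", "\\users\\public\\")
# Parents that legitimately spawn vbc.exe (assumed allow-list for this example).
DEV_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "csc.exe"}


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def schtasks_persistence(cmdline: str) -> Optional[Dict[str, str]]:
    """Task name and target when cmdline creates a task that fires every few
    minutes (or faster) and runs something from a user-writable directory."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    sc = re.search(r"/sc\s+(\w+)", low)
    mo = re.search(r"/mo\s+(\d+)", low)
    tn = re.search(r'/tn\s+"?([^"\s]+)', cmdline, re.I)
    tr = re.search(r"""/tr\s+"?'?([^'"]+)""", cmdline, re.I)
    if not (sc and tn and tr):
        return None
    target = tr.group(1).strip()
    frequent = sc.group(1) == "minute" and int(mo.group(1) if mo else 1) <= 5
    if frequent and any(d in target.lower() for d in USER_WRITABLE):
        return {"task": tn.group(1), "target": target}
    return None


def hollowed_vbc(image: str, cmdline: str, parent_image: str) -> bool:
    """vbc.exe started with no arguments by something other than a build tool.
    In this report the parent uses SetThreadContext/WriteProcessMemory on it,
    i.e. the compiler is a host process, not a compile job."""
    if _base(image) != "vbc.exe" or _base(parent_image) in DEV_PARENTS:
        return False
    return cmdline.strip().strip('"').lower() == image.lower()


def self_copy(cmdline: str, parent_image: str) -> Optional[str]:
    """cmd /C copy of the calling process's own image into a user-writable dir."""
    m = re.search(r'copy\s+"([^"]+)"\s+"([^"]+)"', cmdline, re.I)
    if not m:
        return None
    src, dst = m.group(1), m.group(2)
    if src.lower() == parent_image.lower() and any(d in dst.lower() for d in USER_WRITABLE):
        return dst
    return None


def analyze(events: List[Dict]) -> List[Dict]:
    findings = []
    for ev in events:
        if ev["kind"] == "process":
            img, cmd, parent = ev["image"], ev["cmdline"], ev["parent_image"]
            if _base(img) == "schtasks.exe" and (task := schtasks_persistence(cmd)):
                findings.append({"rule": "schtasks_minute_persistence", "pid": ev["pid"], **task})
            if hollowed_vbc(img, cmd, parent):
                findings.append({"rule": "vbc_hollow_host", "pid": ev["pid"]})
            if (dst := self_copy(cmd, parent)):
                findings.append({"rule": "self_copy_to_user_dir", "pid": ev["pid"], "dst": dst})
        elif ev["kind"] == "network" and (ev["dst_ip"], ev["dst_port"]) == (C2_IP, C2_PORT):
            findings.append({"rule": "remcos_c2_connect", "pid": ev["pid"]})
        elif ev["kind"] == "file_create" and ev["path"].lower() == KEYLOG_PATH.lower():
            findings.append({"rule": "remcos_keylog_file", "pid": ev["pid"]})
    return findings


# Constructed events modelled on this report's process tree (PIDs as shown there).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Factura037277283695777055236096556001416634813574290050475660034226497919.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
DROP = r"C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe"
EVENTS = [
    {"kind": "process", "pid": 1504, "image": VBC, "parent_image": SAMPLE, "cmdline": f'"{VBC}"'},
    {"kind": "process", "pid": 2728, "image": CMD, "parent_image": SAMPLE,
     "cmdline": f'"cmd.exe" /C copy "{SAMPLE}" "{DROP}"'},
    {"kind": "process", "pid": 2804, "image": r"C:\Windows\SysWOW64\schtasks.exe", "parent_image": CMD,
     "cmdline": f"schtasks /create /sc minute /mo 1 /tn \"Nafifas\" /tr \"'{DROP}'\" /f"},
    # Benign control: vbc.exe run by MSBuild with a response file must not fire.
    {"kind": "process", "pid": 4000, "image": VBC, "parent_image": r"C:\Program Files\MSBuild\MSBuild.exe",
     "cmdline": f'"{VBC}" /noconfig @"C:\\build\\tmp.rsp"'},
    # The report does not say which process made the C2 connection or wrote
    # log.dat; attributing both to the vbc.exe host (PID 1504) is an assumption.
    {"kind": "network", "pid": 1504, "dst_ip": C2_IP, "dst_port": C2_PORT},
    {"kind": "file_create", "pid": 1504, "path": KEYLOG_PATH},
]

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Run as a script it prints one finding per rule for the constructed events; the MSBuild-spawned vbc.exe control event does not fire, which is the check to keep when tuning the hollowing rule on developer machines where vbc.exe runs legitimately.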

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\System01\log.dat

    Filesize: 144B
    MD5: d4da3093d126c39d40202dcc449b449b
    SHA1: dcdff5864a3c81c6dd96e725988522778b5497f7
    SHA256: c99c7a8578006b80618e1952547d39f30cce4403858590de491c429349f2d612
    SHA512: c029ed02653a621b3f1aca414b10d9d4ab0594b09fdb61f758ca013843be71d1e60de7ca8182ea8bb431437fb14b7387dca72146f5dd03f707c144a0c5814484

  • Memory dumps (name is PID-ordinal-range; the 520KB region at 0x00080000 in vbc.exe PID 1504 was dumped repeatedly over the run and is the candidate location of the unpacked payload; the 736KB regions in PIDs 1616, 2808, 568 and 1400 recur with every launch of the sample and its dropped copy)

    memory/568-132-0x0000000001150000-0x0000000001208000-memory.dmp (736KB)
    memory/1400-223-0x00000000011B0000-0x0000000001268000-memory.dmp (736KB)
    memory/1504-3-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1504-5-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1504-7-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1504-9-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1504-10-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1504-11-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1504-12-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1504-13-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1504-14-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp (4KB)
    memory/1504-15-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1504-20-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1504-25-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1504-26-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1504-29-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1504-30-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1504-34-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1504-35-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1504-67-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1504-68-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1504-70-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1504-71-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1504-72-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1504-73-0x0000000000080000-0x0000000000102000-memory.dmp (520KB)
    memory/1616-0-0x00000000743DE000-0x00000000743DF000-memory.dmp (4KB)
    memory/1616-1-0x0000000000CE0000-0x0000000000D98000-memory.dmp (736KB)
    memory/1616-2-0x00000000743D0000-0x0000000074ABE000-memory.dmp (6.9MB)
    memory/1616-33-0x00000000743D0000-0x0000000074ABE000-memory.dmp (6.9MB)
    memory/2808-38-0x0000000001090000-0x0000000001148000-memory.dmp (736KB)