Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-07-2024 04:31

General

  • Target

    Factura037277283695777055236096556001416634813574290050475660034226497919.exe

  • Size

    235.0MB (the memory dumped from the dropper process, PID 3904, totals under 8MB, with the largest single region at 736KB; an "invoice" executable this large is most likely inflated with padding to exceed the file-size limits of scanners and upload pipelines)

  • MD5

    5fbcdbcc0bb08f6e1741cbdde72d73d8

  • SHA1

    44efce93b75de925ae0be0a73011dabef724f5ea

  • SHA256

    15a4367f675522dceb487e74a5c58e6ccf608484899b8f70f43c19b791e47a70

  • SHA512

    ec4c2f58df3ce5bbb8b62e8bc9368ff06c6cbf7f1d00b73844117add1e1982e08c1032377340e71c9d0ed39f4fbea9c57b12983057655aa3fcd2797c89117eca

  • SSDEEP

    12288:uJZh698faB+XA6T/xSpaBjmZmIq0t6E940To:c/6qfYOpSpOmbjP4u

Score
10/10

Malware Config

Extracted

Family

remcos

Botnet

Start

C2

185.196.9.78:24041

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    log.dat

  • keylog_flag

    false

  • keylog_folder

    System01

  • mouse_option

    false

  • mutex

    Rmcxyz1-AEDW2I

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a commercially sold, closed-source remote access tool (RAT) with remote-control and surveillance features (keylogging, screenshot and microphone capture) that is widely abused as malware. The config above is the sample's embedded Remcos settings; the only C2 is 185.196.9.78:24041.

  • Executes dropped EXE 3 IoCs
  • Uses the Visual Basic compiler (vbc.exe) for execution 1 TTPs

    vbc.exe is the .NET Visual Basic compiler, not a VBScript host. It is launched with no arguments by the dropper and by each copy of the loader; together with the SetThreadContext and WriteProcessMemory calls made by the parent and the 520KB region at 0x400000 later dumped from the vbc.exe processes 5980, 6008 and 1704, this is consistent with the Remcos payload being written into the compiler process (process hollowing) rather than executed from disk.

  • Suspicious use of SetThreadContext 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Nafifas" runs C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe, a copy of the dropper, every minute (/sc minute /mo 1, /f to overwrite an existing task). The persistence belongs to the loader layer, not to Remcos itself, whose extracted config has install_flag false; every firing of the task re-runs the full chain, which is why the same mkdir, schtasks and copy sequence appears four times in the process tree.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

The four top-level entries (1⤵) are the original dropper and three task-launched runs of its copy; each run repeats the same chain. The copies are not children of the previous run but are started by the "Nafifas" scheduled task.

  • C:\Users\Admin\AppData\Local\Temp\Factura037277283695777055236096556001416634813574290050475660034226497919.exe
    "C:\Users\Admin\AppData\Local\Temp\Factura037277283695777055236096556001416634813574290050475660034226497919.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:5980
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AdobeSg"
      2⤵
      PID:5904
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:388
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1824
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Factura037277283695777055236096556001416634813574290050475660034226497919.exe" "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe"
      2⤵
      PID:4288

  • C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
    C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5812
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      PID:6008
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AdobeSg"
      2⤵
      PID:5664
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5628
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5424
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe" "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe"
      2⤵
      PID:5372

  • C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
    C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3204
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      PID:1704
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AdobeSg"
      2⤵
      PID:4856
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
      2⤵
      PID:3620
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1632
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe" "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe"
      2⤵
      PID:780

  • C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
    C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:6084
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      PID:5784
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AdobeSg"
      2⤵
      PID:5176
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
      2⤵
      PID:3428
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5956
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe" "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe"
      2⤵
      PID:4396
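The persistence and injection pattern in the process tree, expressed as detection logic over the command lines shown there. This is an added example, not sandbox output or code from the sample: the process events are constructed from the tree above (PIDs and command lines as listed, with parent PID 0 where the report shows no parent), and the rule names, the 600-second interval threshold and the BUILD_PARENTS allowlist are this example's own assumptions.

```python
"""Three rules for the loader behaviour in this report: a scheduled task that
fires every minute and points into a user-writable directory, a process copying
its own image into that directory, and vbc.exe started with no arguments by a
parent that is not a build tool. Example code, not sandbox output."""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int        # 0 where the report shows no parent (task-launched copies)
    image: str
    cmdline: str


# Paths exactly as they appear in the report's process tree.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Factura037277283695777055236096556001416634813574290050475660034226497919.exe"
DROP_DIR = r"C:\Users\Admin\AppData\Roaming\AdobeSg"
LOADER = DROP_DIR + r"\AdobeSg.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
TASK_CMD = f"schtasks /create /sc minute /mo 1 /tn \"Nafifas\" /tr \"'{LOADER}'\" /f"


def chain(root_pid, root_image, vbc_pid, mkdir_pid, wrap_pid, task_pid, copy_pid, copy_src):
    """One of the four repeated chains: root spawns vbc.exe, mkdir, a cmd wrapper
    around schtasks, and a copy of its own image into DROP_DIR."""
    return [
        ProcEvent(root_pid, 0, root_image, f'"{root_image}"'),
        ProcEvent(vbc_pid, root_pid, VBC, f'"{VBC}"'),
        ProcEvent(mkdir_pid, root_pid, CMD, f'"cmd.exe" /C mkdir "{DROP_DIR}"'),
        ProcEvent(wrap_pid, root_pid, CMD, f'"cmd.exe" /C {TASK_CMD}'),
        ProcEvent(task_pid, wrap_pid, SCHTASKS, TASK_CMD),
        ProcEvent(copy_pid, root_pid, CMD, f'"cmd.exe" /C copy "{copy_src}" "{LOADER}"'),
    ]


# Constructed from the report: PIDs as listed, chains 2-4 are the task-launched copies.
EVENTS = (chain(3904, DROPPER, 5980, 5904, 388, 1824, 4288, DROPPER)
          + chain(5812, LOADER, 6008, 5664, 5628, 5424, 5372, LOADER)
          + chain(3204, LOADER, 1704, 4856, 3620, 1632, 780, LOADER)
          + chain(6084, LOADER, 5784, 5176, 3428, 5956, 4396, LOADER))

_TOKEN = re.compile(r'"[^"]*"|\S+')
_UNIT_SECONDS = {"minute": 60, "hourly": 3600, "daily": 86400}
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}   # assumed legitimate launchers of vbc.exe


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths as single tokens."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def interval_seconds(sc, mo):
    """Seconds between runs for /sc and /mo; None for schedules without a fixed period."""
    unit = _UNIT_SECONDS.get(sc.lower())
    return int(mo) * unit if unit and mo.isdigit() else None


def parse_schtasks(cmdline):
    """Return the /create options of a schtasks command line, or None if it is not one."""
    toks = tokens(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:
        return None
    opts = {"force": "/f" in lowered}
    for i, t in enumerate(lowered[:-1]):
        if t in ("/sc", "/mo", "/tn", "/tr"):
            opts[t[1:]] = toks[i + 1]
    if "tr" not in opts:
        return None
    opts["tr"] = opts["tr"].strip("'")   # the loader wraps the action path in single quotes
    opts["interval"] = interval_seconds(opts.get("sc", ""), opts.get("mo", "1"))
    return opts


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def assess(events, max_interval=600):
    """Return (rule, pid, detail) findings over a list of process events."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        if name == "schtasks.exe":
            t = parse_schtasks(e.cmdline)
            if (t and t["interval"] is not None and t["interval"] <= max_interval
                    and is_user_writable(t["tr"])):
                findings.append(("high_freq_task_user_path", e.pid, f'{t.get("tn", "?")} -> {t["tr"]}'))
        elif name == "vbc.exe" and parent is not None:
            pname = ntpath.basename(parent.image).lower()
            if len(tokens(e.cmdline)) == 1 and pname not in BUILD_PARENTS:
                findings.append(("vbc_no_args_odd_parent", e.pid, pname))
        elif name == "cmd.exe" and parent is not None:
            toks = tokens(e.cmdline)
            if len(toks) >= 5 and toks[1].lower() == "/c" and toks[2].lower() == "copy":
                src, dst = toks[3], toks[4]
                if src.lower() == parent.image.lower() and is_user_writable(dst):
                    findings.append(("self_copy_to_user_path", e.pid, dst))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return dict(Counter(rule for rule, _, _ in findings))


if __name__ == "__main__":
    for rule, pid, detail in assess(EVENTS):
        print(f"{rule:26} pid={pid:<5} {detail}")
```

On this report all three rules fire once per chain, twelve findings in total. The rules watch different layers: the schtasks rule catches the loader's persistence, the self-copy rule the staging into %AppData%, and the vbc.exe rule the injection target; the vbc.exe rule is the one worth keeping even when the task name or drop folder changes, since a compiler started with no source files has no legitimate purpose.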

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\System01\log.dat

    Filesize

    144B

    MD5

    90b77e43bd11c96a07394cfb9546f001

    SHA1

    afe6ec3016cb193e120af92083413fe86ca6039c

    SHA256

    4bc51671390c40b9ffda53d61ac551f091c0c37966142140ac43fe1acd1df9d8

    SHA512

    b79448183f92f1bf1d3d9a7ad5c321a25d57cdd0dcefd03bb4209329289f723a6b7d22336b2dfc58f4e298d291d48511a500190e4e92cc13506da6b0814960e5

    The folder and file name match the keylog_folder (System01) and keylog_file (log.dat) values of the extracted config, so this is the Remcos keylog output.

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdobeSg.exe.log

    Filesize

    425B

    MD5

    4eaca4566b22b01cd3bc115b9b0b2196

    SHA1

    e743e0792c19f71740416e7b3c061d9f1336bf94

    SHA256

    34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

    SHA512

    bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

    The CLR writes this usage log when a managed executable runs; its location under CLR_v4.0_32 shows that AdobeSg.exe (the copied dropper) ran under the 32-bit .NET Framework 4 runtime, which fits its choice of the 32-bit Framework\v4.0.30319\vbc.exe as the process it spawns.

Memory dumps, listed as memory/PID-index-start-end. The 0x400000-0x482000 region is dumped repeatedly from the vbc.exe processes (5980, 6008, 1704) and is the same 520KB image each time, consistent with the payload written into the compiler process by its parent; the 3904 entries are from the dropper itself.

  • memory/1704-75-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/3904-15-0x0000000074820000-0x0000000074FD0000-memory.dmp (Filesize 7.7MB)
  • memory/3904-1-0x0000000000480000-0x0000000000538000-memory.dmp (Filesize 736KB)
  • memory/3904-2-0x0000000074820000-0x0000000074FD0000-memory.dmp (Filesize 7.7MB)
  • memory/3904-0-0x000000007482E000-0x000000007482F000-memory.dmp (Filesize 4KB)
  • memory/5980-49-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-91-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-7-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-10-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-16-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-17-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-94-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-52-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-25-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-26-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-27-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-29-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-30-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-32-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-33-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-34-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-35-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-37-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-38-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-39-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-6-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-41-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-42-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-43-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-44-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-46-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-47-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-5-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-50-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-51-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-55-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-11-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-24-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-57-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-58-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-59-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-60-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-62-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-63-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-65-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-66-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-67-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-68-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-70-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-71-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-4-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-3-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-77-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-78-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-79-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-80-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-82-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-83-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-85-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-86-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-87-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-88-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-90-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-54-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/5980-92-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)
  • memory/6008-21-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize 520KB)