Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-07-2024 12:23

General

  • Target

    New Order/New Order.exe

  • Size

    1.2MB

  • MD5

    c0e50e153821fdba68d783254a794c63

  • SHA1

    b99dda8b034c99f4b9b1f3716c12ff6e7b626a85

  • SHA256

    26bda50a50585e0ed397cdb85e4d5d77094d61110e7646d368e5a3a9c26c1873

  • SHA512

    5562fdd982eddb7310aea44b70af3a1a17745b0aba209014e662aeed5bb82b36952a3524edcad902f9903a2fe1a3a8938dbcf245c1f79e14edec1f1a266037d3

  • SSDEEP

    24576:4N/BUBb+tYjBFHTxpZ7pQw6mtgbyi0nKcdDppTs0bydWy2UE43YlLuEwnps:8pUlRhlTlb6mkyDK+llLuEwG

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

91.92.246.111:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-K0K14W

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is closed-source remote-control and surveillance software that is widely abused as a remote access trojan.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Gathers network information 2 TTPs 2 IoCs

    Uses a command-line utility to view the network configuration (here ipconfig with /release and /renew, which also drop and re-acquire the DHCP lease rather than merely display it).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Order\New Order.exe
    "C:\Users\Admin\AppData\Local\Temp\New Order\New Order.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3176
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\dwig.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3128
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ipconfig /release
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3224
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /release
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:3012
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bxiemh.mp2 lbovaq.mp3
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3496
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bxiemh.mp2
          bxiemh.mp2 lbovaq.mp3
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4464
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:2084
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ipconfig /renew
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:856
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /renew
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:3716
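
The process tree above is the part of this report that matters most for detection engineering: a script host (WScript.exe running dwig.vbe) drives cmd.exe to run ipconfig /release and later /renew, a dropped file with a media extension (bxiemh.mp2) is executed as a program with another media-named file as its argument, and that dropped file then starts RegSvcs.exe with no arguments, which together with the SetThreadContext and WriteProcessMemory signatures on PID 4464 and the 6.3MB memory dumps taken from PID 2084 is consistent with process hollowing. The following is an added example, not code from the report, the sandbox or Remcos: three triage rules run over a process list constructed from the tree shown above (images, PIDs and command lines are copied from the report; the event schema, rule names and the watch-lists of script hosts and .NET injection targets are this example's own assumptions).

```python
"""Added example: rule-based triage of the report's process tree.
The EVENTS list is constructed from the report; rule names, watch-lists
and the Proc schema are assumptions made for this example."""
import ntpath
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree; ppid 0 marks the submitted sample.
EVENTS = [
    Proc(3176, 0, r"C:\Users\Admin\AppData\Local\Temp\New Order\New Order.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\New Order\New Order.exe"'),
    Proc(3128, 3176, r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\dwig.vbe"'),
    Proc(3224, 3128, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ipconfig /release'),
    Proc(3012, 3224, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /release"),
    Proc(3496, 3128, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c bxiemh.mp2 lbovaq.mp3'),
    Proc(4464, 3496, r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\bxiemh.mp2", "bxiemh.mp2 lbovaq.mp3"),
    Proc(2084, 4464, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    Proc(856, 3128, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ipconfig /renew'),
    Proc(3716, 856, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /renew"),
]

PE_EXTS = {".exe", ".dll", ".scr", ".com", ".cpl"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# .NET framework utilities commonly chosen as hollowing targets (assumed watch-list).
INJECTION_TARGETS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def has_args(cmdline: str) -> bool:
    """True if anything follows the (possibly quoted) program token."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return bool(rest.strip())


def ancestors(proc: Proc, by_pid: dict):
    """Walk up the tree, stopping at the root or on a cycle."""
    seen = set()
    while proc.ppid in by_pid and proc.ppid not in seen:
        seen.add(proc.ppid)
        proc = by_pid[proc.ppid]
        yield proc


def triage(events):
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        args = e.cmdline.lower().split()

        # Rule 1: a program run from a user-writable directory whose extension
        # is not a PE extension (here bxiemh.mp2 executing lbovaq.mp3).
        if ntpath.splitext(name)[1] not in PE_EXTS and in_user_writable(e.image):
            findings.append(("masquerading_extension", e.pid, name))

        # Rule 2: ipconfig /release or /renew with a script host somewhere up the
        # tree. Dropping and re-acquiring the DHCP lease from a script is not
        # normal user activity and tears down any existing connections.
        if name == "ipconfig.exe" and ({"/release", "/renew"} & set(args)) and any(
            basename(a.image) in SCRIPT_HOSTS for a in ancestors(e, by_pid)
        ):
            findings.append(("script_host_netreset", e.pid, " ".join(args)))

        # Rule 3: a .NET utility started with no arguments by a process that lives
        # in a user-writable directory: the usual shape of process hollowing
        # (the parent then uses WriteProcessMemory + SetThreadContext on it).
        if (name in INJECTION_TARGETS and parent is not None
                and in_user_writable(parent.image) and not has_args(e.cmdline)):
            findings.append(("hollowing_candidate", e.pid, f"{basename(parent.image)} -> {name}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:24} pid={pid:<5} {detail}")
```

Run against the constructed events the rules fire four times: both ipconfig invocations (PIDs 3012 and 3716), the .mp2 loader (PID 4464) and RegSvcs.exe (PID 2084). Rule 3 deliberately keys on the parent's location and the empty command line rather than on the image name alone, since RegSvcs.exe launched by an installer from Program Files is routine.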

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\FFQXLW~1.SXO

    Filesize

    883KB

    MD5

    c10c854a8423589db438768023b1e50a

    SHA1

    a8daa0ce662bd6747e792c514336c657ca796eb6

    SHA256

    27887abd8791af8b2ffa5082e5de39f7a80d29ec246d565822a725ab3da99f3a

    SHA512

    ccd5b8251c24a20b8fd0bf8405eab46ff617f8c7ecaab8771693dacab701a63c9aefcb8b7c57a177ff69975ddf88d62d09e2987fa411fa5551caad79e81173c2

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bxiemh.mp2

    Filesize

    880KB

    MD5

    31db1d81c80c66640b773c535cdfa762

    SHA1

    9cfffe3e21ab746e18db1447bf339d1af2118570

    SHA256

    7972c56b8e4436f6a0ead86511625ff84a605389a447417485fccbe064b3c211

    SHA512

    c5f0ae21a5ef7fdebf90249e773303e6b7e3eecdcd6bbd5b3320797fdca06c7078730d75240836cbe652fdc4879ad04f680f9bb4d522651161e3fbb4f26dcd40

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\dwig.vbe

    Filesize

    542B

    MD5

    f6a62aff1a32cf15da018b25c40df683

    SHA1

    f110641e2c689fef91a30b77476caaf89b4ab5c6

    SHA256

    1947a304d1848efa2b22e0483f26ce464851cba279b81891b2bc89711c6751f5

    SHA512

    1d776a84cbde371e83541526127cace787e01af0a318210f7ab2e8f79dd5c90afbfc4bbf99cde5c4ce56aca08548782f2bd9f294f296512ec6c1509ac93b6fe0

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ssmwrww.mp3

    Filesize

    33KB

    MD5

    df2a1ccbc3d6feb147c9db6294a082cf

    SHA1

    8a33193642fae235e6ddb2fa863cd51b228f4349

    SHA256

    e58d05087c4e91148306112fe4eee3d65c6bef8b3aa5a2d79c5ddd8196cc8565

    SHA512

    c636c571ddcf0725599528d51cfdfeb04b680ca5144230b3181440f5f78f9188b7fcf2b83cbf78aaa45c140b275484dc1da70ba4eb793772c8b10aef98f2d473

  • memory/2084-{53,54,55,56,57,75,76,77,80,81,82,83,84,85,86,87}-0x0000000001350000-0x0000000001998000-memory.dmp

    Filesize

    6.3MB (sixteen snapshots of the same region of PID 2084, RegSvcs.exe)