Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-07-2024 07:13

General

  • Target

    f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe

  • Size

    1012KB

  • MD5

    76f0c357433481769888394f7ec8bbf9

  • SHA1

    697d38057244b433fc2ffdd8dfd2c086ed5424dc

  • SHA256

    f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2

  • SHA512

    6134a2b040b0e90da261ac27fc0bea64c8e85ec00f9c9e094b5dffe2b0123361ffe20906ef277bc9fc0df52e43339ea4923e2de9d80eb52b5f2f522f50403499

  • SSDEEP

    12288:lb1QnmdWT07TXFQP5jzXuAJjeHxT6exqDa5ciqDBeVPwbjuWbNa6a14xUzxHV+cm:lb1H/Ha53JCFvrePCIbQ6SjdHUII3

Malware Config

Extracted

Family

remcos

Version

4.9.3 Light

Botnet

RemoteHost

C2

31.43.185.8:2202

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-LTXXML

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3460
      • C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe
        "C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe"
        2⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3524
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k move Spending Spending.bat & Spending.bat & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1504
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:956
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa.exe opssvc.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3972
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:880
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1200
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 4684
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1000
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b Nextel + Foot + Carroll + Deviant + Cemetery 4684\Travelling.pif
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2496
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b Wiki + Pharmacies + Quilt + Either 4684\E
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3228
          • C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif
            4684\Travelling.pif 4684\E
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Deletes itself
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:4284
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 5 127.0.0.1
            4⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1476
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url" & echo URL="C:\Users\Admin\AppData\Local\MindFlow Innovations Co\MindSync.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url" & exit
        2⤵
        • Drops startup file
        • System Location Discovery: System Language Discovery
        PID:3156
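The process tree above is the detection surface for this loader: a dropped file renamed to `.bat` with `move` and run in the same `cmd /k` line, `tasklist` piped into `findstr` against a fixed list of security-product processes, `copy /b` reassembly of the dropped fragments, execution of a `.pif` from the user's Temp directory, a loopback `ping -n 5` used as a sleep, and a Startup-folder `.url` written with `echo`. The following Python is an added example (not part of the sandbox report or of any vendor tooling) that runs simple command-line rules over constructed process-creation events copied from this tree, plus one benign control event, and groups the hits by parent process so that one `cmd.exe` spawning several distinct behaviours stands out. The rule names, the `EVENTS` records and the grouping are the example's own.

```python
"""Flag the loader behaviours recorded in this report's process tree (added example)."""
import re
from collections import defaultdict

# Constructed sample telemetry: pids, parents and command lines copied from the
# report's process tree, plus one benign control event (pid 5000). Not real EDR output.
STARTUP_URL = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url"
EVENTS = [
    {"pid": 1504, "ppid": 3524, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k move Spending Spending.bat & Spending.bat & exit'},
    {"pid": 956, "ppid": 1504, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmdline": "tasklist"},
    {"pid": 3972, "ppid": 1504, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": 'findstr /I "wrsa.exe opssvc.exe"'},
    {"pid": 1200, "ppid": 1504, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmdline": 'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'},
    {"pid": 1000, "ppid": 1504, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd /c md 4684"},
    {"pid": 2496, "ppid": 1504, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c copy /b Nextel + Foot + Carroll + Deviant + Cemetery 4684\Travelling.pif"},
    {"pid": 3228, "ppid": 1504, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c copy /b Wiki + Pharmacies + Quilt + Either 4684\E"},
    {"pid": 4284, "ppid": 1504, "image": r"C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif",
     "cmdline": r"4684\Travelling.pif 4684\E"},
    {"pid": 1476, "ppid": 1504, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping -n 5 127.0.0.1"},
    {"pid": 3156, "ppid": 3460, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": rf'cmd /k echo [InternetShortcut] > "{STARTUP_URL}" & echo URL="C:\Users\Admin\AppData\Local\MindFlow Innovations Co\MindSync.js" >> "{STARTUP_URL}" & exit'},
    {"pid": 5000, "ppid": 3460, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c dir"},
]

# Command-line rules. The process names in security_product_enum are the ones this
# sample greps for; extend the list for the products deployed in your own estate.
RULES = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in [
    ("batch_staged_via_move", r"\bmove\s+\S+\s+\S+\.bat\b.*&\s*\S+\.bat\b"),
    ("security_product_enum",
     r'\bfindstr\s+/i\s+"[^"]*\b(?:wrsa|opssvc|avastui|avgui|nswscsvc|sophoshealth)\.exe'),
    ("fragment_concat_copy_b", r"\bcopy\s+/b\s+\S+(?:\s*\+\s*\S+)+\s+\S+"),
    ("loopback_ping_delay", r"\bping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\b"),
    ("startup_url_via_echo", r'\[InternetShortcut\].*\\Startup\\[^"]+\.url\b'),
]]


def is_temp_pif(image):
    """A .pif launched from the user's Temp directory (Windows runs .pif as an executable)."""
    p = image.lower()
    return p.endswith(".pif") and "\\appdata\\local\\temp\\" in p


def evaluate(events, rules=RULES):
    """Return (pid, rule_name) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rx in rules:
            if rx.search(ev["cmdline"]):
                hits.append((ev["pid"], name))
        if is_temp_pif(ev["image"]):
            hits.append((ev["pid"], "pif_from_temp"))
    return hits


def rules_per_parent(events, hits):
    """Group fired rules by parent pid: a single cmd.exe whose children trip several
    different rules is a far stronger signal than a lone ping or copy."""
    parent_of = {ev["pid"]: ev["ppid"] for ev in events}
    grouped = defaultdict(set)
    for pid, name in hits:
        grouped[parent_of[pid]].add(name)
    return dict(grouped)


if __name__ == "__main__":
    found = evaluate(EVENTS)
    for ppid, names in sorted(rules_per_parent(EVENTS, found).items()):
        print(f"parent {ppid}: {len(names)} distinct behaviours -> {sorted(names)}")
```

On these events the `cmd.exe` with PID 1504 collects four distinct behaviours from its children (security-product enumeration, fragment concatenation, a `.pif` from Temp, and the loopback ping), its own `move ... .bat` line is attributed to its parent 3524, and the Startup `.url` write is attributed to Explorer (3460); the benign `cmd /c dir` trips nothing. The per-parent count is the value to alert on, since each individual command also occurs in legitimate batch files.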

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\4684\E

      Filesize

      956KB

      MD5

      58cb40a5a8e893df0b75dbf70ed10162

      SHA1

      9bc860f702f5b8f6dc2eb437e23ed41362cfceb1

      SHA256

      4a93e17001bc7b6329e51c9d87661a55194983eb7fd4e856695b39a9dfab2a43

      SHA512

      3031ee0b19aec56b04e9cfbcf0d4f267f87cdd4ca167b7871607fa58aaa3d68c7dc09a89ffed4c82e982ff3e5b05e1b45e9221fb613eebd9cfcc8e807d6e8fc7

    • C:\Users\Admin\AppData\Local\Temp\4684\Travelling.pif

      Filesize

      924KB

      MD5

      848164d084384c49937f99d5b894253e

      SHA1

      3055ef803eeec4f175ebf120f94125717ee12444

      SHA256

      f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

      SHA512

      aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

    • C:\Users\Admin\AppData\Local\Temp\Carroll

      Filesize

      276KB

      MD5

      cdf5ce2b2740794fb5638a60c97d6ca7

      SHA1

      68e967c2267b4631fa8f068bdce84db1f02fe0ed

      SHA256

      f050298d5a56ae17bececcb622d8115f5f74de3c0c2a261ced812a6b5538d23d

      SHA512

      3a41ea23b3cc21fe1811ad728addbedf0354052ef134698807c0936113a8c5a403f2220bb76519b5159c4cb90029b49320c71b0f71b89534df0250b9fd3c1d51

    • C:\Users\Admin\AppData\Local\Temp\Cemetery

      Filesize

      110KB

      MD5

      47f942807f5dec3c5107788292d0fecd

      SHA1

      21da1ca4ac2a0dc11c4d30c70f1d7d41025c5116

      SHA256

      423618830ed07bd79ec3a92b102c504f69942819d126e7538980fcfdd21e254b

      SHA512

      8622ac215805cfa7766bf0d0e5f25e0b5ebdf1085c34232b2eeb2b4063a4a5abbf7697ce97a26d5a0f4a2abff18c84282fd92ba637dec3911689518d758784de

    • C:\Users\Admin\AppData\Local\Temp\Deviant

      Filesize

      170KB

      MD5

      497d3bd5165a8545a5b4dcf3a842f721

      SHA1

      41e3dc37a0eb4b0fdd17bc4aa21503022744de08

      SHA256

      3eb173ae116ea9ae4e6041a352c444ad663a1564767f80061fd50a29c7b7ca85

      SHA512

      93d8787c5770a93386b4ca12544bf7b5bdbbbf9c1b94f8ba78fa5ec52aa9b53efb1fda4676d2372867cc5f0b78a07bc679dd994a16399b7824dde706de139e48

    • C:\Users\Admin\AppData\Local\Temp\Either

      Filesize

      206KB

      MD5

      3ce1f10bafb24d85a3b76ea4d5aa70db

      SHA1

      37e31294b91bf67cdce1e1d58342f7f97f284e6a

      SHA256

      c2bd0e0bfd089366a5cd49db1a7f4c9c4b2c6b3c92924319de3a18c7b75a0b32

      SHA512

      2c0ca237084b3b5e7015a77d7cb3c874e19086ae464ae49a751e4da1c124a243baf6b0d73aee7bfc1f17862fc2f24a9f85f45cac402befd0c7e42a7d68e78f7c

    • C:\Users\Admin\AppData\Local\Temp\Foot

      Filesize

      206KB

      MD5

      7735d4e2e9fd3e829340f06b7a47e0fc

      SHA1

      ade0d827c011e03cd3d3a6b4cd544fc4227c5122

      SHA256

      bc463e36242a65e435fb9894b2803a645df73b7c3e9257065abb5879fcaf204a

      SHA512

      1dce04c21d60bc459949d8de9bdbb16a75d57f44d92cdef53e00d5c5daa5fc322d3c230b4a99b39e3c044559a90361a6782b7805062ff5feb630c8acc43daed5

    • C:\Users\Admin\AppData\Local\Temp\Nextel

      Filesize

      162KB

      MD5

      fdbd6f9f8d264754709a9a392e5166c2

      SHA1

      a6026b0a6e26427676a7eba319a0fad436fb5a46

      SHA256

      9ca8693b734561301b95c2a285578b3559ede64a0fc10fdf85a9ff7ef440e840

      SHA512

      5c78a6f1ce8526f649e15354973e5f32f2bfa83fd195d934efb403c3c474c3a876b0d732dc0c519c98ab45e2bc25a89c91465b5a99a90ea0cc834c2bde665c83

    • C:\Users\Admin\AppData\Local\Temp\Pharmacies

      Filesize

      248KB

      MD5

      1bc99d6790ad7980b06e0155053fa85d

      SHA1

      080584bee5fe0fbe1c0e12ec667dfbd4d11ae11d

      SHA256

      2f6fc0b13b490c15737b3b284e3275e6762f83e997369cade8478351adf3003d

      SHA512

      38a13f718f9b048da052cd46344c16ca0c24b4b62f4218c6f18d3abcd3120460c129b5bd1ad4ff77e0b6876cc983cb9a6a67a3bc44c822c4c5734718aabf8f80

    • C:\Users\Admin\AppData\Local\Temp\Quilt

      Filesize

      287KB

      MD5

      55a984e33e1bc5af3daa8243b4fcdf41

      SHA1

      a32a48801302c293749a478cbdddde2de3fb56e2

      SHA256

      566df799d543d8a004f050cf673f29d0bc47c70d328b207bc526c335379565d6

      SHA512

      f6970220400611bd4b58fc13147fe2f7552b96bf48bf2589b37e5fb41bc988f095431ffb35b6c2943ed5a7405a2ca427f2ee5e26795ea3a1071b32c9fb347c7f

    • C:\Users\Admin\AppData\Local\Temp\Spending

      Filesize

      12KB

      MD5

      5a1321d892070c60f726edc3e3692ab7

      SHA1

      ecdda384d7aa6e3e0c289fdf44652de169aefde6

      SHA256

      ca250bb73ec2afb3e14d2f9bf363623cfa528c8c195be5014e578b2b55c20713

      SHA512

      2986f8ef18d920d31fdd9851302b0e7fea995abe3f00ccc23dcbb0619645537a9b5aad6720991ea68f037085a70f4caca9b4a7777130753a875fb8f2659e982b

    • C:\Users\Admin\AppData\Local\Temp\Wiki

      Filesize

      215KB

      MD5

      9a2a73b89ef29c867db353c905ba26b2

      SHA1

      202e2c7d9c9b87957ed0e0a6b6398b9356846ae0

      SHA256

      210c3ce2c7ec2616a45d6ac957325e34d58e01ab16a717cdced47d563d8fba5a

      SHA512

      29b98bf683710dec760cb945c2322e95afec0d230d15eff251e241837922ca9eb88517d524a9336e7d951cacf4147faff4564981e549fec047b6dd73e909fed7

    • memory/4284-31-0x0000000000080000-0x00000000000F5000-memory.dmp through memory/4284-94-0x0000000000080000-0x00000000000F5000-memory.dmp (64 dumps of the same region of PID 4284, Travelling.pif)

      Filesize

      468KB (each)
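The two `copy /b` commands in the process tree show that the payloads executed as `4684\Travelling.pif` and `4684\E` are plain binary concatenations of the dropped fragments listed above, and the fragment sizes add up exactly to the targets (162+206+276+170+110 = 924KB, 215+248+287+206 = 956KB). The following Python is an added example (not part of the sandbox report) that rebuilds both files from a copy of the dropped artefacts and checks the result against the SHA256 values listed for them, so an analyst can confirm the reassembled files are the ones that ran before taking them to further analysis. The `RECIPES` table, the function names and the informational `pe` flag are the example's own.

```python
"""Reassemble split payload fragments and verify them against the report's hashes (added example)."""
import hashlib
from pathlib import Path

# Recipes copied from the report's process tree (the `copy /b` commands) together with
# the expected SHA256 of each target from its Downloads section.
RECIPES = {
    "4684/Travelling.pif": {
        "parts": ["Nextel", "Foot", "Carroll", "Deviant", "Cemetery"],
        "sha256": "f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3",
    },
    "4684/E": {
        "parts": ["Wiki", "Pharmacies", "Quilt", "Either"],
        "sha256": "4a93e17001bc7b6329e51c9d87661a55194983eb7fd4e856695b39a9dfab2a43",
    },
}


def reassemble(fragments):
    """Binary-concatenate fragments in order, which is all `copy /b a + b + c target` does."""
    return b"".join(fragments)


def check_recipe(fragments, expected_sha256):
    """Return size, digest, match flag and whether the result starts with an MZ header,
    so a mismatch (wrong order, missing or truncated fragment) is visible in triage notes."""
    blob = reassemble(fragments)
    digest = hashlib.sha256(blob).hexdigest()
    return {
        "size": len(blob),
        "sha256": digest,
        "ok": digest == expected_sha256.lower(),
        "pe": blob[:2] == b"MZ",  # informational only; the report does not state the file type
    }


def load_fragments(parts_dir, names):
    """Read the dropped fragments from a copy of the sandbox's Temp directory."""
    return [Path(parts_dir, n).read_bytes() for n in names]


def check_all(parts_dir, recipes=RECIPES):
    """Rebuild and verify every target in the recipe table."""
    return {target: check_recipe(load_fragments(parts_dir, r["parts"]), r["sha256"])
            for target, r in recipes.items()}


if __name__ == "__main__":
    import sys
    for target, r in check_all(sys.argv[1]).items():
        status = "MATCH" if r["ok"] else "MISMATCH"
        print(f"{target}: {r['size']} bytes sha256={r['sha256']} pe={r['pe']} {status}")
```

Run it as `python reassemble.py <dir>` where `<dir>` holds the ten dropped files under their original names. A `MISMATCH` with the right total size usually means fragment order; a short size means a fragment was quarantined or truncated on collection.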