Overview

overview

10

Static

static

3

b242dea1f8...66.exe

windows7-x64

10

b242dea1f8...66.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-08-2024 02:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b242dea1f8658786e7989e8a2ecb65e652167b3077fd9ecd20642e9917adc666.exe

  • Size

    1.2MB

  • MD5

    68306ab0d9af78095917a7d3a71cb955

  • SHA1

    e83aba5a90e4f3033661848ebbc5bfc9776306d0

  • SHA256

    b242dea1f8658786e7989e8a2ecb65e652167b3077fd9ecd20642e9917adc666

  • SHA512

    f084db81e15d8587f2cd97af544de9bab65cd5318e4fff29d636ea291286525f3cd5ef26f197b16ee12e4f8a357db50d2e7588c6fbc8a35aa3d6604897094511

  • SSDEEP

    24576:DBkVdlYAQpTFVWzKAqgzVDvwbwLnLNz567iJVG6zgy:lsvIWzigzVDzhJj9gy

Score
10/10
remcosremotehost12discoveryexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost12

C2

rem24251mr.duckdns.org:24251

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-P0KZ2Q

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b242dea1f8658786e7989e8a2ecb65e652167b3077fd9ecd20642e9917adc666.exe
    "C:\Users\Admin\AppData\Local\Temp\b242dea1f8658786e7989e8a2ecb65e652167b3077fd9ecd20642e9917adc666.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\MyProcess\ascdfv.js"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4368
      • C:\Users\Admin\AppData\Local\Temp\remcos_a.exe
        "C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5108
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\MyProcess\REM.vbs"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -WindowStyle Hidden -command Start-Process 'C:\Users\Admin\AppData\Roaming\REMJNBHGBVDFC.exe' exit
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1392
        • C:\Users\Admin\AppData\Roaming\REMJNBHGBVDFC.exe
          "C:\Users\Admin\AppData\Roaming\REMJNBHGBVDFC.exe" exit
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3200
    • C:\MyProcess\remencryp.exe
      "C:\MyProcess\remencryp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\MyProcess\remencryp.exe
        "C:\MyProcess\remencryp.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3304

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MyProcess\REM.vbs
    Filesize

    64KB

    MD5

    ffab60b54877eba5219e9ace88003e06

    SHA1

    6401355bf2ceaf825aea9f56e78a7f5be0c6b37a

    SHA256

    794fea30a1ba942d3fad6982f81983623cb36ceb4cbfc4f6666e83db32ecee1a

    SHA512

    05201d116a0e273870db463f0bfb650a36b9a7cac96ad39a013c7f505b8daf2365c0cbe3af707fef4beeff5d3450293266539055b7a8cd9b6b6b794202fc06a2

    Download Submit

  • C:\MyProcess\ascdfv.js
    Filesize

    644KB

    MD5

    87609dfc36ac35f80b4da54f9535a88d

    SHA1

    ea758f9300ed0ec915c287780ffed084c7ea5943

    SHA256

    e866e382495c91465128b284807c321d188a1ca79dd69f48b626901a3bd75b1e

    SHA512

    1fe8fa6b3162ffeb5b1b3623d38dc2b432012ff4b187197e820a66dd88338003382711feb04295dea835109bed3d981bc641edb20bafdc3786f41bfce118c7ba

    Download Submit

  • C:\MyProcess\remencryp.exe
    Filesize

    604KB

    MD5

    fbcf58f9ce64d200379298fcd87aa56b

    SHA1

    74388b7d29b042a1dabfeda00066eda76a9cf348

    SHA256

    303e415db0644366a316524070b046b1b2a5dd2441258d6295859abc74f352ff

    SHA512

    3873f23e8a350b812f7edb6770cc625604a877d658453ddd4f4a84b975d88dbbfb19c071a1f089eeb21fb524edd8bdd395aa5e8b484b87ce29480e9ca39e32df

    Download Submit

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    416b4c4215e9ad7ef31d85cebaf78482

    SHA1

    f0aba96394da46efff7355c9b0c448e7e86a5de4

    SHA256

    8ef6beb1bd8601de9461cf6bfe3b93d7629cde1dc81d9241f9ae05837b8bdce6

    SHA512

    a3d2476f79fdc82a16e710fffe25f65fb8d04b97acb50b30252cbf53bd617c48f4e0f4b601387ebe191eacf03073eb391a7bea6a717645b46877156ff381d645

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ws3urjae.tqu.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\remcos_a.exe
    Filesize

    483KB

    MD5

    b0a4175cd9541a154e82efe59daa2b05

    SHA1

    e9ccf2c17da8b0fc2690a5cad0f8067de577b49d

    SHA256

    d6f030194295bdec3c4ec91fbaf7dacd7a9b83edb99c4fd6556eb4eb7d948840

    SHA512

    5f805e6c9be95936d1a78ac58a988dc700f7ae81429edcc46d63f39a056ab756e4ff0f11dcbe74e8ee21c62510b724a9ede9e9b5306bf8948046ee3f0575abdb

    Download Submit

  • memory/1392-75-0x0000000006110000-0x0000000006132000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1392-74-0x00000000060C0000-0x00000000060DA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1392-73-0x0000000006140000-0x00000000061D6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1392-72-0x0000000005C10000-0x0000000005C5C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1392-71-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1392-70-0x00000000055D0000-0x0000000005924000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1392-58-0x0000000004D20000-0x0000000004D42000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1392-60-0x0000000005560000-0x00000000055C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1392-56-0x0000000004600000-0x0000000004636000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1392-57-0x0000000004DD0000-0x00000000053F8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1392-59-0x00000000054F0000-0x0000000005556000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2296-32-0x0000000005760000-0x00000000057F2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2296-36-0x0000000005910000-0x000000000591A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2296-35-0x0000000005B60000-0x0000000005BFC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2296-34-0x0000000005900000-0x000000000590A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2296-33-0x0000000005800000-0x0000000005896000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2296-31-0x0000000005C30000-0x00000000061D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2296-30-0x0000000000E00000-0x0000000000E9C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3304-39-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3304-41-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3304-37-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download