Overview

overview

10

Static

static

3

SecuriteIn...73.exe

windows7-x64

10

SecuriteIn...73.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/09/2024, 12:30

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.RATXgen.15616.18273.exe

  • Size

    1.0MB

  • MD5

    f2e67a1bef67fa4f49dce815b93eeefb

  • SHA1

    1b75d6182523dc35cf13e5e9430194196fb44aeb

  • SHA256

    7bdca91211afbb94f733d78892cf0568a79e63ef230b5dfa919966e73b26717d

  • SHA512

    d0b2dd442d20921c63716eb5974fcd450d3ff800bbcb9dae84efc1743f0dcd8784c72debaa86841fa90d8a3c1e727d194adc022b4513484d9820777ceef4b7a0

  • SSDEEP

    24576:R1iZQZd2PbZwVslxyAcM3wpGVkYZPGX2lxxuQQGnI:zUZTl4Ad31VkYhs+QtP

Score
10/10
remcosududiscoveryexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

udu

C2

UDUM.WORK.GD:2431

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    vlc

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    sos

  • mouse_option

    false

  • mutex

    udm-2WYU92

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.15616.18273.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.15616.18273.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.15616.18273.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1308
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qmXhNnW.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2208
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qmXhNnW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDFA2.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1556
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.15616.18273.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATXgen.15616.18273.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:908

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\sos\logs.dat
    Filesize

    274B

    MD5

    da79888d7d2fcfb2b6e74c7111cd25f1

    SHA1

    f175aecf2b3a1698eea4ac3099452ac7b146f4d4

    SHA256

    6338dc3e4e773a68ff0a8c5760fb342afaebcbb3fcd720792611381baeaf3680

    SHA512

    a76871bbe05bfd7dc1c5866efd93b65bbcc0b0e57cedd57025b42a71054ff6afce55d71de004d611786375b3ee298d2cc00da358bc80ac76abd22050f4b6b240

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    3d086a433708053f9bf9523e1d87a4e8

    SHA1

    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

    SHA256

    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

    SHA512

    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    d7109117da51b2312a5a93c29348faf1

    SHA1

    6b6c5461403506c5ef18b61e5df47167403f8799

    SHA256

    a2195c817499b6a7e2932e9b7341d94f3c6ff0560760575106946748a5896957

    SHA512

    a060e5f355bd13f5329ea2b32f37d533d17e514c23a53abadf7d48e20df92c4a66a3a77c559240d620c7fb04fd5e82c8378f43cfad7594fd092405a2799289d4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wulivyy3.2xh.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpDFA2.tmp
    Filesize

    1KB

    MD5

    5395be943384063674ada4c9ab932326

    SHA1

    3f7057e54a6ac4ca807f337e91c6bc85b6bab72b

    SHA256

    1998aa295a49f2da79e5002df09c26232e670ed915e46fb0bea1138de0d6ea8e

    SHA512

    f9f5a344a696340f90acb387d18978fe9d2ce972aea25ef91d0682a80b7106ffbeee6c489b9a4a32940e7a68772eb26645d5e7b23efd24056190aa206f53425f

    Download Submit

  • memory/908-91-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/908-38-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/908-131-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/908-130-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/908-123-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/908-122-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/908-115-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/908-114-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/908-107-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/908-106-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/908-102-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/908-93-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/908-90-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/908-58-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/908-54-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/908-57-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/908-53-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/908-39-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1308-83-0x0000000007AC0000-0x0000000007ADA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1308-86-0x0000000007CC0000-0x0000000007CD1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1308-16-0x00000000051C0000-0x00000000051F6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1308-23-0x0000000006000000-0x0000000006022000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1308-18-0x00000000058A0000-0x0000000005EC8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1308-51-0x0000000006A50000-0x0000000006A9C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1308-17-0x0000000074410000-0x0000000074BC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1308-50-0x0000000006790000-0x00000000067AE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1308-24-0x00000000060E0000-0x0000000006146000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1308-27-0x0000000006150000-0x00000000061B6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1308-19-0x0000000074410000-0x0000000074BC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1308-71-0x0000000007990000-0x0000000007A33000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1308-99-0x0000000074410000-0x0000000074BC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1308-60-0x000000006EEA0000-0x000000006EEEC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1308-20-0x0000000074410000-0x0000000074BC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1308-59-0x0000000006D70000-0x0000000006DA2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1308-92-0x0000000007DE0000-0x0000000007DE8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1308-70-0x0000000007760000-0x000000000777E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1308-82-0x0000000008110000-0x000000000878A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1308-84-0x0000000007B30000-0x0000000007B3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1308-85-0x0000000007D40000-0x0000000007DD6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1308-36-0x00000000061C0000-0x0000000006514000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1308-87-0x0000000007CF0000-0x0000000007CFE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1308-88-0x0000000007D00000-0x0000000007D14000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2208-100-0x0000000074410000-0x0000000074BC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2208-21-0x0000000074410000-0x0000000074BC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2208-37-0x0000000074410000-0x0000000074BC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2208-72-0x000000006EEA0000-0x000000006EEEC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2208-22-0x0000000074410000-0x0000000074BC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2208-89-0x0000000007AF0000-0x0000000007B0A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2888-6-0x0000000005C40000-0x0000000005CDC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2888-2-0x00000000058F0000-0x0000000005982000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2888-3-0x0000000005FA0000-0x0000000006544000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2888-5-0x0000000074410000-0x0000000074BC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2888-52-0x0000000074410000-0x0000000074BC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2888-4-0x0000000005A20000-0x0000000005A2A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2888-1-0x0000000000FE0000-0x00000000010E6000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2888-0-0x000000007441E000-0x000000007441F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2888-11-0x0000000006C80000-0x0000000006D40000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2888-10-0x0000000074410000-0x0000000074BC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2888-9-0x000000007441E000-0x000000007441F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2888-8-0x0000000005D50000-0x0000000005D68000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2888-7-0x00000000070C0000-0x000000000719E000-memory.dmp

    Filesize

    888KB

    Download