Overview

overview

10

Static

static

3

Quotation.exe

windows7-x64

10

Quotation.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    10-09-2024 07:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation.exe

  • Size

    899KB

  • MD5

    9704ccf025eb5b76cf9485718a5ae9ba

  • SHA1

    1a50054fb88f8667ea346a9cfd4ffa501ff491fe

  • SHA256

    1c022ec2400c0c5197aa32cef3182a09a13213dedfe1db71fc18c6d399571ed9

  • SHA512

    02a54924f0f6de0b7df557fc0606f372fb52d70dc950e843195aacbf6b1f12f2a0d0a879be79c5c2da4b2bd9a159a0948b1a3dc594ba9227a345cf792c55e038

  • SSDEEP

    12288:qEXIarzS1y2y5bQqTIl7ahRvVDAJU+Ib9/xyDszk1rCMNcEBVhj2MVOEjctICdch:SaaBGvlh1+fIbTZklf32MsactInKkE

Score
10/10
remcosremotehostdiscoveryexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

spacesave.duckdns.org:14645

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-RLABK3

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2644
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wCnzGs.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2656
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wCnzGs" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2752
    • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2572

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp
    Filesize

    1KB

    MD5

    58bba3053fac4aabee2c86dbd96f3cca

    SHA1

    2140288fb57a556efb2320e782f4790c36d42579

    SHA256

    963ed0ab08527b2489ba6997d5314c224d2b9162be1f6b8d711f206ba9ec78d4

    SHA512

    d9cd1539e2cd0717654712b8e7972594df117fa0c3ae022484ebfbea6f888643dee624f55b9116e9ba9ec5f2011ac9d938a09a669ec018f795f023408d5f8a66

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E0OUYMWIL1N51FMQS5V6.temp
    Filesize

    7KB

    MD5

    50e1a888eebbca54072d99d7a80a5f2f

    SHA1

    c3e19dd6e420c89130e4adaeb30c407c09d892f5

    SHA256

    233289c66337d0d1613e45b2bea5518a6ecf831ca8d449833398dac250849bf1

    SHA512

    05cf6bb01563b57eedd844b94866dc355287fd892fa59b4fe815afd8b9d4c4063049747555d5c7bc0f5adac656e0bbdf19ab0c4717b09451a44a3be0e71dd8b4

    Download Submit

  • memory/2572-25-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-19-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-54-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-55-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-52-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-53-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-50-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-24-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-37-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-21-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-36-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2572-33-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-31-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-29-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-27-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-51-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-48-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-38-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-49-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-40-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-41-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-42-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-43-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-46-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2572-47-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2824-39-0x0000000074E60000-0x000000007554E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2824-3-0x0000000000550000-0x0000000000560000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2824-6-0x0000000005E20000-0x0000000005EE0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2824-1-0x0000000000A80000-0x0000000000B66000-memory.dmp

    Filesize

    920KB

    Download

  • memory/2824-2-0x0000000074E60000-0x000000007554E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2824-0-0x0000000074E6E000-0x0000000074E6F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-5-0x0000000074E60000-0x000000007554E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2824-4-0x0000000074E6E000-0x0000000074E6F000-memory.dmp

    Filesize

    4KB

    Download