Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-09-2024 01:48

General

  • Target
    fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5.exe
  • Size
    1.0MB
  • MD5
    f8c03f656b356b3477ea05d7427bce3e
  • SHA1
    b20be63658060f9356e90e7846c2091069950682
  • SHA256
    fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5
  • SHA512
    35df2187b512fe1908aae5159741e3d666e078fc0e4bbba17c693fdfffab810f8abaf4fe622de3d5a1c32e70db097c0608bc4b9b7723282cd635638971d888d6
  • SSDEEP
    24576:nIUobyTkpVyd+8OuyBNtpFgX9AB5NHY0hBMfUzvB0JERhM1:d96o7OuyBTqCNHY0r50e41

Malware Config

Extracted

  • Family
    remcos
  • Botnet
    udu
  • C2
    UDUM.WORK.GD:2431

Attributes

  • audio_folder
    MicRecords
  • audio_record_time
    5
  • connect_delay
    0
  • connect_interval
    1
  • copy_file
    remcos.exe
  • copy_folder
    vlc
  • delete_file
    false
  • hide_file
    false
  • hide_keylog_file
    false
  • install_flag
    false
  • keylog_crypt
    true
  • keylog_file
    logs.dat
  • keylog_flag
    false
  • keylog_folder
    sos
  • mouse_option
    false
  • mutex
    udm-2WYU92
  • screenshot_crypt
    false
  • screenshot_flag
    false
  • screenshot_folder
    Screenshots
  • screenshot_path
    %AppData%
  • screenshot_time
    10
  • take_screenshot_option
    false
  • take_screenshot_time
    5

Signatures

  • Remcos
    Remcos is a closed-source remote control and surveillance software.
  • Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
    Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.
  • Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Suspicious behavior: EnumeratesProcesses (9 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SendNotifyMessage (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (33 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5.exe
    "C:\Users\Admin\AppData\Local\Temp\fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UvwokF.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2644
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UvwokF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp36C9.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2552
    • C:\Users\Admin\AppData\Local\Temp\fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5.exe
      "C:\Users\Admin\AppData\Local\Temp\fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5.exe"
      2⤵
      PID:2436
    • C:\Users\Admin\AppData\Local\Temp\fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5.exe
      "C:\Users\Admin\AppData\Local\Temp\fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5.exe"
      2⤵
      PID:2216
    • C:\Users\Admin\AppData\Local\Temp\fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5.exe
      "C:\Users\Admin\AppData\Local\Temp\fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5.exe"
      2⤵
      PID:2772
    • C:\Users\Admin\AppData\Local\Temp\fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5.exe
      "C:\Users\Admin\AppData\Local\Temp\fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2556

Network

  • DNS
    UDUM.WORK.GD
    fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5.exe
    Remote address: 8.8.8.8:53
    Request: UDUM.WORK.GD IN A
    Response: UDUM.WORK.GD IN A 103.153.65.56
  • DNS
    UDUM.WORK.GD
    fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5.exe
    Remote address: 8.8.8.8:53
    Request: UDUM.WORK.GD IN A
    Response: (none recorded)
  • 103.153.65.56:2431
    UDUM.WORK.GD
    fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5.exe
    152 B, 3
  • 103.153.65.56:2431
    UDUM.WORK.GD
    fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5.exe
    152 B, 3
  • 103.153.65.56:2431
    UDUM.WORK.GD
    fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5.exe
    152 B, 3
  • 103.153.65.56:2431
    UDUM.WORK.GD
    fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5.exe
    152 B, 3
  • 103.153.65.56:2431
    UDUM.WORK.GD
    fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5.exe
    152 B, 3
  • 103.153.65.56:2431
    UDUM.WORK.GD
    fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5.exe
    152 B, 3
  • 103.153.65.56:2431
    UDUM.WORK.GD
    fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5.exe
    104 B, 2
  • 8.8.8.8:53
    UDUM.WORK.GD
    dns
    fd289f86941e426b8116ead4b68649fac1dc3fc5611da26af9a446f911b30ea5.exe
    116 B, 132 B, 2, 2
    DNS Request: UDUM.WORK.GD
    DNS Request: UDUM.WORK.GD
    DNS Response: 103.153.65.56


Downloads

  • C:\ProgramData\sos\logs.dat
    Filesize
    318B
    MD5
    6e4b1baa28ad239e9972cf6af34dd93f
    SHA1
    656f132bf1d23bde29f7b8ab98f9febe3a491b82
    SHA256
    90f337ff6767cffee04496cb32109902887c07c7529c7be999aad17c287d67d1
    SHA512
    cc998533df4bcaa0b341a96a5c7240c3ed887cf36508afad455f4a56a2d4ba921c40787930b0097dcb3275765f60d31344af1f3323d6714e4bd095a5aa0bc7dc
  • C:\Users\Admin\AppData\Local\Temp\tmp36C9.tmp
    Filesize
    1KB
    MD5
    5aee1485f0539e31cd881caf65aa51df
    SHA1
    83504299c5b4d1a525ba65e78192c699cf710992
    SHA256
    248f8075f6d4f2dcb3344696bedaf323155e42a321c396f0c394ceb45ec029c9
    SHA512
    63dc9cae9982811f6ba750d4273e2580b816787fb9a1502691651320d5f46eb0949b23a50db077a5ef577107c4dd3fcb3bd37d33fe5771f43cdd6986c2592f72

