Overview

overview

10

Static

static

3

PO904321.exe

windows7-x64

10

PO904321.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24-09-2024 19:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO904321.exe

  • Size

    881KB

  • MD5

    a1b7c41a0ef9eb2af3337a97127329d9

  • SHA1

    c94ffbdc29ab82e90b704e33838a1ea6af3cf14a

  • SHA256

    d7b82542403c06b63adcd6c4a46614ebc04d903c9c404097d30cc85e0237c2bc

  • SHA512

    4cd922ffff1940fdea5350b98a54954970f200c3a5c23c2117f8cbcf48bf389c170506b9760b949357d378734e60634512a2801f9a37512f7cf6f12a97147e1e

  • SSDEEP

    24576:5rEmwPVpOaOXAHs2NAZZHy0SUAP2F/cvn:SZtpxOl2NAZ5fD/

Score
10/10
remcosmekusdiscoveryexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

mekus

C2

dpm-sael.com:2017

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    meckus-ODY51K

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO904321.exe
    "C:\Users\Admin\AppData\Local\Temp\PO904321.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:468
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO904321.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2668
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rxoPEmTYk.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2952
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rxoPEmTYk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2776
    • C:\Users\Admin\AppData\Local\Temp\PO904321.exe
      "C:\Users\Admin\AppData\Local\Temp\PO904321.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    57775968ec5d79648a9172667c20c904

    SHA1

    9a80a3aca4087a0f1be406a82f2d7a8150e6daf0

    SHA256

    d854d05768047693e6407e4546cfc1881bdd71f1eae3b5da6c7ac0094c520299

    SHA512

    517c614159a57c01210f0a553c880e9ddb3f86d5b9b389c728048c05cf2da860d72ed58af17321acec40110fb143d9586fed609659dd58519c632026a729c836

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpBA0C.tmp
    Filesize

    1KB

    MD5

    ff0788e4a1c8845be1645d2e638a10f9

    SHA1

    bc4327fd7840472ba0fb1c13434ef3d9b669644a

    SHA256

    2cea015d233d0f48f62d29acd0b6d220acaebffce08752d530096f5e4bdc4828

    SHA512

    d8cb14abd75057dc5763bc295f575ad61baec019f45511cd39900b035c914ba71cc5c1b9543c1d69906f68339660c6f32f99933c5a99a23b2d6efb29aeba78ef

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ITCH6ZVKNVOKB8NJDG74.temp
    Filesize

    7KB

    MD5

    e5e8e98f216dc8108ded65e2724292f3

    SHA1

    7aaab3075ec67d7a006f325ac7473f1db86c38a1

    SHA256

    a0d0acadc96b9b3b6ebbf8189a915196d587fed452583e509f59ab5c929e02e6

    SHA512

    28ce3f816d8dfea90f04aa6cecde9ece482b1ce2aca05cae1895e54f0d8262e7c52dbe483bb812d25f6af1fd1c3b781765f73e7952b8d230f60ca0448081d397

    Download Submit

  • memory/468-0-0x00000000749BE000-0x00000000749BF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/468-1-0x0000000000910000-0x00000000009F2000-memory.dmp

    Filesize

    904KB

    Download

  • memory/468-2-0x00000000749B0000-0x000000007509E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/468-3-0x0000000000490000-0x00000000004A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/468-4-0x00000000749BE000-0x00000000749BF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/468-5-0x00000000749B0000-0x000000007509E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/468-6-0x0000000005030000-0x00000000050F0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/468-39-0x00000000749B0000-0x000000007509E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2568-21-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-44-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2568-31-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-29-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-27-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-23-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-36-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-25-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-38-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-33-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-42-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-43-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-37-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-45-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-46-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-48-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-51-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-52-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-19-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-59-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-67-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-68-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-76-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-75-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-83-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2568-84-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download