Overview

overview

10

Static

static

3

1d818c67cd...0a.exe

windows7-x64

10

1d818c67cd...0a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-09-2024 23:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d818c67cd7b934a84588a3207b2e50a.exe

  • Size

    879KB

  • MD5

    1d818c67cd7b934a84588a3207b2e50a

  • SHA1

    f143719dafea314eb6ae638e9a7694da54c3a445

  • SHA256

    932c8687387b5fa94ef7b5c11358b0d0dc90ea488729382e09ec126d61457d6d

  • SHA512

    41e68271ed5c52427c1e9953bc3ac9c0562541a186a6a44712602dd88968fdd2d896f3c56dccc39dac512c9885e0eb9c194d26f148ce484418b001d1bf60401e

  • SSDEEP

    24576:Ovd+fC6BjsHpE+dOj+18tyAgajKCzMlTyFjSIi0/:O1+a6NsHp3MlhOGM1mO0/

Score
10/10
remcosremotehostdiscoveryexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

www.c42staging.com:2404

www.vdoclabs.com:2404

www.ozkol-aluminyum.com:2404
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    dfghj

  • mouse_option

    false

  • mutex

    Rmc-QCH1J0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d818c67cd7b934a84588a3207b2e50a.exe
    "C:\Users\Admin\AppData\Local\Temp\1d818c67cd7b934a84588a3207b2e50a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1d818c67cd7b934a84588a3207b2e50a.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2356
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wTTruYPumnUe.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2668
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTTruYPumnUe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAAB1.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2608
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
        PID:2560
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        2⤵
          PID:1104
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          2⤵
            PID:2928
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            2⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2044

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\dfghj\logs.dat
          Filesize

          144B

          MD5

          6bcf083bec6d034e015a17bb0ff40436

          SHA1

          57ecedd952353a95a8e2cdf6458ef50f4dcd9e2c

          SHA256

          23a510ecc92103ae6e47f105634f3c01afff6222951c6c21ce9c704c47490d90

          SHA512

          eed7c52c038e5c666d53a0d1f2a8fe814827fcc2aff728de9e911923a3ff0596077d8bf14c0b922810190f4897640d3628083730caedce20e494d2a3a5f00da0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpAAB1.tmp
          Filesize

          1KB

          MD5

          ad2faadc4e62c92e5cd846d22f99533c

          SHA1

          d0032f6c9768174bb694fe56462a882abe39acb8

          SHA256

          362218ab7a3c1b17b80fe63bf1493663c536bc3c0ecd3b0c3eb556920537b08f

          SHA512

          ca71c7075bea0a3d8e1b999476d91bb7474668e7cecc7868d293a1411b01655bf784fd4b499eecfe47c85fea1ac68a14ee64d9c279c8083c142410159de151a6

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
          Filesize

          7KB

          MD5

          5267018f40accf4062544dd7b8e875ee

          SHA1

          f5e71884a19e1a736c3b94c73af86ae4d7a3ddff

          SHA256

          e8c36c604474a39148ebf2925c219e34c22e34cd13e700710952739939693832

          SHA512

          25f8e6efebc913469cd18446464be03943dbd9341e088812bdfbeeeacc753062062e19f1635c2b7de96324c607f73a5210670258b61c020d6fd2516a5b67092e

          Download Submit

        • memory/2044-28-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-83-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-84-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-24-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-22-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-75-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-76-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-20-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-36-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2044-37-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-26-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-42-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-39-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-38-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-34-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-32-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-30-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-68-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-67-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-60-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-44-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-59-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-45-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-46-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-47-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-49-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-52-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2044-51-0x0000000000400000-0x0000000000482000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2140-1-0x0000000000310000-0x00000000003F2000-memory.dmp

          Filesize

          904KB

          Download

        • memory/2140-43-0x0000000074150000-0x000000007483E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2140-4-0x0000000000650000-0x0000000000660000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2140-6-0x0000000074150000-0x000000007483E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2140-0-0x000000007415E000-0x000000007415F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2140-2-0x0000000074150000-0x000000007483E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2140-3-0x0000000004FE0000-0x00000000050BA000-memory.dmp

          Filesize

          872KB

          Download

        • memory/2140-7-0x00000000054E0000-0x00000000055A0000-memory.dmp

          Filesize

          768KB

          Download

        • memory/2140-5-0x000000007415E000-0x000000007415F000-memory.dmp

          Filesize

          4KB

          Download