Overview

overview

10

Static

static

3

MT103 CIBC...14.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
  • submitted
    08-10-2024 20:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MT103 CIBC Ref No EBOTT40930537914.exe

  • Size

    978KB

  • MD5

    3c228f541d5f99e928fc4f9a0993f45c

  • SHA1

    ff3e24330aae208fe5c11ff45a2d913c683e55d9

  • SHA256

    918b9e2ab61a0ef85ed819b7ed4886f3fe23d34059cb87003fc8d73195e5d438

  • SHA512

    caa3a9fcad749eeb1e64f931177b82b7693dc26ee0d6811eb26ef294884e8f853b7c583ed65aad71b24b416e7e954780fcddeb114bb8f10a5a92dc137ec9ac8b

  • SSDEEP

    24576:95EwHjgfwxXUCswKlVV3iSuoili7gGn/4S1:9Sws4xXU9wKlVkSCkgGnwS

Score
10/10
remcosgmall-targetdiscoveryexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

GMAlL-TARGET

C2

milliondollar23.duckdns.org:3984

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-3XAFQF

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MT103 CIBC Ref No EBOTT40930537914.exe
    "C:\Users\Admin\AppData\Local\Temp\MT103 CIBC Ref No EBOTT40930537914.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MT103 CIBC Ref No EBOTT40930537914.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3224
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pvTSOIBBT.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3248
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pvTSOIBBT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp173C.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3512
    • C:\Users\Admin\AppData\Local\Temp\MT103 CIBC Ref No EBOTT40930537914.exe
      "C:\Users\Admin\AppData\Local\Temp\MT103 CIBC Ref No EBOTT40930537914.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4340

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    ce33d1bffcadca6dd47e2c4bd769753a

    SHA1

    89bd918e10d27a360a70b8e1270516ff73f04334

    SHA256

    a82e8330e493a5fa93d5e2207976fa2cd4066367c798749e063559ab899fb479

    SHA512

    b36e2bf3ee1ced9620621a097ba46bb6e5b7b2800237bdbf54ebcb5201ac830b5471f0ccfcd6e54b7332467ec5da6f0c96c93276a91ab636c0b3da73455c6a91

    Download Submit

  • C:\ProgramData\remcos\logs.dat
    Filesize

    224B

    MD5

    a6c49193768e7194ed98c37f37a07f6e

    SHA1

    4004fdf1718247f48d1272b65756162569b396f9

    SHA256

    9dd5e5652089e8c0b7a48b1063486679fb1b9fe87130a4fba95a2ca1d52c77e0

    SHA512

    b796a8a0b402ee6117c3f64ffefc3b6af3b490e2c1ed929a2554ed91eb4b45e3cdf19eb35291778fb7397b93927afb02dd39b616ceb51852efe8cdd590dc5a47

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    db01a2c1c7e70b2b038edf8ad5ad9826

    SHA1

    540217c647a73bad8d8a79e3a0f3998b5abd199b

    SHA256

    413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

    SHA512

    c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    de0d68745839194b0c4ddacfebf3d096

    SHA1

    3578bdbd0d717f52bb9f0e4867046b062039420c

    SHA256

    d8f3144137b63cfedc6e396e38cd72b432cdd591745d08fb09beb0ea0985d3b3

    SHA512

    81b03547ae7f4af376b3efdf18c9025498ee6f8579f3688f663dfe0f2bddc50f1de6f87f62faea715c55d09345e5ab1fb0e6a1b1f16ee30267096781693c1cef

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_25vvif1d.adm.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp173C.tmp
    Filesize

    1KB

    MD5

    d634ac6bf0a8b4ed968f914275cadbe7

    SHA1

    338c30c22506d7d76249b50b8cf9196c18f73f48

    SHA256

    a80bec025a1a6d42dd459710b3e7e4021df8740f99fb415c5c33082b645940a2

    SHA512

    34602a0a3741a151748214d8606172be5e607ac495fe110d968e4392ffaf667ad940efddc8c65dcb98dcdcd217b1018b0151b42a71b93e5fc87f45c30de9621a

    Download Submit

  • memory/904-9-0x00000000066A0000-0x0000000006762000-memory.dmp

    Filesize

    776KB

    Download

  • memory/904-7-0x00000000735EE000-0x00000000735EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/904-8-0x00000000735E0000-0x0000000073CCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/904-1-0x0000000000590000-0x000000000068C000-memory.dmp

    Filesize

    1008KB

    Download

  • memory/904-10-0x0000000008D80000-0x0000000008E1C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/904-2-0x0000000005430000-0x000000000592E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/904-3-0x0000000004F30000-0x0000000004FC2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/904-0-0x00000000735EE000-0x00000000735EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/904-6-0x00000000053D0000-0x00000000053E8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/904-38-0x00000000735E0000-0x0000000073CCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/904-5-0x0000000004ED0000-0x0000000004EDA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/904-4-0x00000000735E0000-0x0000000073CCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3224-28-0x0000000008220000-0x0000000008286000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3224-17-0x0000000004FE0000-0x0000000005016000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3224-29-0x0000000008290000-0x00000000082F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3224-26-0x00000000735E0000-0x0000000073CCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3224-522-0x00000000735E0000-0x0000000073CCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3224-32-0x0000000008400000-0x0000000008750000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3224-521-0x00000000735E0000-0x0000000073CCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3224-23-0x00000000735E0000-0x0000000073CCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3224-20-0x00000000735E0000-0x0000000073CCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3224-27-0x0000000007A40000-0x0000000007A62000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3224-488-0x0000000009E50000-0x0000000009E58000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3224-479-0x0000000009E70000-0x0000000009E8A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3224-94-0x0000000009F10000-0x0000000009FA4000-memory.dmp

    Filesize

    592KB

    Download

  • memory/3224-89-0x0000000009D00000-0x0000000009DA5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/3224-43-0x0000000008190000-0x00000000081AC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3224-44-0x0000000008810000-0x000000000885B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3224-80-0x0000000009BD0000-0x0000000009C03000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3224-83-0x0000000009B90000-0x0000000009BAE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3224-81-0x0000000072100000-0x000000007214B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3248-21-0x00000000735E0000-0x0000000073CCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3248-520-0x00000000735E0000-0x0000000073CCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3248-82-0x0000000072100000-0x000000007214B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3248-45-0x0000000008040000-0x00000000080B6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3248-22-0x0000000006FC0000-0x00000000075E8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3248-24-0x00000000735E0000-0x0000000073CCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4340-34-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4340-39-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4340-31-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4340-47-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4340-41-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4340-37-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4340-30-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4340-524-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4340-525-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4340-42-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4340-532-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4340-40-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download