Overview

overview

10

Static

static

3

QUOTE #467...CS.exe

windows7-x64

8

QUOTE #467...CS.exe

windows10-2004-x64

10

Chine/Aake.ps1

windows7-x64

3

Chine/Aake.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2024, 23:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    QUOTE #46789-OCT24_JAMEELA TRD LLCS.exe

  • Size

    836KB

  • MD5

    837843cbc8249c71125a2113d1acd71f

  • SHA1

    aa80a680576261190000a9b6c113b4bcef1d8728

  • SHA256

    ec8356a9908aad8b184033c27bc7c94a8332a5c16371d72442a49a86669e57e5

  • SHA512

    2059553ac3c08d5d389c513242a3ee40ea176027c38d25e6d3e3aa6b7349fdf81405da8b453a0107fd1aa3a7435d7209655338ddb51ce4bb1ccb38786485ce4a

  • SSDEEP

    12288:XjWxDtrp10yzIDrOXive++gc4c/xF5IqsEHnz2InxJTuINvhUNmvIiyC7:XjmHErOXiveDgclpDjfnz2gxJKlil

Score
10/10
remcosoctoberdiscoveryexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

OCTOBER

C2

windowxpjoke.duckdns.org:24044

84.38.132.104:1985
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    explorre

  • copy_folder

    explorre

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-OAEVAI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Blocklisted process makes network request 5 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\QUOTE #46789-OCT24_JAMEELA TRD LLCS.exe
    "C:\Users\Admin\AppData\Local\Temp\QUOTE #46789-OCT24_JAMEELA TRD LLCS.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:820
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Trusserederi=Get-Content -raw 'C:\Users\Admin\AppData\Local\deporteringer\disaffecting\Duvetinejakkernes\Chine\Aake.omr';$Energids=$Trusserederi.SubString(54101,3);.$Energids($Trusserederi)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:776
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        PID:1404

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\amazonjunglen.lnk
    Filesize

    1KB

    MD5

    f886923d45d7bd0383b99a38997c079c

    SHA1

    3578635e87a7e31aead96bc12154710a36ecd0f9

    SHA256

    1682041ef24387f8ce10531c7b88fda78437329a13a2f09a2403504eb6cef797

    SHA512

    83472d7a5ee30b0337d386ba8c57eeb722bed385c8f0d6df57b85aaf38e26d5df087c0e057b8f6b106324c4f9598ae713a6af013a89c46e016163e844fd8544e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bbxsk523.2yw.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\deporteringer\disaffecting\Duvetinejakkernes\Chine\Aake.omr
    Filesize

    52KB

    MD5

    76c2e06efc11f956e4e7a6aad633f3b7

    SHA1

    ac79ab670ddb7874b259d2f0ff5c5283c5ff90ee

    SHA256

    cfbc27159dd8a2ce54dce1125e0cdc2dc27db461e355ad318cefd1f37a452898

    SHA512

    b8582f6559ad0f642a000bf1c7be68c537ef9bc206ee9de0c4da70614d176e11e34b2fba607f6c33942b5200f518c24d04e43957b57c9c09c8aceaecf0f1050b

    Download Submit

  • C:\Users\Admin\AppData\Local\deporteringer\disaffecting\Duvetinejakkernes\Wichtisite.Min
    Filesize

    319KB

    MD5

    d798bc47e69bf01535b9b2381019b48e

    SHA1

    6230415081882f24e9a8ec15c3da9c9f31031287

    SHA256

    98298bed5177b6c4836842828e84b448d4373a004c4e8ac5ce5839d027a33b38

    SHA512

    81c616f2f6e51a962a7647edcfb5aa8bf65c4f0d8ff10d701480605ac539d635bb4b1a0fdcf95e1862adcecbe0f6b3c2f1fffe86d68832a3450cb80bb207c2ad

    Download Submit

  • memory/776-144-0x0000000073C3E000-0x0000000073C3F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/776-145-0x0000000005170000-0x00000000051A6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/776-146-0x0000000073C30000-0x00000000743E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/776-147-0x0000000005870000-0x0000000005E98000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/776-148-0x00000000057A0000-0x00000000057C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/776-149-0x0000000006090000-0x00000000060F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/776-150-0x0000000006100000-0x0000000006166000-memory.dmp

    Filesize

    408KB

    Download

  • memory/776-160-0x0000000006170000-0x00000000064C4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/776-161-0x00000000067E0000-0x00000000067FE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/776-162-0x0000000006870000-0x00000000068BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/776-165-0x0000000006D40000-0x0000000006D62000-memory.dmp

    Filesize

    136KB

    Download

  • memory/776-164-0x0000000006CF0000-0x0000000006D0A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/776-163-0x0000000007790000-0x0000000007826000-memory.dmp

    Filesize

    600KB

    Download

  • memory/776-166-0x0000000007E20000-0x00000000083C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/776-168-0x0000000008A50000-0x00000000090CA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/776-172-0x0000000070490000-0x00000000707E4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/776-182-0x0000000007C50000-0x0000000007C6E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/776-171-0x00000000700C0000-0x000000007010C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/776-170-0x0000000073C30000-0x00000000743E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/776-169-0x0000000007C10000-0x0000000007C42000-memory.dmp

    Filesize

    200KB

    Download

  • memory/776-184-0x0000000073C30000-0x00000000743E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/776-183-0x0000000007C80000-0x0000000007D23000-memory.dmp

    Filesize

    652KB

    Download

  • memory/776-185-0x0000000007D80000-0x0000000007D8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/776-186-0x0000000073C30000-0x00000000743E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/776-187-0x0000000007DC0000-0x0000000007DEA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/776-188-0x0000000007DF0000-0x0000000007E14000-memory.dmp

    Filesize

    144KB

    Download

  • memory/776-189-0x0000000073C30000-0x00000000743E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/776-191-0x0000000073C30000-0x00000000743E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/776-193-0x0000000073C3E000-0x0000000073C3F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/776-194-0x0000000073C30000-0x00000000743E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/776-195-0x0000000073C30000-0x00000000743E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/776-196-0x0000000073C30000-0x00000000743E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/776-197-0x00000000090D0000-0x000000000E485000-memory.dmp

    Filesize

    83.7MB

    Download

  • memory/776-198-0x0000000073C30000-0x00000000743E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/776-199-0x0000000073C30000-0x00000000743E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/776-200-0x0000000073C30000-0x00000000743E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/776-201-0x0000000073C30000-0x00000000743E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/776-203-0x0000000073C30000-0x00000000743E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1404-204-0x0000000001280000-0x00000000024D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1404-205-0x0000000001280000-0x00000000024D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1404-210-0x0000000001280000-0x00000000024D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1404-211-0x0000000001280000-0x00000000024D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1404-212-0x0000000001280000-0x00000000024D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1404-213-0x0000000001280000-0x00000000024D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1404-214-0x0000000001280000-0x00000000024D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1404-215-0x0000000001280000-0x00000000024D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1404-216-0x0000000001280000-0x00000000024D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1404-217-0x0000000001280000-0x00000000024D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1404-218-0x0000000001280000-0x00000000024D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1404-219-0x0000000001280000-0x00000000024D4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1404-220-0x0000000001280000-0x00000000024D4000-memory.dmp

    Filesize

    18.3MB

    Download