Overview

overview

10

Static

static

1

MMtool/mm_....0.exe

windows7-x64

10

MMtool/mm_....0.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23/10/2024, 12:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MMtool/mm_aptio_tool_v5.0.exe

  • Size

    3.0MB

  • MD5

    ff950ee78e5673004b9ddcb5450f1f20

  • SHA1

    07feb57f5116d3381d6105ef3ecde9a0e6b8a298

  • SHA256

    ef2b84c9d41c153c31391a9a19721ee3ddba764e03aa2533875ce9d2016e4b55

  • SHA512

    66be3331519e0e541fe82490e48e148f2e6d32b59ed7e5bab1a04ecf60fb3111b82fb36551a0c54a6fc30afa2a683c8778bcb7a2b43a10247ef6ffe646bd5752

  • SSDEEP

    49152:MWGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbx333Yq:ItLutqgwh4NYxtJpkxhGG333h

Score
10/10
remcos5000discoveryrat

Malware Config

Extracted

Family

remcos

Botnet

5000

C2

92.255.85.63:5000

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-WO26TT

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 21 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MMtool\mm_aptio_tool_v5.0.exe
    "C:\Users\Admin\AppData\Local\Temp\MMtool\mm_aptio_tool_v5.0.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Users\Admin\AppData\Local\Temp\MMtool\mm_aptio_tool_v5.0.exe
      "C:\Users\Admin\AppData\Local\Temp\MMtool\mm_aptio_tool_v5.0.exe" /VERYSILENT
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Users\Admin\AppData\Roaming\mmtool.exe
        "C:\Users\Admin\AppData\Roaming\mmtool.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2804
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Roaming\mmtool\StartProg.bat""
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2072
        • C:\Windows\system32\timeout.exe
          TIMEOUT /T 67 /NOBREAK
          4⤵
          • Delays execution with timeout.exe
          PID:2764
        • C:\Users\Admin\AppData\Roaming\PasswordChanger.exe
          C:\Users\Admin\AppData\Roaming\PasswordChanger.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2920
          • C:\Users\Admin\AppData\Roaming\Quickdemo\PasswordChanger.exe
            C:\Users\Admin\AppData\Roaming\Quickdemo\PasswordChanger.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:2012
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\SysWOW64\cmd.exe
              6⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:584
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                7⤵
                • System Location Discovery: System Language Discovery
                PID:888

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\15026c3
    Filesize

    1.2MB

    MD5

    6da23da1c441732ae847fc518fc05e20

    SHA1

    ff67cb1dc5ff0d8b5f9bcb5834bcbcbaf3fd4178

    SHA256

    b4d9b5644edab82ca0d9188628a335b90a062012bb5c923e83e78548dd9066d3

    SHA512

    5055d7d840897ef3190cc13b39385f3319e7c35541507ead3bc68f53a75b1ec9cbe02718a3382fc963466f8d9f5da4f29a3ab66296bc08a0683b7baab16ac0c6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VCRUNTIME140_1.dll
    Filesize

    37KB

    MD5

    75e78e4bf561031d39f86143753400ff

    SHA1

    324c2a99e39f8992459495182677e91656a05206

    SHA256

    1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e

    SHA512

    ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ddvn
    Filesize

    947KB

    MD5

    78365fbbb3875e8a9e188c33113f25ef

    SHA1

    69385fe659fd7731ece699aa85366a21948b8ca3

    SHA256

    af718ef23fbd91ec24fe94da9d62155d767ed147c45d9063656cbea4f656fe53

    SHA512

    2168ce85ae8c0ba4b7ad8870c5ae6453f952b87498563b3f34178bb97be4ea30508ed1b81ceb911480ce2fe84b532427bcb5f3200d550e5b3a64dae59d2a57a8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gbrbkln
    Filesize

    73KB

    MD5

    6a18e4720393bbd4b41629414108525f

    SHA1

    3de8a3bfa9124dacd55ad6c381d0e729973cf7b3

    SHA256

    bc486ceda4f81dab04f554f5307a3e0304de0742e834a552c0a5a0a4d7263468

    SHA512

    cf7724b41e5d778b0f08e04ce3314bdda4da6db67d0c4fe8dfe1f09e44d754e4697250fffa980313146ec22461521055626789f0cc49bdcbcab34b04c2a45f66

    Download Submit

  • C:\Users\Admin\AppData\Roaming\mmtool\StartProg.bat
    Filesize

    102B

    MD5

    faf30c609a8b4865ed68ac5686ca354e

    SHA1

    f2ba5bf0e0e78c4329a50fc76285cb64fa3507a6

    SHA256

    9da534e4a65c6d489b0708282f32eee4961b03d4cef9344aade776a1d7346ab7

    SHA512

    0dd8486575949420814274280582e2ce73c1828bc9b054ec5a9524aca5e1a48822f80b79998b7b0628bf213eeaf965286dfea5292501d09dca1752f486f6acba

    Download Submit

  • \Users\Admin\AppData\Roaming\PasswordChanger.exe
    Filesize

    2.7MB

    MD5

    8915b9ccb4372a418729166dcedc5a44

    SHA1

    8f6ca11bcb5a53fe90007ec83b638b0c642d2a92

    SHA256

    6f7f390b2012e7dfef9fcbd673a4a0256e2e217b11831e9a27a9d460ba57c0d2

    SHA512

    fd7bd3a8d3a8331d4fdd331a41dc1b3efcdbb29062a8d316cf07edccc05e7eb81153f01ec95df68f9d1466ecee0be49684737f6cf895fe6e55ccf163f1058e66

    Download Submit

  • \Users\Admin\AppData\Roaming\Qt5Core.dll
    Filesize

    5.8MB

    MD5

    a69021f31874d4aefec8c3a2bedd4437

    SHA1

    aff85d5df7a4e69303f579b9a5a2ae82e14f3af6

    SHA256

    dc68a1446e829afa5c7e33f4dd2233e096a492bdf3a82eb0eeacfafb69bdecbf

    SHA512

    63fff0338d325f63431004f0fdf9e21a570536c1ac95ccd3f8a33c065d29d35d524ef6e2e5878d3986109e681480c03c2311b2447611003850d381bae4707667

    Download Submit

  • \Users\Admin\AppData\Roaming\Qt5Gui.dll
    Filesize

    6.2MB

    MD5

    34893cb3d9a2250f0edecd68aedb72c7

    SHA1

    37161412df2c1313a54749fe6f33e4dbf41d128a

    SHA256

    ca8334b2e63bc01f0749afeb9e87943c29882131efe58608ea25732961b2df34

    SHA512

    484e32832d69ec1799bd1bcc694418801c443c732ed59ecd76b3f67abf0b1c97d64ae123728dfa99013df846ba45be310502ef6f8da42155da2e89f2a1e8cb2c

    Download Submit

  • \Users\Admin\AppData\Roaming\Qt5Network.dll
    Filesize

    1.3MB

    MD5

    f67158af74ae88a8115392fa850f2295

    SHA1

    09f05b777a9abbc4a0be9526dfa4e064727e7be3

    SHA256

    eb04b4ac38fc535162733401bdf3198ab966f5646c7d27ff5846db0c682b674a

    SHA512

    ecd9881569697866eafc9188467314c5dacc4ad40ea8b2bdd8614885f75eae8be6764b582a47cf202a4e564e513e7e4ca015287f9dae080608dbcd40578a9d5e

    Download Submit

  • \Users\Admin\AppData\Roaming\Qt5PrintSupport.dll
    Filesize

    316KB

    MD5

    d0634933db2745397a603d5976bee8e7

    SHA1

    ddec98433bcfec1d9e38557d803bc73e1ff883b6

    SHA256

    7d91d3d341dbba568e2d19382e9d58a42a0d78064c3ad7adfe3c7bb14742c2b1

    SHA512

    9271370cd22115f68bd62572640525e086a05d75f5bc768f06e20b90b48a182f29a658a07099c7bc1e99bf0ffcf1229709524e2af6745d6fed7b41c1addd09f1

    Download Submit

  • \Users\Admin\AppData\Roaming\Qt5Widgets.dll
    Filesize

    5.3MB

    MD5

    c502bb8a4a7dc3724ab09292cd3c70d6

    SHA1

    ff44fddeec2d335ec0eaa861714b561f899675fd

    SHA256

    4266918226c680789d49cf2407a7fec012b0ed872adafb84c7719e645f9b2e6d

    SHA512

    73bef89503ce032fba278876b7dab9eac275632df7a72c77093d433c932272da997e8fbeb431a09d84baac7b2ab2e55222ff687893311949a5603e738bfa6617

    Download Submit

  • \Users\Admin\AppData\Roaming\mmtool.exe
    Filesize

    1.1MB

    MD5

    6be9244f9e5415bf04efbc441d2ccbd8

    SHA1

    a37872d43b01dc39a28bb086ffb066c2f5bf735a

    SHA256

    28049163fd1e3423c42b229a5f6ed877f14e7caf3b794bf7efb970b375e6ff41

    SHA512

    3952c7d52fde8a196561c804bcc660986a01243415ea9aad293c74eac6fbd8d330851a118dd13b48df0ec6cc3999c5f09c696d40763b14ec279139a26ccab639

    Download Submit

  • \Users\Admin\AppData\Roaming\msvcp140.dll
    Filesize

    557KB

    MD5

    7db24201efea565d930b7ec3306f4308

    SHA1

    880c8034b1655597d0eebe056719a6f79b60e03c

    SHA256

    72fe4598f0b75d31ce2dc621e8ef161338c6450bb017cd06895745690603729e

    SHA512

    bac5729a3eb53e9bc7b680671d028cabef5ea102dfaa48a7c453b67f8ecb358db9f8fb16b3b1d9ea5a2dff34f459f6ac87f3a563c736d81d31048766198ff11e

    Download Submit

  • \Users\Admin\AppData\Roaming\vcruntime140.dll
    Filesize

    96KB

    MD5

    f12681a472b9dd04a812e16096514974

    SHA1

    6fd102eb3e0b0e6eef08118d71f28702d1a9067c

    SHA256

    d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

    SHA512

    7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

    Download Submit

  • memory/584-113-0x0000000077740000-0x00000000778E9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/584-160-0x0000000074FC0000-0x0000000075134000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/888-169-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/888-168-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/888-167-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/888-166-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/888-163-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/888-162-0x0000000077740000-0x00000000778E9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1352-3-0x0000000000400000-0x0000000000707000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1352-0-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1632-50-0x0000000000400000-0x0000000000707000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2012-110-0x000007FEF5710000-0x000007FEF5868000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2012-109-0x000007FEF5710000-0x000007FEF5868000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2012-104-0x000007FEF6700000-0x000007FEF6C4E000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2920-74-0x000007FEF5840000-0x000007FEF5998000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2920-69-0x000007FEF6700000-0x000007FEF6C4E000-memory.dmp

    Filesize

    5.3MB

    Download