Overview

overview

10

Static

static

3

39fe045b17...29.exe

windows7-x64

10

39fe045b17...29.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    17/11/2024, 01:15 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe

  • Size

    1.3MB

  • MD5

    5c44a72a49fe4fbc94f1c1aa8cbf0ab6

  • SHA1

    d0d0903f73b4aa11ee580fb6fd8d80775e6e88de

  • SHA256

    39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129

  • SHA512

    d92503e2ebbaa4e8728098cf6d0079de711a4f92663ad9db8583d848721818e4ecf3790a65253a0cd850c23eed8a46f98049a11f77b9f106344e501d124fbb97

  • SSDEEP

    24576:ctcKivRdWnSyEHyfE75BP/+mgWdm/bTLLK6:LKmXWSy6r2mgxv

Score
10/10
remcosslavesdiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

SLAVES

C2

windowslavesclient.duckdns.org:1604

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-J3MJAP

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe
    "C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 19 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Videoss" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Images.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 19
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2592
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Videoss" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Images.exe"
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2936
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 18 > nul && copy "C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe" "C:\Users\Admin\AppData\Roaming\Images.exe" && ping 127.0.0.1 -n 18 > nul && "C:\Users\Admin\AppData\Roaming\Images.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 18
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2896
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 18
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2788
      • C:\Users\Admin\AppData\Roaming\Images.exe
        "C:\Users\Admin\AppData\Roaming\Images.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2472

Network

  • flag-us
    DNS
    windowslavesclient.duckdns.org
    AddInProcess32.exe
    Remote address:
    8.8.8.8:53
    Request
    windowslavesclient.duckdns.org
    IN A
    Response
    windowslavesclient.duckdns.org
    IN A
    192.169.69.26
  • flag-us
    DNS
    windowslavesclient.duckdns.org
    AddInProcess32.exe
    Remote address:
    8.8.8.8:53
    Request
    windowslavesclient.duckdns.org
    IN A
    Response
    windowslavesclient.duckdns.org
    IN A
    192.169.69.26
  • flag-us
    DNS
    windowslavesclient.duckdns.org
    AddInProcess32.exe
    Remote address:
    8.8.8.8:53
    Request
    windowslavesclient.duckdns.org
    IN A
    Response
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    304 B
     88 B
     3
    2
  • 192.169.69.26:1604
    windowslavesclient.duckdns.org
    tls
    AddInProcess32.exe
    404 B
     88 B
     5
    2
  • 8.8.8.8:53
    windowslavesclient.duckdns.org
    dns
    AddInProcess32.exe
    228 B
     260 B
     3
    3

    DNS Request

    windowslavesclient.duckdns.org

    DNS Request

    windowslavesclient.duckdns.org

    DNS Request

    windowslavesclient.duckdns.org

    DNS Response

    192.169.69.26

    DNS Response

    192.169.69.26

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Roaming\Images.exe
    Filesize

    1.3MB

    MD5

    5c44a72a49fe4fbc94f1c1aa8cbf0ab6

    SHA1

    d0d0903f73b4aa11ee580fb6fd8d80775e6e88de

    SHA256

    39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129

    SHA512

    d92503e2ebbaa4e8728098cf6d0079de711a4f92663ad9db8583d848721818e4ecf3790a65253a0cd850c23eed8a46f98049a11f77b9f106344e501d124fbb97

    Download Submit

  • memory/2116-17-0x0000000000BC0000-0x0000000000D06000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2116-18-0x0000000000770000-0x000000000078A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2116-19-0x0000000000790000-0x0000000000796000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2472-54-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-56-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-83-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-22-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-28-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2472-30-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-26-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-24-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-33-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-34-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-35-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-36-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-37-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-38-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-39-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-40-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-41-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-42-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-43-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-44-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-45-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-46-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-47-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-48-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-49-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-50-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-51-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-52-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-53-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-20-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-55-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-82-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-57-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-58-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-59-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-60-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-61-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-62-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-63-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-64-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-65-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-66-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-67-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-68-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-69-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-70-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-71-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-72-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-73-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-74-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-75-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-76-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-77-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-78-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-79-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-80-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2472-81-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/2512-3-0x0000000073CC0000-0x00000000743AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2512-2-0x0000000000760000-0x00000000007A4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2512-1-0x0000000000150000-0x0000000000296000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2512-0-0x0000000073CCE000-0x0000000073CCF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2512-4-0x0000000073CCE000-0x0000000073CCF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2512-5-0x0000000073CC0000-0x00000000743AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2512-6-0x0000000073CC0000-0x00000000743AE000-memory.dmp

    Filesize

    6.9MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.