Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    19-12-2024 22:41

General

  • Target

    d2729f574a3ba69a10c00a5992986226.exe

  • Size

    1.7MB

  • MD5

    d2729f574a3ba69a10c00a5992986226

  • SHA1

    827b50066bf4509c1f293f2e2170b86070f3bcd6

  • SHA256

    2027658fe07e8ef66d192bf1697cf0d9e91f9813ded69da4408747fb3724b3ec

  • SHA512

    7bc28a41cc7c61dfc1eb205d7b46da0c9453ce7424fe8eceade72fb5429ac08f72b67b77bdc72df3aaac755bb037808f7714a5334c9e5c541d55fead4df279ca

  • SSDEEP

    49152:f4yTKXSSgG7DpdzSzn2Y2+TITsGWgECdytvV9iSkbwrsK+ZTF4ShJtO:AyeSSgG7Dpdzm2YusGW/CqvV94w02iHO

Malware Config

Extracted

Family

remcos

Botnet

clavelse

C2

navegacionseguracol24vip.org:3021

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    registros.dat

  • keylog_flag

    false

  • keylog_folder

    data

  • mouse_option

    false

  • mutex

    mzbxvvcmmzbcbbzmzncbxbx-1YWF5B

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Capturas de pantalla

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1188
      • C:\Users\Admin\AppData\Local\Temp\d2729f574a3ba69a10c00a5992986226.exe
        "C:\Users\Admin\AppData\Local\Temp\d2729f574a3ba69a10c00a5992986226.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2492
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c copy Cab Cab.cmd & Cab.cmd
          3⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2916
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2640
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "opssvc wrsa"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2648
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:432
          • C:\Windows\SysWOW64\findstr.exe
            findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2176
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 638933
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2344
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V "Chosen" Bugs
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2096
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b ..\Wichita + ..\Sign + ..\Idol + ..\Lauren + ..\Rice + ..\Bold + ..\Loops + ..\Shore + ..\Marie g
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1916
          • C:\Users\Admin\AppData\Local\Temp\638933\Beth.com
            Beth.com g
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:544
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2392
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c schtasks.exe /create /tn "Config" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SecureScope Dynamics\CyberScope.js'" /sc minute /mo 5 /F
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /create /tn "Config" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SecureScope Dynamics\CyberScope.js'" /sc minute /mo 5 /F
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2560
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberScope.url" & echo URL="C:\Users\Admin\AppData\Local\SecureScope Dynamics\CyberScope.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberScope.url" & exit
        2⤵
        • Drops startup file
        • System Location Discovery: System Language Discovery
        PID:2572

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\data\registros.dat

      Filesize

      184B

      MD5

      fc76bbfab4a07f4c7da415a6a4bcc24d

      SHA1

      de0079bb5fa7957a9528806ee40bd1ac8955174d

      SHA256

      caa2454fa10f9347dda09e78b45957486cbaa17de361026fd144f1a0992da7b6

      SHA512

      1845ae745f6daf809c0db629ed3b15ecd39c20b889712ae365cc50b485935bca93a095c372bd324f6dbdc1ab859c09ad3bfa5a692619a33a40530ed8fc83f2d7

    • C:\Users\Admin\AppData\Local\Temp\638933\g

      Filesize

      688KB

      MD5

      113965f1186bd15cda1811e65b6e617e

      SHA1

      92257a886927d514aa62a33de95eafcbf47b4e73

      SHA256

      484a1f01ca5b64ed9804f008c681621e546a2db7481d182c77ddd33543b933e7

      SHA512

      fe24fdcd84eb35eaffe507e7bd1d8d36014db9067144f0308810770cb06dbbf0d0f8919ef57b8dd2703412f398ea85d1bcf47c3ccd0d03ed224495a992b6d55c

    • C:\Users\Admin\AppData\Local\Temp\Bold

      Filesize

      61KB

      MD5

      154fcc1926f23a7cc005231522018ef9

      SHA1

      3e661eb13b7c61e3e4880ca3ebda7883106c5f83

      SHA256

      c6b562b5d0241c9823116ecf30ff42d3e764755264e26fe32445c4dfb346a6ba

      SHA512

      df382b9255344006a98042fad3bdb3c6dc6d729ccd8af28005623ca9f15ffe18f0697e2db31d652301919b17c6411ef608d4cdcf5a637a1df96c27c597d85a4c

    • C:\Users\Admin\AppData\Local\Temp\Bugs

      Filesize

      228B

      MD5

      fcde92646ff6c8858c7d14c72c9bf637

      SHA1

      6035e678601d7ee7889e7b2b8f08d6c0f0fcc853

      SHA256

      7bef0873884ecee61479fa19c16b8be130f8f3a6632e7db21f64eaa29d1396d3

      SHA512

      d3654cc54b2fac9320d582c0fec712f1ba4cf28638df4308a9ee530ef7f8a65f4e1b0924526a237787dcf49f25f5478285390b1dec14991031cb76297f1072d8

    • C:\Users\Admin\AppData\Local\Temp\Cab

      Filesize

      23KB

      MD5

      84506d06b109d7d9dc0839143b36c73d

      SHA1

      434ad989df76562bf96e5d496e118be25954812e

      SHA256

      76eb7f16f100d734613b4c0dd65a8da8687e483fc70ae22f8d3a098e5d4e310e

      SHA512

      56d0d301ecc17c5d412a26dd54520a51033c00b63aae5b191a7666e007c73ab1b473dea7c154cc9d05d570d008abd39f5b3b720de36f576dec408c8ececc5835

    • C:\Users\Admin\AppData\Local\Temp\Cleveland

      Filesize

      126KB

      MD5

      11bd51fa971c1276ecae00673dd837e5

      SHA1

      7ac636664ae40e11320addc09c9b8b0ce7da4207

      SHA256

      a8d4115cc3cf5f812b7ee9ea1c8e470a43405a5fe2760f691de1176fad08752e

      SHA512

      8ceebe937a987eae6996e7a01b7bcccd0e54d09b89a964546a39e294082ff000f2c81b25d75b71f5695a1e5618558e531b7f454c091e7945d5b5a6085da4a643

    • C:\Users\Admin\AppData\Local\Temp\Closure

      Filesize

      85KB

      MD5

      1a36e317ebeb7f01f600e97f5eb12b30

      SHA1

      a1d60dd976d7329d5b92836ddf320fdf1133e453

      SHA256

      6613609608cc9b0e060b04a697c81ad869f247dbdd8bdfddf73a9e866cadf3cb

      SHA512

      0f219d07d39a903ed346d43e21d5291d3a62ac6309ca5c6cb3caea5f2a698cf051bd047e02d26b012b32ffcdd6764f68089c8f43835b52f4e88f279c20ea0ce2

    • C:\Users\Admin\AppData\Local\Temp\Disagree

      Filesize

      113KB

      MD5

      026a05da4ca3559ccbee96e3e5a0fc27

      SHA1

      4b7a00966c781f275fc28d22a5ef2a1ef225138c

      SHA256

      189664f109f51f6eabe4eadf261ab21ac5ee4c28387bd931bd49501c46973f8c

      SHA512

      ab54b3fa23a6d9cca3f13e42f721fc207c719ff9faba3e067ff2ac02715666793677eb5c616db0c57040055980cc3e653b63064e2240ba874ea2c5495c50aaf6

    • C:\Users\Admin\AppData\Local\Temp\Entering

      Filesize

      134KB

      MD5

      359bca215485f8df98b4e0687a0b3bde

      SHA1

      4122ae38ae0a27f7dd4ee2cb0b9ccf38be3c8524

      SHA256

      f8f4061410eab9a0ba5d7577bdbe74098695e0e43e8f8df5341d742671b1b6fa

      SHA512

      b2ff85f671c89da192b9389284af416aaa3a963adff920dc9e88a6e5b6a60a720a14e2f08bc3e1b691cc9597a788142da19171c181826cf34586297f0f4bedf8

    • C:\Users\Admin\AppData\Local\Temp\Idol

      Filesize

      83KB

      MD5

      664cfa35657a413aef85cc6f643235c6

      SHA1

      316b5c4f887d4f7a69499d73171308b9eeeec7e2

      SHA256

      b60cac283c1f1c121e35d03b9cbf1a79ce754efa7c1b1aabbf6f70980dda1d61

      SHA512

      649fea55bdc2d395b317248c2c30e3276ac6c0ce716e5f842335016caf23338e19a70682b6440d54b7eb4393ff6cc22182850fd98b4ce86c351e76f20463f1ed

    • C:\Users\Admin\AppData\Local\Temp\Lauren

      Filesize

      58KB

      MD5

      2a452fe74151932e5e599994d7c70239

      SHA1

      0f3370406bd21af1d26c73c0d8cf5b10c64afc29

      SHA256

      00a70934b7f5f308e923560d9e16ffdddcc115df336a3998eeca01b7097905f7

      SHA512

      488ce3472485071ac846835f2252e83cd082474bf4d4e7db1800cefac3c67d9a32a8b3c4a9ab6a7a2c081cc6c9f3c8d09fc8656c4d9845296c1f8c659b59d160

    • C:\Users\Admin\AppData\Local\Temp\Loops

      Filesize

      57KB

      MD5

      5055ee8cb0da98c3c39e96c4a4088c0d

      SHA1

      60c6ba91201b7813f674f955cc51ae684a51838f

      SHA256

      221c670740c26cac8eefa85ddb50d9314935b5cb63c857f520ec18053c53dd31

      SHA512

      d73a72bfa3170d435543f8d23794cf674a5d0475701098b756362ebfecf8dc840b1782311b21fba48e398b61b8d8e2c2e3ca1e8e4fa958c83fb319a56806fcec

    • C:\Users\Admin\AppData\Local\Temp\Marie

      Filesize

      89KB

      MD5

      c71881c4532c63effd02808f037de211

      SHA1

      097283dc3bf33937a2bdb348791070e24e132525

      SHA256

      9175d28f49bf4cdd5f91fef049387c8b2d1d4f90f528f75cac67731f0e6e4a77

      SHA512

      a4ef200e4ea6d119dfae7c163629b5ffc72364ae4cb2546665a93d00b37f27206903fca87ce4467648c8ea010ab0249d5197a10d17528e33c33ca91ccd827970

    • C:\Users\Admin\AppData\Local\Temp\Nearby

      Filesize

      123KB

      MD5

      559d4f0dea25fe10e552c77f2e1b716c

      SHA1

      9a67e889666472700d71e783f8e85794d3a9945d

      SHA256

      656587b8ca8c26785b3b59059dc1e3373a1a9bf2b6e253ea8a04c5263e7511c1

      SHA512

      859a4b6ef35f5535c8a0f9b3a26e715668fdd626b953da3a6e0044dbd1012b23ef420cf204c3812710b96ec216c444a269929953abcf9a2c883ba06f239a6c3e

    • C:\Users\Admin\AppData\Local\Temp\Prime

      Filesize

      81KB

      MD5

      48d977581d70b4d8eb274100c5c7ab0b

      SHA1

      8e007ee20bb4e9154f65516dad309d773054cd3d

      SHA256

      cd4a445bdebd3b5cf3425306f0db7fc8f88fc09116fa725101afe66b9c3e3b53

      SHA512

      3b97b910d03acc43823b1d959f06054a96f97561fe0fcba0900ed2d998d928ca64a8edbd04078d438a11b9195ebdaeb6711abbc140eb66187b37b5596875f2f0

    • C:\Users\Admin\AppData\Local\Temp\Rice

      Filesize

      96KB

      MD5

      bdc13282c79460c2ba1e0ef20f4e5e81

      SHA1

      cf8afb3ed54647e5c40e255e10d25b2995d48eed

      SHA256

      599e91b463faaa46f894fdf81f2835bd78317573eb0d68f43a152187fb6e0d4c

      SHA512

      9e54618e9c966b3b6083807c7a3ef524141d5890c00c9e779eef2b632921bb9f7258b91db6854cae0b373637a1989dfe85da98ca680055e1359bc31be00133cd

    • C:\Users\Admin\AppData\Local\Temp\Selection

      Filesize

      102KB

      MD5

      8645ee059f7491c27b56f84f572a1aed

      SHA1

      bee65d077acb41bde50e37dbde02b1b5841fd7b2

      SHA256

      b1a0d20f4ce8bae90d73cf0de11591223e6aa6a147a38fedbb726f43de03b319

      SHA512

      9b12c47e13467ad25b0f88cf6b4546232c48e5178b9dcc59cb909da03338d44c5b92ef64fcc0c98e28908b74e4bf5e299b67b7ca66bc35cfa2639352929167a1

    • C:\Users\Admin\AppData\Local\Temp\Shore

      Filesize

      90KB

      MD5

      55295b4fa65ecdf193b67f66ec43b2d2

      SHA1

      4dc8234a65bb0bd4b53050916479fe46937347d4

      SHA256

      096fb31fbadb5b88a84667c8b697ab4cd879056af190f7b7f6a61ac1c319fab2

      SHA512

      27d93f91351216e6d41756303f7e894ffe50561a544278c7a13fd5e033fcb0edc79657b346bfbb7fe6d25c754e2b5c0ccc6b462167be478c6675d30cb7c88c8d

    • C:\Users\Admin\AppData\Local\Temp\Sign

      Filesize

      76KB

      MD5

      0306260a6bc38aa5dbd8948e5440bf61

      SHA1

      7baf4cec13e1fbb2298252381b11d5526efd27b6

      SHA256

      481ab5460a952bc0b5016d38584bb37e9df49ac8b565b1b9ff58e6f9e479362d

      SHA512

      8d8705d33090717b0c22d28432d71ad384d6157bd6bd91c2f0b130e0ff99b360f6eaf60c61941b76854ecb5040cf369de85d07f6d61557c396a03818d1332991

    • C:\Users\Admin\AppData\Local\Temp\Tables

      Filesize

      92KB

      MD5

      40f119370af8f62616fcb5d6fd9cb7b5

      SHA1

      33c64ec1dffaa51741721a353e05f4b27723dea0

      SHA256

      556fe900a4fc1b0ebdf401d9743c2e74c0ac165b0361c5ef16b597e74ef8111f

      SHA512

      40e9246b536e07740bc0eca56e6774028a679d08163ae9a4ffa03d1321296ac593e8ff9d6e2a30df47c74779359fcec914ad12e9567f463aa1761e445f0909b8

    • C:\Users\Admin\AppData\Local\Temp\Veterans

      Filesize

      68KB

      MD5

      9ca2b08cae1ea5ebdcb5a4883d863c3e

      SHA1

      0dd9890ed8bd7ce9bd577d8f9a3db528aba1088a

      SHA256

      e755fbd1474ccb45aa18c0a97eef322c71bcd6714dfb4d030d5a55b7fa9c3c30

      SHA512

      c3193a8634f8ca91e136cf4b4c094f82f2342134fc4deab6b5cce4ca6f154442a1ef9cc27adb7f8782867b42cdd209dbe3dd76e6fe507acb785fe805fdb57dbe

    • C:\Users\Admin\AppData\Local\Temp\Wichita

      Filesize

      78KB

      MD5

      39bd7cdda87195136f91ecc649988a42

      SHA1

      4e1e70cdf5254d59823aaa0955c518f9a38929c7

      SHA256

      f2aee101cecb321c781e68964e3fb1b2172b2f7494ed040c659988e989264a21

      SHA512

      309ffa953e5ca568989bfa176f797b295c0cdc22c7876861a7f3800cfe7e76edff77c49456c39914cd343a3894ee52e39400fe90e8bcc1edc1845728a12dcac1

    • \Users\Admin\AppData\Local\Temp\638933\Beth.com

      Filesize

      925KB

      MD5

      62d09f076e6e0240548c2f837536a46a

      SHA1

      26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

      SHA256

      1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

      SHA512

      32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

    • memory/544-555-0x0000000003F50000-0x0000000003FCF000-memory.dmp

      Filesize

      508KB

    • memory/544-556-0x0000000003F50000-0x0000000003FCF000-memory.dmp

      Filesize

      508KB

    • memory/544-557-0x0000000003F50000-0x0000000003FCF000-memory.dmp

      Filesize

      508KB

    • memory/544-558-0x0000000003F50000-0x0000000003FCF000-memory.dmp

      Filesize

      508KB

    • memory/544-559-0x0000000003F50000-0x0000000003FCF000-memory.dmp

      Filesize

      508KB

    • memory/544-560-0x0000000003F50000-0x0000000003FCF000-memory.dmp

      Filesize

      508KB

    • memory/544-563-0x0000000003F50000-0x0000000003FCF000-memory.dmp

      Filesize

      508KB

    • memory/544-564-0x0000000003F50000-0x0000000003FCF000-memory.dmp

      Filesize

      508KB

    • memory/544-566-0x0000000003F50000-0x0000000003FCF000-memory.dmp

      Filesize

      508KB

    • memory/544-565-0x0000000003F50000-0x0000000003FCF000-memory.dmp

      Filesize

      508KB

    • memory/544-567-0x0000000003F50000-0x0000000003FCF000-memory.dmp

      Filesize

      508KB

    • memory/544-573-0x0000000003F50000-0x0000000003FCF000-memory.dmp

      Filesize

      508KB

    • memory/544-572-0x0000000003F50000-0x0000000003FCF000-memory.dmp

      Filesize

      508KB

    • memory/544-554-0x0000000003F50000-0x0000000003FCF000-memory.dmp

      Filesize

      508KB

    • memory/544-581-0x0000000003F50000-0x0000000003FCF000-memory.dmp

      Filesize

      508KB

    • memory/544-580-0x0000000003F50000-0x0000000003FCF000-memory.dmp

      Filesize

      508KB

    • memory/544-589-0x0000000003F50000-0x0000000003FCF000-memory.dmp

      Filesize

      508KB

    • memory/544-588-0x0000000003F50000-0x0000000003FCF000-memory.dmp

      Filesize

      508KB