Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-12-2024 14:01

General

  • Target

    .pdf.exe

  • Size

    1.7MB

  • MD5

    e64509a606fef02334a4b20d3da84ecf

  • SHA1

    4277ab565325593bd91dea95976942f3b636747c

  • SHA256

    94e4256177777422e7ca3282075bb34480c9e235a1c5f3209918abfe1f341697

  • SHA512

    c7c5f8319ffb2a13cc424f8da11f0c0f794fb6496995d90a30222a9da71b882cffbf6d21343713d074cd7e1aaf3c2286998532cda50d77d6380395613a0f2317

  • SSDEEP

    24576:m+e9sK6m7r7RXyzS0MzK8Y82mTn1fLSfl/AQB/Wa5zZtur9THsm7xqEBvBDNis:pe9iG/dyuzHYW14ZAQBlZtur9THNtvj9

Malware Config

Extracted

Family

remcos

Botnet

rmc_fo

C2

101.99.94.64:2404

101.99.94.64:80

101.99.94.64:8080

101.99.94.64:465

101.99.94.64:50000

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    rmc

  • mouse_option

    false

  • mutex

    fojdjjeuJJJnd-LZ12B2

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Remcos family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3500
      • C:\Users\Admin\AppData\Local\Temp\.pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\.pdf.exe"
        2⤵
        • Checks computer location settings
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1084
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c move Modes Modes.cmd & Modes.cmd
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1040
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1876
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "opssvc wrsa"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:5040
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1644
          • C:\Windows\SysWOW64\findstr.exe
            findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1660
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 159893
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2152
          • C:\Windows\SysWOW64\extrac32.exe
            extrac32 /Y /E Beastiality
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3220
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V "Patrick" Episode
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3588
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b ..\Proceedings + ..\Deviation + ..\Ds + ..\Lived + ..\Formed + ..\Twiki + ..\Shoot + ..\Retrieval + ..\Pounds + ..\Roland H
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1108
          • C:\Users\Admin\AppData\Local\Temp\159893\Held.com
            Held.com H
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Deletes itself
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:732
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3200
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureKey.url" & echo URL="C:\Users\Admin\AppData\Local\GuardKey Solutions\SecureKey.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureKey.url" & exit
        2⤵
        • Drops startup file
        • System Location Discovery: System Language Discovery
        PID:408
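
    The process tree above is a compact loader chain: an extensionless drop is renamed to a .cmd and run, tasklist output is grepped for security-product process names, a CAB is unpacked with extrac32, ten chunk files are reassembled with copy /b, the result is handed to a .com in a fresh Temp subdirectory, choice /d y /t 5 is used as a sleep, and persistence is a .url written into the Startup folder. The following is an added example, not part of the sandbox report, that turns each of those steps into a heuristic rule and runs the rules over constructed process-creation events mirroring the report's command lines. The event fields (parent_image, image, cmdline) are an assumption loosely modelled on Sysmon Event ID 1; map them to your own log schema.

```python
# Added example (not part of the sandbox report): heuristic rules for the
# loader chain in the process tree above, run over constructed process-creation
# events. The event fields (parent_image, image, cmdline) are an assumption
# loosely modelled on Sysmon Event ID 1; map them to your own log schema.
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    cmdline: str


# Security-product process names the sample greps for with findstr (from the report).
AV_PROCESS_NAMES = {"opssvc", "wrsa", "avastui", "avgui", "bdservicehost",
                    "nswscsvc", "ekrn", "sophoshealth"}


def rule_av_probe(e: ProcEvent) -> bool:
    """findstr invoked with two or more known security-product process names."""
    if not e.image.lower().endswith("\\findstr.exe"):
        return False
    tokens = {t.lower() for t in re.findall(r"[A-Za-z0-9_]+", e.cmdline)}
    return len(tokens & AV_PROCESS_NAMES) >= 2


def rule_rename_to_cmd(e: ProcEvent) -> bool:
    """'move X X.cmd & X.cmd': an extensionless drop renamed to a script and run."""
    return re.search(r"\bmove\s+(\S+)\s+\1\.cmd\b", e.cmdline, re.I) is not None


def rule_cab_extract(e: ProcEvent) -> bool:
    """extrac32 /E on an extensionless file, spawned by cmd.exe."""
    if not e.image.lower().endswith("\\extrac32.exe"):
        return False
    m = re.search(r'/E\s+"?([^"\s]+)', e.cmdline, re.I)
    return (m is not None and "." not in m.group(1)
            and e.parent_image.lower().endswith("\\cmd.exe"))


def rule_copy_concat(e: ProcEvent) -> bool:
    """copy /b with three or more '+' joins: a payload reassembled from chunks."""
    return re.search(r"\bcopy\s+/b\b", e.cmdline, re.I) is not None and e.cmdline.count("+") >= 3


def rule_com_from_temp(e: ProcEvent) -> bool:
    """A .com executable launched from a user Temp directory."""
    img = e.image.lower()
    return img.endswith(".com") and "\\appdata\\local\\temp\\" in img


def rule_choice_sleep(e: ProcEvent) -> bool:
    """choice /d <x> /t <n>: a batch-file sleep that avoids timeout.exe or ping."""
    return (e.image.lower().endswith("\\choice.exe")
            and re.search(r"/d\s+\S+\s+/t\s+\d+", e.cmdline, re.I) is not None)


def rule_startup_url(e: ProcEvent) -> bool:
    """[InternetShortcut] echoed into the per-user Startup folder (persistence)."""
    c = e.cmdline.lower()
    return "[internetshortcut]" in c and "\\start menu\\programs\\startup\\" in c


RULES: List[Callable[[ProcEvent], bool]] = [
    rule_av_probe, rule_rename_to_cmd, rule_cab_extract, rule_copy_concat,
    rule_com_from_temp, rule_choice_sleep, rule_startup_url,
]


def detect(events: Iterable[ProcEvent]) -> List[Tuple[str, ProcEvent]]:
    """Return (rule name, event) for every rule that fires on every event."""
    return [(rule.__name__, e) for e in events for rule in RULES if rule(e)]


def triggered_rules(events: Iterable[ProcEvent]) -> set:
    return {name for name, _ in detect(events)}


CMD = r"C:\Windows\SysWOW64\cmd.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureKey.url"

# Constructed events that mirror the command lines in the report's process tree.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\Admin\AppData\Local\Temp\.pdf.exe", CMD,
              r'"C:\Windows\System32\cmd.exe" /c move Modes Modes.cmd & Modes.cmd'),
    ProcEvent(CMD, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'),
    ProcEvent(CMD, r"C:\Windows\SysWOW64\extrac32.exe", "extrac32 /Y /E Beastiality"),
    ProcEvent(CMD, CMD, r"cmd /c copy /b ..\Proceedings + ..\Deviation + ..\Ds + ..\Lived"
                        r" + ..\Formed + ..\Twiki + ..\Shoot + ..\Retrieval + ..\Pounds + ..\Roland H"),
    ProcEvent(CMD, r"C:\Users\Admin\AppData\Local\Temp\159893\Held.com", "Held.com H"),
    ProcEvent(CMD, r"C:\Windows\SysWOW64\choice.exe", "choice /d y /t 5"),
    ProcEvent(r"C:\Users\Admin\AppData\Local\Temp\.pdf.exe", CMD,
              f'cmd /k echo [InternetShortcut] > "{STARTUP}" & echo URL="C:\\Users\\Admin\\AppData\\Local\\GuardKey Solutions\\SecureKey.js" >> "{STARTUP}" & exit'),
]

# Constructed benign control: an administrator grepping a log file.
BENIGN_EVENT = ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\findstr.exe",
                         r'findstr /i "error" C:\logs\app.log')

if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS + [BENIGN_EVENT]):
        print(f"{name:20s} {ev.image}  ::  {ev.cmdline[:60]}")
```

    Each rule on its own is noisy (choice /t is common in legitimate batch files, copy /b is used by build scripts); the value is in correlation: several of these firing under one cmd.exe parent within seconds, with the final executable living in a fresh %TEMP% subdirectory, is the pattern worth alerting on. The findstr rule keys on the product names the sample itself searches for, so extend AV_PROCESS_NAMES with whatever your fleet actually runs.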

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\rmc\logs.dat

      Filesize

      144B

      MD5

      6a8c1762fd6101fcc8a79cb47f7d904c

      SHA1

      be57ca8c0ec55c3303b9fe369056c98fc16c1269

      SHA256

      66ea0ae8b471f4892cbdd8d4e8ec9b61815bbda02496236d541ace941115c71f

      SHA512

      8dc54e5a9cb6160eb308c0aa53dd4add91add195f22a4f48b976904890b0aa0cd636adc6af4d409f240be75382fef665d964c8f518b059d273b860c50ed255a4

    • C:\Users\Admin\AppData\Local\Temp\159893\H

      Filesize

      706KB

      MD5

      76bafda97331767c5b8b7a0e43a9599b

      SHA1

      886e0f943fb4db8c3364a17a397248b3fddc0465

      SHA256

      ece19359d4a00f3044836574e0822e68e6a2e998df88d3e520273a57384dd500

      SHA512

      d72ca49b0a6b726da5bd9e443831dfc73faa4d28b95e1dd42a7c4e47c2da1a741760065e6e194bb52eaed5bcfcff4fe728df3518723c6e27a4d540a6df2f8e79

    • C:\Users\Admin\AppData\Local\Temp\159893\Held.com

      Filesize

      925KB

      MD5

      62d09f076e6e0240548c2f837536a46a

      SHA1

      26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

      SHA256

      1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

      SHA512

      32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

    • C:\Users\Admin\AppData\Local\Temp\Beastiality

      Filesize

      476KB

      MD5

      d621fcd09da6814a53b15876ccba0abe

      SHA1

      5ca5cc9205012129fce9113e0ef0b1f61b619afd

      SHA256

      d825c78148de5e945eecf001fb997cd834874629cffc9f50e47281cb55092cf5

      SHA512

      17a8ed82c7682184a8653bd9ca01939ab456deae006cc4e60db1a0586bc36a96ab9a2216f3de761aca4a6d54682ff695f1be96ef52be44af8cb53ff0c8ca91b8

    • C:\Users\Admin\AppData\Local\Temp\Belle

      Filesize

      112KB

      MD5

      8ca9a025294269cfba53e50219a81ac0

      SHA1

      fdf5e3a40f5d7bd4ea9672107479a1f8063b2b74

      SHA256

      802ed1eade5979fa97a2d58f124be2c960b63f5b058f353099f8f8d476b4767c

      SHA512

      7542dc4b8aaf0bf5549242b001eccfbc8deabeea44f7106853ea69a33062b59c0d4c8f0c1d34a98e5b9dd3facd387ddd3f604d944b660213360b9e96bc123ca3

    • C:\Users\Admin\AppData\Local\Temp\Deviation

      Filesize

      50KB

      MD5

      8124f527dbff7a5cc677b149cb356730

      SHA1

      a97b08df47c71280627bb55ab96b23df75c42648

      SHA256

      9457ed336a38e78b4138e6d26f878253da4c307a243e4b139c9e88d727a460ce

      SHA512

      0cc9c801a728f83a37472417da7863f84e3df6b3e0c8b762b15ca795abecbbc840abe2b0cd076ceebfd11ea0a32e89eae7ebdc623f9983ced25f07b888c87940

    • C:\Users\Admin\AppData\Local\Temp\Ds

      Filesize

      93KB

      MD5

      c28da53f6bbf741fe9e0c043e65aaff4

      SHA1

      5c5e9d0d72a438f6a82f5c397cb963f943b32fb1

      SHA256

      9722ae27da0176b101d20c5dc6147568d4444e9787d34fa3cf59590a127dc059

      SHA512

      43ee512b201a97aac7937f7d5d73c1d0fdc435539482e37d0ca003b080b66f983d88dbc6b8e3363dbc5051593251cbb52d894830b008c26e3d31c884cca0ee4a

    • C:\Users\Admin\AppData\Local\Temp\Episode

      Filesize

      1KB

      MD5

      d9e3e192edf72ce767f46fbe896089c4

      SHA1

      79406ba6bb66e5c0c2663986c166efdad0984381

      SHA256

      afc0efd869ea325703a26540f2cf237f20e93172e211994b9f0dd7a276ff7c66

      SHA512

      bdc0909b5a2ebf51560a739f1d10ebf1e583b4e2a0addc8112d693413ebc8fb452daeb0bbc2f57f231de22cc156b2535df36c262743f65b1502bddc0cb49db6a

    • C:\Users\Admin\AppData\Local\Temp\Exam

      Filesize

      125KB

      MD5

      0f4a0ee961c82926d8a1778069855b35

      SHA1

      79114551fd7abef7523a092ab598b60e56ab451b

      SHA256

      f80cf0617f6d4653994c386fb60e27ff609a028f4a4c3cdf21c2d308a94777e2

      SHA512

      1e81d9824231ab2aaba63d433688638655e3f46b51ad6392985d95707ccfba348a5a8c070031e90b4b1ae10278942d55141ab79b4755661be7a393a84aed0fb4

    • C:\Users\Admin\AppData\Local\Temp\Formed

      Filesize

      59KB

      MD5

      9a00f2c2cfbd773f135325f4965ea2a2

      SHA1

      9a9118b81a6fca0384571498a7bf77d6e16c517c

      SHA256

      d227c97e4c1714be49e7435d6dd021b008095c02dd6d89c1d173aec29ba7cf43

      SHA512

      7ed0cff72666081b67ae52b58a6cee74da59fbcd2566e907c7316b2e904e4be5bddac64f04cede064fc6fcc5a827e90a73bbb492e47825972e756b9e31ce2faa

    • C:\Users\Admin\AppData\Local\Temp\Limit

      Filesize

      143KB

      MD5

      395d6096adc5d6406c48e1aafc7fb9b5

      SHA1

      59e054ad78e96f5fefc6490b845ca59b6521bbb3

      SHA256

      e437f86bf1add3f4edb30939dc8c09a0383d82a42311a77499209a3695871731

      SHA512

      4eee1173cafdea958b4c94ffd1f0fac676414e37de0f54c0e85719f9b2d637d3c6ec49b15a1962692e947e4ce340db1515bf4bfe3cc689b180782cc84e9d90e6

    • C:\Users\Admin\AppData\Local\Temp\Lived

      Filesize

      74KB

      MD5

      821b9aa3c5a294a53eb5b4f1372b6b51

      SHA1

      b3505ada427e3e8056db3273ec9e763eda134ac4

      SHA256

      39948232580068ef60262bf6b3a1a71d3e3ea6ea105539cddb09a8f51f576e36

      SHA512

      66850e00173d670ed471dd7013bf67fdb6df3a1b7481f4f3721fc8c18ab50876a35170630ae85a380adf99ca2c8d45127f75b950587c991470bb10559f02d4c5

    • C:\Users\Admin\AppData\Local\Temp\Modes

      Filesize

      18KB

      MD5

      1200e3ecd7a3b7ec27e8e718aca1f694

      SHA1

      9ebb660ee1196bb429e8e99088a949b37b10df05

      SHA256

      88d7cfd10deadf841664fd1b470c35482410e710b1cbe922b6cd39a4a4985cac

      SHA512

      bf1f58316a16122bc3b17588c723bc79e30e37c62d5220dd883f3e61385efb04ecead33519a9360ec8145917da1259fa60c61ae005a0249022b6aa1b456415fa

    • C:\Users\Admin\AppData\Local\Temp\Momentum

      Filesize

      58KB

      MD5

      a995f1e756ba60704a0bc0695b3f6582

      SHA1

      42a9ce336c104c880f9428e47e997c5c1920972b

      SHA256

      400ee81db192007278b3153ab6a3dc8c2a654881a6c86ad1ecb32278e272f816

      SHA512

      e828bc2f302fa278df87e1d521ffe8d965b26c8ce78eba12034cc99f6e86f16c3a41bd20ace2d1484e959039c9c7fce27a588f7e2d8aee3498426e5ad2179098

    • C:\Users\Admin\AppData\Local\Temp\Once

      Filesize

      77KB

      MD5

      b70ab977308aa6edb2ccb7aef8d4f98b

      SHA1

      3e67f9a3f99a296c51c3146c7cba8c42353fe95d

      SHA256

      4a6e7b573c3be4d1c87beceba3a76ad4bc743b8eda49ba9a34e583e33957d311

      SHA512

      ed8ad6321b17fda8f9db45433b2de24e3886b12336fe7dab59c04317a1d1f521773c6f2e4e497216aeea986a2f642eeaad1285330d3d0e3195820564b61bf32c

    • C:\Users\Admin\AppData\Local\Temp\Pounds

      Filesize

      57KB

      MD5

      a73e519bcd9e1580c5e65054bdc226cf

      SHA1

      644ca96c3e8fd9a72d1635ececa35d94b9a8211c

      SHA256

      5319573e7da1f1abb3b7f744503330a281dc718e39e6c4024372fe0ec06f5021

      SHA512

      f2c22a525d9960c25ac45906ddec9f198d641a48920d254fcb6a9cc7f04edbc1ae58943720e6eb70e621cc9ccb3063abd841a6e8cdc32a129806a20310b66c91

    • C:\Users\Admin\AppData\Local\Temp\Proceedings

      Filesize

      81KB

      MD5

      e30687f056039896a1359173b4116e28

      SHA1

      ce6920da90cac568d3bdc099c7fd4c030251b2a8

      SHA256

      a5fbff0d21a6405c2c4ba6a5ac06384b03d410c7a19840b68031dedd75b5e14c

      SHA512

      c196f2190a95aaa431078ae4770166b54362f8d81e43b4b7c5fde72f8a00b0953cbad3d424bc05fadf08af1d073026085d3672987f527e9d6ba8c875448a7022

    • C:\Users\Admin\AppData\Local\Temp\Retrieval

      Filesize

      70KB

      MD5

      278c6dd8e3d5d995fe50eb916d200d02

      SHA1

      7ccc495e12e361bf0bb8dee291628c185d31c6a7

      SHA256

      819a54480238edc0229d4b0205644c29235db953a6131a705e7df1c6b7ae3ec4

      SHA512

      6a64f234db89de007715ff0f590df053f3f615c9148a25c2e9f473b75ed05bb9892722e649af2f7ee1c3ac8385c527c96380ef2c6ef3b9d1e53c91edddc745e0

    • C:\Users\Admin\AppData\Local\Temp\Roland

      Filesize

      49KB

      MD5

      c1620a46fef0bbed59c18556005b1986

      SHA1

      1e1600d89f142bc9cee8fd2f1afe61532db00d35

      SHA256

      ed88e0d31612bdecae0cf831fb04a2ba2869f446ec20071a71972f62dd4b8b30

      SHA512

      6acc752a7f91d5eab8150ba57e8e7263595f1b970acc13dcbd47f6569944f0154d65fad3fa23a823a878e820f8c6b71303b0f69f190ba90cbc948ef21c3bd59c

    • C:\Users\Admin\AppData\Local\Temp\Shoot

      Filesize

      95KB

      MD5

      fe61d20f8ea807d2d28d060a2e6acc1f

      SHA1

      87abd4bde99c223093b91ab0d6dcb6cddb5b5b6e

      SHA256

      1a471aafb9a68e0e4dc26d8f12568634ccdfe008ee97ee3894626b2b30caa3eb

      SHA512

      69dc3ec1e44578d05e926a78950260a3f048ded5db804aab331b1227b2e0baf2d876720cb69a29d25963a904d37533d9723db036759950b70a78456131b7c54d

    • C:\Users\Admin\AppData\Local\Temp\Sure

      Filesize

      17KB

      MD5

      38bef07193b527f40e7e71a0c771055d

      SHA1

      cb8faddaf8ee108f7779490e0f610ccad52b4719

      SHA256

      7cdcd51edaf581b298c0a08de9263bce67f370662dc6ca30ac4b10f4162ca362

      SHA512

      365d6e3ad4a9da5482931c94627bc5c4088acb41c00bb58f4fbf9677f9d38da1c95ac6ed0bd886db3e71f2961e9fb752eb99374fb68da2c52c4d1e6b017c7143

    • C:\Users\Admin\AppData\Local\Temp\This

      Filesize

      149KB

      MD5

      1eeff55b8944b597022edeab744c5cc6

      SHA1

      81cfe19c86b91c7f6c3206ca82a8ece25f47a8ba

      SHA256

      a04705cbdd2094d92f256730c9abda047025c915baa1d849a3d4d34934133b26

      SHA512

      fda32b08ebafffb52d2e64cc9417211353f69e899a6408dd311ec0185750b7aa59aa57a4a64f0e112e25f59a2780167bae03b804f70e0d0feb36f903a0ffa9f1

    • C:\Users\Admin\AppData\Local\Temp\Toll

      Filesize

      101KB

      MD5

      9b06ee62b4075ead9252bca0ab6b8e1f

      SHA1

      c5a46de8ebc0cf59b3e9d853a19d81e46b39db8e

      SHA256

      59e51175f590b56caa0fae3c0ac954fbf640da5cf5115e13acddcd3abcceae58

      SHA512

      d29cc82cfa31d2e1180b6b0b45b3edaf030b743e877468ee6cd4019ef24c893acfab92d9295cc5970d08ccbfd7f28d37ce82074ea24386a7260e58aeb4b82ff7

    • C:\Users\Admin\AppData\Local\Temp\Twiki

      Filesize

      78KB

      MD5

      6ec2d21cf20149100eafe4e40fa64c02

      SHA1

      e5a4642353bbea58657e8dbdf86d6f44daa8770d

      SHA256

      9dd82a22080a518bb655e69cfcafbc0409e6d31cd7314476e781993811e2ec30

      SHA512

      4379014c90b7737a6a8bb0723653091bb717f99730d66ae1f63ee66677a9160c6bd9dc90ebb8d9d8c72ba56de7300a379204e50ee84ad2da04b27a94198eb9c0

    • C:\Users\Admin\AppData\Local\Temp\Verde

      Filesize

      141KB

      MD5

      8db05bac1c4ae27f79f7f2db347b7c78

      SHA1

      a14626d92a263f61d6263c68b99c9c145757ed2a

      SHA256

      bbd7e676f193ba52d8a37acd1e586e69e6b498aeed8d35455141530aa8f61548

      SHA512

      6f8e9787fc3287d2953ffeb1014adc76fba466d3fce0a34a636708c45844be60403e25a45a627068bd60db32f76262474e2cea2e7e48171aa73e9a1c730367b6

    • memory/732-{78,79,80,81,82,83,84,87,88,89,90,91,93,99,100,107,108,115,116,123,124}-0x0000000007340000-0x00000000073BF000-memory.dmp

      21 dumps of the same region of PID 732 (Held.com), taken at successive snapshot indices

      Filesize

      508KB
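
    The Downloads list lets the reassembly step be checked arithmetically: the ten chunks named in the copy /b command line (Proceedings 81KB, Deviation 50KB, Ds 93KB, Lived 74KB, Formed 59KB, Twiki 78KB, Shoot 95KB, Retrieval 70KB, Pounds 57KB, Roland 49KB) sum to 706KB, which is exactly the size reported for 159893\H, the file Held.com is launched with. The following is an added example, not part of the sandbox report, that reproduces the copy /b concatenation in command-line order and compares the result against the hashes listed above for H. The chunk directory path is an assumption; the demo function uses constructed chunk bytes because the real chunks are not on this page.

```python
# Added example (not part of the sandbox report): reproduce the 'copy /b'
# reassembly from the process tree and verify the result against the hashes
# the report lists for 159893\H. Chunk order comes from the copy /b command
# line; sizes and hashes are the report's values. Paths are assumptions.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Order from: copy /b ..\Proceedings + ..\Deviation + ... + ..\Roland H
CHUNK_ORDER: List[str] = ["Proceedings", "Deviation", "Ds", "Lived", "Formed",
                          "Twiki", "Shoot", "Retrieval", "Pounds", "Roland"]

# Sizes in KB as listed under Downloads in the report.
CHUNK_SIZES_KB: Dict[str, int] = {
    "Proceedings": 81, "Deviation": 50, "Ds": 93, "Lived": 74, "Formed": 59,
    "Twiki": 78, "Shoot": 95, "Retrieval": 70, "Pounds": 57, "Roland": 49,
}

# Values the report gives for C:\Users\Admin\AppData\Local\Temp\159893\H.
EXPECTED_H = {
    "size_kb": 706,
    "md5": "76bafda97331767c5b8b7a0e43a9599b",
    "sha256": "ece19359d4a00f3044836574e0822e68e6a2e998df88d3e520273a57384dd500",
}


def expected_total_kb() -> int:
    """Sum of the listed chunk sizes; should equal the listed size of H."""
    return sum(CHUNK_SIZES_KB[name] for name in CHUNK_ORDER)


def reassemble(chunk_dir: Path, order: List[str] = CHUNK_ORDER) -> bytes:
    """Mimic 'copy /b a + b + ... H': raw concatenation in command-line order."""
    return b"".join((chunk_dir / name).read_bytes() for name in order)


def hashes(data: bytes) -> Dict[str, str]:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify(chunk_dir: Path) -> Dict[str, object]:
    """Reassemble real chunks (if you have them) and compare with the report."""
    data = reassemble(chunk_dir)
    h = hashes(data)
    return {
        "bytes": len(data),
        "md5_matches": h["md5"] == EXPECTED_H["md5"],
        "sha256_matches": h["sha256"] == EXPECTED_H["sha256"],
        **h,
    }


def demo_with_constructed_chunks() -> Dict[str, object]:
    """Offline demonstration with constructed (not real) chunk contents."""
    with tempfile.TemporaryDirectory() as d:
        chunk_dir = Path(d)
        expected = b""
        for i, name in enumerate(CHUNK_ORDER):
            blob = bytes([i]) * (i + 1)       # constructed, distinct per chunk
            (chunk_dir / name).write_bytes(blob)
            expected += blob
        data = reassemble(chunk_dir)
        # Reversing the order must change the output: copy /b is not commutative.
        reversed_data = reassemble(chunk_dir, list(reversed(CHUNK_ORDER)))
        return {
            "order_preserved": data == expected,
            "order_matters": reversed_data != data,
            "size": len(data),
            "sha256": hashes(data)["sha256"],
        }


if __name__ == "__main__":
    print("listed chunk sizes sum to", expected_total_kb(), "KB; H is",
          EXPECTED_H["size_kb"], "KB")
    print(demo_with_constructed_chunks())
```

    Run verify() against a directory holding the real chunk files to confirm they reproduce the listed H hashes; a mismatch means a chunk was modified, truncated or re-ordered relative to the sandbox run. Note that copy /b does not strip or add anything, so the SHA256 of H is simply the hash of the chunks back to back.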