Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-12-2024 14:37

General

  • Target

    Required order.exe

  • Size

    1.2MB

  • MD5

    76d7147771fb4fcf69838261875d65e3

  • SHA1

    ee0313852c1035ea1f622ebd4212aa6d7ae7f95a

  • SHA256

    3eda013dd1e1d67954f12f703672f40fe6a9f2be940947dc9091ccca1f82d124

  • SHA512

    9f5ce27bfd3ac69bab06a3480d9659f05c1ac26a64652d423dcdcb879269e8b77571464ebb56d3ea60068b88b9939464d6cd4974edf4fe731c7488d1327ba231

  • SSDEEP

    12288:gl1oeyWwQ0Z570ZE5Uyn0kKcUj9t1PZQSlIGeUf6pI7Z1lVfQvbZPiQ1gBMiZYKS:kYWwQo6UAcajBr1eNMZ1DkbZPi14HBR

Malware Config

Extracted

Family

remcos

Version

3.2.1 Pro

Botnet

RemoteHost

C2

kamilaczap.myddns.me:8382

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-FDNGIO

  • screenshot_crypt

    true

  • screenshot_flag

    true

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Required order.exe
    "C:\Users\Admin\AppData\Local\Temp\Required order.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\mgtce.exe,"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 6
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2736
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\mgtce.exe,"
        3⤵
        • Modifies WinLogon for persistence
        • System Location Discovery: System Language Discovery
        PID:2692
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 8 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Required order.exe" "C:\Users\Admin\AppData\Roaming\mgtce.exe" && ping 127.0.0.1 -n 8 > nul && "C:\Users\Admin\AppData\Roaming\mgtce.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 8
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2028
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 8
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2592
      • C:\Users\Admin\AppData\Roaming\mgtce.exe
        "C:\Users\Admin\AppData\Roaming\mgtce.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
          "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2928
        • C:\Users\Admin\AppData\Local\Temp\Murgs.exe
          "C:\Users\Admin\AppData\Local\Temp\Murgs.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2472
          • C:\Users\Admin\AppData\Local\Temp\Murgs.exe
            "C:\Users\Admin\AppData\Local\Temp\Murgs.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2916

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Murgs.txt

    Filesize

    51B

    MD5

    13dec55eb1c27451b26a812b920d2634

    SHA1

    7da9263192c84cf4effcc522bf90e0558255f2c0

    SHA256

    215f89003a7bc877f7640b37538d5ca72cd59b8bd3eb6fa613428a9ff348f549

    SHA512

    c168df2f622321933fb2e1d4ddc7e53c6b40e9172006cd073b6faa9ec98de4a429c9ff7bc56c31b549bab2cfa261308cc08d1db28d451044197a579b27367fe7

  • C:\Users\Admin\AppData\Local\Temp\Murgs.txt

    Filesize

    54B

    MD5

    8f705b207047576f30d5589651c7b19e

    SHA1

    e617bb231bb2a2620ca06f0e72ff4b7e2fef30a9

    SHA256

    911d22fd885e8fa50cfd0331db4f3b6f433758fa97996358bb794cd7f1586f0b

    SHA512

    22944e92a262cdf41579ef80df2400a851e77facbcde7192ea77aabda204047045054da2631350f4ccc224adab69d95a15881a19f523c92f0943778000459f3d

  • C:\Users\Admin\AppData\Roaming\remcos\logs.dat

    Filesize

    148B

    MD5

    668bb6db7d5a4cf50f5c235bf0bfba14

    SHA1

    58d1554d66fc53006e5d9df36c14e65da06e09bb

    SHA256

    ac8210fc4e48bd9579c2e4cdd89a6b560d7bfe55ff2e815111efef20e0770bf4

    SHA512

    4866f505cd46628d064bbd32d9108e3884579690e90cf501887976d62cd09c01c196c401f76480294505c5345bdfb49b51e831502881201291046ffb2e558b8f

  • \Users\Admin\AppData\Local\Temp\AddInProcess32.exe

    Filesize

    41KB

    MD5

    6a673bfc3b67ae9782cb31af2f234c68

    SHA1

    7544e89566d91e84e3cd437b9a073e5f6b56566e

    SHA256

    978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

    SHA512

    72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

  • \Users\Admin\AppData\Local\Temp\Murgs.exe

    Filesize

    76KB

    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

  • \Users\Admin\AppData\Roaming\mgtce.exe

    Filesize

    1.2MB

    MD5

    76d7147771fb4fcf69838261875d65e3

    SHA1

    ee0313852c1035ea1f622ebd4212aa6d7ae7f95a

    SHA256

    3eda013dd1e1d67954f12f703672f40fe6a9f2be940947dc9091ccca1f82d124

    SHA512

    9f5ce27bfd3ac69bab06a3480d9659f05c1ac26a64652d423dcdcb879269e8b77571464ebb56d3ea60068b88b9939464d6cd4974edf4fe731c7488d1327ba231

  • memory/2148-4-0x0000000000290000-0x00000000002A6000-memory.dmp

    Filesize

    88KB

  • memory/2148-6-0x0000000074C20000-0x000000007530E000-memory.dmp

    Filesize

    6.9MB

  • memory/2148-3-0x00000000005F0000-0x0000000000622000-memory.dmp

    Filesize

    200KB

  • memory/2148-2-0x0000000074C20000-0x000000007530E000-memory.dmp

    Filesize

    6.9MB

  • memory/2148-0-0x0000000074C2E000-0x0000000074C2F000-memory.dmp

    Filesize

    4KB

  • memory/2148-1-0x00000000002B0000-0x00000000003E0000-memory.dmp

    Filesize

    1.2MB

  • memory/2472-57-0x00000000013D0000-0x00000000013EA000-memory.dmp

    Filesize

    104KB

  • memory/2628-14-0x0000000000D40000-0x0000000000E70000-memory.dmp

    Filesize

    1.2MB

  • memory/2628-15-0x00000000009F0000-0x0000000000A22000-memory.dmp

    Filesize

    200KB

  • memory/2628-16-0x0000000000A50000-0x0000000000A6A000-memory.dmp

    Filesize

    104KB

  • memory/2628-17-0x0000000000B00000-0x0000000000B06000-memory.dmp

    Filesize

    24KB

  • memory/2928-22-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/2928-32-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/2928-30-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/2928-28-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/2928-37-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/2928-41-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/2928-42-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/2928-46-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/2928-34-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/2928-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2928-26-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/2928-24-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/2928-20-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB