Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-12-2024 14:37

General

  • Target

    Required order.exe

  • Size

    1.2MB

  • MD5

    76d7147771fb4fcf69838261875d65e3

  • SHA1

    ee0313852c1035ea1f622ebd4212aa6d7ae7f95a

  • SHA256

    3eda013dd1e1d67954f12f703672f40fe6a9f2be940947dc9091ccca1f82d124

  • SHA512

    9f5ce27bfd3ac69bab06a3480d9659f05c1ac26a64652d423dcdcb879269e8b77571464ebb56d3ea60068b88b9939464d6cd4974edf4fe731c7488d1327ba231

  • SSDEEP

    12288:gl1oeyWwQ0Z570ZE5Uyn0kKcUj9t1PZQSlIGeUf6pI7Z1lVfQvbZPiQ1gBMiZYKS:kYWwQo6UAcajBr1eNMZ1DkbZPi14HBR

Malware Config

Extracted

Family

remcos

Version

3.2.1 Pro

Botnet

RemoteHost

C2

kamilaczap.myddns.me:8382

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-FDNGIO

  • screenshot_crypt

    true

  • screenshot_flag

    true

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Required order.exe
    "C:\Users\Admin\AppData\Local\Temp\Required order.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\mgtce.exe,"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:608
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 8
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4288
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\mgtce.exe,"
        3⤵
        • Modifies WinLogon for persistence
        • System Location Discovery: System Language Discovery
        PID:4816
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 17 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Required order.exe" "C:\Users\Admin\AppData\Roaming\mgtce.exe" && ping 127.0.0.1 -n 17 > nul && "C:\Users\Admin\AppData\Roaming\mgtce.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 17
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1560
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 17
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:740
      • C:\Users\Admin\AppData\Roaming\mgtce.exe
        "C:\Users\Admin\AppData\Roaming\mgtce.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2232
        • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
          "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
          4⤵
          • Executes dropped EXE
          PID:1736
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 500
            5⤵
            • Program crash
            PID:884
        • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
          "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4524
        • C:\Users\Admin\AppData\Local\Temp\Murgs.exe
          "C:\Users\Admin\AppData\Local\Temp\Murgs.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1468
          • C:\Users\Admin\AppData\Local\Temp\Murgs.exe
            "C:\Users\Admin\AppData\Local\Temp\Murgs.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:916
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1736 -ip 1736
    1⤵
      PID:2228

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Murgs.exe.log

      Filesize

      1KB

      MD5

      7dca233df92b3884663fa5a40db8d49c

      SHA1

      208b8f27b708c4e06ac37f974471cc7b29c29b60

      SHA256

      90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c

      SHA512

      d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07

    • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

      Filesize

      42KB

      MD5

      9827ff3cdf4b83f9c86354606736ca9c

      SHA1

      e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

      SHA256

      c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

      SHA512

      8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

    • C:\Users\Admin\AppData\Local\Temp\Murgs.exe

      Filesize

      76KB

      MD5

      0e362e7005823d0bec3719b902ed6d62

      SHA1

      590d860b909804349e0cdc2f1662b37bd62f7463

      SHA256

      2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

      SHA512

      518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    • C:\Users\Admin\AppData\Local\Temp\Murgs.txt

      Filesize

      51B

      MD5

      bdf5a7baf3244630f282a7959325bf35

      SHA1

      be958393dbb2ca6f2f0b928f2f152788e7f5964f

      SHA256

      d3de8c8f1166f6fee71e6bc14d1330e4f2b50676418c1bd6325389ba388ebdba

      SHA512

      42d43716f6dfca1cf0735ef00185ddcc054426ce18aac79f76f15d1d4a2483d4bed619320d091afa14ab9e2efacf5356b046ba8be599b6b5ce3dd3126c28cc02

    • C:\Users\Admin\AppData\Local\Temp\Murgs.txt

      Filesize

      54B

      MD5

      0292cd8c44f63e84621ab6d8ec760c99

      SHA1

      f682b65c1b6248408c91508376cb4b4077f3d59e

      SHA256

      436cc1210fe07d68523ce4949c8a5571d0c47e5f21281196b7d20ae353d8b3fe

      SHA512

      cd4b264ca28f2769903355974014ec94a47c17a2f9957e14752e42cc297676aaaac276d45aa5844ba2779aa635272fb5e0732db3ec0f4e0f6a9844bfb83d4231

    • C:\Users\Admin\AppData\Local\Temp\Murgs.txt

      Filesize

      53B

      MD5

      9c46a76cae1fb8160df3c9ea7729b6f5

      SHA1

      42972e00b4aa410572f8f74fa1d9a63333d7ad97

      SHA256

      399f713613627652b28782c24d591df9a7b3b0d022ac66a6b94317fd1a0ebd68

      SHA512

      2c4de018866dfc523cf4c61b07e371491a5cd18bd5e86632afd760958b42f5344bcf012f088fd022c70ed333b46d44a988a5cb9066744b322d56fb664000d6d7

    • C:\Users\Admin\AppData\Roaming\mgtce.exe

      Filesize

      1.2MB

      MD5

      76d7147771fb4fcf69838261875d65e3

      SHA1

      ee0313852c1035ea1f622ebd4212aa6d7ae7f95a

      SHA256

      3eda013dd1e1d67954f12f703672f40fe6a9f2be940947dc9091ccca1f82d124

      SHA512

      9f5ce27bfd3ac69bab06a3480d9659f05c1ac26a64652d423dcdcb879269e8b77571464ebb56d3ea60068b88b9939464d6cd4974edf4fe731c7488d1327ba231

    • C:\Users\Admin\AppData\Roaming\remcos\logs.dat

      Filesize

      148B

      MD5

      f15e961df6dbd6ce2d8c794a18dfd375

      SHA1

      27c0752355a57fb35bbf3a106879511174233cab

      SHA256

      4899876fdfcf6a3e1705574a8df12f72ee9315ecd30e0eabbbbcfc8ff0aeefc2

      SHA512

      639484ad0ab2ba8560fbf13d8833ef5862ace6350abefe2be64b3a869992c05b256870438a21231766c09ac4303ef1a86577d9742c296378586f96467de83b6d

    • memory/1468-47-0x0000000000140000-0x000000000015A000-memory.dmp

      Filesize

      104KB

    • memory/1736-35-0x0000000000570000-0x00000000005E9000-memory.dmp

      Filesize

      484KB

    • memory/1736-28-0x0000000000570000-0x00000000005E9000-memory.dmp

      Filesize

      484KB

    • memory/2232-22-0x000000000C410000-0x000000000C416000-memory.dmp

      Filesize

      24KB

    • memory/2232-18-0x0000000075230000-0x00000000759E0000-memory.dmp

      Filesize

      7.7MB

    • memory/2232-19-0x0000000075230000-0x00000000759E0000-memory.dmp

      Filesize

      7.7MB

    • memory/2232-20-0x0000000005510000-0x0000000005542000-memory.dmp

      Filesize

      200KB

    • memory/2232-21-0x0000000002E20000-0x0000000002E3A000-memory.dmp

      Filesize

      104KB

    • memory/2232-69-0x0000000075230000-0x00000000759E0000-memory.dmp

      Filesize

      7.7MB

    • memory/2232-23-0x00000000086C0000-0x0000000008A14000-memory.dmp

      Filesize

      3.3MB

    • memory/2232-24-0x0000000008AC0000-0x0000000008AE2000-memory.dmp

      Filesize

      136KB

    • memory/2232-68-0x0000000075230000-0x00000000759E0000-memory.dmp

      Filesize

      7.7MB

    • memory/2328-7-0x0000000005030000-0x0000000005046000-memory.dmp

      Filesize

      88KB

    • memory/2328-2-0x0000000005560000-0x0000000005B04000-memory.dmp

      Filesize

      5.6MB

    • memory/2328-10-0x0000000075260000-0x0000000075A10000-memory.dmp

      Filesize

      7.7MB

    • memory/2328-6-0x0000000005530000-0x0000000005562000-memory.dmp

      Filesize

      200KB

    • memory/2328-5-0x0000000075260000-0x0000000075A10000-memory.dmp

      Filesize

      7.7MB

    • memory/2328-4-0x00000000050F0000-0x000000000518C000-memory.dmp

      Filesize

      624KB

    • memory/2328-3-0x0000000005050000-0x00000000050E2000-memory.dmp

      Filesize

      584KB

    • memory/2328-8-0x0000000002970000-0x000000000297A000-memory.dmp

      Filesize

      40KB

    • memory/2328-1-0x0000000000500000-0x0000000000630000-memory.dmp

      Filesize

      1.2MB

    • memory/2328-0-0x000000007526E000-0x000000007526F000-memory.dmp

      Filesize

      4KB

    • memory/2328-12-0x0000000075260000-0x0000000075A10000-memory.dmp

      Filesize

      7.7MB

    • memory/4524-63-0x0000000000400000-0x0000000000479000-memory.dmp

      Filesize

      484KB

    • memory/4524-59-0x0000000000400000-0x0000000000479000-memory.dmp

      Filesize

      484KB

    • memory/4524-58-0x0000000000400000-0x0000000000479000-memory.dmp

      Filesize

      484KB

    • memory/4524-56-0x0000000000400000-0x0000000000479000-memory.dmp

      Filesize

      484KB