Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2024 11:40

General

  • Target

    OverdriveNTool_0.2.9/OverdriveNTool.exe

  • Size

    2.9MB

  • MD5

    b64dbdbb60d0edab5bf3608d9973d7b5

  • SHA1

    470ec316274648567965ac7912cb8fbfc5763c47

  • SHA256

    731f26f74722af06e463904102705bc856f20852faecb08b5fda6b7bc0e5539c

  • SHA512

    2d21e148db3e5a60075609ca0b4e5cabba7bf15299ed49ebe81f73844440090f8d935e919e2e7368927890b4d51514518bf9467ab01a1db0a3bbae50153719a9

  • SSDEEP

    49152:gLJwSihjOb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTvM0:cwSi0b67zeCzt0+yO3kSf

Malware Config

Extracted

Family

remcos

Version

2.6.0 Pro

Botnet

�����

C2

37.1.206.16:5757

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    Windows.exe

  • copy_folder

    Temp

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    13asdadsSDSSDSDSD12132az-BMS9FK

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Defender

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • Blocklisted process makes network request 20 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OverdriveNTool_0.2.9\OverdriveNTool.exe
    "C:\Users\Admin\AppData\Local\Temp\OverdriveNTool_0.2.9\OverdriveNTool.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Users\Admin\AppData\Local\Temp\OverdriveNTool_0.2.9\OverdriveNTool.exe
      "C:\Users\Admin\AppData\Local\Temp\OverdriveNTool_0.2.9\OverdriveNTool.exe" /VERYSILENT
      2⤵
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Program Files (x86)\OverdriveNTool\OverdriveNTool9.exe
        "C:\Program Files (x86)\OverdriveNTool\OverdriveNTool9.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4744
      • C:\Program Files (x86)\OverdriveNTool\OnePlus.exe
        "C:\Program Files (x86)\OverdriveNTool\OnePlus.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4544
        • C:\Windows\SysWOW64\notepad.exe
          "C:\Windows\system32\notepad.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:2220
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe"
            5⤵
            • Blocklisted process makes network request
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            PID:4540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\OverdriveNTool\OnePlus.exe

    Filesize

    3.3MB

    MD5

    11c4fee0fa8ca33059d0e54e2f968447

    SHA1

    206fc648bfd44ed2a0647665088a7cd240ca2e6f

    SHA256

    67991e6c3dc3ca7eaaa628f3d1349e59d5dcfba88c05c23188fa22ce7f637c5d

    SHA512

    dd61f1de81efb8ae3610d3a95836542c3eec86c7573880ff6790545134a93122457d5eca06cc5586ac70196a5bf8a761c6ad4d1474f2b63b71313d0c1b2f64ca

  • C:\Program Files (x86)\OverdriveNTool\OverdriveNTool9.exe

    Filesize

    3.3MB

    MD5

    9d0b0d3ce4b1479ee0ad3ab659691dc9

    SHA1

    2a7d5add5ade9dbc7b03ab6e28b9085d14579c2e

    SHA256

    0856dd07f6efa48729888ba519e2a3fd4eaa37de3463eb7bc838e45d2b5790e6

    SHA512

    d69235d2e426f4e82337110a3795833e94ef362ffa27c10fd1a4febbc0422038c7d29064da064d565f59532a9a22c6487dc3be595753ea7bd920214cc4f591b9

  • memory/1516-4-0x0000000000D60000-0x0000000000D61000-memory.dmp

    Filesize

    4KB

  • memory/1516-17-0x0000000000400000-0x00000000006F3000-memory.dmp

    Filesize

    2.9MB

  • memory/1628-0-0x0000000002700000-0x0000000002701000-memory.dmp

    Filesize

    4KB

  • memory/1628-5-0x0000000000400000-0x00000000006F3000-memory.dmp

    Filesize

    2.9MB

  • memory/2220-22-0x0000000016790000-0x00000000171B2000-memory.dmp

    Filesize

    10.1MB

  • memory/4540-24-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/4540-30-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

    Filesize

    32KB

  • memory/4540-31-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/4544-19-0x0000000000400000-0x0000000000764000-memory.dmp

    Filesize

    3.4MB

  • memory/4744-18-0x0000000000400000-0x0000000000761000-memory.dmp

    Filesize

    3.4MB