Overview

overview

10

Static

static

3

9c273d9b8a...10.exe

windows7-x64

10

9c273d9b8a...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2024, 05:17

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    9c273d9b8a1cee3f64842482dfde7a2bf9e107a7f86a189b56d2571f40838f10.exe

  • Size

    1.1MB

  • MD5

    6c6dcfc1b71a39e2a1671f20507f4246

  • SHA1

    424defefcf75932443ba4c681db36cdb28f5569d

  • SHA256

    9c273d9b8a1cee3f64842482dfde7a2bf9e107a7f86a189b56d2571f40838f10

  • SHA512

    e68db9a496ced68f49fbc4b39e6365813ce8e44d8b11070e76b738788a942268a5d38397440b6fb6e789ff24e05b075682100fb50118c2a4bfe14c96970bbd4d

  • SSDEEP

    24576:NK777777777777Bi1fjBWjE1UOBarHJ0OnXhhcOg7tOX2sBsFzoa:s7777777777770NjkjchMpvXhvgsDiFz

Score
10/10
remcosremotehostdiscoveryexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

azuite.ddns.net:7667

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    stub1-C43YU8

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c273d9b8a1cee3f64842482dfde7a2bf9e107a7f86a189b56d2571f40838f10.exe
    "C:\Users\Admin\AppData\Local\Temp\9c273d9b8a1cee3f64842482dfde7a2bf9e107a7f86a189b56d2571f40838f10.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SSCHSrcP.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2552
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SSCHSrcP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp96B4.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2564
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2372

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp96B4.tmp
          Filesize

          1KB

          MD5

          40e0b19164652ba7aa14ad4e44a8d136

          SHA1

          4f21c7d35394fc34ee7b56a6c4fe3a4879c6bd0e

          SHA256

          3586b6f17ad999ba639b4f4ffeaf60d4b105b45658510e4b823e7f18a45317ed

          SHA512

          ffa4b0c9048f0a09f2a8d8eb49c157351816f1a56a4305a5107f84b7042cc728138cc4a47356a0c9dc88aec1a04c83353c3658661fa88b95722aa8d4d7534326

          Download Submit

        • C:\Users\Admin\AppData\Roaming\remcos\logs.dat
          Filesize

          144B

          MD5

          68617de76e4822b61d5545bb585089c2

          SHA1

          83e4a78525cfd980faeef754199e9c53d1563fc6

          SHA256

          e56a9e175c698c9a6575bd2ab5fcca40b7eb5c91c6c34370ff9b41155ddf4cc4

          SHA512

          de785ce85a688a158f2ac6b325cdc8247be771a882abfbeb07224b99c8d580b648335a7334e37de5ddf95bcbe581705ac64e261e526d0b1badf97bef45764474

          Download Submit

        • memory/2008-0-0x000000007490E000-0x000000007490F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2008-1-0x0000000000260000-0x000000000037C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2008-2-0x0000000074900000-0x0000000074FEE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2008-3-0x0000000000590000-0x00000000005A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2008-4-0x0000000074900000-0x0000000074FEE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2008-5-0x0000000005880000-0x000000000597A000-memory.dmp

          Filesize

          1000KB

          Download

        • memory/2008-11-0x0000000005690000-0x000000000570A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/2008-37-0x0000000074900000-0x0000000074FEE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2372-36-0x0000000000400000-0x000000000047A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/2372-33-0x0000000000400000-0x000000000047A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/2372-30-0x0000000000400000-0x000000000047A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/2372-27-0x0000000000400000-0x000000000047A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/2372-24-0x0000000000400000-0x000000000047A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/2372-22-0x0000000000400000-0x000000000047A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/2372-20-0x0000000000400000-0x000000000047A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/2372-29-0x0000000000400000-0x000000000047A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/2372-19-0x0000000000400000-0x000000000047A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/2372-16-0x0000000000400000-0x000000000047A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/2372-14-0x0000000000400000-0x000000000047A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/2372-13-0x0000000000400000-0x000000000047A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/2372-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download