Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 02:14

General

  • Target

    4df4fa95ccd5d5dcb8a4e676dcfaf08bac4343b9feb9128288886a0cc1f7bbc5.exe

  • Size

    1.4MB

  • MD5

    995e590a02d494e4bb16ffc0b5f533a6

  • SHA1

    31a8b01b39d68cc539e2431f84154f2aa6eb1823

  • SHA256

    4df4fa95ccd5d5dcb8a4e676dcfaf08bac4343b9feb9128288886a0cc1f7bbc5

  • SHA512

    af662e38e0fcac1cf1154ab69f73e578bc33e53721f1089a52a5d706891717ec3c37643c50a7e68ba597a221d8de8562e89047b36f48af66bc7715ccc3239c31

  • SSDEEP

    24576:Ukp96npluaNPZpMc8i7ZxhwBnO3eHpyXEECiQFqVP6UfM4L37xVdMGNR:QnpPdZOc8i7ZLwBO3eHpyRtQ74L3NVdj

Malware Config

Extracted

Family

remcos

Botnet

rmc_fri

C2

101.99.94.64:2404

101.99.94.64:80

101.99.94.64:8080

101.99.94.64:465

101.99.94.64:50000

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    rmc

  • mouse_option

    false

  • mutex

    frijuois6763h-EGU5O0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5
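The extracted configuration above is only useful if it is turned into something a SIEM or a host agent can match on. The following is an added example, not code from the sandbox or from the report: it expands the Remcos config values shown above into network and host indicators and runs them over a handful of constructed NetFlow-style lines and Sysmon-style host events. The flow lines, the host events, the mutex object path under `\Sessions\1\BaseNamedObjects\` and the `%AppData%\Roaming\Remcos\remcos.exe` drop location are assumptions made for the example; only the IP, ports, mutex, folder and file names come from the report.

```python
import re
from dataclasses import dataclass, field

# Values copied from the "Malware Config" section of this report.
REMCOS_CONFIG = {
    "family": "remcos",
    "botnet": "rmc_fri",
    "c2": ["101.99.94.64:2404", "101.99.94.64:80", "101.99.94.64:8080",
           "101.99.94.64:465", "101.99.94.64:50000"],
    "mutex": "frijuois6763h-EGU5O0",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_folder": "rmc",
    "keylog_file": "logs.dat",
}


@dataclass
class Indicators:
    c2_hosts: set = field(default_factory=set)
    c2_endpoints: set = field(default_factory=set)   # (host, port) tuples
    mutexes: set = field(default_factory=set)
    path_suffixes: set = field(default_factory=set)  # lower-case "folder\file"


def build_indicators(cfg):
    """Expand the extracted config into values a SIEM can match on."""
    ind = Indicators()
    for endpoint in cfg["c2"]:
        host, _, port = endpoint.rpartition(":")
        ind.c2_hosts.add(host)
        ind.c2_endpoints.add((host, int(port)))
    ind.mutexes.add(cfg["mutex"])
    # Remcos writes these under a parent directory that varies per host (the
    # report shows the keylog at C:\ProgramData\rmc\logs.dat), so match on the
    # folder\file tail rather than on a full path.
    ind.path_suffixes.add((cfg["keylog_folder"] + "\\" + cfg["keylog_file"]).lower())
    ind.path_suffixes.add((cfg["copy_folder"] + "\\" + cfg["copy_file"]).lower())
    return ind


# Constructed NetFlow-style lines: "<ts> <src>:<sport> -> <dst>:<dport> <proto>".
FLOW_LINES = [
    "2024-12-30T02:15:01Z 10.0.0.23:49812 -> 101.99.94.64:2404 tcp",
    "2024-12-30T02:15:02Z 10.0.0.23:49813 -> 93.184.216.34:443 tcp",
    "2024-12-30T02:15:09Z 10.0.0.23:49820 -> 101.99.94.64:80 tcp",
    "2024-12-30T02:15:20Z 10.0.0.23:49821 -> 101.99.94.64:443 tcp",  # host known, port not listed
]
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def match_flows(lines, ind):
    """Return (ts, dst, dport, reason) for every flow that touches the C2."""
    hits = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in ind.c2_endpoints:
            hits.append((m["ts"], dst, dport, "configured C2 endpoint"))
        elif dst in ind.c2_hosts:
            # This config already lists five ports on one host, so a new port
            # on that host is still worth an alert; do not key on port alone.
            hits.append((m["ts"], dst, dport, "known C2 host, unlisted port"))
    return hits


# Constructed Sysmon-style host events: (event type, object path).
HOST_EVENTS = [
    ("FileCreate", r"C:\ProgramData\rmc\logs.dat"),
    ("FileCreate", r"C:\Users\Admin\AppData\Local\Temp\13728\L"),
    ("CreateMutant", r"\Sessions\1\BaseNamedObjects\frijuois6763h-EGU5O0"),
    ("FileCreate", r"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"),
]


def match_host_events(events, ind):
    """Return (type, value, reason) for events matching the mutex or drop paths."""
    hits = []
    for etype, value in events:
        norm = value.lower().replace("/", "\\")
        if etype == "CreateMutant" and value.rsplit("\\", 1)[-1] in ind.mutexes:
            hits.append((etype, value, "Remcos mutex"))
        elif etype == "FileCreate" and any(norm.endswith("\\" + s) for s in ind.path_suffixes):
            hits.append((etype, value, "Remcos artefact path"))
    return hits


if __name__ == "__main__":
    ind = build_indicators(REMCOS_CONFIG)
    for hit in match_flows(FLOW_LINES, ind) + match_host_events(HOST_EVENTS, ind):
        print(hit)
```

Matching on the host rather than on exact `host:port` pairs is deliberate: three of the five configured ports (80, 465, 8080) are chosen to blend in with web and mail traffic, so a rule keyed on unusual ports alone would miss most of the sessions.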

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Remcos family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4df4fa95ccd5d5dcb8a4e676dcfaf08bac4343b9feb9128288886a0cc1f7bbc5.exe
    "C:\Users\Admin\AppData\Local\Temp\4df4fa95ccd5d5dcb8a4e676dcfaf08bac4343b9feb9128288886a0cc1f7bbc5.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Leather Leather.cmd & Leather.cmd
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2192
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "opssvc wrsa"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2836
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2588
      • C:\Windows\SysWOW64\findstr.exe
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2656
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 13728
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2572
      • C:\Windows\SysWOW64\extrac32.exe
        extrac32 /Y /E Islands
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2600
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "teach" Ventures
        3⤵
        • System Location Discovery: System Language Discovery
        PID:640
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Statement + ..\Inherited + ..\Yu + ..\Handbook + ..\Contests + ..\Socket + ..\Clerk + ..\Emphasis + ..\Desert + ..\Gzip L
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2240
      • C:\Users\Admin\AppData\Local\Temp\13728\Supposed.com
        Supposed.com L
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /create /tn "FinView" /tr "wscript //B 'C:\Users\Admin\AppData\Local\FinTech Visionary Solutions\FinView.js'" /sc onlogon /F /RL HIGHEST
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1248
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 15
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2528
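The process tree above is a textbook batch-script loader chain: an extension-less dropped file is renamed to `.cmd` and run, `tasklist` output is grepped for security-product process names, a CAB is expanded with `extrac32`, the payload is reassembled from ten fragments with `copy /b`, the reassembled file is handed to `Supposed.com`, and a logon task running `wscript //B` is created with `/RL HIGHEST`. The following is an added example of behavioural rules for that chain, not sandbox or vendor code. The event records are constructed in the shape of Sysmon Event ID 1 from the command lines and PIDs in the tree; the image paths, the parent PID of the root process, and the benign control record are assumptions made for the example, as are the rule names and the scoring threshold.

```python
import re
from collections import defaultdict

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "4df4fa95ccd5d5dcb8a4e676dcfaf08bac4343b9feb9128288886a0cc1f7bbc5.exe"

# Constructed process-creation records: pid, parent pid, image, command line.
EVENTS = [
    {"pid": 2636, "ppid": 1500, "image": TMP + "\\" + SAMPLE, "cmd": '"' + TMP + "\\" + SAMPLE + '"'},
    {"pid": 2736, "ppid": 2636, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": '"C:\\Windows\\System32\\cmd.exe" /c move Leather Leather.cmd & Leather.cmd'},
    {"pid": 2192, "ppid": 2736, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmd": "tasklist"},
    {"pid": 2836, "ppid": 2736, "image": r"C:\Windows\SysWOW64\findstr.exe", "cmd": 'findstr /I "opssvc wrsa"'},
    {"pid": 2656, "ppid": 2736, "image": r"C:\Windows\SysWOW64\findstr.exe",
     "cmd": 'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'},
    {"pid": 2600, "ppid": 2736, "image": r"C:\Windows\SysWOW64\extrac32.exe", "cmd": "extrac32 /Y /E Islands"},
    {"pid": 640, "ppid": 2736, "image": r"C:\Windows\SysWOW64\findstr.exe", "cmd": 'findstr /V "teach" Ventures'},
    {"pid": 2240, "ppid": 2736, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": "cmd /c copy /b ..\\Statement + ..\\Inherited + ..\\Yu + ..\\Handbook + ..\\Contests"
            " + ..\\Socket + ..\\Clerk + ..\\Emphasis + ..\\Desert + ..\\Gzip L"},
    {"pid": 2640, "ppid": 2736, "image": TMP + r"\13728\Supposed.com", "cmd": "Supposed.com L"},
    {"pid": 1248, "ppid": 2640, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": 'schtasks.exe /create /tn "FinView" /tr "wscript //B '
            "'C:\\Users\\Admin\\AppData\\Local\\FinTech Visionary Solutions\\FinView.js'\" /sc onlogon /F /RL HIGHEST"},
    # Benign control (assumed): an admin grepping a log from an explorer-spawned shell.
    {"pid": 3001, "ppid": 1500, "image": r"C:\Windows\System32\findstr.exe", "cmd": 'findstr /I "error" C:\\logs\\app.log'},
]

# Process names the loader greps for; lower-cased for comparison.
SECURITY_PROCESSES = {"opssvc", "wrsa", "avastui", "avgui", "bdservicehost",
                      "nswscsvc", "ekrn", "sophoshealth"}


def image_name(ev):
    return ev["image"].rsplit("\\", 1)[-1].lower()


def rule_rename_and_run(ev):
    # "move X X.cmd & X.cmd": an extension-less dropped file becomes a batch script and runs.
    m = re.search(r"move\s+(\S+)\s+\1\.cmd\s*&\s*\1\.cmd", ev["cmd"], re.I)
    if image_name(ev) == "cmd.exe" and m:
        return f"extension-less file {m.group(1)} renamed to .cmd and executed"


def rule_security_product_discovery(ev):
    # findstr fed with tasklist output and a list of security-product process names.
    if image_name(ev) != "findstr.exe":
        return None
    terms = {t.strip('"').lower() for t in ev["cmd"].split()[1:] if not t.startswith("/")}
    hits = terms & SECURITY_PROCESSES
    if hits:
        return "findstr for security products: " + ", ".join(sorted(hits))


def rule_payload_reassembly(ev):
    # "copy /b a + b + c out": payload rebuilt from fragments that are inert on their own.
    m = re.search(r"copy\s+/b\s+(.+)", ev["cmd"], re.I)
    if image_name(ev) == "cmd.exe" and m:
        parts = [p.strip() for p in m.group(1).split("+")]
        if len(parts) >= 3:
            return f"binary concatenation of {len(parts)} fragments into {parts[-1].split()[-1]}"


def rule_cab_extract(ev):
    # extrac32 /E on a file with no extension: a renamed CAB in a user-writable directory.
    toks = ev["cmd"].split()
    if image_name(ev) == "extrac32.exe" and "/e" in (t.lower() for t in toks):
        src = [t for t in toks[1:] if not t.startswith("/")]
        if src and "." not in src[0].rsplit("\\", 1)[-1]:
            return f"extrac32 expanding extension-less archive {src[0]}"


def rule_logon_task(ev):
    # schtasks /create ... /sc onlogon with a wscript action is persistence, not admin work.
    c = ev["cmd"]
    tr = re.search(r'/tr\s+"([^"]+)"', c, re.I)
    if (image_name(ev) == "schtasks.exe" and "/create" in c.lower() and tr
            and re.search(r"/sc\s+onlogon", c, re.I) and "wscript" in tr.group(1).lower()):
        level = "highest" if re.search(r"/rl\s+highest", c, re.I) else "limited"
        return f"logon scheduled task running {tr.group(1)} (run level {level})"


RULES = [rule_rename_and_run, rule_security_product_discovery, rule_payload_reassembly,
         rule_cab_extract, rule_logon_task]


def in_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def analyse(events):
    """Return ({pid: [finding, ...]}, verdict, pids whose ancestry starts in user Temp)."""
    by_pid = {e["pid"]: e for e in events}
    findings, fired = defaultdict(list), set()
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings[ev["pid"]].append(msg)
                fired.add(rule.__name__)
    # Walk each flagged process up its parent chain: the chain in the report is
    # rooted in a user-writable Temp directory, which is what makes it a loader.
    temp_rooted = set()
    for pid in findings:
        cur = by_pid.get(pid)
        while cur is not None:
            if in_user_temp(cur["image"]):
                temp_rooted.add(pid)
                break
            cur = by_pid.get(cur["ppid"])
    verdict = "malicious" if len(fired) >= 3 and temp_rooted else ("suspicious" if fired else "clean")
    return dict(findings), verdict, temp_rooted


if __name__ == "__main__":
    found, verdict, rooted = analyse(EVENTS)
    for pid, msgs in found.items():
        print(pid, "temp-rooted" if pid in rooted else "", msgs)
    print("verdict:", verdict)
```

Each rule is weak on its own (an administrator may legitimately run `extrac32` or create a logon task), which is why the verdict requires several distinct rules to fire on processes whose ancestry starts under `%LOCALAPPDATA%\Temp`; the benign `findstr` record never contributes because its search terms are not security-product names.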

Downloads

        • C:\ProgramData\rmc\logs.dat

          Filesize

          144B

          MD5

          eb24118e5963c3388da86ef7fd875a7a

          SHA1

          7d005288afe95ce962f5c5b2692f564898f4ef63

          SHA256

          b232c12af0d36c1f7d29db6f7d7c402a263b479787cb7c8151095d1580968e4c

          SHA512

          ecdc32445ca3257ba3321a594090593bf20ff0f159ae568608a35b984e8c4d43091aed634c0a3520d7b1c677aaf50cd3d4bc0225b11f0611afa8c0937a463941

        • C:\Users\Admin\AppData\Local\Temp\13728\L

          Filesize

          666KB

          MD5

          3816adc3cfdfb1f64ed972f265dd4549

          SHA1

          c842cbe12caa9ad768f08fab53d4984826e1c082

          SHA256

          61bb7562e5ff5b209facd2eb7ebc49475e9901a75b29b9d0e7104c1734eba140

          SHA512

          06a14ff4a384f6a3d223521df57819ced21b3308f8aa469c32d72c610f39269d9734c31709c821e2d1800f7910f1ebc922f161d0128a9e5343b8c7172e915100

        • C:\Users\Admin\AppData\Local\Temp\Cal

          Filesize

          146KB

          MD5

          ec66cd426d99cba80dba356a71bab3e9

          SHA1

          7a27ad5828edb1dd7c60a342de3a764b54b31099

          SHA256

          0f6e289f404aa4979a3d8233586cd33931d8575cde5ba2b0aa7b0cb8c71bef72

          SHA512

          6b1a0f06dc42a8d42b8781aca7e1afb902661799d27b32e26d3fbc7040eb3712ed76f2e71ceafc16711a3beaec64cfab37f964ff8f23595e8cbca5ad27baf2a0

        • C:\Users\Admin\AppData\Local\Temp\Clerk

          Filesize

          64KB

          MD5

          eec769daa4d8b3b702b66b3bb00b57a6

          SHA1

          6ebc9a1d4bf0fb954677c319ce561e8a1fd61056

          SHA256

          0a57e1a0cc5c318846d19bcba4bf2aeaa13230d15478160431ff81751ea6975f

          SHA512

          7a53c6e81cafb74e0d67925767f12fb973aac7cde6b21033bf99efc8ae2144c262f40af9b59479aa7e272b937be407b8c20269fd81414ba9a692644c555a45ba

        • C:\Users\Admin\AppData\Local\Temp\Contests

          Filesize

          54KB

          MD5

          7c8639d59298925dbb44af313c2e6063

          SHA1

          3e51d8ee019082bfa755c838cb8da490dc18fe7b

          SHA256

          7a50aef0f70a5059e150bc55333f43c5ad1d74caf97f59a0e440d72dbda8921d

          SHA512

          2dfb434221b0444978598427a45b187bb58b06dc2ca343a0ce78621447e8ff2bb531ee0e9253eb147d1037b5da6a203688b80061e3cb8f9a1c4c6a1efc4713a6

        • C:\Users\Admin\AppData\Local\Temp\Desert

          Filesize

          75KB

          MD5

          c834c69832c0cac49301b5d8a78c1672

          SHA1

          23e5d46108a1481b8ed0acb7edaf3ff2ef659a72

          SHA256

          f9b959cc49a3df0da6a197d5e74958052bb2bdf69603e376019cd6da6d6fb623

          SHA512

          507aa570412d2a1774fe176df7ec799528d1f791fdb1e92fb70e5945916c173d3b08cbae80f21b62570b07b1fc76ba70bba9862d4a48cc8d51c3d288dcaa34b6

        • C:\Users\Admin\AppData\Local\Temp\Distribution

          Filesize

          123KB

          MD5

          ea6f9be88305980cf7d4e803081ce7c1

          SHA1

          8a15c339d5cb8a8951dcb80068489c1408e73b10

          SHA256

          095d4d26eaa30a7289cfdea6b304fb2e1ad6ef2aa7ddb203ab55f390706991ab

          SHA512

          b3997bf6b5ede358bb6031d0fc4a036e88414744b2391a670b4dbd0212f9375f519141bd9e6ff7af6d9b0b6fb9f3cdd924511333a10927320035201bf29dd116

        • C:\Users\Admin\AppData\Local\Temp\Emphasis

          Filesize

          73KB

          MD5

          78d8249784c1eeeb298e897e0edb2ce9

          SHA1

          09a1999941b67a86bca8c5d9df654980e1ece4ab

          SHA256

          ec7f1a6066f8d15dfafa46d3dfe9ec1fa8f1a16be375616504e386df1201c0f0

          SHA512

          8e41c94550ee31869f01c995b11660aac2abac01dfe1125190aa2568b733c3ac1ebce80a22c19bf384c0589fb0bff36d926a2b11d01c73b6e1f126c70c7113a9

        • C:\Users\Admin\AppData\Local\Temp\Era

          Filesize

          93KB

          MD5

          bcca6d9a41f2fc3dbb70d8a7ee74ed20

          SHA1

          6d9d5095bafc69dec15a93f82614cce7d8ddc5ff

          SHA256

          3630c0ccadbd98290cccb145695b44d045ad0afca19f93792a53aef304a2b00c

          SHA512

          b8298d710d70cb076eb5d2c65a132104e66f7dfc62081bc90ff5c70277703a01cc089c4182fb8dee6979eb705509089ef6a5eba012cf804b3f23bfbefb1c6e91

        • C:\Users\Admin\AppData\Local\Temp\Everything

          Filesize

          143KB

          MD5

          f70929aac338a54dae96918705bebd54

          SHA1

          1023545f1d292be7fa5cadddc324442c27685668

          SHA256

          0f31b9b54ad3dc4abec6a6ca81ba4e8d06d9ce5cb7cc524ac4721e2e92040079

          SHA512

          4d78cfb80a5c0b4f62fbe4b9afc2d14ae94ecd23391aad0d1e022b61d7952c02a5d13c72342a2404b41407f74afd5e8ca04ea0bb6671f7dd04b3ae1e22c0a4d5

        • C:\Users\Admin\AppData\Local\Temp\Gzip

          Filesize

          14KB

          MD5

          708a05da814a21987be83f2f01b6d6fa

          SHA1

          c3fb5f379dfb95933671cb4095424d8e3334d9a5

          SHA256

          3cb2cb525938792c281b10dd7efc896427fa32c893d8691fa5d21e3cf54cc380

          SHA512

          594c2abbfbb5276075e78ef0049c1625f74441330aa280d6b3d760b2c387863a8d4ed42819018ee0b528794530d36b345cfaae10a1c34297fa666f4f77cd9c38

        • C:\Users\Admin\AppData\Local\Temp\Handbook

          Filesize

          78KB

          MD5

          ef20f0a636403f36da61210b100e542f

          SHA1

          5a5f77f431179cd8316e84c5f5b04c1d3c44e861

          SHA256

          fa10aca6fa02c5d4853884736cc5c5b533418c64f21386480d416c39673d993e

          SHA512

          41c090c5aa1482ff25e909da634360bde4004201379115240f544332b974144a080e5a31735c57358f001b8eb551fd6c28022690efdaba38e6942c027817891f

        • C:\Users\Admin\AppData\Local\Temp\Induced

          Filesize

          65KB

          MD5

          5c71cf6bf6dd0dd68cdda92ca0c9d917

          SHA1

          380a2ae1194350327cf83ca869250b64b5a6400f

          SHA256

          980957812bfd0e3bc5a3a1ad8dca9d8e844aaf31aa0d66fad376a90175c5df7d

          SHA512

          cf0db7281bb07897c750d1bded782e3cfe5eadd94ffd0415bdc89ac83c6dff32b4453f805b084f75db56ac319ecaa733939bf1255e6c09899db5c70d1ae36649

        • C:\Users\Admin\AppData\Local\Temp\Inherited

          Filesize

          85KB

          MD5

          3778215c0689810d2d6390071da105a7

          SHA1

          2d38fef5aa8e4ec10b2aea0abe9438c96e7f7531

          SHA256

          0f42663ba69d0383a9668c791178a18960c25f876f3b10e90d6e6a2acbce7326

          SHA512

          6aeb355b339ad0a431c5132e185621ef1a34da69a700c0ee50f42981af1691d3ac52f514c46f89618ef86b0a368f755ac30d80babee1ff828fbcd1eb4a93bd5c

        • C:\Users\Admin\AppData\Local\Temp\Islands

          Filesize

          476KB

          MD5

          6064f38cec772696803c832d698bbdfd

          SHA1

          10be14ac4d14dcba13864270bb7d4f5b37a34821

          SHA256

          df48e4cda40c0a5382ea649f6a357d1c9c902005cfb2a6def62e19f6de99dc2d

          SHA512

          4b0088248be89b6be45e5af4bb7a4af87d5771c66392191d38acbfb17a8dffebed5f597488d875ed5bd2095cc283f999a69bde17f47be8b5b0908f79818b8ba8

        • C:\Users\Admin\AppData\Local\Temp\Leather

          Filesize

          32KB

          MD5

          41a9a63393c651bc508204b3422a8be0

          SHA1

          227bad4fb387c3fe65572b3cc3a4ea44681e4fd4

          SHA256

          45a666c1e2d89cb67dbd26bafd12ce83e7102a297e1489ef928675f9bc572e6d

          SHA512

          fff1c16441e39442b490bf54e5f59b979f54ec2636cd736f0e9299ab6198743d9d8ea8d511124ce59feb43c94a077c5f8cc54d94f8b5bb3912ccf9a4e02bc971

        • C:\Users\Admin\AppData\Local\Temp\Socket

          Filesize

          85KB

          MD5

          780a75442f17fc441590e8075a4096e7

          SHA1

          a1a53f71572b8ebf95cf970e069458ed8edeab9a

          SHA256

          0298a67073b64e028c0c7a264c24d0cb473685e8b71b5dd0f82b13592fdfcda1

          SHA512

          88f0e63ebe66cf729c1a14acfcf554645bbc07b4530f0a3cd0eaa064da6fd6780977b197478974ca5d4683ab49e29e0c2fcad9366688c5cefa4383130ea0eeff

        • C:\Users\Admin\AppData\Local\Temp\Statement

          Filesize

          62KB

          MD5

          064ed87f5b0e77a0cb8f11b44fb64782

          SHA1

          aac79fc8698d1b65867937b44c9ceba9f652d6b4

          SHA256

          396a1e80f368dba73b30d64e87135a33937cdca899528588d5af26fb52811aba

          SHA512

          4503993d97014d11b32c54f8c30fdf981291d1206cefcae01217e239d3c816c6d13aa28c1d3a5291f5de99e8f5989036bbbb08c23b236ac45e391a88f2e37889

        • C:\Users\Admin\AppData\Local\Temp\Strand

          Filesize

          96KB

          MD5

          735ffcca9807233aff339f8a6463ad1e

          SHA1

          da11b2a43a52d3a1c6e9fc0843df0de180d83725

          SHA256

          8c6ce627044432ce0e431f6818c137833d18688819f03fc4adc8447b8aa980bd

          SHA512

          f65ce15a1aff036953cb1b53dbea3de23dae8231cb24d0fdcf2d2d13595954488f34b713cecc10e3cb7b30ada743d4cc3315e9f011bd265fa4cd1e5400375bde

        • C:\Users\Admin\AppData\Local\Temp\Structural

          Filesize

          137KB

          MD5

          905441403203b441e8a45aa48f19287b

          SHA1

          26c97b2055227de96ed97336cc21332efa935c89

          SHA256

          4dd82c681b0cc67fcdbfa53457673581f970eab35bfec92404e3913b0d436bfa

          SHA512

          b2c4bcdf1bb373e18c4801f56e0e24c5a7a2997d5ee425838da36bc0a7e03c144eaa700e6f7d3f3be62ad982dc9d386a4dfdf1f1d486f2a6ec23196496ad6d82

        • C:\Users\Admin\AppData\Local\Temp\Suspension

          Filesize

          120KB

          MD5

          e02abcf3970f383aeadfcb8c2347c4bb

          SHA1

          a1d112b7a9f8e234d6f28c111d639a97e3ef4390

          SHA256

          2a640492be5df8cb312992ee23d80afb4e32c9ef7fc5f830ee089210a41b0608

          SHA512

          bf71b407f3a52e2f26f3480b246c780bc3a53cbfea15b465ea0a30f28ac7f1b44503ffb7f059e8ddd52e3b6fa57c674a616e8537f34c186f87cfb7719da4dce1

        • C:\Users\Admin\AppData\Local\Temp\Ventures

          Filesize

          1KB

          MD5

          f1cc3f9960ab371fe3d7f26beecc7ca7

          SHA1

          e9ad207a52c78ed8a58d58b56b69121540f792a1

          SHA256

          f96237fcb384ea10ada3ed909f5aec43a330d8e7ea1a7f4c5c7744c753d0bd73

          SHA512

          03bbb0f402f075896727859ebd2f523e1afa29efcd17cf30ae2954679344c6503123e71028208cf25709f53cd22697842d05effbafc7f270026c7ed8af475701

        • C:\Users\Admin\AppData\Local\Temp\Yu

          Filesize

          76KB

          MD5

          ead75dceff1cb76a4cbfd86b802ebcf4

          SHA1

          d5337a18bdfeaf39e3ec6bf64782a6e65597c55a

          SHA256

          17ecb803a2fd1dc24164db5eac973579278448c1b5547181f229ce1b2926361b

          SHA512

          210fcaf683d157adf45d9145643a5fae163f3ed0f85d133f52abb42e6be7abefbf9df3c18aa574f9de93784adb929bd778d0714e3fd095f4fbcab034d16fbbae

        • \Users\Admin\AppData\Local\Temp\13728\Supposed.com

          Filesize

          925KB

          MD5

          62d09f076e6e0240548c2f837536a46a

          SHA1

          26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

          SHA256

          1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

          SHA512

          32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

        • memory/2640-86-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-94-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-78-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-77-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-79-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-80-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-83-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-84-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-74-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-90-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-75-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-76-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-98-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-102-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-103-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-106-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-110-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-114-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-118-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-122-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-123-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-126-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB

        • memory/2640-131-0x0000000003520000-0x000000000359F000-memory.dmp

          Filesize

          508KB