Analysis
Max time kernel: 195s
Max time network: 258s
Platform: windows10-1703_x64
Resource: win10-20240404-en
Resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 30-06-2024 20:26
Behavioral task: behavioral1
Sample: Backdoor.exe
Resource: win10-20240404-en
General
Target: Backdoor.exe
Size: 92KB
MD5: 1ae56ec879a82b9d0b34637cdbb498ef
SHA1: 523c2d5e3864c0be7593f7cb8d3cc5ef8391eba0
SHA256: 5abf99b5cb761cf5e1b14a3cf9f0edfff6b932592772aa422e2d1a691fe25432
SHA512: 4a5d836330d0e3a8451a83b31c9b122f6b0aff27a58ea97f8a07bb9dc22c19835b80e5588957551da645e5c7299193e32945287e709dd8579d30ec89fdb27bf7
SSDEEP: 1536:ohhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP6XrE:uhzYTGWVvJ8f2v1TbPzuMsIFSHNThy+D
Malware Config
Extracted: remcos 1.7 Pro
Host: 185.254.97.15:2404
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: true
hide_keylog_file: true
install_flag: true
install_path: %SystemDrive%
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: remcos_rukbdcxfoo
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
screenshot_time: 1
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
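The extracted configuration predicts the on-host artifacts this run produced: install_path\copy_folder\copy_file is the dropped copy C:\remcos\remcos.exe, keylog_path\keylog_folder\keylog_file is the (empty) logs.dat under %AppData%, and startup_value is the name of the Run value. The following Python is an added example, not code from the sandbox or from Remcos, that turns such a config into a hunt list and diffs it against what the report observed. The %SystemDrive% and %AppData% expansions are those of the sandbox's "Admin" user, read off the dropped-file paths; treating screenshot_path\screenshot_folder the same way as the keylog path is an assumption (screenshots were disabled in this run).

```python
r"""Turn an extracted Remcos configuration into the host artifacts to hunt for.

Added example; not code from the sandbox report or from Remcos itself. Field
semantics are read off this report: install_path\copy_folder\copy_file became
C:\remcos\remcos.exe, keylog_path\keylog_folder\keylog_file became
...\Roaming\remcos\logs.dat, and startup_value named the Run value. Applying
the same pattern to screenshot_path\screenshot_folder is an assumption.
"""

# Constructed from the Malware Config section above (only the fields used here).
REMCOS_CONFIG = {
    "Host": "185.254.97.15:2404",
    "install_flag": "true",
    "install_path": "%SystemDrive%",
    "copy_folder": "remcos",
    "copy_file": "remcos.exe",
    "startup_value": "remcos",
    "mutex": "remcos_rukbdcxfoo",
    "keylog_flag": "false",
    "keylog_path": "%AppData%",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_flag": "false",
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screens",
}

# Variable expansions for the sandbox's "Admin" user, taken from the dropped
# file paths in this report (they differ on every victim machine).
SANDBOX_ENV = {"%SystemDrive%": "C:", "%AppData%": r"C:\Users\Admin\AppData\Roaming"}

# Both locations written in this run: the user hive and the 32-bit view of HKLM.
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
)


def expand(path, env):
    """Substitute %VAR% tokens from env; unknown tokens are left untouched."""
    for var, value in env.items():
        path = path.replace(var, value)
    return path


def winjoin(*parts):
    """Join with single backslashes; unlike ntpath.join this keeps 'C:' + 'x' as 'C:\\x'."""
    return "\\".join(p.strip("\\") for p in parts if p)


def flag(cfg, key):
    return cfg.get(key, "false").strip().lower() == "true"


def derive_artifacts(cfg, env):
    """Return the C2 socket, mutex, file paths and Run values this config implies."""
    host, _, port = cfg["Host"].rpartition(":")
    art = {"c2": (host, int(port)), "mutex": cfg["mutex"], "files": set(), "run_values": set()}
    if flag(cfg, "install_flag"):
        exe = winjoin(expand(cfg["install_path"], env), cfg["copy_folder"], cfg["copy_file"])
        art["files"].add(exe)
        for key in RUN_KEYS:
            art["run_values"].add((key, cfg["startup_value"], f'"{exe}"'))
    # The log file was created (empty) even with keylog_flag=false, so always list it.
    art["files"].add(winjoin(expand(cfg["keylog_path"], env), cfg["keylog_folder"], cfg["keylog_file"]))
    if flag(cfg, "screenshot_flag"):  # assumption: <path>\<folder> when enabled
        art["files"].add(winjoin(expand(cfg["screenshot_path"], env), cfg["screenshot_folder"]))
    return art


def compare(derived, observed_files, observed_run_values):
    """Predicted artifacts the run did not show, and observed ones the config did not predict."""
    return {
        "files_missing": derived["files"] - observed_files,
        "files_unexpected": observed_files - derived["files"],
        "run_missing": derived["run_values"] - observed_run_values,
        "run_unexpected": observed_run_values - derived["run_values"],
    }


# Observed in this report: the dropped-file list and the "Adds Run key" signature.
OBSERVED_FILES = {r"C:\remcos\remcos.exe", r"C:\Users\Admin\AppData\Roaming\remcos\logs.dat"}
OBSERVED_RUN_VALUES = {(k, "remcos", r'"C:\remcos\remcos.exe"') for k in RUN_KEYS}

if __name__ == "__main__":
    art = derive_artifacts(REMCOS_CONFIG, SANDBOX_ENV)
    print("C2:", "%s:%d" % art["c2"], "mutex:", art["mutex"])
    for f in sorted(art["files"]):
        print("file:", f)
    for key, name, value in sorted(art["run_values"]):
        print("run value:", f"{key}\\{name} = {value}")
    print("diff vs report:", compare(art, OBSERVED_FILES, OBSERVED_RUN_VALUES))
```

With install_flag set to false the copy and both Run values drop out of the hunt list, which is the case to check before concluding that a host without C:\remcos is clean: the same family can run from the original location with persistence disabled.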
Signatures
Executes dropped EXE (1 IoC)
  Process: remcos.exe (PID 1740)
Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\remcos\\remcos.exe\"" by Backdoor.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\remcos\\remcos.exe\"" by Backdoor.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\remcos\\remcos.exe\"" by remcos.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\remcos\\remcos.exe\"" by remcos.exe
  The same Run value (name remcos, data "C:\remcos\remcos.exe") is written under both the user hive and the 32-bit view of HKLM, first by the submitted sample and again by its dropped copy. The HKLM write needs administrative rights, which the sandbox user (Admin) has.
Suspicious use of SetThreadContext (1 IoC)
  PID 1740 (remcos.exe) set thread context of PID 2992 (iexplore.exe)
  Together with the nine WriteProcessMemory events from 1740 into 2992 and the 92KB image later dumped from PID 2992 (see Downloads), this is the process-hollowing pattern: remcos.exe spawns iexplore.exe, overwrites its image, and re-points a thread into the injected code before letting the process run.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Runs ping.exe (1 TTP, 1 IoC)
Suspicious use of SetWindowsHookEx (1 IoC)
  Process: iexplore.exe (PID 2992)
Suspicious use of WriteProcessMemory (21 IoCs)
  PID 516 (Backdoor.exe) wrote to memory of PID 200 (cmd.exe): 3 events
  PID 200 (cmd.exe) wrote to memory of PID 1320 (PING.EXE): 3 events
  PID 200 (cmd.exe) wrote to memory of PID 1740 (remcos.exe): 3 events
  PID 1740 (remcos.exe) wrote to memory of PID 2992 (iexplore.exe): 9 events
  PID 2992 (iexplore.exe) wrote to memory of PID 1840 (cmd.exe): 3 events
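The raw IoC lines the sandbox emits for WriteProcessMemory, SetThreadContext and registry writes are regular enough to parse, and doing so is how the injection chain and the persistence entries above are recovered automatically. The Python below is an added example, not part of the sandbox report: it parses those lines (copied from this report and embedded as constructed input), rebuilds the process lineage, flags any process that both wrote into and re-pointed a thread of the same child as a hollowing candidate, and decodes the Run-key writes into hive, value name, unescaped data and writing process. The parent/child heuristic (the first process that writes into a PID is taken as its parent) is an assumption that happens to match this report's process tree; a production pipeline should take lineage from process-creation events instead.

```python
"""Parse sandbox signature IoC lines into a process tree, flag the
WriteProcessMemory + SetThreadContext pair that marks process hollowing,
and decode the Run-key writes. Added example, not part of the report.
"""
import re
from collections import Counter

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")
RUN_RE = re.compile(r'Set value \(str\) (\\REGISTRY\\\S+?\\Run\\(\S+)) = "(.*)" (\S+)$', re.M)

# Constructed from the Signatures section: the sandbox reported each write
# event on its own line, so the repeats are reproduced here as counts.
WRITE_IOCS = "\n".join(
    ["PID 516 wrote to memory of 200 516 Backdoor.exe cmd.exe"] * 3
    + ["PID 200 wrote to memory of 1320 200 cmd.exe PING.EXE"] * 3
    + ["PID 200 wrote to memory of 1740 200 cmd.exe remcos.exe"] * 3
    + ["PID 1740 wrote to memory of 2992 1740 remcos.exe iexplore.exe"] * 9
    + ["PID 2992 wrote to memory of 1840 2992 iexplore.exe cmd.exe"] * 3
)
CTX_IOCS = "PID 1740 set thread context of 2992 1740 remcos.exe iexplore.exe"
RUN_IOCS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\remcos\\remcos.exe\"" Backdoor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\remcos\\remcos.exe\"" Backdoor.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\remcos\\remcos.exe\"" remcos.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\remcos\\remcos.exe\"" remcos.exe
"""


def parse_writes(text):
    """One (src_pid, dst_pid, src_name, dst_name) tuple per WriteProcessMemory event."""
    return [(int(a), int(b), c, d) for a, b, c, d in WRITE_RE.findall(text)]


def parse_ctx(text):
    """Same shape for SetThreadContext events."""
    return [(int(a), int(b), c, d) for a, b, c, d in CTX_RE.findall(text)]


def build_tree(writes):
    """pid -> (name, parent_pid). Assumption: first writer into a PID is its parent."""
    tree = {}
    for src, dst, src_name, dst_name in writes:
        tree.setdefault(src, (src_name, None))
        tree.setdefault(dst, (dst_name, src))
    return tree


def lineage(tree, pid):
    """Process names from the root down to pid."""
    chain = []
    while pid is not None:
        name, pid = tree[pid]
        chain.append(name)
    return chain[::-1]


def hollowing_candidates(writes, ctx):
    """Parents that both wrote into and re-pointed a thread of the same child.
    Returns (src_pid, dst_pid, src_name, dst_name, number_of_writes)."""
    counts = Counter((s, d) for s, d, _, _ in writes)
    return [(s, d, sn, dn, counts[(s, d)]) for s, d, sn, dn in ctx if (s, d) in counts]


def hive(regpath):
    """Map the native \\REGISTRY\\... prefix to (hive, remainder)."""
    machine = "\\REGISTRY\\MACHINE\\"
    if regpath.startswith(machine):
        return "HKLM", regpath[len(machine):]
    m = re.match(r"\\REGISTRY\\USER\\(S-[\d-]+)\\(.*)", regpath)
    if m:
        return "HKU\\" + m.group(1), m.group(2)
    return "?", regpath


def parse_run_values(text):
    """Decode each Run-key write: hive, subkey, value name, unescaped data, writer."""
    out = []
    for key, name, raw_value, writer in RUN_RE.findall(text):
        h, rest = hive(key)
        subkey = rest.rsplit("\\", 1)[0]  # drop the value name from the path
        value = raw_value.replace('\\"', '"').replace("\\\\", "\\")
        out.append({"hive": h, "subkey": subkey, "name": name, "value": value, "writer": writer})
    return out


if __name__ == "__main__":
    writes, ctx = parse_writes(WRITE_IOCS), parse_ctx(CTX_IOCS)
    tree = build_tree(writes)
    print(" > ".join(lineage(tree, 1840)))
    for s, d, sn, dn, n in hollowing_candidates(writes, ctx):
        print(f"hollowing candidate: {sn}({s}) -> {dn}({d}), {n} writes + SetThreadContext")
    for rv in parse_run_values(RUN_IOCS):
        print(f"{rv['hive']}\\{rv['subkey']}\\{rv['name']} = {rv['value']}  [{rv['writer']}]")
```

The hollowing check deliberately requires both primitives against the same target: a parent writing into a child it just created is routine (cmd.exe does it to PING.EXE here), and SetThreadContext alone is used by debuggers, so only the combination is worth alerting on.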
Processes
PIDs are taken from the signature IoCs above; indentation shows parent/child nesting.
C:\Users\Admin\AppData\Local\Temp\Backdoor.exe (PID 516)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Backdoor.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 200)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 1320)
      Command line: PING 127.0.0.1 -n 2
      - Runs ping.exe
    C:\remcos\remcos.exe (PID 1740)
      Command line: "C:\remcos\remcos.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 2992)
        Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 1840)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uninstall.bat" "
The chain is: the sample writes install.bat and runs it; the batch file pings 127.0.0.1 twice as a roughly one-second delay and then launches the dropped copy C:\remcos\remcos.exe; the copy hollows a 32-bit iexplore.exe, and it is that hollowed process which runs uninstall.bat (presumably removing the original sample from %TEMP%; the batch content is not shown in this report).
Downloads
C:\Users\Admin\AppData\Local\Temp\install.bat
  Filesize: 71B
  MD5: 80872ea3cf9abb62f560745ffa9beec3
  SHA1: eca18379ab1a505c7d762fe3d12ca737d89e1adb
  SHA256: e59cc939e7c948019a7fa687492222eac769c835c3e7338e16480925431d6948
  SHA512: 13e9c37d3f90ee55ef6783dbdff388aae99bbb1dd6bb7807d6e7ee56b496da2093a7bf28396d559a224134c8124caab52a4525a9d15eb46091bd3dc64f43824d
C:\Users\Admin\AppData\Local\Temp\uninstall.bat
  Filesize: 118B
  MD5: f5ccaa15a6b8543e90a34ce7a5cf15e6
  SHA1: 0fb02b806e92683fcaf79631450243653f3d227b
  SHA256: 9d05e11bb9f1d4a1c92215232a5a7afe108b0810ffc0e257773e32c23d56e6ea
  SHA512: 6faca43ab1f19ebd8e47af167841be9b3cddab05c56ed13cae8c169ae482769bf9f460397261b7c6baeeb3ae48c4d05bf0d7d811ddd7f1aa931823e0dec562d5
C:\Users\Admin\AppData\Roaming\remcos\logs.dat
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the digests of zero-length input: the keylog file was created but is empty, which matches keylog_flag = false in the extracted config. Its presence, not its content, is the indicator.
C:\remcos\remcos.exe
  Filesize: 92KB
  MD5: 1ae56ec879a82b9d0b34637cdbb498ef
  SHA1: 523c2d5e3864c0be7593f7cb8d3cc5ef8391eba0
  SHA256: 5abf99b5cb761cf5e1b14a3cf9f0edfff6b932592772aa422e2d1a691fe25432
  SHA512: 4a5d836330d0e3a8451a83b31c9b122f6b0aff27a58ea97f8a07bb9dc22c19835b80e5588957551da645e5c7299193e32945287e709dd8579d30ec89fdb27bf7
  Identical to the submitted Backdoor.exe: the install step copies the sample byte for byte, so the original hashes remain valid for the persisted copy.
memory/2992-9-0x0000000000400000-0x0000000000417000-memory.dmp
  Filesize: 92KB
  Image region dumped from iexplore.exe (PID 2992), the SetThreadContext target. The range 0x400000-0x417000 is 0x17000 bytes (92KB), the same size as the sample, consistent with the sample's image having been written over the hollowed process.