Analysis
- max time kernel: 599s
- max time network: 600s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 01-07-2024 13:48

Behavioral task: behavioral1
- Sample: unpacker.exe
- Resource: win10-20240404-en
General
- Target: unpacker.exe
- Size: 92KB
- MD5: 1ae56ec879a82b9d0b34637cdbb498ef
- SHA1: 523c2d5e3864c0be7593f7cb8d3cc5ef8391eba0
- SHA256: 5abf99b5cb761cf5e1b14a3cf9f0edfff6b932592772aa422e2d1a691fe25432
- SHA512: 4a5d836330d0e3a8451a83b31c9b122f6b0aff27a58ea97f8a07bb9dc22c19835b80e5588957551da645e5c7299193e32945287e709dd8579d30ec89fdb27bf7
- SSDEEP: 1536:ohhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP6XrE:uhzYTGWVvJ8f2v1TbPzuMsIFSHNThy+D
Malware Config
Extracted: remcos 1.7 Pro
- Host: 185.254.97.15:2404
- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: remcos
- delete_file: false
- hide_file: true
- hide_keylog_file: true
- install_flag: true
- install_path: %SystemDrive%
- keylog_crypt: true
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: remcos_rukbdcxfoo
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screens
- screenshot_path: %AppData%
- screenshot_time: 1
- startup_value: remcos
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Executes dropped EXE (1 IoC)
  Processes: remcos.exe (PID 788)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: unpacker.exe, remcos.exe
  - unpacker.exe: Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\remcos\\remcos.exe\""
  - unpacker.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\remcos\\remcos.exe\""
  - remcos.exe: Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\remcos\\remcos.exe\""
  - remcos.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\remcos\\remcos.exe\""
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: remcos.exe (PID 788)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: remcos.exe (PID 788)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: unpacker.exe, cmd.exe, remcos.exe
  - PID 4704 (unpacker.exe) wrote to memory of PID 4804 (cmd.exe), 3 events
  - PID 4804 (cmd.exe) wrote to memory of PID 3836 (PING.EXE), 3 events
  - PID 4804 (cmd.exe) wrote to memory of PID 788 (remcos.exe), 3 events
  - PID 788 (remcos.exe) wrote to memory of PID 3640 (iexplore.exe), 3 events
Processes (indented by process-tree depth)
- C:\Users\Admin\AppData\Local\Temp\unpacker.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\unpacker.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: PING 127.0.0.1 -n 2
      - Runs ping.exe
    - C:\remcos\remcos.exe (depth 3)
      Command line: "C:\remcos\remcos.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\iexplore.exe (depth 4)
        Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.bat
  Filesize: 71B
  MD5: 80872ea3cf9abb62f560745ffa9beec3
  SHA1: eca18379ab1a505c7d762fe3d12ca737d89e1adb
  SHA256: e59cc939e7c948019a7fa687492222eac769c835c3e7338e16480925431d6948
  SHA512: 13e9c37d3f90ee55ef6783dbdff388aae99bbb1dd6bb7807d6e7ee56b496da2093a7bf28396d559a224134c8124caab52a4525a9d15eb46091bd3dc64f43824d
- C:\Users\Admin\AppData\Roaming\remcos\logs.dat (no filesize reported; the hashes below are those of a zero-byte file, consistent with keylog_flag being false in the extracted config)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\remcos\remcos.exe (hashes identical to the submitted unpacker.exe, i.e. the sample copied itself to install_path)
  Filesize: 92KB
  MD5: 1ae56ec879a82b9d0b34637cdbb498ef
  SHA1: 523c2d5e3864c0be7593f7cb8d3cc5ef8391eba0
  SHA256: 5abf99b5cb761cf5e1b14a3cf9f0edfff6b932592772aa422e2d1a691fe25432
  SHA512: 4a5d836330d0e3a8451a83b31c9b122f6b0aff27a58ea97f8a07bb9dc22c19835b80e5588957551da645e5c7299193e32945287e709dd8579d30ec89fdb27bf7