Overview

overview

10

Static

static

10

pacuka.exe

windows7-x64

10

pacuka.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1384s
  • max time network
    1172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 16:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pacuka.exe

  • Size

    92KB

  • MD5

    16653b45d28e26bd88f741bd8e62f7a6

  • SHA1

    1bd612b271d4b010ea4f1cab6658afaa15fac347

  • SHA256

    3aae90682e6e388e729b635380876409c38d7fe52a4581d45778258e8378b795

  • SHA512

    bf12f0f4819af831c3b30e4b826167e7e786c75f429fa1434d2c8495d78c2541bf777b00e2205a4eb7b94fc66b72401753ee693ca802a935dac210f7ca00ba0c

  • SSDEEP

    1536:YhhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP6irT:+hzYTGWVvJ8f2v1TbPzuMsIFSHNThy+9

Score
10/10
remcoshostevasionpersistencerattrojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

185.254.97.15:2404

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    packu.exe

  • copy_folder

    skid

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %SystemDrive%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %WinDir%\System32

  • mouse_option

    false

  • mutex

    rukbdcxfoo

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    Discord

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pacuka.exe
    "C:\Users\Admin\AppData\Local\Temp\pacuka.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3852
    • C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4976
      • C:\Windows\SysWOW64\reg.exe
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • Modifies registry key
        PID:4320
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Windows\SysWOW64\PING.EXE
        PING 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:4284
      • C:\skid\packu.exe
        "C:\skid\packu.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2276
        • C:\Windows\SysWOW64\cmd.exe
          /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4444
          • C:\Windows\SysWOW64\reg.exe
            C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            5⤵
            • UAC bypass
            • Modifies registry key
            PID:3916
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
            PID:2712
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uninstall.bat" "
            4⤵
              PID:3120

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      1
      T1562

      Disable or Modify Tools

      1
      T1562.001

      Modify Registry

      3
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\install.bat
        Filesize

        68B

        MD5

        086c6015cf0c1deb685322e0d160d756

        SHA1

        d5d29e7db31ed1443cdf5d881e66851287c03e87

        SHA256

        10b2265ccd77e0536d3a5652a0532228a38123aee20e6aa01e74db491a356544

        SHA512

        cd5c9ba83f7669130bbfdde8681e0174afe2aed932f9f9cee713c6ce77c6c8fa3aad798235e653b5aafc1779b42fff01bf63497bd6dec2a8b93905f5cd500a7d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\uninstall.bat
        Filesize

        110B

        MD5

        98408dd2e8a07956418230602f43bd55

        SHA1

        6680dd5a2a4466f206568eb1856636b527ea8de1

        SHA256

        df6065623a997a9b0bb357f3e20ded4c62576db800ef016d44f05fe85a48f4c6

        SHA512

        b51f2598179d85cadce02196e5c99d5a3d5e7a6e90495730c0c1ac0d888bc69c1b63495fd17c0a8acd0ad1bd241ca8322de982a42817c5386b1c9511cc0fd976

        Download Submit
      • C:\skid\packu.exe
        Filesize

        92KB

        MD5

        16653b45d28e26bd88f741bd8e62f7a6

        SHA1

        1bd612b271d4b010ea4f1cab6658afaa15fac347

        SHA256

        3aae90682e6e388e729b635380876409c38d7fe52a4581d45778258e8378b795

        SHA512

        bf12f0f4819af831c3b30e4b826167e7e786c75f429fa1434d2c8495d78c2541bf777b00e2205a4eb7b94fc66b72401753ee693ca802a935dac210f7ca00ba0c

        Download Submit