Employing Dynamic Analysis over a live Remcos RAT malware sample to research and develop counter-detection strategies.

I have shifted gears from my always-trusted ELK stack as the central platform to running Splunk as the central platform. This also let me work with Sysmon events alongside, and in contrast with, Elastic EDR events.

This research turned out to be a detailed study, so posting it on GitBook was difficult as it would have become a very long post. I'm using Notion here for its toggle headings, which collapse content into sections that readers can expand according to their interests.


Sample Details

SHA256 hash: 1cc7f88b0947e4e27379b47468dd04595e611c550a0ca50954774e32dffbf9ed
SHA3-384 hash: 6c15badcee575d385f560feb17bcc24f3af70df0f512969988c68bd4dd9233e6642ad7f9eb83f04550f18cff964dec6b
SHA1 hash: 401280fa30cee123234a93bab119a32202bb489a
MD5 hash: 9ea7decd63da70f9139a3595e0b8dbf6
humanhash: timing-carpet-tennis-kansas
File name: 9EA7DECD63DA70F9139A3595E0B8DBF6.exe
Signature: RemcosRAT (alert)
File size: 1'907'712 bytes
First seen: 2023-12-12 03:50:09 UTC
Last seen: Never
File type: exe
MIME type: application/x-dosexec
imphash: 18120d8694719867d338985f43d903b4 (1 x DBatLoader, 1 x RemcosRAT)
ssdeep: 24576:nxCxAUDAImqXeE8oqGQCbPEzbjvy27w/tmQ4Xl+gWeq9X9VxHfg8IitnJ0MNd:nx6VDNXr1+vzw/tmQA+qq/H48htnOM/
Threatray: 24 similar samples on MalwareBazaar
TLSH: T11D95D034A1604C72D23326BC5B2F77D8E8AD7F607914744729E93A4C6F7AE8A3839507
TrID:
  72.9% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
  15.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  3.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  3.6% (.SCR) Windows screen saver (13097/50/3)
  1.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Icon hash: 1b316f96379786ec (1 x DBatLoader, 1 x RemcosRAT)
Reporter abuse_ch

Process Tree Exploration

The query below builds a process tree from Sysmon EventCode 1 (process creation) events: the rex commands strip each Image and ParentImage path down to its file name, the eval commands label every node as "name (pid)", pstree assembles the parent/child chains, and the final search keeps only the tree that contains the sample (renamed to its SHA256 hash). Events mentioning the Elastic agent are excluded with NOT elastic so its own processes do not clutter the tree.

index="win-logs" AND source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 AND NOT elastic
| rex field=ParentImage "\\x5c(?<ParentName>[^\\x5c]+)$"
| rex field=Image "\\x5c(?<ProcessName>[^\\x5c]+)$"
| eval parent = ParentName." (".ParentProcessId.")"
| eval child = ProcessName." (".ProcessId.")"
| eval detail=strftime(_time,"%Y-%m-%d %H:%M:%S")." ".CommandLine
| pstree child=child parent=parent detail=detail spaces=50
| search tree=*1cc7f88b0947e4e27379b47468dd04595e611c550a0ca50954774e32dffbf9ed.exe* 
| table tree

[screenshot: pstree output for the query above]

The same query, pivoted on SndVol.exe so that every tree containing that process is returned:

index="win-logs" AND source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 
| rex field=ParentImage "\\x5c(?<ParentName>[^\\x5c]+)$"
| rex field=Image "\\x5c(?<ProcessName>[^\\x5c]+)$"
| eval parent = ParentName." (".ParentProcessId.")"
| eval child = ProcessName." (".ProcessId.")"
| eval detail=strftime(_time,"%Y-%m-%d %H:%M:%S")." ".CommandLine
| pstree child=child parent=parent detail=detail spaces=50
| search tree=*SndVol.exe*
| table tree
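As an added, runnable illustration of what the two SPL queries above do (this is not code from the post, nor from Splunk or the pstree app), the following Python reconstructs the same "name (pid)" labels from Sysmon EventCode 1 records, renders each tree root-first with the timestamp and command line as detail, and keeps only the trees whose text contains a search term, mirroring `| search tree=*SndVol.exe*`. The event records are constructed for this example: the PIDs, timestamps, paths and parent/child links are invented and do not describe the sample's observed behaviour; only the two file names the queries search for come from the post. The optional `exclude` argument plays the role of the `NOT elastic` filter.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Same idea as the page's rex: capture everything after the last backslash.
BASENAME_RE = re.compile(r"\\([^\\]+)$")

# File name the sample was renamed to in the post (its SHA256 hash).
SAMPLE_NAME = "1cc7f88b0947e4e27379b47468dd04595e611c550a0ca50954774e32dffbf9ed.exe"
SAMPLE_PATH = "C:\\Users\\analyst\\Desktop\\" + SAMPLE_NAME

# Constructed Sysmon EventCode 1 records. PIDs, timestamps and the links between
# processes are invented for illustration only; _time is epoch seconds as in Splunk.
SAMPLE_EVENTS = [
    {"_time": 1702353001, "ProcessId": 900, "ParentProcessId": 700,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"_time": 1702353009, "ProcessId": 4100, "ParentProcessId": 3000,
     "Image": SAMPLE_PATH, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"' + SAMPLE_PATH + '"'},
    {"_time": 1702353015, "ProcessId": 4212, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\SndVol.exe", "ParentImage": SAMPLE_PATH,
     "CommandLine": "SndVol.exe"},
    {"_time": 1702353020, "ProcessId": 4300, "ParentProcessId": 3000,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]


def basename(path):
    """Return the file name after the last backslash (the rex extraction)."""
    m = BASENAME_RE.search(path)
    return m.group(1) if m else path


def label(name, pid):
    """Mirror the SPL eval: 'name (pid)'."""
    return f"{name} ({pid})"


def build_forest(events):
    """Return (children, detail, roots). A parent that never produced its own
    EventCode 1 (e.g. explorer.exe started before Sysmon) becomes a root,
    which is how orphaned parents show up in pstree as well."""
    children = defaultdict(list)
    detail = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        parent = label(basename(ev["ParentImage"]), ev["ParentProcessId"])
        child = label(basename(ev["Image"]), ev["ProcessId"])
        ts = datetime.fromtimestamp(ev["_time"], tz=timezone.utc)
        detail[child] = ts.strftime("%Y-%m-%d %H:%M:%S") + " " + ev["CommandLine"]
        children[parent].append(child)
    seen_as_child = {c for kids in children.values() for c in kids}
    roots = [p for p in children if p not in seen_as_child]
    return children, detail, roots


def render(node, children, detail, depth=0, out=None):
    """Depth-first rendering, one indented line per process, detail appended."""
    if out is None:
        out = []
    line = "    " * depth + node
    if node in detail:
        line += "  " + detail[node]
    out.append(line)
    for kid in children.get(node, []):
        render(kid, children, detail, depth + 1, out)
    return out


def trees_matching(events, needle, exclude=None):
    """Like `| search tree=*needle*`: return the rendered trees that contain
    needle. `exclude` drops events mentioning a term first (the NOT elastic
    filter); matching is case-insensitive, as Splunk's term search is."""
    if exclude:
        term = exclude.lower()
        events = [ev for ev in events
                  if not any(term in str(ev[k]).lower()
                             for k in ("Image", "ParentImage", "CommandLine"))]
    children, detail, roots = build_forest(events)
    trees = ["\n".join(render(r, children, detail)) for r in roots]
    return [t for t in trees if needle in t]


if __name__ == "__main__":
    for tree in trees_matching(SAMPLE_EVENTS, "SndVol.exe"):
        print(tree)
```

Labels combine file name and PID exactly as the SPL does, so over a long log window a reused PID with the same image name would collapse two different processes into one node; if that matters, include the creation time in the label. The `exclude` filter is intentionally coarse, like the query's bare `NOT elastic` term, so check what it removes before trusting a tree that looks too clean.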

[screenshot: pstree output for the SndVol.exe pivot]

Investigation

Traversing the tree to identify other events of interest.