Analysis
- max time kernel: 151s
- max time network: 164s
- submitted: 01-01-1970 00:00
- Static task: static1
- Behavioral task: behavioral1
- Sample: INVOICE 20211027.exe
- Resource: win7-en-20211014
General
- Target: INVOICE 20211027.exe
- Size: 1.3MB
- MD5: 52687110c85e1388c85a91e500a61ec9
- SHA1: 756f0a1483b7eecdb5b70eb818f5fd569915a334
- SHA256: 80db712c33ffbe9dc0a8a844a8c0e7dcd406db8b6b5d2955c8e60a6395e4f539
- SHA512: e73e3d7f1a7dcd8550f746e9429ddf99fac94ac9ca25e979430242cef7361ad4b3023d3ee6ce85dc8acec89d70c5e35e717f6f3dd6085fafa73f3a54142831bd
Malware Config
Extracted
- Family: remcos
- Version: 3.3.0 Pro
- Botnet: zara stub
- C2: 185.140.53.178:2404
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-3B07AK
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: notepad;solitaire;
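The C2 address, botnet name and option flags above are what the sandbox decoded from the payload's embedded settings. The decoder below is an added example (it is not Triage's extractor and not Remcos code) that reproduces that step under the commonly documented Remcos 3.x layout: an RC4-encrypted resource named SETTINGS whose first byte is the key length, followed by the key and then the ciphertext, with plaintext fields separated by the byte string "|\x1e\x1e\x1f|", the C2 list (host:port:password, several entries separated by \x1f) in the first field and the botnet name in the second. That layout, the RC4 key used for the sample blob and the password value are assumptions of the example; the report does not show the raw resource. On a real sample the input would be the SETTINGS resource carved from the payload, and the likeliest place to find that payload here is the 0x400000 region dumped from PID 1908, since that is the process the dropper wrote into.

```python
"""Remcos 3.x settings decoder (added example, not the report's or Remcos's code).

Assumed layout (commonly documented, not confirmed by the report): the SETTINGS
resource is  <key_len:1 byte><key><rc4(key, plaintext)>  and the plaintext is a
list of fields joined by FIELD_SEP, C2 list first, botnet name second.
"""
from typing import Dict, List

FIELD_SEP = b"|\x1e\x1e\x1f|"   # separates config fields
HOST_SEP = b"\x1f"              # separates several C2 entries in field 0


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_settings(blob: bytes) -> bytes:
    """Split a SETTINGS blob into key-length byte, key and ciphertext, then decrypt."""
    if not blob:
        raise ValueError("empty SETTINGS blob")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("implausible key length %d" % key_len)
    key, ciphertext = blob[1:1 + key_len], blob[1 + key_len:]
    return rc4(key, ciphertext)


def parse_config(plaintext: bytes) -> Dict[str, object]:
    """Turn the decrypted field list into C2 entries, botnet name and raw fields."""
    fields = plaintext.split(FIELD_SEP)
    if len(fields) < 2 or not fields[0]:
        raise ValueError("plaintext does not look like a Remcos settings block")
    c2: List[Dict[str, object]] = []
    for entry in fields[0].split(HOST_SEP):
        if not entry:
            continue
        parts = entry.decode("latin-1").split(":")
        if len(parts) < 2 or not parts[1].isdigit():
            raise ValueError("malformed C2 entry %r" % entry)
        # Anything after host:port is treated as the password; it may itself contain ':'.
        c2.append({"host": parts[0], "port": int(parts[1]), "password": ":".join(parts[2:])})
    return {
        "c2": c2,
        "botnet": fields[1].decode("latin-1"),
        "raw_fields": [f.decode("latin-1", "replace") for f in fields],
    }


def extract(blob: bytes) -> Dict[str, object]:
    return parse_config(decrypt_settings(blob))


def build_sample_blob() -> bytes:
    """Constructed test input using the report's C2 and botnet name.

    The key and the password value are made up for the example; the report shows
    neither, and the third field is only a placeholder for the options that follow.
    """
    plaintext = FIELD_SEP.join([b"185.140.53.178:2404:pass", b"zara stub", b"1"])
    key = b"example-rc4-key"   # assumed; a real sample carries its own key in the resource
    return bytes([len(key)]) + key + rc4(key, plaintext)


if __name__ == "__main__":
    cfg = extract(build_sample_blob())
    print(cfg["c2"], cfg["botnet"])
```

The key-length check matters on real input: a resource that was not decrypted (or a dump that cut the resource short) gives a nonsense first byte, and failing early there is cheaper than chasing garbage C2 strings downstream.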
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 1908 AddInProcess32.exe
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Resource: behavioral2/memory/2856-120-0x0000000006580000-0x00000000065A1000-memory.dmp (YARA rule: agile_net)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2856 (INVOICE 20211027.exe) set thread context of PID 1908 (AddInProcess32.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2856 INVOICE 20211027.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 2856 INVOICE 20211027.exe: Token SeDebugPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2856 (INVOICE 20211027.exe) wrote to memory of PID 1908 (AddInProcess32.exe), 12 events
Processes
1. "C:\Users\Admin\AppData\Local\Temp\INVOICE 20211027.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe" (child of 1)
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  MD5: 6a673bfc3b67ae9782cb31af2f234c68
  SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
  SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
  SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
- memory/1908-127-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
- memory/1908-130-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
- memory/1908-128-0x000000000042FC39-mapping.dmp
- memory/2856-122-0x00000000065E0000-0x00000000065E1000-memory.dmp (4KB)
- memory/2856-121-0x0000000006620000-0x0000000006621000-memory.dmp (4KB)
- memory/2856-115-0x0000000000A30000-0x0000000000A31000-memory.dmp (4KB)
- memory/2856-123-0x0000000005350000-0x000000000584E000-memory.dmp (5.0MB)
- memory/2856-124-0x0000000005350000-0x000000000584E000-memory.dmp (5.0MB)
- memory/2856-125-0x0000000006850000-0x000000000685B000-memory.dmp (44KB)
- memory/2856-126-0x0000000009960000-0x0000000009961000-memory.dmp (4KB)
- memory/2856-120-0x0000000006580000-0x00000000065A1000-memory.dmp (132KB)
- memory/2856-119-0x0000000005490000-0x0000000005491000-memory.dmp (4KB)
- memory/2856-118-0x00000000053F0000-0x00000000053F1000-memory.dmp (4KB)
- memory/2856-117-0x0000000005850000-0x0000000005851000-memory.dmp (4KB)