Analysis
max time kernel: 154s
max time network: 149s
platform: windows10_x64
resource: win10-en-20211208
submitted: 30-01-2022 16:53
Static task: static1
Behavioral task: behavioral1
  Sample: e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe
  Resource: win10-en-20211208
General
Target: e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe
Size: 1023KB
MD5: d748b7636247f497fa69a9b3dac8a1c6
SHA1: d1e73e0fd37aa7494b4b7ce9d5627666994eb3f1
SHA256: e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76
SHA512: 5384be1c8ea45763c42b43bd46b0a9a48cd22b6f17c8cd111aa69093dc31e69c52e3c30bc810e8d118a52c88fe5daa5998b5fe834f6b7d05f808c5959c230e3b
Malware Config
Extracted
  Family: remcos
  Version: 3.3.2 Light
  RemoteHost: 91.243.44.75:1703
  audio_folder: MicRecords
  audio_path: %AppData%
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: remcos.exe
  copy_folder: Remcos
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: false
  install_path: %AppData%
  keylog_crypt: false
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: remcos
  keylog_path: %AppData%
  mouse_option: false
  mutex: Remcos-W5VMG1
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  startup_value: Remcos
  take_screenshot_option: false
  take_screenshot_time: 5
  take_screenshot_title: notepad;solitaire;
Signatures

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  1556  Nostra.exe.com
  3508  Nostra.exe.com
  2108  Nostra.exe.com

Processes:
  resource                                                                       yara_rule
  behavioral2/memory/2108-148-0x0000000000400000-0x0000000000479000-memory.dmp  upx
  behavioral2/memory/2108-151-0x0000000000400000-0x0000000000479000-memory.dmp  upx
  behavioral2/memory/2108-152-0x0000000000400000-0x0000000000479000-memory.dmp  upx

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  - description: Key created
    ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
    process: e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe
  - description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
    process: e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                             pid   process         target process
  PID 3508 set thread context of 2108     3508  Nostra.exe.com  Nostra.exe.com

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of FindShellTrayWindow (6 IoCs)
Processes:
  pid   process
  1556  Nostra.exe.com
  1556  Nostra.exe.com
  1556  Nostra.exe.com
  3508  Nostra.exe.com
  3508  Nostra.exe.com
  3508  Nostra.exe.com

Suspicious use of SendNotifyMessage (6 IoCs)
Processes:
  pid   process
  1556  Nostra.exe.com
  1556  Nostra.exe.com
  1556  Nostra.exe.com
  3508  Nostra.exe.com
  3508  Nostra.exe.com
  3508  Nostra.exe.com

Suspicious use of WriteProcessMemory (26 IoCs)
Processes:
  description                            pid   process                                                                   target process
  PID 3828 wrote to memory of 1340       3828  e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe     rundll32.exe
  PID 3828 wrote to memory of 1340       3828  e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe     rundll32.exe
  PID 3828 wrote to memory of 1340       3828  e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe     rundll32.exe
  PID 3828 wrote to memory of 2024       3828  e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe     cmd.exe
  PID 3828 wrote to memory of 2024       3828  e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe     cmd.exe
  PID 3828 wrote to memory of 2024       3828  e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe     cmd.exe
  PID 2024 wrote to memory of 732        2024  cmd.exe                                                                   cmd.exe
  PID 2024 wrote to memory of 732        2024  cmd.exe                                                                   cmd.exe
  PID 2024 wrote to memory of 732        2024  cmd.exe                                                                   cmd.exe
  PID 732 wrote to memory of 1068        732   cmd.exe                                                                   findstr.exe
  PID 732 wrote to memory of 1068        732   cmd.exe                                                                   findstr.exe
  PID 732 wrote to memory of 1068        732   cmd.exe                                                                   findstr.exe
  PID 732 wrote to memory of 1556        732   cmd.exe                                                                   Nostra.exe.com
  PID 732 wrote to memory of 1556        732   cmd.exe                                                                   Nostra.exe.com
  PID 732 wrote to memory of 1556        732   cmd.exe                                                                   Nostra.exe.com
  PID 732 wrote to memory of 3340        732   cmd.exe                                                                   PING.EXE
  PID 732 wrote to memory of 3340        732   cmd.exe                                                                   PING.EXE
  PID 732 wrote to memory of 3340        732   cmd.exe                                                                   PING.EXE
  PID 1556 wrote to memory of 3508       1556  Nostra.exe.com                                                            Nostra.exe.com
  PID 1556 wrote to memory of 3508       1556  Nostra.exe.com                                                            Nostra.exe.com
  PID 1556 wrote to memory of 3508       1556  Nostra.exe.com                                                            Nostra.exe.com
  PID 3508 wrote to memory of 2108       3508  Nostra.exe.com                                                            Nostra.exe.com
  PID 3508 wrote to memory of 2108       3508  Nostra.exe.com                                                            Nostra.exe.com
  PID 3508 wrote to memory of 2108       3508  Nostra.exe.com                                                            Nostra.exe.com
  PID 3508 wrote to memory of 2108       3508  Nostra.exe.com                                                            Nostra.exe.com
  PID 3508 wrote to memory of 2108       3508  Nostra.exe.com                                                            Nostra.exe.com
Processes
(process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e769d1ecf91ef14b51509807b816b148a9a087da59714947951f7e06735b5c76.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c cmd < Visibile.xlm
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V /R "^gEutgGXWMnXZJmmknvCvUSNFjCbgglMYEvVtVrlOMLVHLAYDxdFoQxivQARLpIICMZcjEcfckNJpWuULDT$" Sei.xlm

      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nostra.exe.com
        Command line: Nostra.exe.com F
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nostra.exe.com
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nostra.exe.com F
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nostra.exe.com
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nostra.exe.com
            - Executes dropped EXE

      C:\Windows\SysWOW64\PING.EXE
        Command line: ping localhost -n 30
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\F
  MD5: 48ea83a3699cebd2dc04d4d76745507d
  SHA1: fb190b131db81e744afee10e0b30147687cea9be
  SHA256: dd2f7076c643461467eb387f12d021af01f6cf8ab21aa6baad38bc3082eaab3e
  SHA512: 6d7f6631d178b52aa24dd945fac711bd88aa42c626f049673914bd4939c1a2dbefb7fdb3888b269bd370b620952b2acda7e686fbf6be224eebd74bd6f77ec382
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nostra.exe.com
  MD5: ce2797f5c8d43d08a41645d706569d22
  SHA1: f8b412bc15829da6e4f16b89112bd67076481424
  SHA256: fa1a71dfe8956425fba11e24423abd6761340a0663a819ada76b854af432b075
  SHA512: ff2ffcacbcacfb970182ed667fc65f319a555e6cac20ffcbe28ba5fe15fca0b4f8896b46ced5e27ae4d0c2ef569d4b54c103f65c2c5e4def748bb5da71899de9
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rimanete.xlm
  MD5: 48ea83a3699cebd2dc04d4d76745507d
  SHA1: fb190b131db81e744afee10e0b30147687cea9be
  SHA256: dd2f7076c643461467eb387f12d021af01f6cf8ab21aa6baad38bc3082eaab3e
  SHA512: 6d7f6631d178b52aa24dd945fac711bd88aa42c626f049673914bd4939c1a2dbefb7fdb3888b269bd370b620952b2acda7e686fbf6be224eebd74bd6f77ec382
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sei.xlm
  MD5: 20317feaeccf25a1c7e3574e1cf21c54
  SHA1: 96bd936939e9d8562332e9ebe94fe508dfa6a32f
  SHA256: 7a9ee9b92ac033f0df8ccd9bbbf762c79951067b969b179b63272760b974ab0c
  SHA512: 9806ddea506b95d7c5b63237442676bed85b7c3903fd5609417dadfb7b0fc86a659f6b7f520131c45c3a83f48c4adc94f45d35c4767e61708bf88cd173ce1ae4
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Visibile.xlm
  MD5: 984186f0c69ca0c120c6e694cbf2f242
  SHA1: b9da4266b777aed105a55337c6c7158163f16214
  SHA256: 8e84d96f11c7a6eb263678ca6ffa18cd0531c4955504391782e2e228aea10bae
  SHA512: f8eeb4bd83cbb928216596a9847b8cfa06135df60d333e265301f30bbc3b74d49f8e58bd37e68bdf2ec797dadc88da562be5cd932a48c3c19d3eefb3f8948d97
- memory/2108-148-0x0000000000400000-0x0000000000479000-memory.dmp
  Filesize: 484KB
- memory/2108-151-0x0000000000400000-0x0000000000479000-memory.dmp
  Filesize: 484KB
- memory/2108-152-0x0000000000400000-0x0000000000479000-memory.dmp
  Filesize: 484KB