Overview

overview

10

Static

static

1

TNT Origin...DF.exe

windows7-x64

10

TNT Origin...DF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    13-02-2023 09:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TNT Original Invoice PDF.exe

  • Size

    1.0MB

  • MD5

    f64fc1f7c9d03819bd76645aab99be48

  • SHA1

    11513e335fefcc3a302aba54ea5f5911f3290b9d

  • SHA256

    8b6a0f607c8aa32a95838d10b496bdbd68b86a457ef49f8043badb21f5b12b2a

  • SHA512

    5e9ffee587fbb61256b3f531a50c9ec40598a6459f6e2e30d022c84940a7786208a38430cf7a529588ee9be2f23a930d7b87afa6718744a25b26f81c476dc625

  • SSDEEP

    24576:wYXIQ57jS4qoLVNVS9nqi06jz8ajDTEnU6D5RJ:x/5+oxS9nC6rLR6

Score
10/10
hawkeyeremcosremotehostcollectionkeyloggerratspywarestealertrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

51.75.209.245:2406

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-52YOYG

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:556
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kZskrgQLQwU.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1996
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kZskrgQLQwU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEE08.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:992
    • C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1008
      • C:\Windows\SysWOW64\dxdiag.exe
        "C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
        3⤵
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1568
      • C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe
        "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kieetpavglrfdteuyvqpzqviaunfqup"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1548
      • C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe
        "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe" /stext "C:\Users\Admin\AppData\Local\Temp\eexhua"
        3⤵
          PID:2032
        • C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe
          "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe" /stext "C:\Users\Admin\AppData\Local\Temp\eexhua"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1500
        • C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe
          "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe" /stext "C:\Users\Admin\AppData\Local\Temp\uckpthlxutjknzayhglicupzibegrfgugk"
          3⤵
          • Accesses Microsoft Outlook accounts
          PID:316
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x570
      1⤵
        PID:1680

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\kieetpavglrfdteuyvqpzqviaunfqup
        Filesize

        2B

        MD5

        f3b25701fe362ec84616a93a45ce9998

        SHA1

        d62636d8caec13f04e28442a0a6fa1afeb024bbb

        SHA256

        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

        SHA512

        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
        Filesize

        15KB

        MD5

        dde3d3eab18a421655efe17e3785162d

        SHA1

        2b5f762ce16adc19a46ccbb69b828d3516c09785

        SHA256

        74d94dfc910a4dd5ee844fe17b5e9e2889265107aeccc6f5ba28cccf7f7a0e69

        SHA512

        03694151565523e9fa38288ef1a27b18cefd663e11f38f8d368a78090e53f8f21ffb7806b25f2508206b886b1c455184b492777ab4b0c78a9528f0a05282e1c4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpEE08.tmp
        Filesize

        1KB

        MD5

        cab197c8201f0fe1c03cbde06f6db5c0

        SHA1

        0b95667841ea0d7edccdf28b5f5d177c409d2e90

        SHA256

        5bbee9a33a798022c6b8117959686265e813c3be5d2bc7127365e6b2731fc223

        SHA512

        aefddf1c6cb94568f2bd6239096b2d6635d25836ceebe6af7c4363533390e80f25626ff27affdfe1283040f5c09ede875ede1678d29cff459a4c3a5007ba87d8

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
        Filesize

        7KB

        MD5

        fed4e9a17494ef04d2373c327ab5a36c

        SHA1

        260363a025234b5f625a41a775a03393fb493dbe

        SHA256

        857db978284ca0a68965d333977fe87ec003fa811c8e5c349ab315adb2557b70

        SHA512

        028e8bb38e4434588422270906fc72853b0036215d0a8da1d261c9b247293c63d7f8cba0af57ecb1f7954ff6ead695e3b5cc37e1ac7ce0d898d29704c9eb4174

        Download Submit

      • memory/316-111-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/316-108-0x0000000000400000-0x0000000000457000-memory.dmp

        Filesize

        348KB

        Download

      • memory/316-102-0x0000000000455238-mapping.dmp

        Download

      • memory/556-84-0x000000006EA80000-0x000000006F02B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/556-59-0x0000000000000000-mapping.dmp

        Download

      • memory/556-87-0x000000006EA80000-0x000000006F02B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/992-62-0x0000000000000000-mapping.dmp

        Download

      • memory/1008-68-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/1008-112-0x0000000010000000-0x0000000010019000-memory.dmp

        Filesize

        100KB

        Download

      • memory/1008-70-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/1008-72-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/1008-73-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/1008-75-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/1008-74-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/1008-77-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/1008-79-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/1008-80-0x0000000000432C26-mapping.dmp

        Download

      • memory/1008-83-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/1008-67-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/1008-117-0x0000000010000000-0x0000000010019000-memory.dmp

        Filesize

        100KB

        Download

      • memory/1008-86-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/1008-115-0x0000000010000000-0x0000000010019000-memory.dmp

        Filesize

        100KB

        Download

      • memory/1008-116-0x0000000010000000-0x0000000010019000-memory.dmp

        Filesize

        100KB

        Download

      • memory/1008-89-0x0000000000400000-0x000000000047F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/1500-104-0x0000000000422206-mapping.dmp

        Download

      • memory/1500-107-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/1548-100-0x0000000000476274-mapping.dmp

        Download

      • memory/1548-109-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/1548-106-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/1568-93-0x00000000007F0000-0x00000000007FA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1568-97-0x0000000002570000-0x00000000025CC000-memory.dmp

        Filesize

        368KB

        Download

      • memory/1568-99-0x00000000007F0000-0x00000000007FA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1568-92-0x00000000007F0000-0x00000000007FA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1568-95-0x0000000002570000-0x00000000025CC000-memory.dmp

        Filesize

        368KB

        Download

      • memory/1568-90-0x0000000000000000-mapping.dmp

        Download

      • memory/1568-94-0x0000000000820000-0x000000000082A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1568-96-0x0000000002570000-0x00000000025CC000-memory.dmp

        Filesize

        368KB

        Download

      • memory/1996-61-0x0000000000000000-mapping.dmp

        Download

      • memory/1996-85-0x000000006EA80000-0x000000006F02B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1996-88-0x000000006EA80000-0x000000006F02B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2036-54-0x0000000000D00000-0x0000000000E10000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2036-55-0x0000000076651000-0x0000000076653000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2036-56-0x0000000000440000-0x0000000000454000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2036-57-0x00000000004F0000-0x00000000004FC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2036-66-0x0000000005D10000-0x0000000005D8E000-memory.dmp

        Filesize

        504KB

        Download

      • memory/2036-58-0x0000000005830000-0x00000000058F8000-memory.dmp

        Filesize

        800KB

        Download