Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
30/05/2023, 07:31
Static task
static1
Behavioral task
behavioral1
Sample
d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe
Resource
win10-20230220-en
General
-
Target
d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe
-
Size
1.6MB
-
MD5
993d95f1880cbd2145649f02734b2a94
-
SHA1
fb7b09cf220a19c469b829cb9e856846c924d798
-
SHA256
d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486
-
SHA512
22efe749f49a32f74a0d549c7f5545fd30d4ef93f008eebd30fe87ae52aefe6cd4caf850d0943fa666274d42281be62cd1574ae0f1b5b7e41fc9a54599a1838f
-
SSDEEP
24576:VJWtmlFiP20Rcc3A0BbqzYRTTTAQvLn8AsVZZhLVEwLwNZ/62cZgbLjVxw:zWMlAP2SpA0BbqStvoAq59w3D
Malware Config
Extracted
remcos
RemoteHost
pekonomia.duckdns.org:30861
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-B0VP4N
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2468 set thread context of 4608 2468 d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe 68 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 3164 powershell.exe 3164 powershell.exe 3164 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3164 powershell.exe Token: SeDebugPrivilege 2468 d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2468 wrote to memory of 3164 2468 d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe 66 PID 2468 wrote to memory of 3164 2468 d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe 66 PID 2468 wrote to memory of 3164 2468 d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe 66 PID 2468 wrote to memory of 4608 2468 d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe 68 PID 2468 wrote to memory of 4608 2468 d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe 68 PID 2468 wrote to memory of 4608 2468 d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe 68 PID 2468 wrote to memory of 4608 2468 d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe 68 PID 2468 wrote to memory of 4608 2468 d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe 68 PID 2468 wrote to memory of 4608 2468 d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe 68 PID 2468 wrote to memory of 4608 2468 d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe 68 PID 2468 wrote to memory of 4608 2468 d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe 68 PID 2468 wrote to memory of 4608 2468 d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe 68 PID 2468 wrote to memory of 4608 2468 d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe 68 PID 2468 wrote to memory of 4608 2468 d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe 68 PID 2468 wrote to memory of 4608 2468 d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe 68
Processes
-
C:\Users\Admin\AppData\Local\Temp\d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe"C:\Users\Admin\AppData\Local\Temp\d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3164
-
-
C:\Users\Admin\AppData\Local\Temp\d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exeC:\Users\Admin\AppData\Local\Temp\d1bf519ef2239d318f3252c8cdf5d4ee96b37473d58e80098724e0837c00e486.exe2⤵PID:4608
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a