Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 05-06-2023 06:00

Static task: static1

Behavioral task: behavioral1
- Sample: 31883190ELECTRICAL.exe
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: 31883190ELECTRICAL.exe
- Resource: win10v2004-20230220-en
General
- Target: 31883190ELECTRICAL.exe
- Size: 586KB
- MD5: fe4416331247444c6c57ea58ad78e1ef
- SHA1: d738112ccfc03f09b5b568e13f34cc02fcd40c73
- SHA256: ecfc23f618cbfb73fb59ffa9041ef8308eee9cd322c612efcf6e09815eba6851
- SHA512: 3cadbedbe829faf961bba5c06b64f7c494aefc9c18079004b28fdb9f58352e79d041b65846b162789cb651c8a636b413d25101407d966337595dbdc07781cdcb
- SSDEEP: 12288:Vc1TtA2C24kq3x/cxZiDsxJbOcSEcCOkGQUgZLvWAWNCmfsujmZGEQEO:Vk+B24kqF7DsxXLPTXvWHMmUujmTQB
Malware Config
Extracted: remcos
- RemoteHost: 155.94.136.161:2404
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-EN47F6
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
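The config above is what a responder actually works from: the C2 endpoint, the mutex, and the folder/file names tell you what to block and what to hunt for on other hosts. The following is an added example of turning those fields into an IOC list and a network rule; it is not part of the sandbox report and is not Remcos or sandbox code. CONFIG_TEXT is constructed from the key/value pairs shown on this page. Two assumptions are labelled in the code: the keylog path is rooted at %ProgramData% because that is where this run wrote logs.dat (see the dropped files below), and `|` as a separator between several C2 endpoints is my assumption for multi-host builds; this sample carries a single host.

```python
"""Turn the extracted Remcos configuration into a hunt/IOC list.

Added example; not part of the sandbox report, not Remcos or sandbox code.
"""
from typing import Dict, List, Optional, Tuple

# Constructed from the "Malware Config" section of this page.
CONFIG_TEXT = """
RemoteHost 155.94.136.161:2404
copy_file remcos.exe
copy_folder Remcos
install_flag false
keylog_file logs.dat
keylog_folder remcos
keylog_flag false
mutex Rmc-EN47F6
screenshot_flag false
screenshot_folder Screenshots
screenshot_path %AppData%
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'key value' lines into a dict (value is everything after the key)."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            key, _, value = line.partition(" ")
            cfg[key] = value.strip()
    return cfg


def parse_remote_hosts(value: str) -> List[Tuple[str, int]]:
    """Split RemoteHost into (host, port) pairs.

    Assumption: several endpoints are separated by '|'. The page shows one.
    """
    hosts: List[Tuple[str, int]] = []
    for item in value.split("|"):
        parts = item.strip().split(":")
        if len(parts) >= 2 and parts[1].isdigit():
            hosts.append((parts[0], int(parts[1])))
    return hosts


def derive_iocs(cfg: Dict[str, str]) -> Dict[str, object]:
    """Artefacts a responder can hunt for, derived only from config fields."""

    def flag(key: str) -> bool:
        return cfg.get(key, "false").lower() == "true"

    files: List[str] = [
        # Assumption: %ProgramData% base, matching the observed
        # C:\ProgramData\remcos\logs.dat drop in this run.
        "%ProgramData%\\" + cfg["keylog_folder"] + "\\" + cfg["keylog_file"],
        cfg["screenshot_path"] + "\\" + cfg["screenshot_folder"],
    ]
    # With install_flag false the binary is not copied to copy_folder\copy_file,
    # so that path is only reported when the flag is set.
    install_copy: Optional[str] = (
        cfg["copy_folder"] + "\\" + cfg["copy_file"] if flag("install_flag") else None
    )
    return {
        "c2": parse_remote_hosts(cfg["RemoteHost"]),
        "mutex": cfg["mutex"],
        "files": files,
        "install_copy": install_copy,
        "keylogging_enabled": flag("keylog_flag"),
        "screenshots_enabled": flag("screenshot_flag"),
    }


def suricata_rule(host: str, port: int, sid: int) -> str:
    """Rule text for the C2 endpoint (alert on outbound TCP to host:port)."""
    return (
        f"alert tcp $HOME_NET any -> {host} {port} "
        f'(msg:"Remcos C2 contact {host}:{port}"; flow:to_server; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    iocs = derive_iocs(parse_config(CONFIG_TEXT))
    for key, value in iocs.items():
        print(f"{key}: {value}")
    for host, port in iocs["c2"]:
        print(suricata_rule(host, port, 9000001))
```

The mutex name (Rmc-EN47F6) is the cheapest host-side check: a running Remcos instance holds it, so an OpenMutex probe or a memory-scan rule keyed on it finds live infections without touching disk. The file paths are for the sweep afterwards.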
Signatures
-
Guloader, Cloudeye
A shellcode based downloader first seen in 2020.
-
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
Processes (resource / yara_rule):
- behavioral1/memory/1932-89-0x0000000000400000-0x0000000000457000-memory.dmp / MailPassView
- behavioral1/memory/1932-99-0x0000000000400000-0x0000000000457000-memory.dmp / MailPassView
- behavioral1/memory/1932-106-0x0000000000400000-0x0000000000457000-memory.dmp / MailPassView
-
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
Processes (resource / yara_rule):
- behavioral1/memory/1200-90-0x0000000000400000-0x0000000000478000-memory.dmp / WebBrowserPassView
- behavioral1/memory/1200-98-0x0000000000400000-0x0000000000478000-memory.dmp / WebBrowserPassView
- behavioral1/memory/1200-101-0x0000000000400000-0x0000000000478000-memory.dmp / WebBrowserPassView
-
Nirsoft 8 IoCs
Processes (resource / yara_rule):
- behavioral1/memory/1932-89-0x0000000000400000-0x0000000000457000-memory.dmp / Nirsoft
- behavioral1/memory/1736-91-0x0000000000400000-0x0000000000424000-memory.dmp / Nirsoft
- behavioral1/memory/1200-90-0x0000000000400000-0x0000000000478000-memory.dmp / Nirsoft
- behavioral1/memory/1736-92-0x0000000000400000-0x0000000000424000-memory.dmp / Nirsoft
- behavioral1/memory/1200-98-0x0000000000400000-0x0000000000478000-memory.dmp / Nirsoft
- behavioral1/memory/1932-99-0x0000000000400000-0x0000000000457000-memory.dmp / Nirsoft
- behavioral1/memory/1200-101-0x0000000000400000-0x0000000000478000-memory.dmp / Nirsoft
- behavioral1/memory/1932-106-0x0000000000400000-0x0000000000457000-memory.dmp / Nirsoft
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes (description / ioc / process):
- File opened (read-only) / C:\Program Files\Qemu-ga\qemu-ga.exe / 31883190ELECTRICAL.exe
- File opened (read-only) / C:\Program Files\Qemu-ga\qemu-ga.exe / 31883190ELECTRICAL.exe
-
Loads dropped DLL 1 IoCs
Processes (pid / process):
- 1400 / 31883190ELECTRICAL.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes (description / ioc / process):
- Key opened / \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts / 31883190ELECTRICAL.exe
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes (pid / process):
- 468 / 31883190ELECTRICAL.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes (pid / process):
- 1400 / 31883190ELECTRICAL.exe
- 468 / 31883190ELECTRICAL.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes (description / pid / process / target process):
- PID 1400 set thread context of 468 / 1400 / 31883190ELECTRICAL.exe / 31883190ELECTRICAL.exe
- PID 468 set thread context of 1200 / 468 / 31883190ELECTRICAL.exe / 31883190ELECTRICAL.exe
- PID 468 set thread context of 1932 / 468 / 31883190ELECTRICAL.exe / 31883190ELECTRICAL.exe
- PID 468 set thread context of 1736 / 468 / 31883190ELECTRICAL.exe / 31883190ELECTRICAL.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (pid / process):
- 1200 / 31883190ELECTRICAL.exe
- 1200 / 31883190ELECTRICAL.exe
-
Suspicious behavior: MapViewOfSection 4 IoCs
Processes (pid / process):
- 1400 / 31883190ELECTRICAL.exe
- 468 / 31883190ELECTRICAL.exe
- 468 / 31883190ELECTRICAL.exe
- 468 / 31883190ELECTRICAL.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege / 1736 / 31883190ELECTRICAL.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid / process):
- 468 / 31883190ELECTRICAL.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes (description / pid / process / target process):
- PID 1400 wrote to memory of 468 / 1400 / 31883190ELECTRICAL.exe / 31883190ELECTRICAL.exe (5 times)
- PID 468 wrote to memory of 1200 / 468 / 31883190ELECTRICAL.exe / 31883190ELECTRICAL.exe (4 times)
- PID 468 wrote to memory of 1932 / 468 / 31883190ELECTRICAL.exe / 31883190ELECTRICAL.exe (4 times)
- PID 468 wrote to memory of 1736 / 468 / 31883190ELECTRICAL.exe / 31883190ELECTRICAL.exe (4 times)
Processes (tree; PIDs taken from the signature tables above)
- Level 1: C:\Users\Admin\AppData\Local\Temp\31883190ELECTRICAL.exe (PID 1400)
  Command line: "C:\Users\Admin\AppData\Local\Temp\31883190ELECTRICAL.exe"
  - Checks QEMU agent file
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\31883190ELECTRICAL.exe (PID 468)
    Command line: "C:\Users\Admin\AppData\Local\Temp\31883190ELECTRICAL.exe"
    - Checks QEMU agent file
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Users\Admin\AppData\Local\Temp\31883190ELECTRICAL.exe (PID 1200)
      Command line: C:\Users\Admin\AppData\Local\Temp\31883190ELECTRICAL.exe /stext "C:\Users\Admin\AppData\Local\Temp\szutracybqywfouxwbpk"
      - Suspicious behavior: EnumeratesProcesses
    - Level 3: C:\Users\Admin\AppData\Local\Temp\31883190ELECTRICAL.exe (PID 1932)
      Command line: C:\Users\Admin\AppData\Local\Temp\31883190ELECTRICAL.exe /stext "C:\Users\Admin\AppData\Local\Temp\ccamssnrpyqbiuijfmcloquh"
      - Accesses Microsoft Outlook accounts
    - Level 3: C:\Users\Admin\AppData\Local\Temp\31883190ELECTRICAL.exe (PID 1736)
      Command line: C:\Users\Admin\AppData\Local\Temp\31883190ELECTRICAL.exe /stext "C:\Users\Admin\AppData\Local\Temp\nwnwslytdgiosaenwxwfzdpyery"
      - Suspicious use of AdjustPrivilegeToken

Every process in the tree is the same image: the loader (PID 1400) spawns a copy of itself and rewrites its thread context (PID 468, the Remcos payload), which in turn spawns three more copies of itself and rewrites each one's context with a NirSoft password-recovery tool (WebBrowserPassView in 1200, MailPassView in 1932, a third NirSoft tool in 1736, per the YARA matches above). The /stext switch names the file each tool writes its recovered credentials to.
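The chain in the tree above is detectable from three facts that any process-level sensor exposes: a parent that spawns its own image and then sets the child's thread context, a command line carrying the NirSoft `/stext` switch, and a read of the QEMU guest-agent binary. The following is an added example of that detection logic; it is not part of the sandbox report and is not the sandbox's own signature engine. The EVENTS list is constructed by hand from this page's process tree and signature tables (PIDs 1400 -> 468 -> 1200/1932/1736); the event field names are my own and match no particular sensor's schema.

```python
"""Detection logic for the hollowing + NirSoft chain shown in the process tree.

Added example; not from the report or the sandbox's signature engine.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

IMG = r"C:\Users\Admin\AppData\Local\Temp\31883190ELECTRICAL.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"


def _proc(pid: int, ppid: int, args: str = "") -> Dict:
    """Constructed process-creation event; same image at every level, as on the page."""
    cmdline = f'"{IMG}"' if not args else IMG + args
    return {"type": "process", "pid": pid, "ppid": ppid, "image": IMG, "cmdline": cmdline}


# Constructed events, ordered as the sandbox tables report them.
EVENTS: List[Dict] = [
    _proc(1400, 1),
    {"type": "file_open", "pid": 1400, "path": r"C:\Program Files\Qemu-ga\qemu-ga.exe"},
    _proc(468, 1400),
    {"type": "set_thread_context", "pid": 1400, "target": 468},
    _proc(1200, 468, f' /stext "{TMP}\\szutracybqywfouxwbpk"'),
    {"type": "set_thread_context", "pid": 468, "target": 1200},
    _proc(1932, 468, f' /stext "{TMP}\\ccamssnrpyqbiuijfmcloquh"'),
    {"type": "set_thread_context", "pid": 468, "target": 1932},
    _proc(1736, 468, f' /stext "{TMP}\\nwnwslytdgiosaenwxwfzdpyery"'),
    {"type": "set_thread_context", "pid": 468, "target": 1736},
]

ANTI_VM_FILES: Set[str] = {r"c:\program files\qemu-ga\qemu-ga.exe"}
STEXT = re.compile(r'/stext\s+"([^"]+)"', re.IGNORECASE)


def detect(events: List[Dict]) -> List[Tuple]:
    """Return (rule, pid, detail) alerts for the three behaviours on this page."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    ctx: Dict[int, Set[int]] = defaultdict(set)  # writer pid -> pids whose context it set
    for e in events:
        if e["type"] == "set_thread_context":
            ctx[e["pid"]].add(e["target"])
    alerts: List[Tuple] = []
    for pid, p in procs.items():
        parent = procs.get(p["ppid"])
        # Rule 1: parent spawns its own image and then rewrites the child's
        # thread context. Self-spawn alone is common (browsers, updaters);
        # paired with SetThreadContext on that child it is the hollowing sequence.
        if (parent and parent["image"].lower() == p["image"].lower()
                and pid in ctx.get(p["ppid"], set())):
            alerts.append(("self_image_hollowing", p["ppid"], pid))
        # Rule 2: NirSoft /stext switch; the argument is where the recovered
        # credentials are written, so it is the first file to collect.
        m = STEXT.search(p["cmdline"])
        if m:
            alerts.append(("nirsoft_stext_dump", pid, m.group(1)))
    for e in events:
        # Rule 3: opening the QEMU guest-agent binary is a VM presence check.
        if e["type"] == "file_open" and e["path"].lower() in ANTI_VM_FILES:
            alerts.append(("qemu_agent_check", e["pid"], e["path"]))
    return alerts


def hollowing_chain(events: List[Dict], pid: int) -> List[int]:
    """Walk up the parents while the image stays the same: [1200, 468, 1400] here."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    chain = [pid]
    while procs.get(procs[chain[-1]]["ppid"], {}).get("image") == procs[pid]["image"]:
        chain.append(procs[chain[-1]]["ppid"])
    return chain


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
    print("chain from 1200:", hollowing_chain(EVENTS, 1200))
```

On this page's events rule 1 fires four times (1400 -> 468, then 468 -> 1200, 1932 and 1736), rule 2 three times and rule 3 once. Rule 1 deliberately requires the SetThreadContext event rather than alerting on self-spawn alone; without that pairing it would be far too noisy on a real fleet. The same-image chain of depth three is itself a strong signal worth scoring on top of the individual alerts.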
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\remcos\logs.dat
  Filesize: 188B
  MD5: 2e6f0e980a572ff136f603de0bce314f
  SHA1: 3e803f797d2f7d0822576bb80ba497be1a12cef1
  SHA256: 32983600614af279e79c92304e223ef36dbc5354c3f1cbc3b7a6ff81032ad8ec
  SHA512: 8c0136e13420fd50126381a97fccf9811e2c9a625c699af35a6638a503c05254c1a95673bd6e89f443ea0ef26d34d4e7b7e7869ef3dba779d8e9cce58f73a7df
- C:\Users\Admin\AppData\Local\Temp\szutracybqywfouxwbpk
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- \Users\Admin\AppData\Local\Temp\nsd2148.tmp\System.dll
  Filesize: 11KB
  MD5: 17ed1c86bd67e78ade4712be48a7d2bd
  SHA1: 1cc9fe86d6d6030b4dae45ecddce5907991c01a0
  SHA256: bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
  SHA512: 0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Memory dumps (resource / filesize):
- memory/468-122-0x0000000000400000-0x0000000001462000-memory.dmp / 16.4MB
- memory/468-130-0x0000000000400000-0x0000000001462000-memory.dmp / 16.4MB
- memory/468-69-0x0000000000400000-0x0000000001462000-memory.dmp / 16.4MB
- memory/468-71-0x0000000001470000-0x00000000040C0000-memory.dmp / 44.3MB
- memory/468-72-0x0000000000400000-0x0000000001462000-memory.dmp / 16.4MB
- memory/468-78-0x0000000001470000-0x00000000040C0000-memory.dmp / 44.3MB
- memory/468-68-0x0000000001470000-0x00000000040C0000-memory.dmp / 44.3MB
- memory/468-115-0x0000000000400000-0x0000000001462000-memory.dmp / 16.4MB
- memory/468-126-0x0000000000400000-0x0000000001462000-memory.dmp / 16.4MB
- memory/468-109-0x0000000033BC0000-0x0000000033BD9000-memory.dmp / 100KB
- memory/468-112-0x0000000033BC0000-0x0000000033BD9000-memory.dmp / 100KB
- memory/468-119-0x0000000000400000-0x0000000001462000-memory.dmp / 16.4MB
- memory/468-67-0x0000000000400000-0x0000000001462000-memory.dmp / 16.4MB
- memory/468-104-0x0000000000400000-0x0000000001462000-memory.dmp / 16.4MB
- memory/468-113-0x0000000033BC0000-0x0000000033BD9000-memory.dmp / 100KB
- memory/1200-80-0x0000000000400000-0x0000000000478000-memory.dmp / 480KB
- memory/1200-98-0x0000000000400000-0x0000000000478000-memory.dmp / 480KB
- memory/1200-90-0x0000000000400000-0x0000000000478000-memory.dmp / 480KB
- memory/1200-101-0x0000000000400000-0x0000000000478000-memory.dmp / 480KB
- memory/1200-86-0x0000000000400000-0x0000000000478000-memory.dmp / 480KB
- memory/1400-65-0x00000000027A0000-0x00000000053F0000-memory.dmp / 44.3MB
- memory/1400-66-0x00000000027A0000-0x00000000053F0000-memory.dmp / 44.3MB
- memory/1736-91-0x0000000000400000-0x0000000000424000-memory.dmp / 144KB
- memory/1736-92-0x0000000000400000-0x0000000000424000-memory.dmp / 144KB
- memory/1736-87-0x0000000000400000-0x0000000000424000-memory.dmp / 144KB
- memory/1736-84-0x0000000000400000-0x0000000000424000-memory.dmp / 144KB
- memory/1932-106-0x0000000000400000-0x0000000000457000-memory.dmp / 348KB
- memory/1932-99-0x0000000000400000-0x0000000000457000-memory.dmp / 348KB
- memory/1932-89-0x0000000000400000-0x0000000000457000-memory.dmp / 348KB
- memory/1932-88-0x0000000000400000-0x0000000000457000-memory.dmp / 348KB
- memory/1932-82-0x0000000000400000-0x0000000000457000-memory.dmp / 348KB