Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 05-06-2023 14:14

Static task: static1
Behavioral task: behavioral1
  Sample: skihejsene.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: skihejsene.exe
  Resource: win10v2004-20230220-en
General
Target: skihejsene.exe
Size: 426KB
MD5: 3d5c45dfc5e4d5e92519baaa10eef55e
SHA1: 4060970106372cca520182bd6767a372cb1d8881
SHA256: 0b503c9f8f6f4879b48c019d31ac921f11d62ab469aa0fce0ac309aca525cde2
SHA512: a02be1e1b1e3ad70208b781ce6f42e7d61ce275f7330acc834832831a1e7abdb89b06907fe39622649ab1dfa61a6631d147c36b14c7aeaa4dfaf1b671b5a3c8e
SSDEEP: 12288:oSZkNErxea4TdsqFodI6Ck45qnHY4XfoYX:VZ6Eroa4vFNIPb
Malware Config
Extracted family: remcos
RemoteHost: 192.3.223.132:2404
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-JJJLWY
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Guloader, Cloudeye
A shellcode based downloader first seen in 2020.

NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients
Processes:
resource | yara_rule
behavioral1/memory/1468-17131-0x0000000000400000-0x0000000000457000-memory.dmp | MailPassView
behavioral1/memory/1468-17144-0x0000000000400000-0x0000000000457000-memory.dmp | MailPassView

NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
Processes:
resource | yara_rule
behavioral1/memory/1176-17129-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
behavioral1/memory/1176-17126-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
behavioral1/memory/1176-17141-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView

Nirsoft (7 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1176-17129-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral1/memory/1468-17131-0x0000000000400000-0x0000000000457000-memory.dmp | Nirsoft
behavioral1/memory/1176-17126-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral1/memory/1520-17134-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral1/memory/1520-17135-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral1/memory/1176-17141-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral1/memory/1468-17144-0x0000000000400000-0x0000000000457000-memory.dmp | Nirsoft

Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
Processes:
description | ioc | process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | skihejsene.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | skihejsene.exe

Loads dropped DLL (1 IoC)
Processes:
pid | process
1556 | skihejsene.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
Processes:
pid | process
1136 | skihejsene.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
pid | process
1556 | skihejsene.exe
1136 | skihejsene.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes:
description | pid | process | target process
PID 1556 set thread context of 1136 | 1556 | skihejsene.exe | skihejsene.exe
PID 1136 set thread context of 1176 | 1136 | skihejsene.exe | skihejsene.exe
PID 1136 set thread context of 1468 | 1136 | skihejsene.exe | skihejsene.exe
PID 1136 set thread context of 1520 | 1136 | skihejsene.exe | skihejsene.exe

Drops file in Windows directory (2 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\Fonts\Superdatamat18.ini | skihejsene.exe
File opened for modification | C:\Windows\Ruellia\Tilgangsrettighederne\Scranny.Pat | skihejsene.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
1176 | skihejsene.exe
1176 | skihejsene.exe

Suspicious behavior: MapViewOfSection (4 IoCs)
Processes:
pid | process
1556 | skihejsene.exe
1136 | skihejsene.exe
1136 | skihejsene.exe
1136 | skihejsene.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1520 | skihejsene.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid | process
1136 | skihejsene.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
description | pid | process | target process
PID 1556 wrote to memory of 1136 | 1556 | skihejsene.exe | skihejsene.exe
PID 1556 wrote to memory of 1136 | 1556 | skihejsene.exe | skihejsene.exe
PID 1556 wrote to memory of 1136 | 1556 | skihejsene.exe | skihejsene.exe
PID 1556 wrote to memory of 1136 | 1556 | skihejsene.exe | skihejsene.exe
PID 1556 wrote to memory of 1136 | 1556 | skihejsene.exe | skihejsene.exe
PID 1136 wrote to memory of 1176 | 1136 | skihejsene.exe | skihejsene.exe
PID 1136 wrote to memory of 1176 | 1136 | skihejsene.exe | skihejsene.exe
PID 1136 wrote to memory of 1176 | 1136 | skihejsene.exe | skihejsene.exe
PID 1136 wrote to memory of 1176 | 1136 | skihejsene.exe | skihejsene.exe
PID 1136 wrote to memory of 1468 | 1136 | skihejsene.exe | skihejsene.exe
PID 1136 wrote to memory of 1468 | 1136 | skihejsene.exe | skihejsene.exe
PID 1136 wrote to memory of 1468 | 1136 | skihejsene.exe | skihejsene.exe
PID 1136 wrote to memory of 1468 | 1136 | skihejsene.exe | skihejsene.exe
PID 1136 wrote to memory of 1520 | 1136 | skihejsene.exe | skihejsene.exe
PID 1136 wrote to memory of 1520 | 1136 | skihejsene.exe | skihejsene.exe
PID 1136 wrote to memory of 1520 | 1136 | skihejsene.exe | skihejsene.exe
PID 1136 wrote to memory of 1520 | 1136 | skihejsene.exe | skihejsene.exe
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\skihejsene.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\skihejsene.exe"
  - Checks QEMU agent file
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\skihejsene.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\skihejsene.exe"
    - Checks QEMU agent file
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\skihejsene.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\skihejsene.exe /stext "C:\Users\Admin\AppData\Local\Temp\uumncenbiiiqzjacjoyrwvyhta"
      - Suspicious behavior: EnumeratesProcesses

    Depth 3: C:\Users\Admin\AppData\Local\Temp\skihejsene.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\skihejsene.exe /stext "C:\Users\Admin\AppData\Local\Temp\eosfdwyuwqavkqwgsylshzkyugxii"

    Depth 3: C:\Users\Admin\AppData\Local\Temp\skihejsene.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\skihejsene.exe /stext "C:\Users\Admin\AppData\Local\Temp\gixqepiwrysameksbjfmjmfhdngrjiff"
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\remcos\logs.dat
  Filesize: 170B
  MD5: e046f662848ce179c7f890fed3cc3691
  SHA1: eca30063e28060d980721db56cfd35fb06780653
  SHA256: bdfcb8043bb972756ac8c2699b4aad6ceabade35b354e161827672878532b5e0
  SHA512: cb1c7f2e61809303eab18c22216a1b11edbc540a76706641668fd89ed1031c87ce2873025648025abb3bd505a8c04708c1a092b39e6ce6ea08d863f460af7562

C:\Users\Admin\AppData\Local\Temp\uumncenbiiiqzjacjoyrwvyhta
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Windows\Fonts\Superdatamat18.ini
  Filesize: 42B
  MD5: 0efb517a38bad656ca0827dbef67154b
  SHA1: 96c246f8d332e42f17ec5d63f73f319fe0c5fa8a
  SHA256: 2a51482adc1ee0a79bff2a3f5ac2e9e300478856ae83d129aceed76f0354926c
  SHA512: ecea23873e00adbcd2a0a839a6aaaee20bdfc5c72cd22b560564f8e894845a1c840d4d85643f0a3e09a054018273816c4b5d8a41828e3d9a324590d7293e9227

\Users\Admin\AppData\Local\Temp\nsj4B74.tmp\System.dll
  Filesize: 11KB
  MD5: 375e8a08471dc6f85f3828488b1147b3
  SHA1: 1941484ac710fc301a7d31d6f1345e32a21546af
  SHA256: 4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78
  SHA512: 5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8

Memory dumps:
memory/1136-17103-0x0000000000400000-0x0000000001462000-memory.dmp | Filesize: 16.4MB
memory/1136-17102-0x0000000001470000-0x0000000003504000-memory.dmp | Filesize: 32.6MB
memory/1136-17101-0x0000000000400000-0x0000000001462000-memory.dmp | Filesize: 16.4MB
memory/1136-17104-0x0000000001470000-0x0000000003504000-memory.dmp | Filesize: 32.6MB
memory/1136-17105-0x0000000000400000-0x0000000001462000-memory.dmp | Filesize: 16.4MB
memory/1136-17111-0x0000000001470000-0x0000000003504000-memory.dmp | Filesize: 32.6MB
memory/1136-17114-0x0000000000400000-0x0000000001462000-memory.dmp | Filesize: 16.4MB
memory/1136-17118-0x0000000000400000-0x0000000001462000-memory.dmp | Filesize: 16.4MB
memory/1136-17146-0x0000000000400000-0x0000000001462000-memory.dmp | Filesize: 16.4MB
memory/1176-17124-0x0000000000400000-0x0000000000478000-memory.dmp | Filesize: 480KB
memory/1176-17141-0x0000000000400000-0x0000000000478000-memory.dmp | Filesize: 480KB
memory/1176-17121-0x0000000000400000-0x0000000000478000-memory.dmp | Filesize: 480KB
memory/1176-17126-0x0000000000400000-0x0000000000478000-memory.dmp | Filesize: 480KB
memory/1176-17129-0x0000000000400000-0x0000000000478000-memory.dmp | Filesize: 480KB
memory/1468-17131-0x0000000000400000-0x0000000000457000-memory.dmp | Filesize: 348KB
memory/1468-17127-0x0000000000400000-0x0000000000457000-memory.dmp | Filesize: 348KB
memory/1468-17123-0x0000000000400000-0x0000000000457000-memory.dmp | Filesize: 348KB
memory/1468-17144-0x0000000000400000-0x0000000000457000-memory.dmp | Filesize: 348KB
memory/1520-17128-0x0000000000400000-0x0000000000424000-memory.dmp | Filesize: 144KB
memory/1520-17133-0x0000000000400000-0x0000000000424000-memory.dmp | Filesize: 144KB
memory/1520-17134-0x0000000000400000-0x0000000000424000-memory.dmp | Filesize: 144KB
memory/1520-17135-0x0000000000400000-0x0000000000424000-memory.dmp | Filesize: 144KB
memory/1556-17100-0x0000000003B60000-0x0000000005BF4000-memory.dmp | Filesize: 32.6MB
memory/1556-17099-0x0000000003B60000-0x0000000005BF4000-memory.dmp | Filesize: 32.6MB