Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-06-2023 14:14
Static task: static1
Behavioral task: behavioral1 (Sample: skihejsene.exe; Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: skihejsene.exe; Resource: win10v2004-20230220-en)
General
- Target: skihejsene.exe
- Size: 426KB
- MD5: 3d5c45dfc5e4d5e92519baaa10eef55e
- SHA1: 4060970106372cca520182bd6767a372cb1d8881
- SHA256: 0b503c9f8f6f4879b48c019d31ac921f11d62ab469aa0fce0ac309aca525cde2
- SHA512: a02be1e1b1e3ad70208b781ce6f42e7d61ce275f7330acc834832831a1e7abdb89b06907fe39622649ab1dfa61a6631d147c36b14c7aeaa4dfaf1b671b5a3c8e
- SSDEEP: 12288:oSZkNErxea4TdsqFodI6Ck45qnHY4XfoYX:VZ6Eroa4vFNIPb
Malware Config
Extracted: remcos
- RemoteHost: 192.3.223.132:2404
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-JJJLWY
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks for the presence of the QEMU guest agent, possibly to detect virtualization.
  Processes (description, IoC, process):
    File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe (skihejsene.exe)
    File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe (skihejsene.exe; one hit in each of the two skihejsene.exe processes, see Processes)
- Loads dropped DLL (1 IoC)
  Processes: PID 4628 skihejsene.exe
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  Processes: PID 1760 skihejsene.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: PID 4628 skihejsene.exe; PID 1760 skihejsene.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 4628 (skihejsene.exe) set thread context of PID 1760 (skihejsene.exe)
- Drops file in Windows directory (2 IoCs)
  Processes (description, IoC, process):
    File opened for modification: C:\Windows\Fonts\Superdatamat18.ini (skihejsene.exe)
    File opened for modification: C:\Windows\Ruellia\Tilgangsrettighederne\Scranny.Pat (skihejsene.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: PID 4628 skihejsene.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PID 1760 skihejsene.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 4628 (skihejsene.exe) wrote to memory of PID 1760 (skihejsene.exe), recorded 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\skihejsene.exe, command line "C:\Users\Admin\AppData\Local\Temp\skihejsene.exe" (PID 4628, per the signature tables)
  - Checks QEMU agent file
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\skihejsene.exe, command line "C:\Users\Admin\AppData\Local\Temp\skihejsene.exe" (child process, PID 1760, per the signature tables)
    - Checks QEMU agent file
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
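The extracted configuration above yields a concrete indicator set (C2 192.3.223.132:2404, mutex Rmc-JJJLWY, keylog file logs.dat in the remcos folder), and the signature tables record the injection chain (PID 4628 writes into, and sets the thread context of, PID 1760, a second instance of the same image) plus the probe for C:\Program Files\Qemu-ga\qemu-ga.exe. Two details matter before turning these into detections: install_flag is false and no copied remcos.exe appears among the dropped files, so copy_file and startup_value describe persistence this run did not perform; and logs.dat was still written (170 bytes, under C:\ProgramData\remcos) even though keylog_flag is false, so that file is worth hunting for regardless of the flag. The Python below is an added example, not code from Triage, from Remcos, or from this report: it derives indicators from the extracted config and runs them over a small set of constructed Sysmon-style event records. The event and field names and the benign noise entries are assumptions made for the example; the PIDs, paths, mutex and C2 address are the report's.

```python
"""Indicators from this report turned into simple detection logic.

Added example: not code from the report, Triage, or Remcos. Config values,
PIDs, paths and the C2 address are copied from the report; the event records
below are constructed, Sysmon-style telemetry, not output of the sandbox run.
"""
from __future__ import annotations

# Copied from the "Malware Config" section.
REMCOS_CONFIG = {
    "RemoteHost": "192.3.223.132:2404",
    "mutex": "Rmc-JJJLWY",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "copy_file": "remcos.exe",
    "copy_folder": "Remcos",
    "startup_value": "Remcos",
    "install_flag": "false",
    "keylog_flag": "false",
}

# Path probed by both processes, from the "Checks QEMU agent file" signature.
QEMU_AGENT_PATH = r"c:\program files\qemu-ga\qemu-ga.exe"

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\skihejsene.exe"


def derive_iocs(cfg: dict) -> dict:
    """Resolve config fields into concrete, comparable indicators.

    keylog_folder is resolved under C:\\ProgramData because that is where the
    report's "Downloads" list shows logs.dat being written (an assumption for
    other samples). Paths are lower-cased so comparisons are case-insensitive,
    as NTFS paths are.
    """
    host, port = cfg["RemoteHost"].rsplit(":", 1)
    keylog_path = "\\".join(["c:", "programdata", cfg["keylog_folder"], cfg["keylog_file"]])
    return {
        "c2_host": host,
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        "keylog_path": keylog_path.lower(),
        "copy_file": cfg["copy_file"].lower(),  # file name only; install_flag is false here
        "run_value": cfg["startup_value"],
    }


def match_events(events: list[dict], iocs: dict) -> list[tuple[str, int]]:
    """Return sorted, de-duplicated (rule, pid) pairs for records hitting an indicator.

    Rules follow the report's signatures:
      remcos_c2            outbound connection to RemoteHost (IP and port)
      remcos_keylog_file   creation of the keylog file
      remcos_install_copy  creation of a file named copy_file (absent in this run)
      remcos_mutex         the configured mutex name
      qemu_agent_probe     a non-QEMU process opening the QEMU guest agent binary
      self_injection       WriteProcessMemory or SetThreadContext into another
                           PID that runs the same image (4628 -> 1760 here)
    """
    hits: set[tuple[str, int]] = set()
    for ev in events:
        kind, pid = ev["event"], ev["pid"]
        if kind == "NetworkConnect":
            if ev["dst_ip"] == iocs["c2_host"] and ev["dst_port"] == iocs["c2_port"]:
                hits.add(("remcos_c2", pid))
        elif kind == "FileCreate":
            path = ev["path"].lower()
            if path == iocs["keylog_path"]:
                hits.add(("remcos_keylog_file", pid))
            elif path.rsplit("\\", 1)[-1] == iocs["copy_file"]:
                hits.add(("remcos_install_copy", pid))
        elif kind == "FileOpen":
            opener_is_agent = ev["image"].lower().endswith("qemu-ga.exe")
            if ev["path"].lower() == QEMU_AGENT_PATH and not opener_is_agent:
                hits.add(("qemu_agent_probe", pid))
        elif kind == "MutexCreate":
            if ev["name"] == iocs["mutex"]:
                hits.add(("remcos_mutex", pid))
        elif kind in ("WriteProcessMemory", "SetThreadContext"):
            same_image = ev["image"].lower() == ev["target_image"].lower()
            if same_image and ev["target_pid"] != pid:
                hits.add(("self_injection", pid))
    return sorted(hits)


# Constructed telemetry (not from the sandbox). Field names are an assumption
# loosely modelled on Sysmon event types; PIDs and paths follow the report.
SAMPLE_EVENTS = [
    {"event": "FileOpen", "pid": 4628, "image": SAMPLE,
     "path": r"C:\Program Files\Qemu-ga\qemu-ga.exe"},
    {"event": "WriteProcessMemory", "pid": 4628, "image": SAMPLE,
     "target_pid": 1760, "target_image": SAMPLE},
    {"event": "SetThreadContext", "pid": 4628, "image": SAMPLE,
     "target_pid": 1760, "target_image": SAMPLE},
    {"event": "MutexCreate", "pid": 1760, "image": SAMPLE, "name": "Rmc-JJJLWY"},
    {"event": "NetworkConnect", "pid": 1760, "image": SAMPLE,
     "dst_ip": "192.3.223.132", "dst_port": 2404},
    {"event": "FileCreate", "pid": 1760, "image": SAMPLE,
     "path": r"C:\ProgramData\remcos\logs.dat"},
    # Noise that must not match: the C2 IP on another port (widen the rule to
    # IP-only if you want it), a process writing its own memory, and the
    # agent itself opening its binary.
    {"event": "NetworkConnect", "pid": 3012,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "192.3.223.132", "dst_port": 443},
    {"event": "WriteProcessMemory", "pid": 4628, "image": SAMPLE,
     "target_pid": 4628, "target_image": SAMPLE},
    {"event": "FileOpen", "pid": 880, "image": r"C:\Program Files\Qemu-ga\qemu-ga.exe",
     "path": r"C:\Program Files\Qemu-ga\qemu-ga.exe"},
]


if __name__ == "__main__":
    for rule, pid in match_events(SAMPLE_EVENTS, derive_iocs(REMCOS_CONFIG)):
        print(f"{rule:22} pid={pid}")
```

The self_injection rule is deliberately generic: it fires on any cross-process memory write or thread-context change where source and target run the same image, which is the pattern recorded here (the parent skihejsene.exe hollowing a child copy of itself). Legitimate software that uses same-image worker processes can trip it, so in production it belongs behind an allow list rather than being dropped.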
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\remcos\logs.dat
  Filesize: 170B
  MD5: 086a38fef526a3d685b1dc6213e0381f
  SHA1: b701fb7e881c1d5ba1aebae1c667e2ff6d84b608
  SHA256: 00688574f256be10740f6597d57b68f2b4c8221a01545097f6efa256b9706926
  SHA512: d88af639d4b678693081628110ed2195d3252b39b9eefd2907546d5d4275cf286d72d53652f951a8ef8378792a7bed437e05d99c3e262704599efba7519e2206
- C:\Users\Admin\AppData\Local\Temp\nsp87B4.tmp\System.dll (the NSIS System plugin, unpacked to the installer's ns*.tmp directory)
  Filesize: 11KB
  MD5: 375e8a08471dc6f85f3828488b1147b3
  SHA1: 1941484ac710fc301a7d31d6f1345e32a21546af
  SHA256: 4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78
  SHA512: 5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8
- C:\Windows\Fonts\Superdatamat18.ini
  Filesize: 42B
  MD5: 0efb517a38bad656ca0827dbef67154b
  SHA1: 96c246f8d332e42f17ec5d63f73f319fe0c5fa8a
  SHA256: 2a51482adc1ee0a79bff2a3f5ac2e9e300478856ae83d129aceed76f0354926c
  SHA512: ecea23873e00adbcd2a0a839a6aaaee20bdfc5c72cd22b560564f8e894845a1c840d4d85643f0a3e09a054018273816c4b5d8a41828e3d9a324590d7293e9227
- memory/1760-17179-0x0000000000400000-0x0000000001654000-memory.dmp (Filesize: 18.3MB)
- memory/1760-17191-0x0000000000400000-0x0000000001654000-memory.dmp (Filesize: 18.3MB)
- memory/1760-17180-0x0000000001660000-0x00000000036F4000-memory.dmp (Filesize: 32.6MB)
- memory/1760-17181-0x0000000000400000-0x0000000001654000-memory.dmp (Filesize: 18.3MB)
- memory/1760-17185-0x0000000001660000-0x00000000036F4000-memory.dmp (Filesize: 32.6MB)
- memory/1760-17186-0x0000000000400000-0x0000000001654000-memory.dmp (Filesize: 18.3MB)
- memory/1760-17188-0x0000000001660000-0x00000000036F4000-memory.dmp (Filesize: 32.6MB)
- memory/1760-17206-0x0000000000400000-0x0000000001654000-memory.dmp (Filesize: 18.3MB)
- memory/1760-17194-0x0000000000400000-0x0000000001654000-memory.dmp (Filesize: 18.3MB)
- memory/1760-17203-0x0000000000400000-0x0000000001654000-memory.dmp (Filesize: 18.3MB)
- memory/1760-17197-0x0000000000400000-0x0000000001654000-memory.dmp (Filesize: 18.3MB)
- memory/1760-17200-0x0000000000400000-0x0000000001654000-memory.dmp (Filesize: 18.3MB)
- memory/4628-17177-0x00000000051C0000-0x0000000007254000-memory.dmp (Filesize: 32.6MB)
- memory/4628-17178-0x00000000051C0000-0x0000000007254000-memory.dmp (Filesize: 32.6MB)