Analysis
-
max time kernel
104s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system -
submitted
06-06-2023 15:43
Static task
static1
Behavioral task
behavioral1
Sample
07264199.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
07264199.exe
Resource
win10v2004-20230220-en
General
-
Target
07264199.exe
-
Size
363KB
-
MD5
dee45488657ddf8345c2e3b06d7bd97a
-
SHA1
c732e1f57bbd4df5eb074adf0ade814ba0b2ecff
-
SHA256
edb595193fc312592db36cf49e9e32757868f4a10419c4ce9a89f63478bf1b1d
-
SHA512
e6ed07d586b79f034b6e1af1779e17766cd155d6a01c97947f5a094c4d01636fd4a47122cb6c14a70c17c14448b27f2869b3e74ffb0b5fc3918404410f257d66
-
SSDEEP
6144:XIw3EwpCUJ3ATRD/opXz3ekXEV7vQ8z7M4+NSMT2DTpGu47G:2UJQ5Gz/UV7I8z7za2Xpr
Malware Config
Extracted
remcos
SowetoHost
soweto24.sytes.net:2098
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
scs.exe
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Rmc-3QH5OR
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes:
07264199.exe, 07264199.exe
description | ioc | process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | 07264199.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | 07264199.exe
-
Loads dropped DLL 2 IoCs
Processes:
07264199.exe
pid | process
2120 | 07264199.exe
2120 | 07264199.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
07264199.exe
pid | process
3416 | 07264199.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
07264199.exe, 07264199.exe
pid | process
2120 | 07264199.exe
3416 | 07264199.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
07264199.exe
description | pid | process | target process
PID 2120 set thread context of 3416 | 2120 | 07264199.exe | 07264199.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid | pid_target | process | target process
3748 | 3416 | WerFault.exe | 07264199.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
07264199.exe
pid | process
2120 | 07264199.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
07264199.exe
description | pid | process | target process
PID 2120 wrote to memory of 3416 | 2120 | 07264199.exe | 07264199.exe
PID 2120 wrote to memory of 3416 | 2120 | 07264199.exe | 07264199.exe
PID 2120 wrote to memory of 3416 | 2120 | 07264199.exe | 07264199.exe
PID 2120 wrote to memory of 3416 | 2120 | 07264199.exe | 07264199.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\07264199.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\07264199.exe"
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Local\Temp\07264199.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\07264199.exe"
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
Level 3: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1792
- Program crash
-
Level 1: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3416 -ip 3416
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nse793E.tmp\System.dll
Filesize
11KB
MD5
8b3830b9dbf87f84ddd3b26645fed3a0
SHA1
223bef1f19e644a610a0877d01eadc9e28299509
SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Imidazolyl.ini
Filesize
37B
MD5
2e6676d90bd2ad7fc51ad7aa5d517779
SHA1
b29f0d8b7a05e60821fd3947597a51c2958de40b
SHA256
19c6bfa0180b3b10165d73c608ede7ae408840ce09edbcf77b23626e452f2106
SHA512
10eed25590e731b492f0cb875dd7bbad1ffb46726398abc3121b573d9d56c03e643abb049ff8f83319422a39edf0577ea68f31ce2f6e31fdca398e5e6ae9b10b
-
memory/2120-149-0x0000000003330000-0x0000000004604000-memory.dmp
Filesize
18.8MB
-
memory/2120-150-0x0000000003330000-0x0000000004604000-memory.dmp
Filesize
18.8MB
-
memory/3416-151-0x0000000000400000-0x0000000001654000-memory.dmp
Filesize
18.3MB
-
memory/3416-152-0x0000000001660000-0x0000000002934000-memory.dmp
Filesize
18.8MB
-
memory/3416-153-0x0000000001660000-0x0000000002934000-memory.dmp
Filesize
18.8MB
-
memory/3416-166-0x0000000000400000-0x0000000001654000-memory.dmp
Filesize
18.3MB
-
memory/3416-170-0x0000000001660000-0x0000000002934000-memory.dmp
Filesize
18.8MB
-
memory/3416-171-0x0000000001660000-0x0000000002934000-memory.dmp
Filesize
18.8MB