bf82f37c4f8fdd3b7572bd60a0f86e7d89356921728708434d07d6a2b0cbf7d4

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
28/08/2023, 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf82f37c4f8fdd3b7572bd60a0f86e7d89356921728708434d07d6a2b0cbf7d4_JC.exe
Size

481KB
MD5

afd5059634526a62419420ec64bd3d73
SHA1

45fba7c55c1a7f3631f063a3db09902be00e58eb
SHA256

bf82f37c4f8fdd3b7572bd60a0f86e7d89356921728708434d07d6a2b0cbf7d4
SHA512

032d784d2b0f606765f11c3eeef48aace205402a59fd50e323c899e59f8cd21b7daa34d870813134c7781f8eebed20a5cda9d6e9cf494aee9c5b94786940d18c
SSDEEP

12288:JRXxReZj3WZfj/2eSseWFaIe2+f8CL47bs/ZO2ZDU:Jx7cyF2eSsewS8W47eZj

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2500	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2532	bf82f37c4f8fdd3b7572bd60a0f86e7d89356921728708434d07d6a2b0cbf7d4_JC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2500	2532	bf82f37c4f8fdd3b7572bd60a0f86e7d89356921728708434d07d6a2b0cbf7d4_JC.exe	31
PID 2532 wrote to memory of 2500	2532	bf82f37c4f8fdd3b7572bd60a0f86e7d89356921728708434d07d6a2b0cbf7d4_JC.exe	31
PID 2532 wrote to memory of 2500	2532	bf82f37c4f8fdd3b7572bd60a0f86e7d89356921728708434d07d6a2b0cbf7d4_JC.exe	31
PID 2532 wrote to memory of 2500	2532	bf82f37c4f8fdd3b7572bd60a0f86e7d89356921728708434d07d6a2b0cbf7d4_JC.exe	31

C:\Users\Admin\AppData\Local\Temp\bf82f37c4f8fdd3b7572bd60a0f86e7d89356921728708434d07d6a2b0cbf7d4_JC.exe
"C:\Users\Admin\AppData\Local\Temp\bf82f37c4f8fdd3b7572bd60a0f86e7d89356921728708434d07d6a2b0cbf7d4_JC.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\niozld.vbs"
  2⤵
  - Deletes itself
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
40be2935fd5ac983fbccd3464f6870b2

SHA1
4df202ca6945aaae77ea48bdd3bfacc2c07dfb67

SHA256
57a5b8ed3d8ffdd9acd6f8b5a69c7b32082a565aec986659860a72c56d31b235

SHA512
55ad2570f202952b52918803cd47dcfdb8d8c414fb341dcd6810f59e9b54f9faeb23915b29a62cddaf8d6acb0463313f271371958a820003c593d78a535aab62

Download Submit
C:\Users\Admin\AppData\Local\Temp\niozld.vbs

Filesize
740B

MD5
e1f02213c17ad98db7fe76e2d9b53bd1

SHA1
54a80b453bed4d26d3ec33205af396c71ed10098

SHA256
317eff7c5697543803787a20246bc6a2f13496cb73f3e0e69511f6fc00a09dcf

SHA512
8bb12417ea23f389d82192a5663b9ffff3810d6ed5ea5cb6284c62b319d813339a3194abe72861f2a54f08ecdf42ae2e96132ff5bd657bb112a97cb360765fcc

Download Submit