Analysis
max time kernel: 168s
max time network: 178s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 15/10/2023, 19:42

Static task: static1
Behavioral task: behavioral1
  Sample: a8675b7771b427cbe2c487a42b9eace0_exe32.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: a8675b7771b427cbe2c487a42b9eace0_exe32.exe
  Resource: win10v2004-20230915-en

General
Target: a8675b7771b427cbe2c487a42b9eace0_exe32.exe
Size: 583KB
MD5: a8675b7771b427cbe2c487a42b9eace0
SHA1: b9287d8b2c6fc60e751f1d07f21e9e93b548d01d
SHA256: 04344db47249ed5be999f50ca0e356a81fbb95a3480259b22be739896205d885
SHA512: b9c3357cdea4c1605af62f2a447fb82b72262f42745b079a15afe4df6c5101738d51a48163674a2f3eda47b2dc8041e506d3bde83c549757d783f7d9915d1015
SSDEEP: 12288:IXSP7r9r/+ppppppppppppppppppppppppppppp0YubSkenVeUQnoOMHi0VcbPa:IXS1Mu+1nVeEija
Malware Config
Extracted: remcos
RemoteHost: 80.76.51.172:8087
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-B8L4R0
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
resource / yara_rule:
  behavioral1/memory/2636-49-0x0000000000400000-0x0000000000457000-memory.dmp  MailPassView
  behavioral1/memory/2636-75-0x0000000000400000-0x0000000000457000-memory.dmp  MailPassView

NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource / yara_rule:
  behavioral1/memory/2864-45-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView
  behavioral1/memory/2864-64-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView

Nirsoft 7 IoCs
resource / yara_rule:
  behavioral1/memory/2864-45-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft
  behavioral1/memory/2636-49-0x0000000000400000-0x0000000000457000-memory.dmp  Nirsoft
  behavioral1/memory/2544-52-0x0000000000400000-0x0000000000424000-memory.dmp  Nirsoft
  behavioral1/memory/2544-54-0x0000000000400000-0x0000000000424000-memory.dmp  Nirsoft
  behavioral1/memory/2544-55-0x0000000000400000-0x0000000000424000-memory.dmp  Nirsoft
  behavioral1/memory/2864-64-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft
  behavioral1/memory/2636-75-0x0000000000400000-0x0000000000457000-memory.dmp  Nirsoft

Executes dropped EXE 5 IoCs
pid / Process:
  2228  xyazripk.exe
  3036  xyazripk.exe
  2864  xyazripk.exe
  2636  xyazripk.exe
  2544  xyazripk.exe

Loads dropped DLL 6 IoCs
pid / Process:
  2160  a8675b7771b427cbe2c487a42b9eace0_exe32.exe  (x2)
  2228  xyazripk.exe
  3036  xyazripk.exe  (x3)

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
UPX 39 IoCs
resource / yara_rule: 39 memory dumps of PID 3036 (behavioral1/memory/3036-*-0x0000000000400000-0x000000000048A000-memory.dmp) matched rule upx
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description / ioc / Process:
  Key opened  \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  xyazripk.exe

Adds Run key to start application 2 TTPs 1 IoCs
description / ioc / Process:
  Set value (str)  \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\ookttdyyir = "C:\\Users\\Admin\\AppData\\Roaming\\hddmvvq\\aajf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xyazripk.exe\" "  xyazripk.exe

Suspicious use of SetThreadContext 4 IoCs
description / pid / Process / procid_target:
  PID 2228 set thread context of 3036  2228 xyazripk.exe  28
  PID 3036 set thread context of 2864  3036 xyazripk.exe  30
  PID 3036 set thread context of 2636  3036 xyazripk.exe  31
  PID 3036 set thread context of 2544  3036 xyazripk.exe  32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid / Process:
  2864  xyazripk.exe  (x2)

Suspicious behavior: MapViewOfSection 4 IoCs
pid / Process:
  2228  xyazripk.exe
  3036  xyazripk.exe  (x3)

Suspicious use of AdjustPrivilegeToken 1 IoCs
description / pid / Process:
  Token: SeDebugPrivilege  2544 xyazripk.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid / Process:
  3036  xyazripk.exe

Suspicious use of WriteProcessMemory 21 IoCs
description / pid / Process / procid_target:
  PID 2160 wrote to memory of 2228  2160 a8675b7771b427cbe2c487a42b9eace0_exe32.exe  27  (x4)
  PID 2228 wrote to memory of 3036  2228 xyazripk.exe  28  (x5)
  PID 3036 wrote to memory of 2864  3036 xyazripk.exe  30  (x4)
  PID 3036 wrote to memory of 2636  3036 xyazripk.exe  31  (x4)
  PID 3036 wrote to memory of 2544  3036 xyazripk.exe  32  (x4)
Processes

C:\Users\Admin\AppData\Local\Temp\a8675b7771b427cbe2c487a42b9eace0_exe32.exe  (PID 2160)
  command line: "C:\Users\Admin\AppData\Local\Temp\a8675b7771b427cbe2c487a42b9eace0_exe32.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\xyazripk.exe  (PID 2228)
    command line: "C:\Users\Admin\AppData\Local\Temp\xyazripk.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\xyazripk.exe  (PID 3036)
      command line: "C:\Users\Admin\AppData\Local\Temp\xyazripk.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\xyazripk.exe  (PID 2864)
        command line: C:\Users\Admin\AppData\Local\Temp\xyazripk.exe /stext "C:\Users\Admin\AppData\Local\Temp\ayfwvhtydhcrgsghwhil"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

      C:\Users\Admin\AppData\Local\Temp\xyazripk.exe  (PID 2636)
        command line: C:\Users\Admin\AppData\Local\Temp\xyazripk.exe /stext "C:\Users\Admin\AppData\Local\Temp\lbtowaezrpuwqyulnrumoef"
        - Executes dropped EXE
        - Accesses Microsoft Outlook accounts

      C:\Users\Admin\AppData\Local\Temp\xyazripk.exe  (PID 2544)
        command line: C:\Users\Admin\AppData\Local\Temp\xyazripk.exe /stext "C:\Users\Admin\AppData\Local\Temp\vvyzxsotfxmbtmipxchgrrzsbg"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 144B
MD5: 93e0464c392f6f142e86af15388ffa11
SHA1: b03ea9eb540fd60738c064b45bb0a38410ba483f
SHA256: 287b640701c55a8b659eb5a86a646947044d98993b37748f226ee9e94811e019
SHA512: 8e72a1f1e12f41cb1fa802e77175fdde3db9f6872b266b9a926e0ef2e9dc06f7131115a37d0b3bbe465734af0f534710452ea9344137bdda1adc9d24dae0793d

Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Filesize: 252KB
MD5: 994b4b6e9d714c1f876217cf54a14cee
SHA1: 206bb410c06ff767b207e72a29a002cce45f3a1b
SHA256: a1d111c3d0795d98269e2349d5b132a33abca9c6822e031cdc3c17df9fbad093
SHA512: f347e629f4997bae6208d9897bc5d904e230682fa5586e0c26dc4ac50435ecb1a6c57eaac1d09afc929e320850838bc89cc08a2d7088742957c9895379d824a8

Filesize: 196KB
MD5: 0b22a7dc264dde13c042a09577df514c
SHA1: e73be0e8b35122dd3529b6cda90d0afd183073e9
SHA256: 946ad114e0c0ecb7a86652ee6701c459e6cf33ddd40df1c15729456148f907fd
SHA512: a3f5bc52983843e5fb7f7f6671aa9e076ae6549d9a99dee6c395a38adc5f225608cd29e1c9ec70c25497c4e2f1ea54871f392fb893ee074a65a1e55faa88e43c