Analysis
max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20231020-en
resource tags
arch:x64 arch:x86 image:win7-20231020-en locale:en-us os:windows7-x64 system
submitted
31-10-2023 12:42
Static task
static1
Behavioral task
behavioral1
Sample
PO 1100620230526.pdf(39kb).exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
PO 1100620230526.pdf(39kb).exe
Resource
win10v2004-20231020-en
General
Target
PO 1100620230526.pdf(39kb).exe
Size
1.8MB
MD5
26b43cadf6622b3d0e50bf3763cc5180
SHA1
d84d2f83975f74767e7d398e8ad039be00c47598
SHA256
089fe1a7004a07e2fa5a8e706359b2d8d0b141bbc4719db9bc378e33b0771764
SHA512
1c8e2f1063f654ca94b67e1e651dfbaf5f10d8a0d1cf40bb8280877bae550df467f7574c0118d7d7d833b9b155619fe22168d3efeff916f16ad8c21b817f7fe4
SSDEEP
49152:xkQTA+5XkXJqDxHtrZPfnV2gAUCkSbVRb0ilg7/mHHH:xa+9kElHrIjU/CzG7eHn
Malware Config
Extracted
remcos
HARD
cloudhost.myfirewall.org:9302
sandshoe.myfirewall.org:2404
audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
WindowUpdate.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
install_path
%Temp%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
RmcqSxe-3TCTRL
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5
Extracted
xpertrat
3.0.10
FLEX
sandshoe.myfirewall.org:5344
U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2
Signatures
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Iserver.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" Iserver.exe
XpertRAT Core payload 1 IoCs
resource yara_rule
behavioral1/memory/3036-81-0x0000000000400000-0x0000000000443000-memory.dmp xpertrat
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
resource yara_rule
behavioral1/memory/2584-60-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView
behavioral1/memory/2584-64-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView
behavioral1/memory/2584-104-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource yara_rule
behavioral1/memory/2636-63-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView
behavioral1/memory/2636-92-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView
Nirsoft 7 IoCs
resource yara_rule
behavioral1/memory/2584-60-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft
behavioral1/memory/2636-63-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft
behavioral1/memory/2584-64-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft
behavioral1/memory/2652-67-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft
behavioral1/memory/2652-68-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft
behavioral1/memory/2636-92-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft
behavioral1/memory/2584-104-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run iexplore.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2 = "C:\\Users\\Admin\\AppData\\Roaming\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe" iexplore.exe
Executes dropped EXE 1 IoCs
pid Process
2680 Iserver.exe
Loads dropped DLL 4 IoCs
pid Process
2068 Caspol.exe
2680 Iserver.exe
2680 Iserver.exe
2680 Iserver.exe
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" Iserver.exe
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Caspol.exe
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2 = "C:\\Users\\Admin\\AppData\\Roaming\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe" iexplore.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2 = "C:\\Users\\Admin\\AppData\\Roaming\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe" iexplore.exe
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Iserver.exe
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target
PID 2176 set thread context of 2068 2176 PO 1100620230526.pdf(39kb).exe 29
PID 2068 set thread context of 2636 2068 Caspol.exe 30
PID 2068 set thread context of 2584 2068 Caspol.exe 31
PID 2068 set thread context of 2652 2068 Caspol.exe 32
PID 2680 set thread context of 3036 2680 Iserver.exe 34
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process
2176 PO 1100620230526.pdf(39kb).exe
2636 Caspol.exe
2680 Iserver.exe
2680 Iserver.exe
2636 Caspol.exe
2680 Iserver.exe
2680 Iserver.exe
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process
2068 Caspol.exe
2068 Caspol.exe
2068 Caspol.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process
Token: SeDebugPrivilege 2176 PO 1100620230526.pdf(39kb).exe
Token: SeDebugPrivilege 2652 Caspol.exe
Token: SeDebugPrivilege 3036 iexplore.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process
2068 Caspol.exe
2680 Iserver.exe
3036 iexplore.exe
Suspicious use of WriteProcessMemory 51 IoCs
description pid Process procid_target
PID 2176 wrote to memory of 1612 2176 PO 1100620230526.pdf(39kb).exe 28
PID 2176 wrote to memory of 1612 2176 PO 1100620230526.pdf(39kb).exe 28
PID 2176 wrote to memory of 1612 2176 PO 1100620230526.pdf(39kb).exe 28
PID 2176 wrote to memory of 1612 2176 PO 1100620230526.pdf(39kb).exe 28
PID 2176 wrote to memory of 2068 2176 PO 1100620230526.pdf(39kb).exe 29
PID 2176 wrote to memory of 2068 2176 PO 1100620230526.pdf(39kb).exe 29
PID 2176 wrote to memory of 2068 2176 PO 1100620230526.pdf(39kb).exe 29
PID 2176 wrote to memory of 2068 2176 PO 1100620230526.pdf(39kb).exe 29
PID 2176 wrote to memory of 2068 2176 PO 1100620230526.pdf(39kb).exe 29
PID 2176 wrote to memory of 2068 2176 PO 1100620230526.pdf(39kb).exe 29
PID 2176 wrote to memory of 2068 2176 PO 1100620230526.pdf(39kb).exe 29
PID 2176 wrote to memory of 2068 2176 PO 1100620230526.pdf(39kb).exe 29
PID 2176 wrote to memory of 2068 2176 PO 1100620230526.pdf(39kb).exe 29
PID 2176 wrote to memory of 2068 2176 PO 1100620230526.pdf(39kb).exe 29
PID 2176 wrote to memory of 2068 2176 PO 1100620230526.pdf(39kb).exe 29
PID 2176 wrote to memory of 2068 2176 PO 1100620230526.pdf(39kb).exe 29
PID 2176 wrote to memory of 2068 2176 PO 1100620230526.pdf(39kb).exe 29
PID 2068 wrote to memory of 2636 2068 Caspol.exe 30
PID 2068 wrote to memory of 2636 2068 Caspol.exe 30
PID 2068 wrote to memory of 2636 2068 Caspol.exe 30
PID 2068 wrote to memory of 2636 2068 Caspol.exe 30
PID 2068 wrote to memory of 2636 2068 Caspol.exe 30
PID 2068 wrote to memory of 2584 2068 Caspol.exe 31
PID 2068 wrote to memory of 2584 2068 Caspol.exe 31
PID 2068 wrote to memory of 2584 2068 Caspol.exe 31
PID 2068 wrote to memory of 2584 2068 Caspol.exe 31
PID 2068 wrote to memory of 2584 2068 Caspol.exe 31
PID 2068 wrote to memory of 2652 2068 Caspol.exe 32
PID 2068 wrote to memory of 2652 2068 Caspol.exe 32
PID 2068 wrote to memory of 2652 2068 Caspol.exe 32
PID 2068 wrote to memory of 2652 2068 Caspol.exe 32
PID 2068 wrote to memory of 2652 2068 Caspol.exe 32
PID 2068 wrote to memory of 2680 2068 Caspol.exe 33
PID 2068 wrote to memory of 2680 2068 Caspol.exe 33
PID 2068 wrote to memory of 2680 2068 Caspol.exe 33
PID 2068 wrote to memory of 2680 2068 Caspol.exe 33
PID 2068 wrote to memory of 2680 2068 Caspol.exe 33
PID 2068 wrote to memory of 2680 2068 Caspol.exe 33
PID 2068 wrote to memory of 2680 2068 Caspol.exe 33
PID 2680 wrote to memory of 3036 2680 Iserver.exe 34
PID 2680 wrote to memory of 3036 2680 Iserver.exe 34
PID 2680 wrote to memory of 3036 2680 Iserver.exe 34
PID 2680 wrote to memory of 3036 2680 Iserver.exe 34
PID 2680 wrote to memory of 3036 2680 Iserver.exe 34
PID 2680 wrote to memory of 3036 2680 Iserver.exe 34
PID 2680 wrote to memory of 3036 2680 Iserver.exe 34
PID 2680 wrote to memory of 3036 2680 Iserver.exe 34
PID 2680 wrote to memory of 3036 2680 Iserver.exe 34
PID 2680 wrote to memory of 3036 2680 Iserver.exe 34
PID 2680 wrote to memory of 3036 2680 Iserver.exe 34
PID 2680 wrote to memory of 3036 2680 Iserver.exe 34
System policy modification 1 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Iserver.exe
Processes
C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe
"C:\Users\Admin\AppData\Local\Temp\PO 1100620230526.pdf(39kb).exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
  PID:1612
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2068
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\dqnlnzxqqaewtxvtubagtxofsfiyrl"
    - Suspicious behavior: EnumeratesProcesses
    PID:2636
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\nksdnrijlixbddjxdmvawkioatrzkwuwrs"
    - Accesses Microsoft Outlook accounts
    PID:2584
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe /stext "C:\Users\Admin\AppData\Local\Temp\ymywok"
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
    C:\Users\Admin\AppData\Local\Temp\Iserver.exe
    "C:\Users\Admin\AppData\Local\Temp\Iserver.exe"
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2680
      C:\Program Files (x86)\Internet Explorer\iexplore.exe
      C:\Users\Admin\AppData\Local\Temp\Iserver.exe
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID:3036
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
Downloads
Filesize
144B
MD5
cb9e42a922603f8477395c363d08b0bb
SHA1
2dc764dc2dc62f2b1e417c9c4e689040d0cc0e15
SHA256
408fb2d53de04603450704678dedb42362bb63056816997110bef0e6e2de78d7
SHA512
4c076a4fe27b4857f9bff1d69f71c2a9cb17c3a55bde50d3fac143ac025a61160f81df412e68e6718f096d61dddbb854b38965af2a89b900ecb4b3a9775f387b
Filesize
172KB
MD5
98dba4873d2b9b467158400540b5eebe
SHA1
4769f5a15191e8ac78ae46544f52414e47fedd30
SHA256
7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4
SHA512
37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666
Filesize
172KB
MD5
98dba4873d2b9b467158400540b5eebe
SHA1
4769f5a15191e8ac78ae46544f52414e47fedd30
SHA256
7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4
SHA512
37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666
Filesize
2B
MD5
f3b25701fe362ec84616a93a45ce9998
SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
C:\Users\Admin\AppData\Roaming\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2\U1B5S2E0-S6R4-Y4O1-P7F0-W443P1Y6S3M2.exe
Filesize
172KB
MD5
98dba4873d2b9b467158400540b5eebe
SHA1
4769f5a15191e8ac78ae46544f52414e47fedd30
SHA256
7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4
SHA512
37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666
Filesize
172KB
MD5
98dba4873d2b9b467158400540b5eebe
SHA1
4769f5a15191e8ac78ae46544f52414e47fedd30
SHA256
7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4
SHA512
37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666
Filesize
172KB
MD5
98dba4873d2b9b467158400540b5eebe
SHA1
4769f5a15191e8ac78ae46544f52414e47fedd30
SHA256
7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4
SHA512
37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666
Filesize
172KB
MD5
98dba4873d2b9b467158400540b5eebe
SHA1
4769f5a15191e8ac78ae46544f52414e47fedd30
SHA256
7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4
SHA512
37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666
Filesize
172KB
MD5
98dba4873d2b9b467158400540b5eebe
SHA1
4769f5a15191e8ac78ae46544f52414e47fedd30
SHA256
7532708eb8b2150fc58ff178790f86ab88f1352f82dcf450500abd52b92f64f4
SHA512
37f5ed08eb29ef0d316e6e0e08a47b4a18721d74f81f367b0564038a9f82912ad0a1278733947ca4b9da7139c8aecbf09fb937f10c7f956d1e5e31fa71a9c666