Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-1703_x64
resource: win10-20231023-en
resource tags: arch:x64, arch:x86, image:win10-20231023-en, locale:en-us, os:windows10-1703-x64, system
submitted: 04/12/2023, 04:54
Static task: static1
Behavioral task: behavioral1
Sample: 4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48.exe
Resource: win10-20231023-en
General
Target: 4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48.exe
Size: 1.7MB
MD5: 432a7a6b4b723e5d88eae3fe158c6ae6
SHA1: a93140d92b0cfafc09cb5eee77399aa693b2de3f
SHA256: 4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48
SHA512: 5f3d3d7f0dc1b4305f8a758eb94cc1d4fe3c60597be237d0c540c41c2234bf29a59273b820a542f258e41a64d6aeb14edb5644519b18b88ce874470d9764f5a6
SSDEEP: 12288:2GcbKnZVj7SRrfZetBO1rgRO6u2TdimrfZetCvmKT6IQViL/MW5bk3:2GcmnZlSRa0uOR2xZnkiYWZk3
Malware Config

Extracted: smokeloader (2022)
C2: http://atillapro.com/
C2: https://atillapro.com/

Extracted: remcos
RemoteHost: 185.157.162.241:1303
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-NT0JNG
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
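The Remcos configuration above is enough to derive the host and network artefacts this build leaves behind and to check recorded events against them. The following is an added example written for this page, not code from the report or from Remcos itself. The config values are the ones extracted above; the event list is constructed (the Run-key, install-path and RemoteHost events mirror what the report records, the mutex event restates the config, and the OneDrive Run key and port-443 connection are invented benign noise). Treating the mutex string as the Run value name is an assumption taken from this report's "Adds Run key" rows, where both are Rmc-NT0JNG.

```python
"""Derive host and network indicators from the extracted Remcos config and
check sandbox-style events against them.

Added example for this page, not Remcos or sandbox code. REMCOS_CONFIG holds
values from the report; EVENTS is constructed (see the comments on it)."""
import re

REMCOS_CONFIG = {
    "RemoteHost": "185.157.162.241:1303",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "install_flag": True,
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "keylog_flag": False,
    "mutex": "Rmc-NT0JNG",
}


def derive_indicators(cfg):
    """Indicators implied by the config.

    Assumption (taken from this report's 'Adds Run key' rows): the Run value
    name is the mutex string. The install base directory (C:\\ProgramData in
    the process tree) is not part of the config, so only the relative
    <copy_folder>\\<copy_file> tail is used for matching."""
    host, port = cfg["RemoteHost"].rsplit(":", 1)
    return {
        "c2": (host, int(port)),
        "mutex": cfg["mutex"],
        "run_value": cfg["mutex"],
        "install_rel": (cfg["copy_folder"] + "\\" + cfg["copy_file"]) if cfg["install_flag"] else None,
        # The keylog path is derivable, but the file is only written when
        # keylog_flag is set; this build has it off, so it is marked inactive.
        "keylog_rel": cfg["keylog_folder"] + "\\" + cfg["keylog_file"],
        "keylog_active": bool(cfg["keylog_flag"]),
    }


# Value name under any Run key (HKCU, HKLM, WOW6432Node all end the same way).
RUN_VALUE_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)


def match_event(ev, ind):
    """Return the indicator an event hits, or None."""
    kind = ev["kind"]
    if kind == "reg_set":
        m = RUN_VALUE_RE.search(ev["path"])
        if m and m.group(1).lower() == ind["run_value"].lower():
            return "run_key"
        # Renamed value but the same payload path: still the Remcos installer.
        if ind["install_rel"] and ind["install_rel"].lower() in ev["value"].lower():
            return "run_key_payload"
    elif kind == "file_create":
        p = ev["path"].lower()
        if ind["install_rel"] and p.endswith(ind["install_rel"].lower()):
            return "install_path"
        if ind["keylog_active"] and p.endswith(ind["keylog_rel"].lower()):
            return "keylog_file"
    elif kind == "net_connect" and (ev["host"], ev["port"]) == ind["c2"]:
        return "c2"
    elif kind == "mutex_create" and ev["name"] == ind["mutex"]:
        return "mutex"
    return None


def scan(events, ind):
    """(event index, indicator) for every hit, in event order."""
    hits = []
    for i, ev in enumerate(events):
        name = match_event(ev, ind)
        if name:
            hits.append((i, name))
    return hits


SID = r"\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000"
# Constructed event stream. Events 0-3 restate what the report records (the
# two Run keys, the install path seen in the process tree, RemoteHost);
# event 4 is the mutex named in the config; events 5 and 6 are invented
# benign activity that must not match.
EVENTS = [
    {"kind": "reg_set", "pid": 848,
     "path": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-NT0JNG",
     "value": r'"C:\ProgramData\Remcos\remcos.exe"'},
    {"kind": "reg_set", "pid": 1256,
     "path": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-NT0JNG",
     "value": r'"C:\ProgramData\Remcos\remcos.exe"'},
    {"kind": "file_create", "pid": 1256, "path": r"C:\ProgramData\Remcos\remcos.exe"},
    {"kind": "net_connect", "pid": 848, "host": "185.157.162.241", "port": 1303},
    {"kind": "mutex_create", "pid": 848, "name": "Rmc-NT0JNG"},
    {"kind": "reg_set", "pid": 5000,
     "path": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"'},
    {"kind": "net_connect", "pid": 5001, "host": "93.184.216.34", "port": 443},
]

if __name__ == "__main__":
    ind = derive_indicators(REMCOS_CONFIG)
    for i, name in scan(EVENTS, ind):
        print(f"event {i} pid {EVENTS[i]['pid']}: {name}")
```

Matching on the relative Remcos\remcos.exe tail rather than the full C:\ProgramData path is deliberate: the base directory comes from the process tree, not from the config, and a rebuilt sample could drop under a different base while keeping the same copy_folder and copy_file. The second reg_set check catches the case where only the Run value name has been changed.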
Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description | pid | Process | procid_target
PID 3440 created 3040 | 3440 | 3D71.exe | 31
Read together with the process tree below, where dialer.exe (PID 4860) is drawn under sihost.exe (PID 3040) while the WriteProcessMemory rows show 3D71.exe (PID 3440) writing into 4860: the parent recorded for dialer.exe is not the process that created it.

Downloads MZ/PE file

Deletes itself (1 IoC)
pid | Process
3252 | Process not Found

Executes dropped EXE (7 IoCs)
pid | Process
204 | 3D71.exe
4144 | 3E3E.exe
4180 | 3E3E.exe
1256 | 3E3E.exe
4076 | remcos.exe
3440 | 3D71.exe
848 | remcos.exe

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-NT0JNG = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | remcos.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-NT0JNG = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | remcos.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-NT0JNG = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | 3E3E.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-NT0JNG = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" | 3E3E.exe
The value name matches the mutex in the extracted Remcos config (Rmc-NT0JNG); the same value is written under both the user hive and the 32-bit HKLM view.

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 4368 set thread context of 4160 | 4368 | 4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48.exe | 71
PID 4144 set thread context of 1256 | 4144 | 3E3E.exe | 76
PID 204 set thread context of 3440 | 204 | 3D71.exe | 80
PID 4076 set thread context of 848 | 4076 | remcos.exe | 84
In every row the target is a child of the same image as the writer (see the process tree), the pattern of a process hollowing itself into a fresh copy.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs, identical rows grouped)
pid | Process | rows
4160 | 4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48.exe | 2
3252 | Process not Found | 62

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
3252 | Process not Found

Suspicious behavior: MapViewOfSection (18 IoCs, identical rows grouped)
pid | Process | rows
4368 | 4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48.exe | 1
4160 | 4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48.exe | 1
3252 | Process not Found | 12
4144 | 3E3E.exe | 2
204 | 3D71.exe | 1
4076 | remcos.exe | 1

Suspicious use of WriteProcessMemory (55 IoCs, identical rows grouped)
description | pid | Process | procid_target | rows
PID 4368 wrote to memory of 4160 | 4368 | 4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48.exe | 71 | 4
PID 3252 wrote to memory of 204 | 3252 | Process not Found | 72 | 3
PID 3252 wrote to memory of 4144 | 3252 | Process not Found | 74 | 3
PID 3252 wrote to memory of 96 | 3252 | Process not Found | 73 | 4
PID 3252 wrote to memory of 4808 | 3252 | Process not Found | 79 | 3
PID 4144 wrote to memory of 4180 | 4144 | 3E3E.exe | 77 | 3
PID 4144 wrote to memory of 1256 | 4144 | 3E3E.exe | 76 | 4
PID 1256 wrote to memory of 4076 | 1256 | 3E3E.exe | 75 | 3
PID 3252 wrote to memory of 3416 | 3252 | Process not Found | 78 | 4
PID 204 wrote to memory of 3440 | 204 | 3D71.exe | 80 | 4
PID 3252 wrote to memory of 4420 | 3252 | Process not Found | 81 | 4
PID 3252 wrote to memory of 3484 | 3252 | Process not Found | 82 | 3
PID 4076 wrote to memory of 848 | 4076 | remcos.exe | 84 | 4
PID 3252 wrote to memory of 4944 | 3252 | Process not Found | 83 | 4
PID 3440 wrote to memory of 4860 | 3440 | 3D71.exe | 85 | 5
PID 3252, which the sandbox could not name, is the process that writes into both dropped executables (204 and 4144) and into every explorer.exe instance in the tree (96, 3416, 4808, 4420, 3484, 4944).

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe

outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Processes
Each entry is: [depth] image path  cmd: command line  PID, followed by the signatures that fired in that process.

[1] c:\windows\system32\sihost.exe  cmd: sihost.exe  PID:3040
  [2] C:\Windows\SysWOW64\dialer.exe  cmd: "C:\Windows\system32\dialer.exe"  PID:4860
      (the command line names system32, but the 32-bit image under SysWOW64 is what ran, i.e. file-system redirection for a 32-bit caller; see the NtCreateUserProcessOtherParentProcess and WriteProcessMemory rows for the actual creator, 3D71.exe PID 3440)

[1] C:\Users\Admin\AppData\Local\Temp\4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48.exe"  PID:4368
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48.exe"  PID:4160
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\3D71.exe  cmd: C:\Users\Admin\AppData\Local\Temp\3D71.exe  PID:204
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\3D71.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\3D71.exe"  PID:3440
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

[1] C:\Windows\SysWOW64\explorer.exe  cmd: C:\Windows\SysWOW64\explorer.exe  PID:96
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path

[1] C:\Users\Admin\AppData\Local\Temp\3E3E.exe  cmd: C:\Users\Admin\AppData\Local\Temp\3E3E.exe  PID:4144
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\3E3E.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\3E3E.exe"  PID:1256
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\3E3E.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\3E3E.exe"  PID:4180
    - Executes dropped EXE

[1] C:\ProgramData\Remcos\remcos.exe  cmd: "C:\ProgramData\Remcos\remcos.exe"  PID:4076
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  [2] C:\ProgramData\Remcos\remcos.exe  cmd: "C:\ProgramData\Remcos\remcos.exe"  PID:848
    - Executes dropped EXE
    - Adds Run key to start application

[1] C:\Windows\SysWOW64\explorer.exe  cmd: C:\Windows\SysWOW64\explorer.exe  PID:3416

[1] C:\Windows\explorer.exe  cmd: C:\Windows\explorer.exe  PID:4808

[1] C:\Windows\SysWOW64\explorer.exe  cmd: C:\Windows\SysWOW64\explorer.exe  PID:4420

[1] C:\Windows\explorer.exe  cmd: C:\Windows\explorer.exe  PID:3484

[1] C:\Windows\SysWOW64\explorer.exe  cmd: C:\Windows\SysWOW64\explorer.exe  PID:4944
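The SetThreadContext, WriteProcessMemory and NtCreateUserProcessOtherParentProcess rows, read against the process tree, describe four self-injections and one spoofed parent. The example below is added here and is not part of the report or of the sandbox's tooling: it transcribes those rows into Python and reconstructs the chains. The row data is the report's; the two heuristics (a write plus SetThreadContext into a same-image child that the writer spawned is taken as hollowing-style injection, and a claimed parent plus a write from a different process is taken as parent spoofing) are the editor's, as is the treatment of PID 3252 as an unresolved writer.

```python
"""Reconstruct injection and parent-spoofing chains from the report's
signature rows and process tree.

Added example for this page, not sandbox tooling. PROCS, SET_THREAD_CONTEXT,
WROTE_TO_MEMORY and OTHER_PARENT are transcribed from the report; the
heuristics in the functions are the editor's."""
from collections import defaultdict

SAMPLE = "4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48.exe"

# pid -> (image name, parent pid as drawn in the process tree; None = root)
PROCS = {
    3040: ("sihost.exe", None),
    4860: ("dialer.exe", 3040),
    4368: (SAMPLE, None),
    4160: (SAMPLE, 4368),
    204: ("3D71.exe", None),
    3440: ("3D71.exe", 204),
    96: ("explorer.exe", None),
    4144: ("3E3E.exe", None),
    1256: ("3E3E.exe", 4144),
    4180: ("3E3E.exe", 4144),
    4076: ("remcos.exe", None),
    848: ("remcos.exe", 4076),
    3416: ("explorer.exe", None),
    4808: ("explorer.exe", None),
    4420: ("explorer.exe", None),
    3484: ("explorer.exe", None),
    4944: ("explorer.exe", None),
}

# (source pid, target pid). Pid 3252 appears as "Process not Found" in the
# report, so it deliberately has no PROCS entry.
SET_THREAD_CONTEXT = [(4368, 4160), (4144, 1256), (204, 3440), (4076, 848)]
WROTE_TO_MEMORY = [
    (4368, 4160), (3252, 204), (3252, 4144), (3252, 96), (3252, 4808),
    (4144, 4180), (4144, 1256), (1256, 4076), (3252, 3416), (204, 3440),
    (3252, 4420), (3252, 3484), (4076, 848), (3252, 4944), (3440, 4860),
]
# NtCreateUserProcessOtherParentProcess: (creating pid, parent pid it claimed)
OTHER_PARENT = [(3440, 3040)]


def image(pid):
    return PROCS.get(pid, ("<unresolved>", None))[0]


def hollowing_candidates():
    """Write + SetThreadContext into a same-image child spawned by the writer:
    the RunPE/hollowing sequence. A bare WriteProcessMemory (4144 -> 4180 in
    this report) is not enough on its own and is left out."""
    writes = set(WROTE_TO_MEMORY)
    out = []
    for src, dst in SET_THREAD_CONTEXT:
        same_image = image(src) == image(dst)
        spawned_by_src = PROCS.get(dst, (None, None))[1] == src
        if (src, dst) in writes and same_image and spawned_by_src:
            out.append((src, dst, image(src)))
    return out


def ppid_spoofing():
    """A process drawn under parent P while a different process C both
    claimed P at creation time and wrote into the new process."""
    writes = set(WROTE_TO_MEMORY)
    out = []
    for creator, claimed in OTHER_PARENT:
        for child, (img, parent) in PROCS.items():
            if parent == claimed and (creator, child) in writes:
                out.append({"child": child, "image": img,
                            "recorded_parent": claimed, "creator": creator})
    return out


def unresolved_writers():
    """Writes from a pid the sandbox could not name, grouped by writer. In
    this report that is 3252 writing into the dropped executables and into
    several explorer.exe instances."""
    out = defaultdict(list)
    for src, dst in WROTE_TO_MEMORY:
        if src not in PROCS:
            out[src].append((dst, image(dst)))
    return dict(out)


if __name__ == "__main__":
    for src, dst, img in hollowing_candidates():
        print(f"hollowing: {img} {src} -> {dst}")
    for hit in ppid_spoofing():
        print(f"spoofed parent: {hit['image']} {hit['child']} shown under "
              f"{hit['recorded_parent']}, written by {hit['creator']}")
    for src, targets in unresolved_writers().items():
        print(f"unresolved pid {src} wrote into: {targets}")
```

The negative case matters as much as the hits: 4144 writes into 4180 (both 3E3E.exe) but never sets its thread context, so it is not reported as hollowing, and the dialer.exe entry is flagged only because a second process both claimed sihost.exe as parent and wrote into the new process, not merely because a system process has an odd child.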
Downloads
Three distinct files; the report lists the 268KB file 8 times and the 483KB and 599KB files 3 times each.

Filesize: 268KB
MD5: 6a9957dd2a19a1bf4af05ca7be1694de
SHA1: 72c945a8acf762df42d5d5ae1a281a2e5c3d9196
SHA256: 17d18a7a41119c12455a644fefca70b4504db83e0122d6dc2652f46f98de8992
SHA512: 42076c0d76914a89e2785eddef8d5049ab8fd958cc363279e0fbb18b819684157d212c2f922502fa6a7e10471eda806b257e37b4712f389cb56eac94c69d5113

Filesize: 483KB
MD5: 9ff228d096ee65bf9d214b5793bde076
SHA1: 1d388f9f9c9d1fe1db1f79948b959625a9ac33c1
SHA256: 3f7f8b96bd1f1bf7d5ef5bd8c0fe2f6de28295be2514243fd903bab2165697cc
SHA512: ed6a9c7d3e38b621903bd269b6b64825db5e9224fb6e9972615b7db30c2b65959e0014073bc1335e6bdb5c68bbec3e4ab5d942c4217aa83033ff4bba6a6db62d

Filesize: 599KB
MD5: 7a0bdb236159804a677953a5518d5184
SHA1: 337cf700131b80e2774c2ac9ad48e57f5f9596d8
SHA256: 878e881cb00de3297651a06f1d2054c88183e9f8010c1c30f5eeb92d7154e816
SHA512: 6bf5254b28548308886dffc92616164dc9c86e47437d687c587b7f91651ede13e6262f2ef0cbd78981dcdd1eb8367999a6081e35d9eac1820ad46c71729ab832