Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20231025-en -
resource tags
arch:x64 arch:x86 image:win7-20231025-en locale:en-us os:windows7-x64 system -
submitted
04/12/2023, 10:24
Static task
static1
Behavioral task
behavioral1
Sample
FAT986545600986.exe
Resource
win7-20231025-en
Behavioral task
behavioral2
Sample
FAT986545600986.exe
Resource
win10v2004-20231130-en
General
-
Target
FAT986545600986.exe
-
Size
1.0MB
-
MD5
470249dbfe3ac7f1d16ea4a52ef76fb3
-
SHA1
984ef38fbfa4efd6b9310a07c4a6b2be63e328bf
-
SHA256
f77532a0a209676025270db283534fc63ba0780415e8273d670fc6d1bc4bf1f5
-
SHA512
ec2edf6140afcf84719a8a2d53303ee86fa6b32406b0fc99db6d87dcc162577b9766f88e5fb7643e4cb4fb09c5431c5ab3d8029800eab02aa1b81914e3faba39
-
SSDEEP
24576:h34/up+pJ1sRbSz55MlrTQF4ZriIqBT3peD:h38PJ1QSz55CsIiIqBs
Malware Config
Extracted
remcos
RemoteHost
107.175.229.139:8087
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-IZFV1M
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
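An added example (not part of the sandbox report and not Remcos tooling) that parses the extracted configuration exactly as the report renders it above (a label line, a value line, then a "-" separator) and derives the indicators an analyst would act on: the C2 host and port, which optional features this build has switched on, and only those host artefacts that are actually in play. The excerpt embedded in the code is copied from the config above, trimmed to the keys the example uses. One caveat the flags make visible: with install_flag, keylog_flag, screenshot_flag and take_screenshot_option all false, this build does not copy itself to copy_folder\copy_file or write logs.dat, so the persistence seen in this run comes from the loader's scheduled task in the Processes section, not from Remcos's own install routine. The root directory of the install path is not shown in the extraction, so the code emits folder\file fragments rather than guessing it.

```python
"""Turn the extracted Remcos configuration into actionable indicators.

Added example, not part of the sandbox report or of any Remcos tooling.
The parser targets the report's rendering of the config (label line,
value line, '-' separator); REPORT_EXCERPT is copied from the report,
trimmed to the keys used here.
"""
from __future__ import annotations

REPORT_EXCERPT = """\
RemoteHost
107.175.229.139:8087
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
install_flag
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mutex
Rmc-IZFV1M
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
take_screenshot_option
false
"""


def parse_config(text: str) -> dict[str, str]:
    """Parse the label/value/'-' layout into a dict; '-' lines are separators."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and ln != "-"]
    if len(lines) % 2:
        raise ValueError("odd number of lines: a label is missing its value")
    return dict(zip(lines[0::2], lines[1::2]))


def c2_endpoint(cfg: dict[str, str]) -> tuple[str, int]:
    """Split RemoteHost into (host, port); rsplit keeps IPv6 literals intact."""
    host, port = cfg["RemoteHost"].rsplit(":", 1)
    return host, int(port)


def flag(cfg: dict[str, str], key: str) -> bool:
    return cfg.get(key, "false").strip().lower() == "true"


def capabilities(cfg: dict[str, str]) -> dict[str, bool]:
    """Which optional features this build has switched on."""
    return {
        "self_install": flag(cfg, "install_flag"),
        "keylogger": flag(cfg, "keylog_flag"),
        "screenshots": flag(cfg, "screenshot_flag") or flag(cfg, "take_screenshot_option"),
    }


def host_iocs(cfg: dict[str, str]) -> dict[str, str]:
    """Host artefacts worth hunting for, limited to features that are enabled.

    The config as rendered gives folder and file names but not the root of
    the install path, so entries are folder\\file fragments, not full paths.
    """
    caps = capabilities(cfg)
    iocs = {"mutex": cfg["mutex"]}
    if caps["self_install"]:
        iocs["install_path_fragment"] = f"{cfg['copy_folder']}\\{cfg['copy_file']}"
    if caps["keylogger"]:
        iocs["keylog_path_fragment"] = f"{cfg['keylog_folder']}\\{cfg['keylog_file']}"
    if caps["screenshots"]:
        iocs["screenshot_dir"] = f"{cfg['screenshot_path']}\\{cfg['screenshot_folder']}"
    return iocs


def network_iocs(cfg: dict[str, str]) -> dict[str, object]:
    """C2 endpoint plus the raw connect_interval value (unit not stated in the report)."""
    host, port = c2_endpoint(cfg)
    return {"c2_host": host, "c2_port": port, "connect_interval": int(cfg.get("connect_interval", "0"))}


if __name__ == "__main__":
    cfg = parse_config(REPORT_EXCERPT)
    print(network_iocs(cfg))
    print(capabilities(cfg))
    print(host_iocs(cfg))
```

The mutex is always emitted because Remcos creates it regardless of the optional features; everything else is gated on the corresponding flag so that a hunt does not chase paths this build never writes.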
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2164 set thread context of 2456 | 2164 | FAT986545600986.exe | 34
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2584 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
2164 | FAT986545600986.exe
2164 | FAT986545600986.exe
2308 | powershell.exe
2612 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2164 | FAT986545600986.exe
Token: SeDebugPrivilege | 2308 | powershell.exe
Token: SeDebugPrivilege | 2612 | powershell.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2456 | FAT986545600986.exe
-
Suspicious use of WriteProcessMemory 25 IoCs
description | pid | Process | procid_target | occurrences
PID 2164 wrote to memory of 2308 | 2164 | FAT986545600986.exe | 28 | 4
PID 2164 wrote to memory of 2612 | 2164 | FAT986545600986.exe | 30 | 4
PID 2164 wrote to memory of 2584 | 2164 | FAT986545600986.exe | 32 | 4
PID 2164 wrote to memory of 2456 | 2164 | FAT986545600986.exe | 34 | 13
Processes
-
C:\Users\Admin\AppData\Local\Temp\FAT986545600986.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FAT986545600986.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2164

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FAT986545600986.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2308

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zulqgtKXtL.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2612

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zulqgtKXtL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7EE0.tmp"
      - Creates scheduled task(s)
      PID: 2584

    C:\Users\Admin\AppData\Local\Temp\FAT986545600986.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\FAT986545600986.exe"
      - Suspicious use of SetWindowsHookEx
      PID: 2456
-
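An added example, not part of the sandbox report, that runs detection logic over the process tree above: it flags the two PowerShell Add-MpPreference -ExclusionPath calls (the second excludes a path under %AppData%\Roaming that matches the scheduled task name), the schtasks /Create whose task XML is read from the user's Temp folder, and the parent that spawns a second instance of its own image, writes into it and sets its thread context (the report records the calls but does not name the technique; that sequence is what process hollowing / RunPE loaders use, and the interpretation is mine). A fourth check picks up a detail a reader can easily miss: each child's command line names System32, but its image loaded from SysWOW64, which is WOW64 file-system redirection and tells you the loader is a 32-bit binary. EVENTS, MEMORY_WRITES and THREAD_CONTEXT are constructed by hand from the tree and signature tables above (duplicate WriteProcessMemory rows collapsed) in a generic process-creation/API-call shape, not any particular sensor's schema.

```python
"""Detections over the process tree in the report above.

Added example, not part of the sandbox report.  EVENTS, MEMORY_WRITES and
THREAD_CONTEXT are constructed by hand from the report (duplicate
WriteProcessMemory rows collapsed); the dict shape is a generic stand-in
for process-creation / API-call telemetry, not a real sensor schema.
"""
import ntpath
import re

EVENTS = [
    {"pid": 2164, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\FAT986545600986.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\FAT986545600986.exe"'},
    {"pid": 2308, "ppid": 2164,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FAT986545600986.exe"'},
    {"pid": 2612, "ppid": 2164,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zulqgtKXtL.exe"'},
    {"pid": 2584, "ppid": 2164,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zulqgtKXtL" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp7EE0.tmp"'},
    {"pid": 2456, "ppid": 2164,
     "image": r"C:\Users\Admin\AppData\Local\Temp\FAT986545600986.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\FAT986545600986.exe"'},
]
MEMORY_WRITES = [(2164, 2308), (2164, 2612), (2164, 2584), (2164, 2456)]  # (writer, target)
THREAD_CONTEXT = [(2164, 2456)]                                             # (caller, target)

_QUOTED_OR_BARE = r'(?:"([^"]*)"|(\S+))'


def _arg(switch_pattern, cmdline):
    """Value following a switch such as /XML or -ExclusionPath, quoted or bare."""
    m = re.search(switch_pattern + r"\s+" + _QUOTED_OR_BARE, cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def defender_exclusions(events):
    """(pid, excluded value) for each PowerShell Add-MpPreference -Exclusion* call."""
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        if not re.search(r"\bAdd-MpPreference\b", e["cmdline"], re.IGNORECASE):
            continue
        value = _arg(r"-Exclusion(?:Path|Process|Extension)", e["cmdline"])
        if value:
            hits.append((e["pid"], value))
    return hits


def temp_xml_scheduled_tasks(events):
    """(pid, task name, xml path) for schtasks /Create fed an XML from a Temp folder."""
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "schtasks.exe":
            continue
        cl = e["cmdline"]
        if not re.search(r"/create\b", cl, re.IGNORECASE):
            continue
        xml = _arg(r"/XML", cl)
        if xml and re.search(r"(?:^|\\)temp\\|%temp%", xml, re.IGNORECASE):
            hits.append((e["pid"], _arg(r"/TN", cl), xml))
    return hits


def self_injection_candidates(events, memory_writes, thread_context):
    """Parent writes into a child running its own image, then sets its thread context."""
    by_pid = {e["pid"]: e for e in events}
    writes = set(memory_writes)
    hits = []
    for src, dst in thread_context:
        s, d = by_pid.get(src), by_pid.get(dst)
        if (src, dst) in writes and s and d and d["ppid"] == src \
                and s["image"].lower() == d["image"].lower():
            hits.append((src, dst))
    return hits


def wow64_redirected(events):
    """PIDs whose command line says System32 but whose image came from SysWOW64."""
    return [e["pid"] for e in events
            if re.search(r"\\system32\\", e["cmdline"], re.IGNORECASE)
            and re.search(r"\\syswow64\\", e["image"], re.IGNORECASE)]


if __name__ == "__main__":
    print("Defender exclusions:", defender_exclusions(EVENTS))
    print("Temp-XML scheduled tasks:", temp_xml_scheduled_tasks(EVENTS))
    print("Self-injection:", self_injection_candidates(EVENTS, MEMORY_WRITES, THREAD_CONTEXT))
    print("WOW64-redirected children:", wow64_redirected(EVENTS))
```

The exclusion check matches -ExclusionProcess and -ExclusionExtension as well as -ExclusionPath, since all three weaken Defender the same way; the task check keys on the XML source rather than the task name, because the name is attacker-chosen while a task definition read from a user-writable Temp directory is unusual for legitimate software.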
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 144B
MD5 c9a2f1a2076a398dc36f585a95e6c197
SHA1 39de5490af12ac48da1832073b1cd78e04ceacc7
SHA256 0d7e2034d0bada5cca730b93707507dcec04c90f256fe06cb58494140bd08577
SHA512 5852031b90cb604a99e209e9cd35b9aab51fad311e393a721b3c78bd12df0399ab054a78eda45caa8008d410996dc095f6702c8d8bd440f2a0738884d63f377d
-
Filesize 1KB
MD5 043992e2deb84bb2e6c840c24c140a8f
SHA1 6e900c18873461500f895c1304e89ffaa8965ee9
SHA256 fe04f07042d088a15fc7bbd7c544e8d12d3960bff866c7f321fc0831536cab39
SHA512 639be05d1a015d9bb4f44811bb359acf6d5057f34dcea5aa8e1d14ff11b024bd268383ee14fc7d55d59d4dcbd8c63bb601b4bba987d6a80a4240ef08d7b29cd6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PB5T9U2IZS7KUYQZU8CB.temp
Filesize 7KB
MD5 5275564cbe096a091c773ba995de1a03
SHA1 5359a41e0de067115a0e64ddbc1c50c1d65f62fd
SHA256 d1d740d1460d5bee3d998018be8fdaf346f7461e1ed2714e8b21a26c44e80b45
SHA512 3bad9b61b305638c38b01414a321b949c9362f11d3390cce5dc4659a64255908760bfc0fa19ec455aa433c880e1e1202db3cb9d298a1688adf819d51e01b21e6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize 7KB
MD5 5275564cbe096a091c773ba995de1a03
SHA1 5359a41e0de067115a0e64ddbc1c50c1d65f62fd
SHA256 d1d740d1460d5bee3d998018be8fdaf346f7461e1ed2714e8b21a26c44e80b45
SHA512 3bad9b61b305638c38b01414a321b949c9362f11d3390cce5dc4659a64255908760bfc0fa19ec455aa433c880e1e1202db3cb9d298a1688adf819d51e01b21e6