Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
04/12/2023, 17:20
Static task
static1
Behavioral task
behavioral1
Sample
FAT986545600986.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
FAT986545600986.exe
Resource
win10v2004-20231130-en
General
-
Target
FAT986545600986.exe
-
Size
1.0MB
-
MD5
470249dbfe3ac7f1d16ea4a52ef76fb3
-
SHA1
984ef38fbfa4efd6b9310a07c4a6b2be63e328bf
-
SHA256
f77532a0a209676025270db283534fc63ba0780415e8273d670fc6d1bc4bf1f5
-
SHA512
ec2edf6140afcf84719a8a2d53303ee86fa6b32406b0fc99db6d87dcc162577b9766f88e5fb7643e4cb4fb09c5431c5ab3d8029800eab02aa1b81914e3faba39
-
SSDEEP
24576:h34/up+pJ1sRbSz55MlrTQF4ZriIqBT3peD:h38PJ1QSz55CsIiIqBs
Malware Config
Extracted
remcos
RemoteHost
107.175.229.139:8087
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-IZFV1M
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/1644-74-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView behavioral1/memory/1644-92-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/1080-65-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral1/memory/1080-83-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Nirsoft 6 IoCs
resource yara_rule behavioral1/memory/1080-65-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/1724-76-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/1724-77-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/1644-74-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft behavioral1/memory/1080-83-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/1644-92-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts FAT986545600986.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2116 set thread context of 2772 2116 FAT986545600986.exe 34 PID 2772 set thread context of 1080 2772 FAT986545600986.exe 39 PID 2772 set thread context of 1644 2772 FAT986545600986.exe 40 PID 2772 set thread context of 1724 2772 FAT986545600986.exe 41 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2700 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2116 FAT986545600986.exe 2116 FAT986545600986.exe 2740 powershell.exe 2556 powershell.exe 1080 FAT986545600986.exe 1080 FAT986545600986.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
pid Process 2772 FAT986545600986.exe 2772 FAT986545600986.exe 2772 FAT986545600986.exe 2772 FAT986545600986.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2116 FAT986545600986.exe Token: SeDebugPrivilege 2740 powershell.exe Token: SeDebugPrivilege 2556 powershell.exe Token: SeDebugPrivilege 1724 FAT986545600986.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2772 FAT986545600986.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 2116 wrote to memory of 2556 2116 FAT986545600986.exe 28 PID 2116 wrote to memory of 2556 2116 FAT986545600986.exe 28 PID 2116 wrote to memory of 2556 2116 FAT986545600986.exe 28 PID 2116 wrote to memory of 2556 2116 FAT986545600986.exe 28 PID 2116 wrote to memory of 2740 2116 FAT986545600986.exe 30 PID 2116 wrote to memory of 2740 2116 FAT986545600986.exe 30 PID 2116 wrote to memory of 2740 2116 FAT986545600986.exe 30 PID 2116 wrote to memory of 2740 2116 FAT986545600986.exe 30 PID 2116 wrote to memory of 2700 2116 FAT986545600986.exe 32 PID 2116 wrote to memory of 2700 2116 FAT986545600986.exe 32 PID 2116 wrote to memory of 2700 2116 FAT986545600986.exe 32 PID 2116 wrote to memory of 2700 2116 FAT986545600986.exe 32 PID 2116 wrote to memory of 2772 2116 FAT986545600986.exe 34 PID 2116 wrote to memory of 2772 2116 FAT986545600986.exe 34 PID 2116 wrote to memory of 2772 2116 FAT986545600986.exe 34 PID 2116 wrote to memory of 2772 2116 FAT986545600986.exe 34 PID 2116 wrote to memory of 2772 2116 FAT986545600986.exe 34 PID 2116 wrote to memory of 2772 2116 FAT986545600986.exe 34 PID 2116 wrote to memory of 2772 2116 FAT986545600986.exe 34 PID 2116 wrote to memory of 2772 2116 FAT986545600986.exe 34 PID 2116 wrote to memory of 2772 2116 FAT986545600986.exe 34 PID 2116 wrote to memory of 2772 2116 FAT986545600986.exe 34 PID 2116 wrote to memory of 2772 2116 FAT986545600986.exe 34 PID 2116 wrote to memory of 2772 2116 FAT986545600986.exe 34 PID 2116 wrote to memory of 2772 2116 FAT986545600986.exe 34 PID 2772 wrote to memory of 2436 2772 FAT986545600986.exe 38 PID 2772 wrote to memory of 2436 2772 FAT986545600986.exe 38 PID 2772 wrote to memory of 2436 2772 FAT986545600986.exe 38 PID 2772 wrote to memory of 2436 2772 FAT986545600986.exe 38 PID 2772 wrote to memory of 1080 2772 FAT986545600986.exe 39 PID 2772 wrote to memory of 1080 2772 FAT986545600986.exe 39 PID 2772 wrote to memory of 1080 2772 FAT986545600986.exe 39 PID 2772 wrote to memory of 1080 2772 FAT986545600986.exe 39 PID 2772 wrote to memory of 1080 2772 FAT986545600986.exe 39 PID 2772 wrote to memory of 1644 2772 FAT986545600986.exe 40 PID 2772 wrote to memory of 1644 2772 FAT986545600986.exe 40 PID 2772 wrote to memory of 1644 2772 FAT986545600986.exe 40 PID 2772 wrote to memory of 1644 2772 FAT986545600986.exe 40 PID 2772 wrote to memory of 1644 2772 FAT986545600986.exe 40 PID 2772 wrote to memory of 1724 2772 FAT986545600986.exe 41 PID 2772 wrote to memory of 1724 2772 FAT986545600986.exe 41 PID 2772 wrote to memory of 1724 2772 FAT986545600986.exe 41 PID 2772 wrote to memory of 1724 2772 FAT986545600986.exe 41 PID 2772 wrote to memory of 1724 2772 FAT986545600986.exe 41
Processes
-
C:\Users\Admin\AppData\Local\Temp\FAT986545600986.exe"C:\Users\Admin\AppData\Local\Temp\FAT986545600986.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FAT986545600986.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zulqgtKXtL.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2740
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zulqgtKXtL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE531.tmp"2⤵
- Creates scheduled task(s)
PID:2700
-
-
C:\Users\Admin\AppData\Local\Temp\FAT986545600986.exe"C:\Users\Admin\AppData\Local\Temp\FAT986545600986.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Users\Admin\AppData\Local\Temp\FAT986545600986.exeC:\Users\Admin\AppData\Local\Temp\FAT986545600986.exe /stext "C:\Users\Admin\AppData\Local\Temp\oxgfjaplcxnyuvqnibwawxqu"3⤵PID:2436
-
-
C:\Users\Admin\AppData\Local\Temp\FAT986545600986.exeC:\Users\Admin\AppData\Local\Temp\FAT986545600986.exe /stext "C:\Users\Admin\AppData\Local\Temp\oxgfjaplcxnyuvqnibwawxqu"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1080
-
-
C:\Users\Admin\AppData\Local\Temp\FAT986545600986.exeC:\Users\Admin\AppData\Local\Temp\FAT986545600986.exe /stext "C:\Users\Admin\AppData\Local\Temp\zsmxcsamqffdekerrmrbzkldmxu"3⤵
- Accesses Microsoft Outlook accounts
PID:1644
-
-
C:\Users\Admin\AppData\Local\Temp\FAT986545600986.exeC:\Users\Admin\AppData\Local\Temp\FAT986545600986.exe /stext "C:\Users\Admin\AppData\Local\Temp\burqcltgenxqhqbdixedkpyuvelfhkb"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1724
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD577dac67713555dbb677bb605fe693a32
SHA108cf44ba4fea16721500ed84830bde1fc46ea55b
SHA256846f1e847e095e78a0214fc8d23edfc0cdf3284bd6d6d8a3f8b612a684a962c9
SHA51286be53d55ab0e0f5cc6be9213de8c47dd6e94be800fed6163d000b8aa51d37a74fdee515ce2f3b39fb93991670ba04b6f1324e9333b6341cdb439fb13b72564f
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
1KB
MD5ebc446fa5693d0b35a95f0d09b80ba56
SHA1f9be5a6923d8b7c06b980e3f4698e47bfcdb8666
SHA256044f4c4e69a8b78ed2b5b6ecb1e24a52db7b7d2497dc2a72a6da936320deaedc
SHA51245b186dcecd4e070ff93c6cb858e206235d781dd14ba2717b1637bdc4bfd3ba5d451fcee45f91d839ba260594263ee5630db24f6cae01aa75d894f618bdb19b6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W5ME3COSHH4ZEYAYFOWF.temp
Filesize7KB
MD5055f8649a15526c58e3078494ac60f8a
SHA12046a7d5d0e3dac526a44b955e85640fa2d73058
SHA2565cc21754d2eeb3eb5bb614e4b7bbd4056574449bd52b2b52d1b8a682a366e7d7
SHA51233261695d1f6b6c9d8fdde4089117943eb76e6428570301fbf7f4eaf6b7658d193a24d55bd001e64c799f60337c1a3efa243a85a0f79879e476b031e746b0e99
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD5055f8649a15526c58e3078494ac60f8a
SHA12046a7d5d0e3dac526a44b955e85640fa2d73058
SHA2565cc21754d2eeb3eb5bb614e4b7bbd4056574449bd52b2b52d1b8a682a366e7d7
SHA51233261695d1f6b6c9d8fdde4089117943eb76e6428570301fbf7f4eaf6b7658d193a24d55bd001e64c799f60337c1a3efa243a85a0f79879e476b031e746b0e99