Analysis
-
max time kernel
16s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231201-en -
resource tags
arch:x64, arch:x86, image:win7-20231201-en, locale:en-us, os:windows7-x64, system
submitted
05/12/2023, 16:55
Static task
static1
Behavioral task
behavioral1
Sample
FADTQWERT.exe
Resource
win7-20231201-en
Behavioral task
behavioral2
Sample
FADTQWERT.exe
Resource
win10v2004-20231130-en
General
-
Target
FADTQWERT.exe
-
Size
1.0MB
-
MD5
c200bdcd9c827ad9c878f61a6e80b2ee
-
SHA1
730d6b83b8af8d7b6740020d0e44466c2192f6ee
-
SHA256
fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd
-
SHA512
a5dd81fe25aa643c94f5e098e17fc2ce9a929141ea3a470245986e3e5fb8d9da8c014f6649a70816f8d1338b043a09caea69193f627f8c1bf351becb8d76de43
-
SSDEEP
24576:KgCKtD/61Idz9KOXdI0YBt68T1U3FMztS5aV3+2rN87:X6Kzj+0YBt68+3FMKaO2h87
Malware Config
Extracted
remcos
RemoteHost
107.175.229.139:8087
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-IZFV1M
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2592  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid   Process
2104  FADTQWERT.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  2104  FADTQWERT.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description                        pid   Process        procid_target
PID 2104 wrote to memory of 2220   2104  FADTQWERT.exe  29
PID 2104 wrote to memory of 2220   2104  FADTQWERT.exe  29
PID 2104 wrote to memory of 2220   2104  FADTQWERT.exe  29
PID 2104 wrote to memory of 2220   2104  FADTQWERT.exe  29
PID 2104 wrote to memory of 2728   2104  FADTQWERT.exe  33
PID 2104 wrote to memory of 2728   2104  FADTQWERT.exe  33
PID 2104 wrote to memory of 2728   2104  FADTQWERT.exe  33
PID 2104 wrote to memory of 2728   2104  FADTQWERT.exe  33
PID 2104 wrote to memory of 2592   2104  FADTQWERT.exe  32
PID 2104 wrote to memory of 2592   2104  FADTQWERT.exe  32
PID 2104 wrote to memory of 2592   2104  FADTQWERT.exe  32
PID 2104 wrote to memory of 2592   2104  FADTQWERT.exe  32
Processes
-
C:\Users\Admin\AppData\Local\Temp\FADTQWERT.exe
  "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.exe"
  Depth 1, PID: 2104
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.exe"
    Depth 2, PID: 2220
  -
  C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GwdCcjuxCiQA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp55AE.tmp"
    Depth 2, PID: 2592
    - Creates scheduled task(s)
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GwdCcjuxCiQA.exe"
    Depth 2, PID: 2728
  -
  C:\Users\Admin\AppData\Local\Temp\FADTQWERT.exe
    "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.exe"
    Depth 2, PID: 2608
-
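The process tree above carries three behaviours a detection engineer would want to catch in telemetry regardless of the sample's hash: a process in a user-writable directory spawning powershell.exe to run Add-MpPreference -ExclusionPath on its own path and on a second path under AppData\Roaming, schtasks.exe importing a task definition from an .tmp file in the user's Temp folder, and the sample re-launching its own image while WriteProcessMemory IoCs show the parent writing into the children it spawned. The following Python is an added example, not part of the sandbox report: the event records are constructed from the command lines and WriteProcessMemory rows printed above, the parent PIDs of the depth-2 processes are inferred from tree depth (the report does not print a PPID field), and the rule names and the benign control record are this example's own. It matches on the image path's basename rather than on the command line's directory, because the 32-bit parent's "System32\...\powershell.exe" command line resolves to SysWOW64 under WOW64 file-system redirection, exactly as the report shows.

```python
"""Detection rules over the process tree in the report above (added example).

PROCESSES and WRITE_PROCESS_MEMORY are CONSTRUCTED from the report's command
lines and WriteProcessMemory IoCs.  ppid values for depth-2 processes are an
inference from tree depth, not a field the report prints.  PID 3000 is a
constructed benign control that must not trigger anything.
"""
import re
from collections import defaultdict

PROCESSES = [
    {"pid": 2104, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\FADTQWERT.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\FADTQWERT.exe"'},
    {"pid": 2220, "ppid": 2104,   # ppid inferred from depth
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.exe"'},
    {"pid": 2592, "ppid": 2104,   # ppid inferred from depth
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GwdCcjuxCiQA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp55AE.tmp"'},
    {"pid": 2728, "ppid": 2104,   # ppid inferred from depth
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GwdCcjuxCiQA.exe"'},
    {"pid": 2608, "ppid": 2104,   # ppid inferred from depth
     "image": r"C:\Users\Admin\AppData\Local\Temp\FADTQWERT.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\FADTQWERT.exe"'},
    {"pid": 3000, "ppid": None,   # constructed benign control, not from the report
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference'},
]

# (source_pid, target_pid) pairs from the WriteProcessMemory IoCs, duplicates removed.
WRITE_PROCESS_MEMORY = {(2104, 2220), (2104, 2728), (2104, 2592)}

# One command-line argument: either a double-quoted string or a bare token.
TOKEN = r'("[^"]*"|\S+)'
EXCLUSION_RE = re.compile(r'Add-MpPreference\b.*?-ExclusionPath\s+' + TOKEN, re.I)
SCHTASKS_XML_RE = re.compile(r'/Create\b.*?/TN\s+' + TOKEN + r'.*?/XML\s+' + TOKEN, re.I)
# Directories an unprivileged user can write to; a task XML staged there is suspicious.
USER_WRITABLE_RE = re.compile(r'\\AppData\\(Local\\Temp|Roaming)\\', re.I)


def basename(path):
    """Image file name, lower-cased, so System32/SysWOW64 redirection does not matter."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(processes, wpm_edges):
    """Return (rule, pid, detail) findings for the given process records and
    WriteProcessMemory edges."""
    by_pid = {p["pid"]: p for p in processes}
    children = defaultdict(list)
    for p in processes:
        if p["ppid"] is not None:
            children[p["ppid"]].append(p["pid"])

    findings = []
    for p in processes:
        name = basename(p["image"])
        parent = by_pid.get(p["ppid"])
        if name == "powershell.exe":
            m = EXCLUSION_RE.search(p["cmdline"])
            if m:
                findings.append(("defender_exclusion", p["pid"], m.group(1).strip('"')))
        if name == "schtasks.exe":
            m = SCHTASKS_XML_RE.search(p["cmdline"])
            if m and USER_WRITABLE_RE.search(m.group(2).strip('"')):
                findings.append(("schtasks_xml_from_user_dir", p["pid"], m.group(1).strip('"')))
        if parent and parent["image"].lower() == p["image"].lower():
            findings.append(("self_spawn", p["pid"], parent["pid"]))
    # Parent writing into the address space of a child it created itself.
    for src, dst in sorted(wpm_edges):
        if dst in children.get(src, []):
            findings.append(("writes_into_own_child", src, dst))
    return findings


def summarize(processes, findings):
    """Roll every finding up to the root of its process chain, so the whole
    tree produces one alert keyed on the root PID."""
    by_pid = {p["pid"]: p for p in processes}

    def root(pid):
        while by_pid[pid]["ppid"] in by_pid:
            pid = by_pid[pid]["ppid"]
        return pid

    rollup = defaultdict(set)
    for rule, pid, _ in findings:
        rollup[root(pid)].add(rule)
    return {pid: sorted(rules) for pid, rules in rollup.items()}


if __name__ == "__main__":
    found = detect(PROCESSES, WRITE_PROCESS_MEMORY)
    for rule, pid, detail in found:
        print(f"{rule:28} pid={pid:<5} {detail}")
    print(summarize(PROCESSES, found))
```

Run stand-alone, the block reports seven findings, all of which roll up to PID 2104; the constructed Get-MpPreference control produces none. The rollup step is the part worth keeping: individually, a Defender exclusion or a schtasks import can be legitimate administration, but the same root process doing both from a Temp-folder image and then writing into its own children is the combination worth an alert.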
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize  144B
MD5       b2d7b80c3f677b5ee18bc4b00fbef8f4
SHA1      94e553e152c8d1598e3cd343d3d2d5c286c40f64
SHA256    1a0d3c8554b34871476e8c08ccb85f642b9d828f19e6aa4bbbc6619f6cb99c33
SHA512    b67346fd113d84fb4456f1078a670684ddcc7e076ff73c9f25a1c293cb2cc799bf6efecd28e7faf52227578aadc640a84c4464f3108dc333cb7f6afc14d1f8c5
-
Filesize  1KB
MD5       d2ca338bc35825f69853c772d1ebdcb8
SHA1      6b9e575f40eae150c4add0a491679222767a4715
SHA256    a08b898ef4f47fe2b1bfd76ef4c06fc9ec5b821155dd011a76c9b29a51d26db9
SHA512    90eb34dfda92385f8b353bc1341ccf636bb86401b31514c722c583db45127f33e99be8885218b6bc087a4b6831b9f27f46125bde3cf9e982f120409f0255e6f0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2D3MAQ9KU7G3JWBGHFXC.temp
Filesize  7KB
MD5       32fbf21f902c92fbca62af1528f8e573
SHA1      d95293dccf8c355b3b9c0136ee83d587fa6a94d1
SHA256    a38cf444ce54f3cc77206e65f971ab9a6194592a708b79496d2d7087afd92d53
SHA512    b9a8c888062ce8884f9bb1231b228e95a4c984e2de76e144875d622f7a260150c8b7f13579c70a06f90de2aa6a83dff342742bc0c66dad079a81306e6ce80b14
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize  7KB
MD5       32fbf21f902c92fbca62af1528f8e573
SHA1      d95293dccf8c355b3b9c0136ee83d587fa6a94d1
SHA256    a38cf444ce54f3cc77206e65f971ab9a6194592a708b79496d2d7087afd92d53
SHA512    b9a8c888062ce8884f9bb1231b228e95a4c984e2de76e144875d622f7a260150c8b7f13579c70a06f90de2aa6a83dff342742bc0c66dad079a81306e6ce80b14