Analysis
max time kernel: 17s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231130-en locale:en-us os:windows10-2004-x64 system
submitted: 05/12/2023, 16:55
Static task: static1
Behavioral task: behavioral1
  Sample: FADTQWERT.exe
  Resource: win7-20231201-en
Behavioral task: behavioral2
  Sample: FADTQWERT.exe
  Resource: win10v2004-20231130-en
General
Target: FADTQWERT.exe
Size: 1.0MB
MD5: c200bdcd9c827ad9c878f61a6e80b2ee
SHA1: 730d6b83b8af8d7b6740020d0e44466c2192f6ee
SHA256: fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd
SHA512: a5dd81fe25aa643c94f5e098e17fc2ce9a929141ea3a470245986e3e5fb8d9da8c014f6649a70816f8d1338b043a09caea69193f627f8c1bf351becb8d76de43
SSDEEP: 24576:KgCKtD/61Idz9KOXdI0YBt68T1U3FMztS5aV3+2rN87:X6Kzj+0YBt68+3FMKaO2h87
Malware Config
Extracted: remcos
RemoteHost: 107.175.229.139:8087
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-IZFV1M
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000\Control Panel\International\Geo\Nation
  Process: FADTQWERT.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 3748
  Process: schtasks.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid: 4368
  Process: FADTQWERT.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege
  pid: 4368
  Process: FADTQWERT.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process        procid_target
  PID 4368 wrote to memory of 2324   4368  FADTQWERT.exe  89
  PID 4368 wrote to memory of 2324   4368  FADTQWERT.exe  89
  PID 4368 wrote to memory of 2324   4368  FADTQWERT.exe  89
  PID 4368 wrote to memory of 4532   4368  FADTQWERT.exe  88
  PID 4368 wrote to memory of 4532   4368  FADTQWERT.exe  88
  PID 4368 wrote to memory of 4532   4368  FADTQWERT.exe  88
  PID 4368 wrote to memory of 3748   4368  FADTQWERT.exe  92
  PID 4368 wrote to memory of 3748   4368  FADTQWERT.exe  92
  PID 4368 wrote to memory of 3748   4368  FADTQWERT.exe  92
Processes
C:\Users\Admin\AppData\Local\Temp\FADTQWERT.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4368

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GwdCcjuxCiQA.exe"
    PID: 4532

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.exe"
    PID: 2324

  C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GwdCcjuxCiQA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8944.tmp"
    - Creates scheduled task(s)
    PID: 3748

  C:\Users\Admin\AppData\Local\Temp\FADTQWERT.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.exe"
    PID: 4008

  C:\Users\Admin\AppData\Local\Temp\FADTQWERT.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\FADTQWERT.exe"
    PID: 4892
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 144B
MD5: 40d326cdc38e906f1b80663e44d5b3a5
SHA1: f7cebaa62119486c91b75bd17a7e67dbd83ed590
SHA256: 50cdf89c127016081a57a896fc41e5644d48943d8c65d3530d9960ac815cad94
SHA512: d30e9613137785dae96fc2959ce2bfbf2f3477b4b1d485bbc38a147053f2ee9034b163e8e053e30fba9601cfb906a2299272293b0264cb392a3203b492ed530c

Filesize: 2KB
MD5: 3d086a433708053f9bf9523e1d87a4e8
SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Filesize: 18KB
MD5: 9baaf8bce3f00dbc0bf93e0f0253d425
SHA1: f424f1aa4135434a32845cd533420ef5f3b488be
SHA256: 49eb0c2f3cf3198c1f8f6db0481cefecb98818eafe77e50e4dbd60706abb52b0
SHA512: 2939ace6cc1f64d03dec009af5e25c2378a9ef9957fc318ceead74ee7d5d32d90391f6c0a592028159c37fb613b4e49a615de4e58243c51128b7c19e5ddbd27b

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 1KB
MD5: 70b84ba6c6e4a44cb6bcd3e049f2fe12
SHA1: 41dc7463a577907db270e80dcfd14c00a3143819
SHA256: 7a2916571e6806101da8bb72083c6202d4463d788ee42711752fafc625d1b68e
SHA512: 152f6f085661199ffe6a1e7353d07e047597b877d9a9948496cdb3a9bd3b12eb4e51983fe796cbe6ecd548c967b9cf6c3e977762ec3bfe3f0ad756ababea0f17