Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10-1703_x64
- resource: win10-20231129-en
- resource tags: arch:x64, arch:x86, image:win10-20231129-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 05/12/2023, 21:13
Static task: static1
Behavioral task: behavioral1
- Sample: $R2VGET4.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: $R2VGET4.exe
- Resource: win10-20231129-en
Behavioral task: behavioral3
- Sample: $R2VGET4.exe
- Resource: win10v2004-20231201-en
General
- Target: $R2VGET4.exe
- Size: 1.1MB
- MD5: aec9174c8479a575306048bb92f94829
- SHA1: 049eaa475e61cbe1e38c007507bd64d30fbe82b9
- SHA256: 79015a0c68260b6317ecfea1983091e74c98dd8ced80766e1515df93534a3f6d
- SHA512: 08bdd9bb7200ba25cb2939d3d845ddfc4a8de1cdbe0848888bd33861b0c26b599d29173bf507ca4118a5b1c166e775d53caafe9934cd5da5343382e92b76ac1d
- SSDEEP: 24576:ogeik1YB0bJMqpiXP4kRRb2X/yVqRNNbmfz89qLs4v7WkiHa/Gx8yo7Y:ogeikqBsJM1QuRsq4R4v7Wki6/GxA
Malware Config
Extracted: remcos
- RemoteHost: 167.114.189.33:2404
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-7ZDF66
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Suspicious use of SetThreadContext (1 IoCs)
  description                           pid   Process         procid_target
  PID 196 set thread context of 1264    196   $R2VGET4.exe    81
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2824  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid   Process          occurrences
  196   $R2VGET4.exe     9
  3224  powershell.exe   3
  652   powershell.exe   3
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid   Process
  Token: SeDebugPrivilege    196   $R2VGET4.exe
  Token: SeDebugPrivilege    3224  powershell.exe
  Token: SeDebugPrivilege    652   powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  1264  $R2VGET4.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  description                         pid   Process         procid_target   occurrences
  PID 196 wrote to memory of 3224     196   $R2VGET4.exe    74              3
  PID 196 wrote to memory of 652      196   $R2VGET4.exe    76              3
  PID 196 wrote to memory of 2824     196   $R2VGET4.exe    77              3
  PID 196 wrote to memory of 1144     196   $R2VGET4.exe    80              3
  PID 196 wrote to memory of 1264     196   $R2VGET4.exe    81              12
Processes
- C:\Users\Admin\AppData\Local\Temp\$R2VGET4.exe (PID 196)
  Command line: "C:\Users\Admin\AppData\Local\Temp\$R2VGET4.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3224)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\$R2VGET4.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 652)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eSFNAbyW.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2824)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eSFNAbyW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6339.tmp"
    Signatures:
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\$R2VGET4.exe (PID 1144)
    Command line: "C:\Users\Admin\AppData\Local\Temp\$R2VGET4.exe"
  - C:\Users\Admin\AppData\Local\Temp\$R2VGET4.exe (PID 1264)
    Command line: "C:\Users\Admin\AppData\Local\Temp\$R2VGET4.exe"
    Signatures:
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 144B
  MD5: f46438ff20cf4b7b7067194df35037d6
  SHA1: f4c9e481ed2fed4e0becd3c5fb70e9ce7556c459
  SHA256: f50f82180042af4e8a931751f988578a24e550d4fe34d3dcfe23b583d9b1f8c7
  SHA512: d048c05d839ef97c4882764c23cb8f1cebcc04837f17f490d27f08d6153a0b231a48676530d87344342068712c4abf1362fad28deeb91fd2e0120818990e452e
- Filesize: 2KB
  MD5: 1c19c16e21c97ed42d5beabc93391fc5
  SHA1: 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
  SHA256: 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
  SHA512: 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
- Filesize: 18KB
  MD5: df451255fce463c7ee51a4d9f2857981
  SHA1: 64b4818a075bbf6a73e4d7bf0a9922ef679b34ac
  SHA256: 49cef38572434054ded7a62e3865c3e5ee3be733d9a32f45f9b824ace88d063f
  SHA512: 5dca1a89a6d808e9b2831364cc11404739b50bd613ac1af7b62edc94215057e59217d18ba00e828574e20ba7fdfe4c67cf7fcd90b63a35fa91d3add4b612c004
- Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
- Filesize: 1KB
  MD5: 526a81461df0cca7dd58846010b10a42
  SHA1: fcda2d075f755bca872b16e827e7fb7ee88ce020
  SHA256: 5e678975f1cb8683b62895f68460fe0615035d0492a1598c2a1c73f02ad611df
  SHA512: fed356cbedc3de69549109cafd1104b5d50c31b04671838f75ec7aa1f24966bdf7df3832a38d6f5ec067393772a6f36938c1e8ea471a7578b4d17792ad3de618