Analysis
max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231201-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231201-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2023, 21:13
Static task: static1
Behavioral task: behavioral1
  Sample: $R2VGET4.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: $R2VGET4.exe
  Resource: win10-20231129-en
Behavioral task: behavioral3
  Sample: $R2VGET4.exe
  Resource: win10v2004-20231201-en
General
Target: $R2VGET4.exe
Size: 1.1MB
MD5: aec9174c8479a575306048bb92f94829
SHA1: 049eaa475e61cbe1e38c007507bd64d30fbe82b9
SHA256: 79015a0c68260b6317ecfea1983091e74c98dd8ced80766e1515df93534a3f6d
SHA512: 08bdd9bb7200ba25cb2939d3d845ddfc4a8de1cdbe0848888bd33861b0c26b599d29173bf507ca4118a5b1c166e775d53caafe9934cd5da5343382e92b76ac1d
SSDEEP: 24576:ogeik1YB0bJMqpiXP4kRRb2X/yVqRNNbmfz89qLs4v7WkiHa/Gx8yo7Y:ogeikqBsJM1QuRsq4R4v7Wki6/GxA
Malware Config
Extracted: remcos
RemoteHost: 167.114.189.33:2404
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-7ZDF66
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation | Process: $R2VGET4.exe
Suspicious use of SetThreadContext (1 IoCs)
  description: PID 4928 set thread context of 3608 | pid: 4928 | Process: $R2VGET4.exe | procid_target: 97
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 3236 | Process: schtasks.exe
Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid: 4928 | Process: $R2VGET4.exe (7 entries)
  pid: 2632 | Process: powershell.exe (2 entries)
  pid: 4856 | Process: powershell.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: SeDebugPrivilege | pid: 4928 | Process: $R2VGET4.exe
  description: Token: SeDebugPrivilege | pid: 4856 | Process: powershell.exe
  description: Token: SeDebugPrivilege | pid: 2632 | Process: powershell.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid: 3608 | Process: $R2VGET4.exe
Suspicious use of WriteProcessMemory (21 IoCs)
  description: PID 4928 wrote to memory of 2632 | pid: 4928 | Process: $R2VGET4.exe | procid_target: 91 (3 entries)
  description: PID 4928 wrote to memory of 4856 | pid: 4928 | Process: $R2VGET4.exe | procid_target: 93 (3 entries)
  description: PID 4928 wrote to memory of 3236 | pid: 4928 | Process: $R2VGET4.exe | procid_target: 95 (3 entries)
  description: PID 4928 wrote to memory of 3608 | pid: 4928 | Process: $R2VGET4.exe | procid_target: 97 (12 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\$R2VGET4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\$R2VGET4.exe"
  PID: 4928
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\$R2VGET4.exe"
    PID: 2632
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eSFNAbyW.exe"
    PID: 4856
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  Child: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eSFNAbyW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF889.tmp"
    PID: 3236
    - Creates scheduled task(s)
  Child: C:\Users\Admin\AppData\Local\Temp\$R2VGET4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\$R2VGET4.exe"
    PID: 3608
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads