Analysis
max time kernel: 148s
max time network: 144s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 05/12/2023, 21:14
Static task: static1
Behavioral task: behavioral1
- Sample: $R6B2ZGV.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: $R6B2ZGV.exe
- Resource: win10-20231129-en
Behavioral task: behavioral3
- Sample: $R6B2ZGV.exe
- Resource: win10v2004-20231127-en
General
Target: $R6B2ZGV.exe
Size: 895KB
MD5: 7f32f76a211c294f6e280b5f6867f2b0
SHA1: 008da0b94b792b4d4810a000336a37651090e9ed
SHA256: 996fec4254ba09feade637d40971b6472912961128f6ad353ec4fe0405f0cc70
SHA512: 1ac208de202c91a038f468a0fba3f3b4f09fa92c4a1d21cca4eda21cf40fe99f245424e6f485327b232a23eaa444419efa96384c3b88f6b0106f81efdb7388c9
SSDEEP: 12288:Sk4lrraD+fm31WPSq3CgCDBPifM1TimdE/3OLjRyX/03xP46L9FI:Sk4lXPfm3gqzB6k1Ts/k2cxHL9F
Malware Config
Extracted family: remcos
RemoteHost: 167.114.189.33:2404
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-7ZDF66
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2376 set thread context of 2804 | 2376 | $R6B2ZGV.exe | 34

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2668 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid | Process
2376 | $R6B2ZGV.exe
2376 | $R6B2ZGV.exe
2376 | $R6B2ZGV.exe
2376 | $R6B2ZGV.exe
2376 | $R6B2ZGV.exe
2376 | $R6B2ZGV.exe
2604 | powershell.exe
852 | powershell.exe
2376 | $R6B2ZGV.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2376 | $R6B2ZGV.exe
Token: SeDebugPrivilege | 2604 | powershell.exe
Token: SeDebugPrivilege | 852 | powershell.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2804 | $R6B2ZGV.exe

Suspicious use of WriteProcessMemory (25 IoCs; identical rows grouped with a count)
count | description | pid | Process | procid_target
4 | PID 2376 wrote to memory of 852 | 2376 | $R6B2ZGV.exe | 28
4 | PID 2376 wrote to memory of 2604 | 2376 | $R6B2ZGV.exe | 30
4 | PID 2376 wrote to memory of 2668 | 2376 | $R6B2ZGV.exe | 32
13 | PID 2376 wrote to memory of 2804 | 2376 | $R6B2ZGV.exe | 34
Processes
(level 1)
C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe"
  PID: 2376
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (level 2)
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe"
    PID: 852
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  (level 2)
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XpBeYEmkGU.exe"
    PID: 2604
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  (level 2)
  C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XpBeYEmkGU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB693.tmp"
    PID: 2668
    - Creates scheduled task(s)

  (level 2)
  C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe"
    PID: 2804
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- (no path recorded)
  Filesize: 144B
  MD5: 918d483bc33cb04d6caffac8c248854f
  SHA1: 32bfacfc5cfcd4017d79b6d7a8ef00b6ec03fb17
  SHA256: 41116ed7cf53acff05cb8b49e0488ea389a67fdcf221ba43373ec882e20e662c
  SHA512: f827dfe8f1d667fce0dc395dcf7427ea43d47dab345bf4daefde6ff726c972fa84b50d2bf4e27416db3c5ccd5038e6d1ffc4aef7f095a821c980795549986d97
- (no path recorded)
  Filesize: 1KB
  MD5: 98a515d0dfa44ec3c7336e63de787876
  SHA1: 1452d2c7a5485ae3eeba5ec9bad40449e9772cd9
  SHA256: 9df81ff9dd0665ab763c0db923d50457eb4c55685c9db79409e5caf562776749
  SHA512: 873ea7032697a40f446e7b925e13f37818c641aa472c206161ecdc9119197895604d77c4be1655b79d68aaaf626316fb654441a3e86f8543c61ea130373cdfbe
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YPGIG0916FW8QWL4SKSC.temp
  Filesize: 7KB
  MD5: cea32a2624f703a64f9fc1417618fe21
  SHA1: 3b9fd3a070d079a5882f7f9151ff539924dcb741
  SHA256: 5ca0cfcc26bc81ee3a40190ea2844921a5d43376d2cd26573c54cca4c2658012
  SHA512: 40cab363acfbfb0b9493204c8a53a6aaf94bb5c413bc8941509866ff17e4f02ce667841b2c96f875119740931200dbf449ac49faf58388d842cb3815afcb1426
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: cea32a2624f703a64f9fc1417618fe21
  SHA1: 3b9fd3a070d079a5882f7f9151ff539924dcb741
  SHA256: 5ca0cfcc26bc81ee3a40190ea2844921a5d43376d2cd26573c54cca4c2658012
  SHA512: 40cab363acfbfb0b9493204c8a53a6aaf94bb5c413bc8941509866ff17e4f02ce667841b2c96f875119740931200dbf449ac49faf58388d842cb3815afcb1426