Analysis
-
max time kernel
148s -
max time network
144s -
platform
windows10-1703_x64 -
resource
win10-20231129-en -
resource tags
arch:x64arch:x86image:win10-20231129-enlocale:en-usos:windows10-1703-x64system -
submitted
05/12/2023, 21:14
Static task
static1
Behavioral task
behavioral1
Sample
$R6B2ZGV.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
$R6B2ZGV.exe
Resource
win10-20231129-en
Behavioral task
behavioral3
Sample
$R6B2ZGV.exe
Resource
win10v2004-20231127-en
General
-
Target
$R6B2ZGV.exe
-
Size
895KB
-
MD5
7f32f76a211c294f6e280b5f6867f2b0
-
SHA1
008da0b94b792b4d4810a000336a37651090e9ed
-
SHA256
996fec4254ba09feade637d40971b6472912961128f6ad353ec4fe0405f0cc70
-
SHA512
1ac208de202c91a038f468a0fba3f3b4f09fa92c4a1d21cca4eda21cf40fe99f245424e6f485327b232a23eaa444419efa96384c3b88f6b0106f81efdb7388c9
-
SSDEEP
12288:Sk4lrraD+fm31WPSq3CgCDBPifM1TimdE/3OLjRyX/03xP46L9FI:Sk4lXPfm3gqzB6k1Ts/k2cxHL9F
Malware Config
Extracted
remcos
RemoteHost
167.114.189.33:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-7ZDF66
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3068 set thread context of 2900 3068 $R6B2ZGV.exe 80 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2372 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 3068 $R6B2ZGV.exe 3068 $R6B2ZGV.exe 3068 $R6B2ZGV.exe 3068 $R6B2ZGV.exe 3068 $R6B2ZGV.exe 3068 $R6B2ZGV.exe 3612 powershell.exe 3068 $R6B2ZGV.exe 1132 powershell.exe 3612 powershell.exe 1132 powershell.exe 1132 powershell.exe 3612 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3068 $R6B2ZGV.exe Token: SeDebugPrivilege 1132 powershell.exe Token: SeDebugPrivilege 3612 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2900 $R6B2ZGV.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 3068 wrote to memory of 1132 3068 $R6B2ZGV.exe 74 PID 3068 wrote to memory of 1132 3068 $R6B2ZGV.exe 74 PID 3068 wrote to memory of 1132 3068 $R6B2ZGV.exe 74 PID 3068 wrote to memory of 3612 3068 $R6B2ZGV.exe 76 PID 3068 wrote to memory of 3612 3068 $R6B2ZGV.exe 76 PID 3068 wrote to memory of 3612 3068 $R6B2ZGV.exe 76 PID 3068 wrote to memory of 2372 3068 $R6B2ZGV.exe 77 PID 3068 wrote to memory of 2372 3068 $R6B2ZGV.exe 77 PID 3068 wrote to memory of 2372 3068 $R6B2ZGV.exe 77 PID 3068 wrote to memory of 2900 3068 $R6B2ZGV.exe 80 PID 3068 wrote to memory of 2900 3068 $R6B2ZGV.exe 80 PID 3068 wrote to memory of 2900 3068 $R6B2ZGV.exe 80 PID 3068 wrote to memory of 2900 3068 $R6B2ZGV.exe 80 PID 3068 wrote to memory of 2900 3068 $R6B2ZGV.exe 80 PID 3068 wrote to memory of 2900 3068 $R6B2ZGV.exe 80 PID 3068 wrote to memory of 2900 3068 $R6B2ZGV.exe 80 PID 3068 wrote to memory of 2900 3068 $R6B2ZGV.exe 80 PID 3068 wrote to memory of 2900 3068 $R6B2ZGV.exe 80 PID 3068 wrote to memory of 2900 3068 $R6B2ZGV.exe 80 PID 3068 wrote to memory of 2900 3068 $R6B2ZGV.exe 80 PID 3068 wrote to memory of 2900 3068 $R6B2ZGV.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe"C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XpBeYEmkGU.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XpBeYEmkGU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp724D.tmp"2⤵
- Creates scheduled task(s)
PID:2372
-
-
C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe"C:\Users\Admin\AppData\Local\Temp\$R6B2ZGV.exe"2⤵
- Suspicious use of SetWindowsHookEx
PID:2900
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5918d483bc33cb04d6caffac8c248854f
SHA132bfacfc5cfcd4017d79b6d7a8ef00b6ec03fb17
SHA25641116ed7cf53acff05cb8b49e0488ea389a67fdcf221ba43373ec882e20e662c
SHA512f827dfe8f1d667fce0dc395dcf7427ea43d47dab345bf4daefde6ff726c972fa84b50d2bf4e27416db3c5ccd5038e6d1ffc4aef7f095a821c980795549986d97
-
Filesize
2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
Filesize
18KB
MD509e7a8aea3636188c3ca562e2c3353a5
SHA170eb0e4be5842d8c0d820147178b22e2e1981978
SHA2569a42d3b38ebfd9afdf3fcbe6c316f89e91b2253964ce66aafe6957fcb7edd654
SHA5127215554c95c546cda8f03e4d8090da6c7353f8f4f78fb0f64e453d778e78b63aca923c5541d89a180fc18ad3d318770fdbdeef5488532ba5a22d2c27b9d7ee5b
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
1KB
MD514e1b188f75d56f6f7afe294121429cf
SHA1f6cba689bc0b68ba8c16e43d936d756c4cb7bcf3
SHA256c5e63f3413904372f44b57859dd6c4ecbbb314851d2274b23874601dfc18c872
SHA512a72214dbb6f454c83a01e89ccb8672950bb9656a19dce2a8b4dcf8e3473a84ffed03f53050125e2321bd11eb2d3633c8141e1bd6ee19642ff37954eb58fbf6f7