Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231127-en locale:en-us os:windows10-2004-x64 system -
submitted
06/12/2023, 12:34
Static task
static1
Behavioral task
behavioral1
Sample
clientfmUx.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
clientfmUx.exe
Resource
win10v2004-20231127-en
General
-
Target
clientfmUx.exe
-
Size
516KB
-
MD5
38a9b7e6b93904b572e76cad2f99353c
-
SHA1
20bd0ea13cbc76cdbb9d002a457e543d02e9d500
-
SHA256
06b9b10a15c0b2856620dd4469c8a976bfbc42e506747a04a763dbeeaf1ecb79
-
SHA512
b381687ef7f9f32af5b254b33bfffc287f675ba06d990df011a460c4f76c81d76546203af6bf0fc412e328d5e013e3997db56b3454002edc71ab6357e4211683
-
SSDEEP
12288:1oPHzIcgTRo9RvHBQAC76LUkd0bpaMwdHqUz:SPHM1ohP0XAx
Malware Config
Extracted
remcos
RemoteHost
retghrtgwtrgtg.bounceme.net:3839
listpoints.click:7020
datastream.myvnc.com:5225
gservicese.com:2718
center.onthewifi.com:8118
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
explorer.exe
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-OPX7KW
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
description: PID 3644 set thread context of 1920 | pid: 3644 | Process: clientfmUx.exe | procid_target: 89
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid: 3644 | Process: clientfmUx.exe
pid: 3644 | Process: clientfmUx.exe
pid: 1920 | Process: cmd.exe
pid: 1920 | Process: cmd.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
pid: 3644 | Process: clientfmUx.exe
pid: 1920 | Process: cmd.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid: 3644 | Process: clientfmUx.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description: PID 3644 wrote to memory of 1920 | pid: 3644 | Process: clientfmUx.exe | procid_target: 89
description: PID 3644 wrote to memory of 1920 | pid: 3644 | Process: clientfmUx.exe | procid_target: 89
description: PID 3644 wrote to memory of 1920 | pid: 3644 | Process: clientfmUx.exe | procid_target: 89
description: PID 3644 wrote to memory of 1920 | pid: 3644 | Process: clientfmUx.exe | procid_target: 89
description: PID 1920 wrote to memory of 3016 | pid: 1920 | Process: cmd.exe | procid_target: 108
description: PID 1920 wrote to memory of 3016 | pid: 1920 | Process: cmd.exe | procid_target: 108
description: PID 1920 wrote to memory of 3016 | pid: 1920 | Process: cmd.exe | procid_target: 108
description: PID 1920 wrote to memory of 3016 | pid: 1920 | Process: cmd.exe | procid_target: 108
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\clientfmUx.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\clientfmUx.exe"
   PID: 3644
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (child of PID 3644)
      Command line: C:\Windows\SysWOW64\cmd.exe
      PID: 1920
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\explorer.exe (child of PID 1920)
         Command line: C:\Windows\SysWOW64\explorer.exe
         PID: 3016
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.1MB
-
MD5
400104c285806db2ea291a5a0cd98f09
-
SHA1
8ffb20345435684f209ba15a6031d5207c7205fa
-
SHA256
2ed05e3352352b168ff6ccd463fc97bc53e107ab63b91eff8e9b409651c6624e
-
SHA512
c29d812515686566864da0aac71731a80416c9a0264e3913c32f127b0451e7aeb4520ad10ad3c56ee7dae19e73b9f5dc97443fe90936da7bfb5e7b170bf75391