Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/12/2023, 17:36

Static task: static1

Behavioral task: behavioral1
- Sample: fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe
- Resource: win7-20231023-en

Behavioral task: behavioral2
- Sample: fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe
- Resource: win10v2004-20231130-en
General
- Target: fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe
- Size: 1.0MB
- MD5: c200bdcd9c827ad9c878f61a6e80b2ee
- SHA1: 730d6b83b8af8d7b6740020d0e44466c2192f6ee
- SHA256: fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd
- SHA512: a5dd81fe25aa643c94f5e098e17fc2ce9a929141ea3a470245986e3e5fb8d9da8c014f6649a70816f8d1338b043a09caea69193f627f8c1bf351becb8d76de43
- SSDEEP: 24576:KgCKtD/61Idz9KOXdI0YBt68T1U3FMztS5aV3+2rN87:X6Kzj+0YBt68+3FMKaO2h87
Malware Config
Extracted: remcos
- RemoteHost: 107.175.229.139:8087
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-IZFV1M
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures

NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients
resource / yara_rule:
- behavioral2/memory/4444-120-0x0000000000400000-0x0000000000457000-memory.dmp: MailPassView
- behavioral2/memory/4444-127-0x0000000000400000-0x0000000000457000-memory.dmp: MailPassView

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
resource / yara_rule:
- behavioral2/memory/2428-117-0x0000000000400000-0x0000000000478000-memory.dmp: WebBrowserPassView
- behavioral2/memory/2428-130-0x0000000000400000-0x0000000000478000-memory.dmp: WebBrowserPassView

Nirsoft (6 IoCs)
resource / yara_rule:
- behavioral2/memory/4444-120-0x0000000000400000-0x0000000000457000-memory.dmp: Nirsoft
- behavioral2/memory/2804-126-0x0000000000400000-0x0000000000424000-memory.dmp: Nirsoft
- behavioral2/memory/4444-127-0x0000000000400000-0x0000000000457000-memory.dmp: Nirsoft
- behavioral2/memory/2428-117-0x0000000000400000-0x0000000000478000-memory.dmp: Nirsoft
- behavioral2/memory/2804-128-0x0000000000400000-0x0000000000424000-memory.dmp: Nirsoft
- behavioral2/memory/2428-130-0x0000000000400000-0x0000000000478000-memory.dmp: Nirsoft
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description / ioc / Process:
- Key value queried: \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation (fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
description / ioc / Process:
- Key opened: \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe)
Suspicious use of SetThreadContext (4 IoCs)
description / pid / Process / procid_target:
- PID 5048 set thread context of 4992 (fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe, procid_target 99)
- PID 4992 set thread context of 2428 (fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe, procid_target 104)
- PID 4992 set thread context of 4444 (fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe, procid_target 103)
- PID 4992 set thread context of 2804 (fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe, procid_target 102)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage or optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
- 1752: schtasks.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid / Process:
- 5048: fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe (2 events)
- 528: powershell.exe (2 events)
- 420: powershell.exe (2 events)
- 2428: fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe (4 events)
- 2804: fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe (2 events)

Suspicious behavior: MapViewOfSection (3 IoCs)
pid / Process:
- 4992: fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe (3 events)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege, 5048: fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe
- Token: SeDebugPrivilege, 528: powershell.exe
- Token: SeDebugPrivilege, 420: powershell.exe
- Token: SeDebugPrivilege, 2804: fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid / Process:
- 4992: fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe

Suspicious use of WriteProcessMemory (33 IoCs)
description / pid / Process / procid_target (repeated events grouped):
- PID 5048 wrote to memory of 420 (fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe, procid_target 95): 3 events
- PID 5048 wrote to memory of 528 (fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe, procid_target 101): 3 events
- PID 5048 wrote to memory of 1752 (fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe, procid_target 97): 3 events
- PID 5048 wrote to memory of 4992 (fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe, procid_target 99): 12 events
- PID 4992 wrote to memory of 2428 (fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe, procid_target 104): 4 events
- PID 4992 wrote to memory of 4444 (fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe, procid_target 103): 4 events
- PID 4992 wrote to memory of 2804 (fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe, procid_target 102): 4 events
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe (PID 5048, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 420, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - Image: C:\Windows\SysWOW64\schtasks.exe (PID 1752, level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GwdCcjuxCiQA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8A10.tmp"
    - Creates scheduled task(s)
  - Image: C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe (PID 4992, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Image: C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe (PID 2804, level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe /stext "C:\Users\Admin\AppData\Local\Temp\nzrmefrvlp"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - Image: C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe (PID 4444, level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe /stext "C:\Users\Admin\AppData\Local\Temp\cembln"
      - Accesses Microsoft Outlook accounts
    - Image: C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe (PID 2428, level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe /stext "C:\Users\Admin\AppData\Local\Temp\acgjluvabzbeasiypitglgvrwekumdbvut"
      - Suspicious behavior: EnumeratesProcesses
  - Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 528, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GwdCcjuxCiQA.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
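The process tree and the SetThreadContext / WriteProcessMemory / scheduled-task / Defender-exclusion signatures above describe four behaviours that are cheap to detect from process-creation telemetry. The following is an added example (not part of this report and not any vendor's detection content) that replays constructed events built from the PIDs, image paths and command lines shown in the tree and flags each behaviour. The event layout (pid, ppid, image, command line) and the list of SetThreadContext source/target pairs are an assumed, simplified log format; the parent PID of the top-level process (1000), the benign control event (PID 9001) and the rule names are constructed for the example.

```python
"""Detection pass over the process activity shown in this report.

Added example; not part of the sandbox report or of any vendor's tooling.
Events are constructed from the report's process tree and signature tables.
The (pid, ppid, image, cmdline) layout is an assumed, simplified log format.
"""
import ntpath
import re

# File name of the sample as listed in the report.
SAMPLE = "fc4fb593fdecc5e6c82c0c98decab2ccd213153078489787712a082c299d20cd.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = ntpath.join(TEMP, SAMPLE)
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
ROAMING_EXE = r"C:\Users\Admin\AppData\Roaming\GwdCcjuxCiQA.exe"


def _stext_cmd(out_name: str) -> str:
    """Command line of a self-spawned NirSoft-style dump, as in the report."""
    return f'{SAMPLE_PATH} /stext "{ntpath.join(TEMP, out_name)}"'


# Constructed process-creation events: (pid, ppid, image, command line).
# The parent PID of the top-level process (1000) and the benign control
# event (PID 9001) are constructed; the report does not show them.
PROC_EVENTS = [
    (5048, 1000, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    (420, 5048, PS_IMAGE, f'{PS_CMD} Add-MpPreference -ExclusionPath "{SAMPLE_PATH}"'),
    (1752, 5048, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GwdCcjuxCiQA" '
     r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp8A10.tmp"'),
    (4992, 5048, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    (2804, 4992, SAMPLE_PATH, _stext_cmd("nzrmefrvlp")),
    (4444, 4992, SAMPLE_PATH, _stext_cmd("cembln")),
    (2428, 4992, SAMPLE_PATH, _stext_cmd("acgjluvabzbeasiypitglgvrwekumdbvut")),
    (528, 5048, PS_IMAGE, f'{PS_CMD} Add-MpPreference -ExclusionPath "{ROAMING_EXE}"'),
    # Benign control (constructed): a task imported from a non-temp location.
    (9001, 900, r"C:\Windows\System32\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup\Nightly" '
     r'/XML "C:\ProgramData\Backup\nightly.xml"'),
]

# Constructed SetThreadContext events (source pid, target pid), taken from
# the report's "Suspicious use of SetThreadContext" rows.
THREAD_CTX_EVENTS = [(5048, 4992), (4992, 2428), (4992, 4444), (4992, 2804)]

# Pulls the /XML argument whether or not it is quoted (input is lowercased).
XML_ARG = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))')


def detect(proc_events, thread_ctx_events):
    """Return sorted (rule, pid) findings for the four behaviours in the report."""
    image_of = {pid: image for pid, _, image, _ in proc_events}
    ctx_pairs = set(thread_ctx_events)
    findings = []
    for pid, ppid, image, cmd in proc_events:
        low = cmd.lower()
        base = ntpath.basename(image).lower()
        same_image_as_parent = image_of.get(ppid, "").lower() == image.lower()

        # 1. Defender exclusion added from PowerShell (Add-MpPreference -ExclusionPath).
        if base == "powershell.exe" and "add-mppreference" in low and "-exclusionpath" in low:
            findings.append(("defender_exclusion_added", pid))

        # 2. Scheduled task created from an XML definition dropped in a user temp dir.
        if base == "schtasks.exe" and "/create" in low:
            m = XML_ARG.search(low)
            xml_path = (m.group(1) or m.group(2)) if m else ""
            if "\\appdata\\local\\temp\\" in xml_path:
                findings.append(("schtasks_xml_from_temp", pid))

        # 3. A copy of the parent's own image re-launched with NirSoft's /stext flag
        #    (save-as-text output), matching the three level-3 children in the tree.
        if same_image_as_parent and "/stext" in low:
            findings.append(("nirsoft_stext_self_spawn", pid))

        # 4. Parent set the thread context of a child running the same image: the
        #    write-then-SetThreadContext sequence behind the hollowing-style rows.
        if same_image_as_parent and (ppid, pid) in ctx_pairs:
            findings.append(("setthreadcontext_same_image_child", pid))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in detect(PROC_EVENTS, THREAD_CTX_EVENTS):
        print(f"{rule:36} pid={pid}")
```

Rules 3 and 4 key on "child image equals parent image", which is what separates the report's self-spawned copies (5048 to 4992, then 4992 to 2804/4444/2428) from ordinary parent-child pairs; rule 2 deliberately lets the constructed ProgramData task through so the temp-path condition is what fires, not /Create alone.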
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 144B
  MD5: 2bbe865b94b15023d1713a384dab3644
  SHA1: 5a7fee6574205441cc70ec2bc00fd678eabbbc07
  SHA256: a1a719eda331cdc9c086951e35ae8df0662e85575b0757b730e2b711ce05d027
  SHA512: d4ee914ff7f44f84acab2b0a273273036e1073d842dcea6e2ebafc4fd966cf61a0fae75e6b3fcf4a6f1e9fb90f88bf81c4aab3a1340b658813693264245917db
- Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
- Filesize: 18KB
  MD5: 0c76a8ad7106df206bf42fac3793e97f
  SHA1: 2a44867a679fae10a3a87f8dd352a72244c98daa
  SHA256: 63b932050a6e219667803e760f6051fdb59608635d8d96b3c7e70339a697ee71
  SHA512: fc180cc80d360c708fe9969e7a5fdf30ff0bf9096303b4459267d2ffdae31dfb0d4b8bcb029001035191cb68b6dece93898e194c99d4b8728f484684c9bc5f17
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 4KB
  MD5: 3772aaa65e9c5c579bf2a54fb9ab6265
  SHA1: 61196978558fc89e2fed95eed55b4dfdaf984c3a
  SHA256: 55ffc234341ed4f8be0fe8c2b5971f4b2954abdba5f452dcd9c18dba860ca2d0
  SHA512: 01da8983568c857a0c5b3c47e10abcad5cee8a414056577a5f233e3363b4d7f40b72359d7b71830953c03ccf80a929c0d81ce54df3f1f51fd753c3d5b55e0bae
- Filesize: 1KB
  MD5: 4e93b25fb2893c67681f775594d3150d
  SHA1: b8c2fdb3cf3aba3fdb6d2efb0b19005031bd71b1
  SHA256: ff70ed8c74cd6b837b69cf8b94fda4831dc7bb8250be307a353766c3c9e4c9b7
  SHA512: caf7aac1a5a2e198e608c4931e766ec64353065aa8c9f6dc95bc51b4d9503e260584839c821838131cb3232a2ad5ce240544f4abcdee8320f4d5476ab901d534