Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20231025-en
resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
submitted: 07/12/2023, 07:41

Static task: static1
Behavioral task: behavioral1
  Sample: Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
  Resource: win7-20231025-en
Behavioral task: behavioral2
  Sample: Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
  Resource: win10v2004-20231127-en
General
Target: Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
Size: 1.0MB
MD5: d450c0d6afa6a22fc9fc53780bcc628b
SHA1: 65ae8b330c8da3f7c0699ea054cdcc857087bd38
SHA256: ed5f392d0095487edd0f112db6a14bbd3e9dc13454e63bf17bb0816d15e93f31
SHA512: 20384a55ece7385a7c950ad984d75f778fc0c7975dfca813fe0b9890862649c26c5eea0e392648c66da491020e2818176c28bc89f1785159e9ed0f323748bc6e
SSDEEP: 12288:zy2iNpukyFWjrH66dn1uoLeyFfyu0AHyJy/bppvmT6TQ/lEtYyVgh2eV:G1XukRjr5pcobFJHxr+NNos
Malware Config
Extracted: remcos
RemoteHost: 127.0.0.1:56932, 45.128.234.54:56932
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-D11KCU
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Detect ZGRat V1 (1 IoCs)
  resource | yara_rule
  behavioral1/memory/1980-7-0x0000000008240000-0x0000000008300000-memory.dmp | family_zgrat_v1
Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 1980 set thread context of 2964 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 36
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2472 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
  2608 | powershell.exe
  2864 | powershell.exe
  1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2964 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe
  Token: SeDebugPrivilege | 2608 | powershell.exe
  Token: SeDebugPrivilege | 2864 | powershell.exe
Suspicious use of WriteProcessMemory (25 IoCs)
  description | pid | Process | procid_target
  PID 1980 wrote to memory of 2864 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 30
  PID 1980 wrote to memory of 2864 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 30
  PID 1980 wrote to memory of 2864 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 30
  PID 1980 wrote to memory of 2864 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 30
  PID 1980 wrote to memory of 2608 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 32
  PID 1980 wrote to memory of 2608 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 32
  PID 1980 wrote to memory of 2608 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 32
  PID 1980 wrote to memory of 2608 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 32
  PID 1980 wrote to memory of 2472 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 34
  PID 1980 wrote to memory of 2472 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 34
  PID 1980 wrote to memory of 2472 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 34
  PID 1980 wrote to memory of 2472 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 34
  PID 1980 wrote to memory of 2964 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 36
  PID 1980 wrote to memory of 2964 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 36
  PID 1980 wrote to memory of 2964 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 36
  PID 1980 wrote to memory of 2964 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 36
  PID 1980 wrote to memory of 2964 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 36
  PID 1980 wrote to memory of 2964 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 36
  PID 1980 wrote to memory of 2964 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 36
  PID 1980 wrote to memory of 2964 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 36
  PID 1980 wrote to memory of 2964 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 36
  PID 1980 wrote to memory of 2964 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 36
  PID 1980 wrote to memory of 2964 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 36
  PID 1980 wrote to memory of 2964 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 36
  PID 1980 wrote to memory of 2964 | 1980 | Payment Advice-BCS_ECS9522023032900460039_16922_952.exe | 36
Processes
C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1980

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2864

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XOXpOFSvB.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2608

  C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XOXpOFSvB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFEC9.tmp"
    - Creates scheduled task(s)
    PID: 2472

  C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECS9522023032900460039_16922_952.exe"
    - Suspicious behavior: GetForegroundWindowSpam
    PID: 2964
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: b0e136f8ea6281d13f08d10f06799ae3
SHA1: 70274df5e272effcd14a02fed97e127c8915c463
SHA256: e6de63613a8436294f5c0563756639df9a4312a64b835b7eada3a5ae4058a3d1
SHA512: 28ce0d27d755ff0c702d6488e55bdb0e1d807f8a9c338c1a2ce7da53d89761c26dd296901ef7ecee706f692f04b2de64c20b6ce167c9de07b1b0867bfa5f5972

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\948YRQV0ENS48FJIVYSM.temp
Filesize: 7KB
MD5: fe3a08652c6658b3fba58266e195fcf7
SHA1: e3fe28af62f28231f10ea68764365992d615fb0c
SHA256: 7a203df2da067fa2b93101830c52a121017ac0e010fa4af6374920240f743f29
SHA512: 41e2532af1c9f2ff17f7598a8e6cddddc3ca9d5abcb22df435d0ffc843dbadd3c7443cfe60ed04b0bd7d90fca25596581a3fafa4e646c80869a6ff13a77952d7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: fe3a08652c6658b3fba58266e195fcf7
SHA1: e3fe28af62f28231f10ea68764365992d615fb0c
SHA256: 7a203df2da067fa2b93101830c52a121017ac0e010fa4af6374920240f743f29
SHA512: 41e2532af1c9f2ff17f7598a8e6cddddc3ca9d5abcb22df435d0ffc843dbadd3c7443cfe60ed04b0bd7d90fca25596581a3fafa4e646c80869a6ff13a77952d7