Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/12/2023, 19:22

Static task: static1
Behavioral task: behavioral1
  Sample: 581fdf9e0a55e6121dfa4b0f662af19fe323492170a19b4181fc4bc941424b1aexe.exe
  Resource: win7-20231201-en
Behavioral task: behavioral2
  Sample: 581fdf9e0a55e6121dfa4b0f662af19fe323492170a19b4181fc4bc941424b1aexe.exe
  Resource: win10v2004-20231127-en
General
Target: 581fdf9e0a55e6121dfa4b0f662af19fe323492170a19b4181fc4bc941424b1aexe.exe
Size: 757KB
MD5: 66bca9391d3610d5f16e8cc8db45a962
SHA1: 587171885e9dd7e76ec95a29827af6766f0acba5
SHA256: 581fdf9e0a55e6121dfa4b0f662af19fe323492170a19b4181fc4bc941424b1a
SHA512: 887c958342e2281b7b593b92d1fc7e4d00b0891e16672a6433ff3475df2bf4809b6acff84fc39b38a6fba067110ee00553ece48a2ad1e9630603f702289f3885
SSDEEP: 12288:g2Qw6UNMMIowZWWa7HcN+FlB5wGYRveB0ud4n8KyPHkO7Eb:g9w6UNMvowZPmHcgFv5whemnTuEP
Malware Config
Extracted: remcos
RemoteHost: 172.93.187.227:2404
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-9QHGDK
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Loads dropped DLL (1 IoCs)
  pid  | Process
  1928 | 581fdf9e0a55e6121dfa4b0f662af19fe323492170a19b4181fc4bc941424b1aexe.exe

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  pid  | Process
  3172 | wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid  | Process
  2224 | powershell.exe
  3172 | wab.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                          | pid  | Process        | procid_target
  PID 2224 set thread context of 3172  | 2224 | powershell.exe | 109

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid  | Process
  2224 | powershell.exe   (8 identical entries)

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid  | Process
  2224 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 2224 | powershell.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid  | Process
  3172 | wab.exe

Suspicious use of SendNotifyMessage (1 IoCs)
  pid  | Process
  3172 | wab.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid  | Process
  3172 | wab.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                        | pid  | Process                                                                  | procid_target
  PID 1928 wrote to memory of 2224   | 1928 | 581fdf9e0a55e6121dfa4b0f662af19fe323492170a19b4181fc4bc941424b1aexe.exe | 89    (3 identical entries)
  PID 2224 wrote to memory of 3172   | 2224 | powershell.exe                                                           | 109   (5 identical entries)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\581fdf9e0a55e6121dfa4b0f662af19fe323492170a19b4181fc4bc941424b1aexe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\581fdf9e0a55e6121dfa4b0f662af19fe323492170a19b4181fc4bc941424b1aexe.exe"
  PID: 1928
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  Level 2 (child of 1928): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$genom=Get-Content 'C:\Users\Admin\AppData\Local\Temp\Semplices\Amortisabel\sphygmomanometric.Mat';$Tintometric14=$genom.SubString(70960,3);.$Tintometric14($genom)"
    PID: 2224
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3 (child of 2224): C:\Program Files (x86)\windows mail\wab.exe
      Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      PID: 3172
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads