Analysis
max time kernel: 150s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/12/2023, 09:23

Static task: static1

Behavioral task: behavioral1
Sample: SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe
Resource: win10v2004-20231127-en
General
Target: SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe
Size: 757KB
MD5: 49eca8d1b29bfaec20599239db6f10da
SHA1: ee605018797e3a9408e24b7ec0767ef5e096ac16
SHA256: dfd724316cb0edbf1212cbf5e71f007d22b7a38e7860d96d4d4bedf17eaa85ea
SHA512: a0d1d7910314cc76bdfa46b6f8cdc9909d850f7fe320be943c16bb6da86b213b23148b331626492a07fedda1932e9d09d4fd10faeb00171e43cdd801cfb71220
SSDEEP: 12288:HDWMD9ehE+uDneLBQt20dup/20AQBOLdxD4N1fahKDwancwk6pvxT0K0jlyOJN9I:FefZ27zZPdnjImBOQX
Malware Config
Extracted: remcos
RemoteHost: 107.175.229.139:8087
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-IZFV1M
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients
resource | yara_rule
behavioral2/memory/4976-61-0x0000000000400000-0x0000000000457000-memory.dmp | MailPassView
behavioral2/memory/4976-69-0x0000000000400000-0x0000000000457000-memory.dmp | MailPassView

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
behavioral2/memory/1804-58-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
behavioral2/memory/1804-77-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView

Nirsoft (6 IoCs)
resource | yara_rule
behavioral2/memory/1804-58-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral2/memory/4976-61-0x0000000000400000-0x0000000000457000-memory.dmp | Nirsoft
behavioral2/memory/4976-69-0x0000000000400000-0x0000000000457000-memory.dmp | Nirsoft
behavioral2/memory/2528-73-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/2528-74-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/1804-77-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe | Powershell.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe | Powershell.exe

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | cvtres.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 1488 set thread context of 4816 | 1488 | SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe | 91
PID 4816 set thread context of 1804 | 4816 | cvtres.exe | 98
PID 4816 set thread context of 4976 | 4816 | cvtres.exe | 99
PID 4816 set thread context of 2528 | 4816 | cvtres.exe | 101

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
4856 | Powershell.exe
4856 | Powershell.exe
1804 | cvtres.exe
1804 | cvtres.exe
2528 | cvtres.exe
2528 | cvtres.exe
1804 | cvtres.exe
1804 | cvtres.exe

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | Process
4816 | cvtres.exe (5 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4856 | Powershell.exe
Token: SeDebugPrivilege | 2528 | cvtres.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
4816 | cvtres.exe

Suspicious use of WriteProcessMemory (30 IoCs)
description | pid | Process | procid_target
PID 1488 wrote to memory of 4856 | 1488 | SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe | 89 (3 entries)
PID 1488 wrote to memory of 4816 | 1488 | SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe | 91 (12 entries)
PID 4816 wrote to memory of 4980 | 4816 | cvtres.exe | 97 (3 entries)
PID 4816 wrote to memory of 1804 | 4816 | cvtres.exe | 98 (3 entries)
PID 4816 wrote to memory of 4976 | 4816 | cvtres.exe | 99 (3 entries)
PID 4816 wrote to memory of 4588 | 4816 | cvtres.exe | 100 (3 entries)
PID 4816 wrote to memory of 2528 | 4816 | cvtres.exe | 101 (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe"
  PID: 1488
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Command line: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.21340.24792.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
    PID: 4856
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
    PID: 4816
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /stext "C:\Users\Admin\AppData\Local\Temp\btjvbvxkuawcrwhknvxyzrueqrovt"
      PID: 4980

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /stext "C:\Users\Admin\AppData\Local\Temp\btjvbvxkuawcrwhknvxyzrueqrovt"
      PID: 1804
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /stext "C:\Users\Admin\AppData\Local\Temp\mvofcnimiiohckewegkscepvyxgeuduf"
      PID: 4976
      - Accesses Microsoft Outlook accounts

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /stext "C:\Users\Admin\AppData\Local\Temp\wquy"
      PID: 4588

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /stext "C:\Users\Admin\AppData\Local\Temp\wquy"
      PID: 2528
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 144B
MD5: fa1db6aea687cd80456174dd65075b23
SHA1: 85f9fb1e2b1883cc42a5091f94e5b9695ab04123
SHA256: b1d434d0f76e561373599b43bfb2e3ce8ae991a14a098d997440e6f20b4c3a60
SHA512: 9efbed7d7739e75ef32035e60fe5b4ab14c854ace5b9e368ccc64daf03eeb2a12c36f1376000ea38c324c8867be588b24f9056c6f4100c174a78dde12a05ba0a

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 4KB
MD5: f38f9e66e6018fe17658be974254cad4
SHA1: 597063c515fc90a5cef2d3f4a64d5c8f5e7ed47c
SHA256: 448eb8deec9960c9a2b6a27daeaea4cbab7d8469ed8b52b6d5916df458b07bb6
SHA512: a6b2f498fbd5fe598430371d57182b73779e66af1f2a85b4f6bde919e17c0f8611b226d96ff8134098904c42edaf0c0ef78328f2ccbe9fb16a4f66dd1d5c57a5