Analysis
-
max time kernel
148s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
08/12/2023, 10:25
Static task
static1
Behavioral task
behavioral1
Sample
KO98765456700.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
KO98765456700.exe
Resource
win10v2004-20231130-en
General
-
Target
KO98765456700.exe
-
Size
588KB
-
MD5
48a8c7c04787860d0b433581a404ba34
-
SHA1
1c675b13fa28944232ec919b458c7da4a2bd43b2
-
SHA256
27d2d0578f8c2ef2ed8055dfc2594af414222a0914e2740a0c12adb9db424e9d
-
SHA512
b8d45391b6f0c3d6d1da61d2dc964e60925133cfca7f840cb9753f257494f5fa16997b91295fb26e5e216291702b712efd2fbbce7b52186c63222546612cfe4c
-
SSDEEP
12288:BxL8DKn1sgl+4gXGMz4hQHjAl7ZEs7SroJZucXou:BhMKnv+Z2MEhQ8ldMUucX/
Malware Config
Extracted
remcos
RemoteHost
107.175.229.139:8087
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-IZFV1M
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/2728-48-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView behavioral1/memory/2728-69-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/2704-41-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral1/memory/2704-57-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Nirsoft 6 IoCs
resource yara_rule behavioral1/memory/2704-41-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/2728-48-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft behavioral1/memory/2612-50-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/2612-51-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/2704-57-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/2728-69-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft -
Executes dropped EXE 5 IoCs
pid Process 1252 qjwofl.exe 2244 qjwofl.exe 2704 qjwofl.exe 2728 qjwofl.exe 2612 qjwofl.exe -
Loads dropped DLL 6 IoCs
pid Process 2240 KO98765456700.exe 2240 KO98765456700.exe 1252 qjwofl.exe 2244 qjwofl.exe 2244 qjwofl.exe 2244 qjwofl.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts qjwofl.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\lueajfoxt = "C:\\Users\\Admin\\AppData\\Roaming\\mhqavfokt\\pyienwcxhq.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\qjwofl.exe\" " qjwofl.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 1252 set thread context of 2244 1252 qjwofl.exe 30 PID 2244 set thread context of 2704 2244 qjwofl.exe 31 PID 2244 set thread context of 2728 2244 qjwofl.exe 32 PID 2244 set thread context of 2612 2244 qjwofl.exe 33 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2704 qjwofl.exe 2704 qjwofl.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2244 qjwofl.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
pid Process 1252 qjwofl.exe 2244 qjwofl.exe 2244 qjwofl.exe 2244 qjwofl.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2612 qjwofl.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2244 qjwofl.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 2240 wrote to memory of 1252 2240 KO98765456700.exe 28 PID 2240 wrote to memory of 1252 2240 KO98765456700.exe 28 PID 2240 wrote to memory of 1252 2240 KO98765456700.exe 28 PID 2240 wrote to memory of 1252 2240 KO98765456700.exe 28 PID 1252 wrote to memory of 2244 1252 qjwofl.exe 30 PID 1252 wrote to memory of 2244 1252 qjwofl.exe 30 PID 1252 wrote to memory of 2244 1252 qjwofl.exe 30 PID 1252 wrote to memory of 2244 1252 qjwofl.exe 30 PID 1252 wrote to memory of 2244 1252 qjwofl.exe 30 PID 2244 wrote to memory of 2704 2244 qjwofl.exe 31 PID 2244 wrote to memory of 2704 2244 qjwofl.exe 31 PID 2244 wrote to memory of 2704 2244 qjwofl.exe 31 PID 2244 wrote to memory of 2704 2244 qjwofl.exe 31 PID 2244 wrote to memory of 2728 2244 qjwofl.exe 32 PID 2244 wrote to memory of 2728 2244 qjwofl.exe 32 PID 2244 wrote to memory of 2728 2244 qjwofl.exe 32 PID 2244 wrote to memory of 2728 2244 qjwofl.exe 32 PID 2244 wrote to memory of 2612 2244 qjwofl.exe 33 PID 2244 wrote to memory of 2612 2244 qjwofl.exe 33 PID 2244 wrote to memory of 2612 2244 qjwofl.exe 33 PID 2244 wrote to memory of 2612 2244 qjwofl.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\KO98765456700.exe"C:\Users\Admin\AppData\Local\Temp\KO98765456700.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Users\Admin\AppData\Local\Temp\qjwofl.exe"C:\Users\Admin\AppData\Local\Temp\qjwofl.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Users\Admin\AppData\Local\Temp\qjwofl.exe"C:\Users\Admin\AppData\Local\Temp\qjwofl.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Users\Admin\AppData\Local\Temp\qjwofl.exeC:\Users\Admin\AppData\Local\Temp\qjwofl.exe /stext "C:\Users\Admin\AppData\Local\Temp\ectewwnkadsuvuvgp"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2704
-
-
C:\Users\Admin\AppData\Local\Temp\qjwofl.exeC:\Users\Admin\AppData\Local\Temp\qjwofl.exe /stext "C:\Users\Admin\AppData\Local\Temp\pezxphxlolkhxarkgrrk"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:2728
-
-
C:\Users\Admin\AppData\Local\Temp\qjwofl.exeC:\Users\Admin\AppData\Local\Temp\qjwofl.exe /stext "C:\Users\Admin\AppData\Local\Temp\zzepqzifctcmiofwpbdmffs"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2612
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5b193812cc5d6a1f71ebe6fc9ca734154
SHA1f8898da7494b71d2c29abe4b0f3d40a690073cc1
SHA256795b9ea7fbc48cacceb79dbb1b14a4206aaa6aa91a3903e9da8fa2a5b779604d
SHA51221e957150d23bbb3e8448ea9658f6c97beaf8a891fbf096bf360b4fb2f593f1fa1bd4fae9046a29971642757c8f059343643d952b2a72f54ff2aefd91f4c05e4
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
168KB
MD5e9e36c00a6bdc83b58f2f005d9230560
SHA14517889931bac4911012e6c40f26664553316b86
SHA256f3b88a87391d8978784342aa4cf1d02c58b65051b6003d9643e5cb0b1fa38a49
SHA5120af04537930dbd11a0524769781d2a03bd1282bf55f0e14e990fecf70d31a30f8bf4554c600125f0296617746a8822b29ab45ee7670874792905141af4f1e9ab
-
Filesize
168KB
MD5e9e36c00a6bdc83b58f2f005d9230560
SHA14517889931bac4911012e6c40f26664553316b86
SHA256f3b88a87391d8978784342aa4cf1d02c58b65051b6003d9643e5cb0b1fa38a49
SHA5120af04537930dbd11a0524769781d2a03bd1282bf55f0e14e990fecf70d31a30f8bf4554c600125f0296617746a8822b29ab45ee7670874792905141af4f1e9ab
-
Filesize
168KB
MD5e9e36c00a6bdc83b58f2f005d9230560
SHA14517889931bac4911012e6c40f26664553316b86
SHA256f3b88a87391d8978784342aa4cf1d02c58b65051b6003d9643e5cb0b1fa38a49
SHA5120af04537930dbd11a0524769781d2a03bd1282bf55f0e14e990fecf70d31a30f8bf4554c600125f0296617746a8822b29ab45ee7670874792905141af4f1e9ab
-
Filesize
168KB
MD5e9e36c00a6bdc83b58f2f005d9230560
SHA14517889931bac4911012e6c40f26664553316b86
SHA256f3b88a87391d8978784342aa4cf1d02c58b65051b6003d9643e5cb0b1fa38a49
SHA5120af04537930dbd11a0524769781d2a03bd1282bf55f0e14e990fecf70d31a30f8bf4554c600125f0296617746a8822b29ab45ee7670874792905141af4f1e9ab
-
Filesize
168KB
MD5e9e36c00a6bdc83b58f2f005d9230560
SHA14517889931bac4911012e6c40f26664553316b86
SHA256f3b88a87391d8978784342aa4cf1d02c58b65051b6003d9643e5cb0b1fa38a49
SHA5120af04537930dbd11a0524769781d2a03bd1282bf55f0e14e990fecf70d31a30f8bf4554c600125f0296617746a8822b29ab45ee7670874792905141af4f1e9ab
-
Filesize
168KB
MD5e9e36c00a6bdc83b58f2f005d9230560
SHA14517889931bac4911012e6c40f26664553316b86
SHA256f3b88a87391d8978784342aa4cf1d02c58b65051b6003d9643e5cb0b1fa38a49
SHA5120af04537930dbd11a0524769781d2a03bd1282bf55f0e14e990fecf70d31a30f8bf4554c600125f0296617746a8822b29ab45ee7670874792905141af4f1e9ab
-
Filesize
168KB
MD5e9e36c00a6bdc83b58f2f005d9230560
SHA14517889931bac4911012e6c40f26664553316b86
SHA256f3b88a87391d8978784342aa4cf1d02c58b65051b6003d9643e5cb0b1fa38a49
SHA5120af04537930dbd11a0524769781d2a03bd1282bf55f0e14e990fecf70d31a30f8bf4554c600125f0296617746a8822b29ab45ee7670874792905141af4f1e9ab
-
Filesize
502KB
MD5d1422dcc186dd0d33d4ee348049b7066
SHA11798099cde18c883af8cff25d213ab51b454d373
SHA2560f1e81839fb040ce10485c8be5c6102546e8673aac91f78813d9ca439017957a
SHA512ca6b9741abbaa59358af118efeaabe8758b793036132f879783d41c77551c246b5456f0b22f455d77c3571cb697f3768293a10aee7c719b9fe8d63de52dfd02d
-
Filesize
168KB
MD5e9e36c00a6bdc83b58f2f005d9230560
SHA14517889931bac4911012e6c40f26664553316b86
SHA256f3b88a87391d8978784342aa4cf1d02c58b65051b6003d9643e5cb0b1fa38a49
SHA5120af04537930dbd11a0524769781d2a03bd1282bf55f0e14e990fecf70d31a30f8bf4554c600125f0296617746a8822b29ab45ee7670874792905141af4f1e9ab
-
Filesize
168KB
MD5e9e36c00a6bdc83b58f2f005d9230560
SHA14517889931bac4911012e6c40f26664553316b86
SHA256f3b88a87391d8978784342aa4cf1d02c58b65051b6003d9643e5cb0b1fa38a49
SHA5120af04537930dbd11a0524769781d2a03bd1282bf55f0e14e990fecf70d31a30f8bf4554c600125f0296617746a8822b29ab45ee7670874792905141af4f1e9ab
-
Filesize
168KB
MD5e9e36c00a6bdc83b58f2f005d9230560
SHA14517889931bac4911012e6c40f26664553316b86
SHA256f3b88a87391d8978784342aa4cf1d02c58b65051b6003d9643e5cb0b1fa38a49
SHA5120af04537930dbd11a0524769781d2a03bd1282bf55f0e14e990fecf70d31a30f8bf4554c600125f0296617746a8822b29ab45ee7670874792905141af4f1e9ab
-
Filesize
168KB
MD5e9e36c00a6bdc83b58f2f005d9230560
SHA14517889931bac4911012e6c40f26664553316b86
SHA256f3b88a87391d8978784342aa4cf1d02c58b65051b6003d9643e5cb0b1fa38a49
SHA5120af04537930dbd11a0524769781d2a03bd1282bf55f0e14e990fecf70d31a30f8bf4554c600125f0296617746a8822b29ab45ee7670874792905141af4f1e9ab
-
Filesize
168KB
MD5e9e36c00a6bdc83b58f2f005d9230560
SHA14517889931bac4911012e6c40f26664553316b86
SHA256f3b88a87391d8978784342aa4cf1d02c58b65051b6003d9643e5cb0b1fa38a49
SHA5120af04537930dbd11a0524769781d2a03bd1282bf55f0e14e990fecf70d31a30f8bf4554c600125f0296617746a8822b29ab45ee7670874792905141af4f1e9ab
-
Filesize
168KB
MD5e9e36c00a6bdc83b58f2f005d9230560
SHA14517889931bac4911012e6c40f26664553316b86
SHA256f3b88a87391d8978784342aa4cf1d02c58b65051b6003d9643e5cb0b1fa38a49
SHA5120af04537930dbd11a0524769781d2a03bd1282bf55f0e14e990fecf70d31a30f8bf4554c600125f0296617746a8822b29ab45ee7670874792905141af4f1e9ab