Overview

overview

10

Static

static

5

9dda72072b...9f.exe

windows7-x64

7

9dda72072b...9f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-01-2024 15:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9dda72072bb5f352a9100dc0bc6c089f.exe

  • Size

    1.5MB

  • MD5

    9dda72072bb5f352a9100dc0bc6c089f

  • SHA1

    261268d043679a90fca1b6489738f5a1df30105e

  • SHA256

    e78be787cfbb5ab74a1c8c2fb7c33b7fdb644dc616c4505057fe00511353137a

  • SHA512

    ac523ad9a9ef698f843677cbb54e300a7c789bf5bdc0cb526ba4cebe6a976db69e107da78788b3dcd1b7f11d56b44aeaf7829ffcb516c13625ab4f3fa39f000b

  • SSDEEP

    24576:8AHnh+eWsN3skA4RV1Hom2KXMmHaGKnmSp3fgmm36sSx7bIhVmgPWsuJ5:bh+ZkldoPK8YaGoYdSFbITP+t

Score
10/10
hawkeyeremcosremotehostcollectionkeyloggerratspywarestealertrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

107.173.4.16:8787

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-KZRQJH

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9dda72072bb5f352a9100dc0bc6c089f.exe
    "C:\Users\Admin\AppData\Local\Temp\9dda72072bb5f352a9100dc0bc6c089f.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Users\Admin\AppData\Local\directory\name.exe
      "C:\Users\Admin\AppData\Local\Temp\9dda72072bb5f352a9100dc0bc6c089f.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4348
      • C:\Users\Admin\AppData\Local\directory\name.exe
        C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\wclqope"
        3⤵
        • Executes dropped EXE
        PID:1708
      • C:\Users\Admin\AppData\Local\directory\name.exe
        C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\jyduiaaearflv"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2092
      • C:\Users\Admin\AppData\Local\directory\name.exe
        C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\yeyjhiplmi"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook accounts
        PID:1472
      • C:\Users\Admin\AppData\Local\directory\name.exe
        C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\wclqope"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3364
      • C:\Windows\SysWOW64\dxdiag.exe
        "C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
        3⤵
        • Drops file in System32 directory
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1120

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    3500731175c8a4d3b79d7a910435c623

    SHA1

    d54e37c2c8a2756ec876a4d0202a0238083f439e

    SHA256

    1757acffa60bfdafc29ca0d05a4aed8ea3abef3e068f02d1420a24b3e10fee17

    SHA512

    e6bafe2b34258e55304cc907892961961ae27abb3d60e8c58274ff8a512363144da9c97810faaff6c955676a5d5159d637b451ccb701f8de9bd29940b71aa2ab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Gehman
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\fondaco
    Filesize

    29KB

    MD5

    16311eae579169d75f81ea65e83d11a9

    SHA1

    031769d9a1734b84f5b14a5107e299ddb91183c4

    SHA256

    298369abb82851444150cb7cb170641a7504ef9902c27a9f344df5a499e7044c

    SHA512

    3fde3b0b0c2e87ed8cd9e9f547ba9e4b941abb38b32e1fd4099ad51e1b3144e0da4bed8e2b60c5dde70e70bca0db8f3a805b146ed98c6b13eabc3537dbaaab1f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
    Filesize

    84KB

    MD5

    fdb6a6a26aa617c00638faf3111c409f

    SHA1

    8f50298eaac7585ecbcaf7d9b952545128bc9bc8

    SHA256

    8318679d616e0416b9a7f9d3fcab049cd47618f9832c98701ddd58995c2c8a60

    SHA512

    004928a4f57af2baf007f5d98fa4d2b8943949198b4e687b384d8ed0ca5b0d55f8a26806676e163a9e7452da11cf8acb83eeebe1e90c12ebc30f5c032625f118

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wclqope
    Filesize

    4KB

    MD5

    a4b83bf48e62a41c2f45628d10c5bba1

    SHA1

    2596a41d8da2eb88f7f69e27cc16a046a2287f35

    SHA256

    7b29149f6971b7fba6137f401c2d515cc576dafd233b7d312dd7d818b9f91829

    SHA512

    afcaee732127ad05cc70a2a9cca8e4ccdcacf8161b16ed4c5e346418a7c221f3da4f20d95b449fb813a6ccbd2aad05a3a9449a9db01f8fd5c132068d1cf4c7bd

    Download Submit

  • C:\Users\Admin\AppData\Local\directory\name.exe
    Filesize

    4.0MB

    MD5

    c9e9a695054430eca8208fdbdb2b71cc

    SHA1

    1f10e4a5a7a646751469a89421f508f05fc1759e

    SHA256

    a6f6d15f143f301eca4c86f744f914a7d7c6f7548574cff22008c7cd81936f59

    SHA512

    012ea13803211e9d6236ca640d90a9e49b2c8325c15136b0a4f70f0a09c05518817d8b43d27cec57224af700ec10e68c1566f4dfe977f67d993b35f21fe5a8b1

    Download Submit

  • C:\Users\Admin\AppData\Local\directory\name.exe
    Filesize

    3.9MB

    MD5

    4474aefe2755c6655f57e415a89861e5

    SHA1

    6f89739edb7b90317709203047361dd8f17cb084

    SHA256

    7a0db20a3c4893fc4b28d90fdde8ef2b2c77ba2c3f108a874799deba18531f30

    SHA512

    8e246e9847fc9840d6daf33a46f5cb1cab4e4f912e74d106848458209a454127c705958b66663d7fd40fb4c847bcaeb0fcca8ed40674b3b180768a33fd5603fa

    Download Submit

  • C:\Users\Admin\AppData\Local\directory\name.exe
    Filesize

    318KB

    MD5

    24f9b4e4b41936c41fe580e6d3ad91d3

    SHA1

    bfbe01857806ab184ab942d4415904910675d6df

    SHA256

    14e88e9da74093560bf1a04bba81c669d17e6281036ebba7f5f0edad5d76db42

    SHA512

    e742a5d62c5d94ba225702a025d767e41f1157e5032ca816aba8dda98a12fa1f98c0e642f8643c911083890f7c4cb7096aa384381cb647630df5fdfa5e6532c8

    Download Submit

  • C:\Users\Admin\AppData\Local\directory\name.exe
    Filesize

    377KB

    MD5

    6d19e9ad783ee7f20ef105a24567c361

    SHA1

    1728fbeec1aeeb18d55555a92f01cbdfa6b57dc2

    SHA256

    603da916977b9bf33da020639738c281cf4e283d7fb2212b12e6d04fa98e4d16

    SHA512

    c22f64e022bf8c716079d05bb050d030ff194e62dcf5a9e9bc7fa6c90296aa4c54cf38fe5f72c1a51775082805d30100005c72f2d95cdafa5bb50be75a7b6efd

    Download Submit

  • C:\Users\Admin\AppData\Local\directory\name.exe
    Filesize

    261KB

    MD5

    72c0925905c97279100435d34bb4924c

    SHA1

    cc90c7b1eb5d09661d0f2fa02a26558f871836e6

    SHA256

    f2325db8234fd020917ffd2b18cec4b8e74f31e34df505cd14df7804c641cc9d

    SHA512

    05e9b82b4637455b870f19c9e5dc25b32855711caef39ad361e88fdb6bdf1c3ec6c4e82452d552947e3f226fd6e9b5ccfc609ec4517c6ad0be609ae7c117ace3

    Download Submit

  • C:\Users\Admin\AppData\Local\directory\name.exe
    Filesize

    235KB

    MD5

    a734bd4b1cf58967fc3081fdab110bdd

    SHA1

    42aa48af40d2a4a7df737cf7ff29e08e3cee904a

    SHA256

    67f93cc09a352a35ec0f3a98b13dad36dc2e88abcc0106768e54f55515138810

    SHA512

    72bfdfb30cd738d21755ee1688c73818a38895566fe9580103414ab150baf29f2daefcea492dab152dc285c6dc188bd5c8e4caf293588f325122586aa2ec37d4

    Download Submit

  • memory/1120-125-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1120-126-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1120-118-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1120-119-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1120-129-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1120-130-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1120-128-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1120-120-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1120-124-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1120-127-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1472-44-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/1472-56-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/1472-59-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/1472-51-0x0000000000400000-0x0000000000457000-memory.dmp

    Filesize

    348KB

    Download

  • memory/2092-64-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2092-65-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2092-63-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2092-66-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2092-53-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

    Download

  • memory/3008-10-0x00000000020A0000-0x00000000020A4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/3364-68-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3364-54-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3364-47-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3364-42-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4348-109-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-83-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4348-76-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4348-75-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4348-110-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-70-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4348-81-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-111-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-73-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4348-112-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-87-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-94-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-95-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-102-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-103-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-48-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-74-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

    Download

  • memory/4348-77-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-86-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-114-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-115-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-117-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-116-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-46-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-40-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-38-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-37-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-36-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-35-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-34-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-33-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-31-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-29-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4348-28-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download