Analysis
max time kernel: 152s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/02/2024, 07:39
Static task: static1
Behavioral task: behavioral1
- Sample: RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe
- Resource: win10v2004-20231215-en
Behavioral task: behavioral3
- Sample: $PLUGINSDIR/System.dll
- Resource: win7-20231215-en
Behavioral task: behavioral4
- Sample: $PLUGINSDIR/System.dll
- Resource: win10v2004-20231215-en
General
Target: RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe
Size: 431KB
MD5: 2d445bd0fd5ca61eb05f2a293e7e9ecb
SHA1: 4728f6650d9658ad6c9db2a1c01c88b0bd9be712
SHA256: c5bbe31a17d4365500acaf7bd2fbfc10f8a0867d650e12b24e22efa239cfdb3d
SHA512: a8939d865005272c265e8c235153bffad905d6cb28aabd9599e707d2e09f55e3fc876d85a68da75947df4af5dde7b2d81916bf5d53e3319194fe2eb16414fd30
SSDEEP: 6144:znPdudwDMyZL5OCSAPcWOkhdeocqhf06ITkmSiwvcU7RJKbZJ2AI/6QRkmBWjjr5:znPdjQOFlfoi0TTv9U77KbZJ2AmrYVj
Malware Config
Extracted
Family: remcos
Botnet: 3904
C2: 72.11.158.94:1604
Attributes
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: vsystems.exe
- copy_folder: vsystems
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: true
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-BSR5QU
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation (process: RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe)
- Executes dropped EXE (1 IoC)
  - PID 3996 vsystems.exe
- Loads dropped DLL (5 IoCs)
  - PID 4204 RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe
  - PID 4204 RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe
  - PID 3996 vsystems.exe
  - PID 3996 vsystems.exe
  - PID 2588 vsystems.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kulstoffets = "C:\\Users\\Admin\\AppData\\Roaming\\Filformaters\\Disponere189.exe" (process: vsystems.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kulstoffets = "C:\\Users\\Admin\\AppData\\Roaming\\Filformaters\\Disponere189.exe" (process: RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-BSR5QU = "\"C:\\ProgramData\\vsystems\\vsystems.exe\"" (process: RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-BSR5QU = "\"C:\\ProgramData\\vsystems\\vsystems.exe\"" (process: RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe)
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  - PID 2384 RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  - PID 4204 RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe
  - PID 2384 RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe
  - PID 3996 vsystems.exe
  - PID 2588 vsystems.exe
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 4204 set thread context of 2384 (process: RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe, procid_target 92)
  - PID 3996 set thread context of 2588 (process: vsystems.exe, procid_target 94)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: MapViewOfSection (2 IoCs)
  - PID 4204 RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe
  - PID 3996 vsystems.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  - PID 4204 wrote to memory of 2384 (process: RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe, procid_target 92), recorded 5 times
  - PID 2384 wrote to memory of 3996 (process: RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe, procid_target 93), recorded 3 times
  - PID 3996 wrote to memory of 2588 (process: vsystems.exe, procid_target 94), recorded 5 times
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe"
  PID: 4204
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe"
    PID: 2384
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    - [3] C:\ProgramData\vsystems\vsystems.exe
      Command line: "C:\ProgramData\vsystems\vsystems.exe"
      PID: 3996
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - [4] C:\ProgramData\vsystems\vsystems.exe
        Command line: "C:\ProgramData\vsystems\vsystems.exe"
        PID: 2588
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 88KB
  MD5: 1e58da14d2ed23644fdb298a7d34d12d
  SHA1: f9f9c1d3223ba88db9b21c59ea5445ba64996ab5
  SHA256: 4f6ae439cf324689d2838b7cac7e0514e1ada2e5978f97989c13a0023a277dd7
  SHA512: 4871d9480dcfe25d09e63831f5141583d0479217a39bd518119977f36d6fd35dc5d25691f0abfefba722808ece43892f10ed0669c821cf1ac72e4de05062c976
- Filesize: 431KB
  MD5: 2d445bd0fd5ca61eb05f2a293e7e9ecb
  SHA1: 4728f6650d9658ad6c9db2a1c01c88b0bd9be712
  SHA256: c5bbe31a17d4365500acaf7bd2fbfc10f8a0867d650e12b24e22efa239cfdb3d
  SHA512: a8939d865005272c265e8c235153bffad905d6cb28aabd9599e707d2e09f55e3fc876d85a68da75947df4af5dde7b2d81916bf5d53e3319194fe2eb16414fd30
- C:\Users\Admin\AppData\Local\Temp\coralla\samisens\Restage\Frknerne\Brugerlicensaftalerne\Handlefrihedernes\Grdefrdig.Spi
  Filesize: 251KB
  MD5: 86f5b6261e755ad3f7c05b02e562a4cf
  SHA1: 89dc4b4ef749b2d71d63f9385b3b0ef5fac03499
  SHA256: da8723c0c747b978c81ebe5d318a5a298bf85813392758323ab45999cd4db0a9
  SHA512: a180dcb9c1b8acd35534ba7fc40953396bc686109b423901c4530783e4a03b63879f5f690aafe0ac5d1645e7c0f78885e794cd292185ac1d055d4a73eacb5c92
- Filesize: 12KB
  MD5: 4add245d4ba34b04f213409bfe504c07
  SHA1: ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
  SHA256: 9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
  SHA512: 1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d
- Filesize: 431KB
  MD5: 52b28d1b15025f4ea0534f7ae9d0f9c3
  SHA1: 1e276114271cf908edd35547863f31e4460252a9
  SHA256: 7af2cf2df4b43316571f30f7e6ce7e66742d6d43a568ac64a153c7499c9c34f3
  SHA512: 37bb99f27c33794f57d4449fcaf2fe6607cf1dfde8d32058c655af20fdac14502da9c8d130d750788c78a4ca40e9ba166f66d1606c5504082260a675f6d14be4