Analysis
max time kernel: 98s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/02/2024, 09:51
Static task: static1
Behavioral task behavioral1: RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe on win7-20231215-en
Behavioral task behavioral2: RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe on win10v2004-20231222-en
Behavioral task behavioral3: $PLUGINSDIR/System.dll on win7-20231215-en
Behavioral task behavioral4: $PLUGINSDIR/System.dll on win10v2004-20231222-en

$PLUGINSDIR/System.dll is the NSIS System plugin, so the submitted executable is an NSIS installer wrapping the actual payload. The signatures, process tree and memory dumps below (resource names prefixed behavioral2/) come from the win10v2004-20231222-en run.
General
Target: RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe
Size: 431KB
MD5: 2d445bd0fd5ca61eb05f2a293e7e9ecb
SHA1: 4728f6650d9658ad6c9db2a1c01c88b0bd9be712
SHA256: c5bbe31a17d4365500acaf7bd2fbfc10f8a0867d650e12b24e22efa239cfdb3d
SHA512: a8939d865005272c265e8c235153bffad905d6cb28aabd9599e707d2e09f55e3fc876d85a68da75947df4af5dde7b2d81916bf5d53e3319194fe2eb16414fd30
SSDEEP: 6144:znPdudwDMyZL5OCSAPcWOkhdeocqhf06ITkmSiwvcU7RJKbZJ2AI/6QRkmBWjjr5:znPdjQOFlfoi0TTv9U77KbZJ2AmrYVj
Malware Config

Extracted
Family: remcos
Botnet: 3904
C2: 72.11.158.94:1604

Attributes:
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: vsystems.exe
copy_folder: vsystems
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-BSR5QU
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
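The extracted configuration pins down several artifacts that can be hunted for directly: the C2 endpoint, the mutex, and the install location and Run value that the registry signature further down shows being written from copy_folder/copy_file and the mutex name. The Python below is an added example, not sandbox-vendor or Remcos code: it turns the report's config fields into those artifacts and checks them against a handful of constructed telemetry events. The event dictionary schema is invented for the example; the install path and Run value name are taken from the report's own "Adds Run key" signature rather than guessed.

```python
# Added example: derive hunting artifacts from the Remcos config the report extracted
# and match them against constructed host telemetry. Not Triage or Remcos code.
# Assumptions: the event dict schema below is invented for this example; the install
# path and Run value name mirror the report's own "Adds Run key" signature.

# Config fields exactly as extracted in the report above.
REMCOS_CONFIG = {
    "c2": "72.11.158.94:1604",
    "mutex": "Rmc-BSR5QU",
    "copy_folder": "vsystems",
    "copy_file": "vsystems.exe",
    "install_flag": True,
    "keylog_flag": False,
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
}


def derive_iocs(cfg):
    """Map config fields to artifacts an analyst can query for on a host or in logs."""
    host, port = cfg["c2"].rsplit(":", 1)
    # The report's registry signature shows Run\<mutex> = "C:\ProgramData\<copy_folder>\<copy_file>"
    # written to both the HKCU Run key and the HKLM WOW6432Node Run key.
    install_path = rf"C:\ProgramData\{cfg['copy_folder']}\{cfg['copy_file']}"
    return {
        "c2_host": host,
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        "run_value_name": cfg["mutex"],
        "install_path": install_path.lower(),
        # keylog_flag is false for this sample, so <keylog_folder>\<keylog_file> is not
        # expected on disk; treat it as conditional rather than a hard indicator.
        "keylog_file_expected": bool(cfg["keylog_flag"]),
    }


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe"

# Constructed telemetry (not from the sandbox run): four events that should match the
# derived IOCs and two benign ones that must not.
EVENTS = [
    {"type": "registry_set", "pid": 3464, "image": r"C:\ProgramData\vsystems\vsystems.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Rmc-BSR5QU", "data": r'"C:\ProgramData\vsystems\vsystems.exe"'},
    {"type": "network_connect", "pid": 3464, "image": r"C:\ProgramData\vsystems\vsystems.exe",
     "dst_ip": "72.11.158.94", "dst_port": 1604},
    {"type": "file_create", "pid": 392, "image": DROPPER,
     "path": r"C:\ProgramData\VSystems\vsystems.exe"},
    {"type": "mutex_create", "pid": 3464, "name": "Rmc-BSR5QU"},
    {"type": "network_connect", "pid": 1200, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "142.250.80.46", "dst_port": 443},
    {"type": "registry_set", "pid": 900, "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive", "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"'},
]


def match_events(iocs, events):
    """Return (event_index, reason) for every event that hits a derived IOC.
    Path comparisons are lowercased because NTFS paths are case-insensitive."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "network_connect" and ev["dst_ip"] == iocs["c2_host"] \
                and ev["dst_port"] == iocs["c2_port"]:
            hits.append((i, "c2"))
        elif kind == "registry_set" and ev["key"].lower().endswith(r"\currentversion\run") \
                and ev["value_name"] == iocs["run_value_name"]:
            hits.append((i, "run_key"))
        elif kind == "file_create" and ev["path"].lower() == iocs["install_path"]:
            hits.append((i, "install_path"))
        elif kind == "mutex_create" and ev["name"] == iocs["mutex"]:
            hits.append((i, "mutex"))
        elif ev.get("image", "").lower() == iocs["install_path"]:
            hits.append((i, "install_path"))
    return hits


def triage(cfg=REMCOS_CONFIG, events=EVENTS):
    iocs = derive_iocs(cfg)
    return iocs, match_events(iocs, events)


if __name__ == "__main__":
    iocs, hits = triage()
    for name, value in iocs.items():
        print(f"{name}: {value}")
    for i, reason in hits:
        print(f"hit [{reason}] pid={EVENTS[i]['pid']} type={EVENTS[i]['type']}")
```

The Run value name and install path are the most durable of these indicators: the C2 address can be rotated between builds, but the persistence artifact is fixed by the config, and any process whose image path equals the install path is worth pulling regardless of what else it does.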
Signatures

NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients
resource | yara_rule
behavioral2/memory/1700-83-0x0000000000400000-0x0000000000457000-memory.dmp | MailPassView
behavioral2/memory/1700-82-0x0000000000400000-0x0000000000457000-memory.dmp | MailPassView

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
behavioral2/memory/2740-73-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
behavioral2/memory/2740-90-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView

Nirsoft (6 IoCs)
resource | yara_rule
behavioral2/memory/1700-83-0x0000000000400000-0x0000000000457000-memory.dmp | Nirsoft
behavioral2/memory/1700-82-0x0000000000400000-0x0000000000457000-memory.dmp | Nirsoft
behavioral2/memory/2740-73-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral2/memory/4620-87-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/4620-86-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/2740-90-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft

PIDs 1700, 2740 and 4620 are the three vsystems.exe instances that PID 3464 starts with a /stext argument in the process tree below; each was written to by 3464 and had its thread context set, and the YARA hits at image base 0x400000 show the NirSoft recovery tools mapped into them. The three dumps differ in size (0x57000, 0x78000, 0x24000), consistent with three different tools rather than one.
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe

Executes dropped EXE (4 IoCs)
pid | Process
552 | vsystems.exe
2740 | vsystems.exe
1700 | vsystems.exe
4620 | vsystems.exe

Loads dropped DLL (5 IoCs)
pid | Process
2776 | RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe
2776 | RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe
552 | vsystems.exe
552 | vsystems.exe
3464 | vsystems.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vsystems.exe

Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-BSR5QU = "\"C:\\ProgramData\\vsystems\\vsystems.exe\"" | vsystems.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-BSR5QU = "\"C:\\ProgramData\\vsystems\\vsystems.exe\"" | vsystems.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kulstoffets = "C:\\Users\\Admin\\AppData\\Roaming\\Filformaters\\Disponere189.exe" | RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-BSR5QU = "\"C:\\ProgramData\\vsystems\\vsystems.exe\"" | RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-BSR5QU = "\"C:\\ProgramData\\vsystems\\vsystems.exe\"" | RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kulstoffets = "C:\\Users\\Admin\\AppData\\Roaming\\Filformaters\\Disponere189.exe" | vsystems.exe

Two persistence mechanisms are visible here. The Run value name Rmc-BSR5QU is the mutex from the extracted Remcos config and its data is the install path built from copy_folder and copy_file, so both the HKCU Run entry and the HKLM WOW6432Node Run entry are config-derived and will be present on any host this build runs on. The RunOnce value Kulstoffets points to C:\Users\Admin\AppData\Roaming\Filformaters\Disponere189.exe, a path that appears nowhere else in this report (not in the process tree and not among the dropped files), so it cannot be confirmed from this run and should be checked for on disk during response. The Outlook account key is opened by vsystems.exe, which matches the MailPassView hit in PID 1700.
Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
pid | Process
392 | RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe
3464 | vsystems.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
pid | Process
2776 | RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe
392 | RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe
552 | vsystems.exe
3464 | vsystems.exe

Suspicious use of SetThreadContext (7 IoCs)
description | pid | Process | procid_target
PID 2776 set thread context of 392 | 2776 | RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe | 90
PID 552 set thread context of 3464 | 552 | vsystems.exe | 96
PID 3464 set thread context of 5072 | 3464 | vsystems.exe | 97
PID 3464 set thread context of 636 | 3464 | vsystems.exe | 98
PID 3464 set thread context of 2740 | 3464 | vsystems.exe | 99
PID 3464 set thread context of 1700 | 3464 | vsystems.exe | 100
PID 3464 set thread context of 4620 | 3464 | vsystems.exe | 101

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
4184 | 3464 | WerFault.exe | 96

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2740 | vsystems.exe (×2)
4620 | vsystems.exe (×2)
2740 | vsystems.exe (×2)

Suspicious behavior: MapViewOfSection (7 IoCs)
pid | Process
2776 | RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe
552 | vsystems.exe
3464 | vsystems.exe (×5)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4620 | vsystems.exe

Suspicious use of WriteProcessMemory (30 IoCs)
description | pid | Process | procid_target
PID 2776 wrote to memory of 392 | 2776 | RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe | 90 (×5)
PID 392 wrote to memory of 552 | 392 | RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe | 94 (×3)
PID 552 wrote to memory of 3464 | 552 | vsystems.exe | 96 (×5)
PID 3464 wrote to memory of 5072 | 3464 | vsystems.exe | 97 (×4)
PID 3464 wrote to memory of 636 | 3464 | vsystems.exe | 98 (×4)
PID 3464 wrote to memory of 2740 | 3464 | vsystems.exe | 99 (×3)
PID 3464 wrote to memory of 1700 | 3464 | vsystems.exe | 100 (×3)
PID 3464 wrote to memory of 4620 | 3464 | vsystems.exe | 101 (×3)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe (PID 2776)
    command line: "C:\Users\Admin\AppData\Local\Temp\RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe"
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe (PID 392)
        command line: "C:\Users\Admin\AppData\Local\Temp\RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe"
        - Checks computer location settings
        - Adds Run key to start application
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of WriteProcessMemory
        [3] C:\ProgramData\vsystems\vsystems.exe (PID 552)
            command line: "C:\ProgramData\vsystems\vsystems.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory
            [4] C:\ProgramData\vsystems\vsystems.exe (PID 3464)
                command line: "C:\ProgramData\vsystems\vsystems.exe"
                - Loads dropped DLL
                - Adds Run key to start application
                - Suspicious use of NtCreateThreadExHideFromDebugger
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - Suspicious use of SetThreadContext
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\svchost.exe (PID 5072)
                    command line: svchost.exe
                [5] C:\Windows\SysWOW64\svchost.exe (PID 636)
                    command line: svchost.exe
                [5] C:\ProgramData\vsystems\vsystems.exe (PID 2740)
                    command line: C:\ProgramData\vsystems\vsystems.exe /stext "C:\Users\Admin\AppData\Local\Temp\naqbqgarirxnnzilghchyqbfmiel"
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                [5] C:\ProgramData\vsystems\vsystems.exe (PID 1700)
                    command line: C:\ProgramData\vsystems\vsystems.exe /stext "C:\Users\Admin\AppData\Local\Temp\ycvlqylswzpaxfwpprxiavwwvpwuqzx"
                    - Executes dropped EXE
                    - Accesses Microsoft Outlook accounts
                [5] C:\ProgramData\vsystems\vsystems.exe (PID 4620)
                    command line: C:\ProgramData\vsystems\vsystems.exe /stext "C:\Users\Admin\AppData\Local\Temp\awie"
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                [5] C:\Windows\SysWOW64\WerFault.exe (PID 4184)
                    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1432
                    - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe (PID 4532)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3464 -ip 3464

Reading the tree together with the signatures: the dropper (2776) starts a second copy of itself (392) and uses WriteProcessMemory plus SetThreadContext on it, so 392 is the first injected stage; it is 392 that performs the Geo\Nation lookup, writes the Run keys and launches the copy dropped to C:\ProgramData\vsystems\vsystems.exe (552). That copy repeats the same self-injection into 3464, which is the process that does the Remcos work: it injects into two svchost.exe instances started with a bare "svchost.exe" command line, and into three further copies of itself started with /stext, the NirSoft command-line switch for writing a recovery tool's output as a text file. The temp file names passed to /stext are where the recovered browser and mail credentials land before being read back by the parent. 3464 then crashes and is reported by WerFault.exe (4184 and 4532). None of the svchost.exe or /stext children carry a signature of their own beyond what is listed, and no network section was captured in this report, so whether 72.11.158.94:1604 was reached during the run cannot be confirmed from this page.
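Three things in the tree above are detectable from process-creation telemetry alone, without the sandbox's API hooks: a binary in a user-writable location re-launching itself with an identical command line (the step that precedes each SetThreadContext hop), svchost.exe being started from SysWOW64 by such a binary with no service argument, and the binary starting itself with /stext pointing into the user's Temp folder. The Python below is an added example, not Triage or Remcos code; the events are constructed from the PIDs, images and command lines the report lists, plus a benign services.exe to svchost.exe pair that must not fire. The (ppid, pid, image, cmdline) tuple schema is an assumption, not any vendor's log format.

```python
# Added example: flag the execution pattern from the process tree above using only
# process-creation events. Not Triage or Remcos code. Events are constructed from the
# report's PIDs/paths plus one benign services.exe -> svchost.exe pair; the tuple
# schema (ppid, pid, image, cmdline) is an assumption, not a vendor log format.

RFQ = r"C:\Users\Admin\AppData\Local\Temp\RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe"
VSYS = r"C:\ProgramData\vsystems\vsystems.exe"
SVCHOST32 = r"C:\Windows\SysWOW64\svchost.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

PROC_EVENTS = [
    (1000, 2776, RFQ, f'"{RFQ}"'),
    (2776, 392, RFQ, f'"{RFQ}"'),
    (392, 552, VSYS, f'"{VSYS}"'),
    (552, 3464, VSYS, f'"{VSYS}"'),
    (3464, 5072, SVCHOST32, "svchost.exe"),
    (3464, 636, SVCHOST32, "svchost.exe"),
    (3464, 2740, VSYS, f'{VSYS} /stext "{TEMP}\\naqbqgarirxnnzilghchyqbfmiel"'),
    (3464, 1700, VSYS, f'{VSYS} /stext "{TEMP}\\ycvlqylswzpaxfwpprxiavwwvpwuqzx"'),
    (3464, 4620, VSYS, f'{VSYS} /stext "{TEMP}\\awie"'),
    (3464, 4184, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 1432"),
    # Constructed benign pair: services.exe starting a service host with its usual -k argument.
    (4, 700, r"C:\Windows\System32\services.exe", r"C:\Windows\System32\services.exe"),
    (700, 1500, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
]

# Roots a standard user can write to; a parent living here is the trigger for all three rules.
USER_WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\")


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def _user_writable(image):
    return image.lower().startswith(USER_WRITABLE_ROOTS)


def analyse(events):
    """Return (rule, pid) findings, in event order:
    self_relaunch - a user-writable binary starts a second instance of itself with the
                    identical command line (2776->392, 552->3464 in the report);
    bare_svchost  - svchost.exe started by such a binary with no service argument
                    (3464->5072, 3464->636), the usual hollowing host;
    stext_dump    - the binary starts itself with /stext <file in the user's Temp>
                    (3464->2740/1700/4620), matching the NirSoft YARA hits.
    """
    by_pid = {pid: (image, cmd) for _ppid, pid, image, cmd in events}
    findings = []
    for ppid, pid, image, cmd in events:
        parent = by_pid.get(ppid)
        if parent is None:
            continue  # parent outside the window of events we have
        p_image, p_cmd = parent
        same_image = image.lower() == p_image.lower()
        parent_writable = _user_writable(p_image)
        args = cmd.split()
        lowered = [a.lower() for a in args]
        if same_image and parent_writable and cmd == p_cmd:
            findings.append(("self_relaunch", pid))
        elif same_image and parent_writable and "/stext" in lowered:
            idx = lowered.index("/stext")
            target = lowered[idx + 1].strip('"') if idx + 1 < len(lowered) else ""
            if "\\appdata\\local\\temp\\" in target:
                findings.append(("stext_dump", pid))
        elif _basename(image) == "svchost.exe" and parent_writable and len(args) == 1:
            findings.append(("bare_svchost", pid))
    return findings


def stext_outputs(events):
    """The files named after /stext: where the recovered credentials are written."""
    outs = []
    for _ppid, _pid, _image, cmd in events:
        args = cmd.split()
        for i, a in enumerate(args[:-1]):
            if a.lower() == "/stext":
                outs.append(args[i + 1].strip('"'))
    return outs


if __name__ == "__main__":
    for rule, pid in analyse(PROC_EVENTS):
        print(f"{rule:14s} pid={pid}")
    for path in stext_outputs(PROC_EVENTS):
        print("stext output:", path)
```

The self_relaunch rule is deliberately narrow (identical image and identical command line from a user-writable parent) so that installers and updaters that re-exec themselves with different switches do not trip it; the bare_svchost rule relies on the fact that legitimate service hosts are started by services.exe with a -k argument, which the constructed benign pair exercises. The /stext output paths are the first files to collect during response, since they hold whatever the NirSoft tools recovered.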
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 431KB
MD5: 2d445bd0fd5ca61eb05f2a293e7e9ecb
SHA1: 4728f6650d9658ad6c9db2a1c01c88b0bd9be712
SHA256: c5bbe31a17d4365500acaf7bd2fbfc10f8a0867d650e12b24e22efa239cfdb3d
SHA512: a8939d865005272c265e8c235153bffad905d6cb28aabd9599e707d2e09f55e3fc876d85a68da75947df4af5dde7b2d81916bf5d53e3319194fe2eb16414fd30
(identical hashes to the submitted sample)

Filesize: 257KB
MD5: ef91146cf8c01b2a876b537a478f72f2
SHA1: f26e6cee54c78f3a1640a76140f6231f61dd6a04
SHA256: 170c83ee6d864797418effaa4dd0ef0a5d5b807804ba8c9aa3a64ee9bde551d9
SHA512: 61a26f374811c86ea58807c1d3a33a3e3640d820a4ecb16273becec1c90cc9579c14957a0b30943b62b7f8b30111826036d7739b388f59818c0add4a7568300d

Path: C:\Users\Admin\AppData\Local\Temp\coralla\samisens\Restage\Frknerne\Brugerlicensaftalerne\Handlefrihedernes\Grdefrdig.Spi
Filesize: 251KB
MD5: 86f5b6261e755ad3f7c05b02e562a4cf
SHA1: 89dc4b4ef749b2d71d63f9385b3b0ef5fac03499
SHA256: da8723c0c747b978c81ebe5d318a5a298bf85813392758323ab45999cd4db0a9
SHA512: a180dcb9c1b8acd35534ba7fc40953396bc686109b423901c4530783e4a03b63879f5f690aafe0ac5d1645e7c0f78885e794cd292185ac1d055d4a73eacb5c92

Filesize: 4KB
MD5: 9d1c4331e92ea47959e79f26ca09d973
SHA1: f8baa65953243feba3299fbaa7af110fbc7011b2
SHA256: ffddf68859952ecc2a486189ef0b15519f898d4d1ba04f6555264714b2d9108f
SHA512: 76cc4cfa6a89d69035c0539294a5903f5b9b01314aaa2ffef7ccc6a5cdc163bf2336fa98e6f5406510b74c8da8bf5cbac5c55718df58f3b082b7fe8f8dda3daf

Filesize: 12KB
MD5: 4add245d4ba34b04f213409bfe504c07
SHA1: ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
SHA256: 9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
SHA512: 1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Filesize: 431KB
MD5: 52b28d1b15025f4ea0534f7ae9d0f9c3
SHA1: 1e276114271cf908edd35547863f31e4460252a9
SHA256: 7af2cf2df4b43316571f30f7e6ce7e66742d6d43a568ac64a153c7499c9c34f3
SHA512: 37bb99f27c33794f57d4449fcaf2fe6607cf1dfde8d32058c655af20fdac14502da9c8d130d750788c78a4ca40e9ba166f66d1606c5504082260a675f6d14be4

Only the third entry carries a path in this report; the others are listed by hash alone. The last entry is the same size as the submitted sample but hashes differently, which is what a re-written copy of the dropper would look like, but the report does not state which file it is, so match it by hash rather than by name.