Analysis
max time kernel: 142s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/02/2024, 15:31
Static task: static1
Behavioral task behavioral1: Sample r1522024.exe, Resource win7-20240215-en
Behavioral task behavioral2: Sample r1522024.exe, Resource win10v2004-20231215-en
Behavioral task behavioral3: Sample $PLUGINSDIR/System.dll, Resource win7-20231215-en
Behavioral task behavioral4: Sample $PLUGINSDIR/System.dll, Resource win10v2004-20231215-en
General
Target: r1522024.exe
Size: 839KB
MD5: 35562de1445f84deee725deefe31b410
SHA1: 0e8168206e896875cccad315a2890820cae1cf33
SHA256: 7e08d267c3771ac900b9ecfe7b293aa7337a276a5929997180709b74114cdacb
SHA512: a4b87335b32d87261eb93c9e5e1187adc752897659d6006e7ccad739ca20b2e80f111b4fd653580945e0664dc9fa3383dee7c8477093e2445b9a2a3f4ffc3fa1
SSDEEP: 24576:tMwT8bZSKZ+lKmxUgxDEuZ9WI+spi9iCnqVW:tMwHKi/x4uZ8dr9qI
Malware Config
Extracted: remcos
Client: 46.183.223.29:2404
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: images.exe
copy_folder: images
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-ZOAGZI
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients
resource | yara_rule
behavioral2/memory/2904-74-0x0000000000400000-0x0000000000457000-memory.dmp | MailPassView
behavioral2/memory/2904-77-0x0000000000400000-0x0000000000457000-memory.dmp | MailPassView

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
behavioral2/memory/2296-72-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
behavioral2/memory/2296-87-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView

Nirsoft (6 IoCs)
resource | yara_rule
behavioral2/memory/2904-74-0x0000000000400000-0x0000000000457000-memory.dmp | Nirsoft
behavioral2/memory/2296-72-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral2/memory/2904-77-0x0000000000400000-0x0000000000457000-memory.dmp | Nirsoft
behavioral2/memory/4484-84-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/4484-83-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/2296-87-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | r1522024.exe

Executes dropped EXE (4 IoCs)
pid | Process
4476 | images.exe
2296 | images.exe
2904 | images.exe
4484 | images.exe

Loads dropped DLL (5 IoCs)
pid | Process
4388 | r1522024.exe
4388 | r1522024.exe
4476 | images.exe
4476 | images.exe
4492 | images.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | images.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-ZOAGZI = "\"C:\\ProgramData\\images\\images.exe\"" | images.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-ZOAGZI = "\"C:\\ProgramData\\images\\images.exe\"" | images.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Acanthial = "C:\\Users\\Admin\\AppData\\Roaming\\Flockling\\Spkbrtter23.exe" | r1522024.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-ZOAGZI = "\"C:\\ProgramData\\images\\images.exe\"" | r1522024.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-ZOAGZI = "\"C:\\ProgramData\\images\\images.exe\"" | r1522024.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Acanthial = "C:\\Users\\Admin\\AppData\\Roaming\\Flockling\\Spkbrtter23.exe" | images.exe
Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
pid | Process
2008 | r1522024.exe
4492 | images.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
pid | Process
4388 | r1522024.exe
2008 | r1522024.exe
4476 | images.exe
4492 | images.exe

Suspicious use of SetThreadContext (5 IoCs)
description | pid | Process | procid_target
PID 4388 set thread context of 2008 | 4388 | r1522024.exe | 91
PID 4476 set thread context of 4492 | 4476 | images.exe | 94
PID 4492 set thread context of 2296 | 4492 | images.exe | 95
PID 4492 set thread context of 2904 | 4492 | images.exe | 96
PID 4492 set thread context of 4484 | 4492 | images.exe | 97

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\disharmonize\semidivided.ini | r1522024.exe
File opened for modification | C:\Program Files (x86)\disharmonize\semidivided.ini | images.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Fonts\snlig.ini | r1522024.exe
File opened for modification | C:\Windows\Fonts\snlig.ini | images.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2128 | 4492 | WerFault.exe | 94

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2296 | images.exe
2296 | images.exe
4484 | images.exe
4484 | images.exe
2296 | images.exe
2296 | images.exe

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | Process
4388 | r1522024.exe
4476 | images.exe
4492 | images.exe
4492 | images.exe
4492 | images.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4484 | images.exe

Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
PID 4388 wrote to memory of 2008 | 4388 | r1522024.exe | 91
PID 4388 wrote to memory of 2008 | 4388 | r1522024.exe | 91
PID 4388 wrote to memory of 2008 | 4388 | r1522024.exe | 91
PID 4388 wrote to memory of 2008 | 4388 | r1522024.exe | 91
PID 4388 wrote to memory of 2008 | 4388 | r1522024.exe | 91
PID 2008 wrote to memory of 4476 | 2008 | r1522024.exe | 93
PID 2008 wrote to memory of 4476 | 2008 | r1522024.exe | 93
PID 2008 wrote to memory of 4476 | 2008 | r1522024.exe | 93
PID 4476 wrote to memory of 4492 | 4476 | images.exe | 94
PID 4476 wrote to memory of 4492 | 4476 | images.exe | 94
PID 4476 wrote to memory of 4492 | 4476 | images.exe | 94
PID 4476 wrote to memory of 4492 | 4476 | images.exe | 94
PID 4476 wrote to memory of 4492 | 4476 | images.exe | 94
PID 4492 wrote to memory of 2296 | 4492 | images.exe | 95
PID 4492 wrote to memory of 2296 | 4492 | images.exe | 95
PID 4492 wrote to memory of 2296 | 4492 | images.exe | 95
PID 4492 wrote to memory of 2904 | 4492 | images.exe | 96
PID 4492 wrote to memory of 2904 | 4492 | images.exe | 96
PID 4492 wrote to memory of 2904 | 4492 | images.exe | 96
PID 4492 wrote to memory of 4484 | 4492 | images.exe | 97
PID 4492 wrote to memory of 4484 | 4492 | images.exe | 97
PID 4492 wrote to memory of 4484 | 4492 | images.exe | 97
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\r1522024.exe (PID 4388)
  Command line: "C:\Users\Admin\AppData\Local\Temp\r1522024.exe"
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\r1522024.exe (PID 2008)
    Command line: "C:\Users\Admin\AppData\Local\Temp\r1522024.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\images\images.exe (PID 4476)
      Command line: "C:\ProgramData\images\images.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\ProgramData\images\images.exe (PID 4492)
        Command line: "C:\ProgramData\images\images.exe"
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        C:\ProgramData\images\images.exe (PID 2296)
          Command line: C:\ProgramData\images\images.exe /stext "C:\Users\Admin\AppData\Local\Temp\nedfu"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses

        C:\ProgramData\images\images.exe (PID 2904)
          Command line: C:\ProgramData\images\images.exe /stext "C:\Users\Admin\AppData\Local\Temp\xzjxvunl"
          - Executes dropped EXE
          - Accesses Microsoft Outlook accounts

        C:\ProgramData\images\images.exe (PID 4484)
          Command line: C:\ProgramData\images\images.exe /stext "C:\Users\Admin\AppData\Local\Temp\ibwqonynlrx"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe (PID 2128)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1392
          - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 528)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4492 -ip 4492
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 839KB
MD5: 35562de1445f84deee725deefe31b410
SHA1: 0e8168206e896875cccad315a2890820cae1cf33
SHA256: 7e08d267c3771ac900b9ecfe7b293aa7337a276a5929997180709b74114cdacb
SHA512: a4b87335b32d87261eb93c9e5e1187adc752897659d6006e7ccad739ca20b2e80f111b4fd653580945e0664dc9fa3383dee7c8477093e2445b9a2a3f4ffc3fa1

Filesize: 220KB
MD5: 215f935278cc7c17f5a3c612a1941c0f
SHA1: 7e38abe1ff045ac3c6b5c10cd645bff54a56ee6d
SHA256: 1cc384506c84964e72af778b1421866935ebf4d744ab731ecd364af5965e7cf0
SHA512: e8af35b72dfd96f6c0d4dc4e2afdbd80174877f45a5d728bffc582459701f5ef8311a7b4cb1ec95f278f56be7a615d35c6a288f3733dcf41271af9a97719e77b

Filesize: 4KB
MD5: b4329339750e86291d8a7191b0dc7955
SHA1: a125e8cf6fec1b6fd003139495a37d68f020254f
SHA256: 85e5e57100dde581ff37dcd80cbe55643328aaa6518b265ceb788d21ba9d0695
SHA512: 9bd5d6ae3feca8eaa03a1c3c147fc98aebca41aea976b1deeb9ae158cd4acfbdd45244a727c071a604fed12dcadc568462777597758532c42d28ec480bfc6054

Filesize: 12KB
MD5: 564bb0373067e1785cba7e4c24aab4bf
SHA1: 7c9416a01d821b10b2eef97b80899d24014d6fc1
SHA256: 7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
SHA512: 22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Filesize: 839KB
MD5: b57bd2b22ec1ca023b23c4254e317918
SHA1: 46bcaefb0eda740641f7047c1b27c552e567e37c
SHA256: 029f17128cc1e4489a7b0eb12e757afb752200faba25d3e4a58270118de0e1ef
SHA512: 4045c46cf25141118b45624d4a58cdb5349fe7f7c6659be01e1c27c9be08f1afe441f481778f4bdaf6451581a09e1af53ebe021b4d35a70d1229ec618d25d3ee

Filesize: 43B
MD5: 75285908e15263897f2fe77cc637ef6e
SHA1: cc5a707cae259834b2453a305af9453b7b7412ac
SHA256: 6fc175d4186cfb67d46e22b277602aa3ec665ad44c9854e7bdaf0e5a25cefbc5
SHA512: e93afaa0772d9aa9a8d77e44473a5c58cf9f3b214b76d5ed94e08dbc2ae9ef3d67b470073b83c157318bfa67fb44e17833af313efe8ded28e07d55272eb4edb2