Analysis
-
max time kernel
130s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
27-02-2024 09:10
General
-
Target
GANGCRACKED.rar
-
Size
28.3MB
-
MD5
fb95370edc412c293fcced895b4d4539
-
SHA1
1bd433763a2e34ab00f350fa502bce49fb5eefdb
-
SHA256
7a3eab6c4831e63a31be3b45edb8bd8d19ffc6706eb27d0097084a5e3f12da52
-
SHA512
961fe0bc644d7e6f995575d04cc8182341b3b1a642305563019fef1c57c8fd6d0d5e9f0cdfaf788a3c92adf7b4724de33924755bf34bff63fc3351b9c282c14d
-
SSDEEP
786432:/NzQyvK2dmI+DTIx3ib6yGwO0+L58Quty/PlVxc:FBCkmI+DTI9imyGWOSQugi
Malware Config
Extracted
C:\Users\Public\DynamicUserFolder\lib\lib2to3\read_it.txt
chaos
Extracted
remcos
DiscordNuker
185.81.157.223:1010
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
eb1d37a5-d986-4bae-a94e-415e7babddcc-D20BAI
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\GANGCRACKED.rar1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\GANGCRACKED.rar"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3632 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\GANGCRACKED\GANG.exe"C:\Users\Admin\AppData\Local\Temp\GANGCRACKED\GANG.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\GANGCRACKED\imports.exe"C:\Users\Admin\AppData\Local\Temp\GANGCRACKED\imports.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\DynamicUserFolder\Exclusion.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath "C:" -force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath "C:\Users" -force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Public"3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath "C:\Users\Public" -force3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Public\DynamicUserFolder"3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath "C:\Users\Public\DynamicUserFolder" -force3⤵
-
-
-
C:\Users\Public\DynamicUserFolder\GANG.exe"C:\Users\Public\DynamicUserFolder\GANG.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Public\DynamicUserFolder\TaskSch.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "SyncAppvPublishingServer" /tr "C:\Users\Public\DynamicUserFolder\SyncAppvPublishingServer.exe" /RL HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "GatherNetworkInfo" /TR "C:\Users\Public\DynamicUserFolder\GatherNetworkInfo.exe" /RL HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Public\DynamicUserFolder\SyncAppvPublishingServer.exeC:\Users\Public\DynamicUserFolder\SyncAppvPublishingServer.exe1⤵
-
C:\Users\Public\DynamicUserFolder\GatherNetworkInfo.exeC:\Users\Public\DynamicUserFolder\GatherNetworkInfo.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD573fa8246ba96c9cb785de2eb1e1d688f
SHA164a1a1f8d7d869d0b4e7b36f4e1f01e8e7813fd9
SHA256183689b324f3552a6fed9b1ed95d6a217bedd83882d5f7e6a3bd47e7dcffb17b
SHA512676e94e6a8a32cd6f8a728ed36fbc6b49d549b3eef839a53964f818cf2e078ffd4ceb1673079f3ab7131b84d6db98cecc0fa016647af61711c4c094fc347deeb
-
Filesize
18KB
MD5ec74bec3588911e9312485c9e6d34014
SHA186bf627937a6b6a04ceadd4046e285bfc4731c78
SHA2564d9ecb68c7517445fd9fc4ed0cebf6b48b651aa78ad7b677f7160d82dcc98178
SHA5121f897e034912ad5755cc0274d47b96d53145e559f65a5d9a5bb1cd454fb5b28c4f34c7750e3d2d13288c7c17eba4284c686de3369fdd09db395ca1008a05e43d
-
Filesize
16KB
MD53ac9dec7ce21f4ddb70e8a872581c829
SHA19c8ee17633735db3cce6b3d3c2f452283da8a857
SHA25636e541948a7702d561d9315388d49af056167bab002ddca75704e4add1e9665e
SHA51281a32622dc970cb1ae0b160d32b5768011a30c9454d9cf5cd827150377b2ff081557c6461c80a8d83c861a5e39958f74d509c385fceb55c7e67a0350254bdaf0
-
Filesize
18KB
MD58864bc74d69882a40b04dcd6803e34dd
SHA136437210917774bb6fc7abdbd71324954eba22fc
SHA25688092126ff012b2e16ec4522ddc78e8c0e79a989d34be6266d21ceb72b703a52
SHA5122d6bf1f68a284b72649a863966239db15bb780a7a93e21accb4985f9a63adba902ee0c8c326b42badfba191f6dad335eb34a862f82fe4a421d93f3b1df8f626d
-
Filesize
16KB
MD5e5ddaf7100cacc0ac08f612e86d1ce2d
SHA15082d95778e9e6d5c0488a5cd5e23a392a3ba4c6
SHA25627d6cb3f8b61f8066284770a9f9f2d29352ea357e8998918f995937406dd766e
SHA5121f73a8402ca0e5de6d1389f38ca1cee55943f45a0f86065a0aab87abff04c3acc712357d287eb5f0587c3c847b19ec81773e00dfbba16a9319e9d6f31838f32d
-
Filesize
18KB
MD5a25f8c586dfa663e089ab5071293a9f8
SHA14f98a79c2142450a3cf2ee8df82cf328e7cb04b4
SHA256d305a74546c509528a6d16bbad30d86779ce93eaf7dba7ae464aaec9548bae55
SHA512a3b52703bdd7bce61e5e7b3508f634e73d6a618debff89118438882c7cc820c89d88c839a1a91a5f8b40d4e7c0015ca57529f31881a5a77508eee542409b7ef7
-
Filesize
16KB
MD53cd6aa5a6e8a9ed6ea0dddff486c6126
SHA11c66d828632b0ca324fa6dfc4fc26e625a7a8dd6
SHA256bdc2aa64582f15fb7a3a91ae6fbdaf3a0272cb1997b95f6828dd7df52767321e
SHA51298fd2ec25004cf257b21e62d07ec4c936291cafdc8cc987f9ead01cba0a383ae18235f5576e40ade520a8cf065e8b7a7bde20e5fa3b46a99746105e5105b5337
-
Filesize
13KB
MD5838beaaf76773172645148a23abc7486
SHA144bb7343593fca0078cfe6e1d38076f70ae8a273
SHA256d1b6b9d2bae9b1751ca0d2220ff682b57581dee6eb0eaa0cadf8af1f3ff1a0e5
SHA5126a16d16e40817be4c9ecd9754b3a2776c04983d457167c411b217fe93efbaf7b5e86677099ae3046091575b4b1810fcb943c6f1cbb16214caf84d71371dc0423
-
Filesize
518KB
MD5154129917b40846eede22d728696a3c3
SHA108f5d360ac4f20e190b30b1755fb3ec625f9a68f
SHA256833f9e61ac10cec37b2511fccca0d9017aa0fe44f45be9406b9bc08cff699c8b
SHA512e17cafe53bc0ca5283494f963231dfc1b0afe26d230e67d425e1a5d943177df4ff66246af1c92f5ea8b7507fd1e487443456a6f0a9601155ecc59ceda91fcf4f
-
Filesize
37KB
MD5bbecf4648b5cf638dc0891364162b446
SHA1b5e49883351a6a14b540eae2e7c133cb3d32acc2
SHA256b01927337846bee9c1c63e8abf8ea779479f0643b9e7319203bbea3f7d8bbb01
SHA512fcd713d67ad3be91772b503bbd7d72922751c8a2245fe51a21d9a3e861134f0da1443c5a095073c44cdddb877e0dd609cde0156c73ab71d72f460d4f254ff1b1
-
Filesize
34KB
MD555af27167c5e22fdaf8e1b0d1036dc20
SHA1ab741a6851bbb7d248380ff98276008924407671
SHA25660b56078b1e5165f7232f8b0afac8053fa909ecb8e4c6d8152fcbfd364389aff
SHA512a18fe6888b97c9f9346d9e10ade35c6e357d6714c4eab75827f46e082b959ccdaba7eb24f7b8b1bab3139b38c4785acaa7841ad3f78926dd20d0e09e994c14b7
-
Filesize
1.8MB
MD524b25196f305a4ac5d811d69c131aa42
SHA108f952cb03b1871b51157498b1f9c155a2ca94f9
SHA256ea00f013726063082812ffe8d2dcc43f7fa35a025833c70b4856025055c66e2d
SHA51200cdfdba2f5f60c945e363c3a433066fa7c540dfd13841dd02bcf18319693f33ee5bc753b92d63ae3e62ceaaefa3f702a0690d17d5f24107734e9f974b8dd677
-
Filesize
7.6MB
MD5b4556666a80ba7c17f0ee203b7e44b5b
SHA19e666199c92ad7367574c2bb50c8021445191d04
SHA2569d33ee98e9e1c6c63a52f5343fc80a97330bd27808d12d319ee20f5e8bde4776
SHA512f5d5099787856d23e23e94a11235865208ed27eafec4f230501d4bf126ed6a4850a582918de61197d3495d23bec41c0725b190d0dbb5eead5bc3024db8ffa439
-
Filesize
4.3MB
MD554f8267c6c116d7240f8e8cd3b241cd9
SHA1907b965b6ce502dad59cde70e486eb28c5517b42
SHA256c30589187be320bc8e65177aeb8dc1d39957f7b7dcda4c13524dd7f436fb0948
SHA512f6c865c8276fe1a1a0f3267b89fb6745a3fc82972032280dce8869006feb2b168516e017241a0c82bdae0f321fab388523691769f09a502fc3bd530c1c4cacf1
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
833B
MD54e8a985958177a96c5a3b23daf6eebbc
SHA1c3c45716355f397ac6c862cfdf08c4d9514c0bdf
SHA256a84a589ec6386427037f45a87b07b8dba789da804547d68ed7048de5ce4c2c2e
SHA512ad755edccd13a49e5b9e3c9b0b07c20cebb4711b27347987747b1d5a264081c0b6c153185c63d8f5ade8f67e64c23063c50424f84b8354d480120ca1744149bb
-
Filesize
13KB
MD53ccb9cd580ac4195b6258b40d973062b
SHA1ec59c06197663bf6b4a0f23af6aefd900179b004
SHA256623422a714a9f482125067e84043cfa2f2cce58abf2d9e46b41ddfa207177ad5
SHA51211bd5a4912384295285e5b1b80329441fcab87f38e92a0a64cd307162a637cd70e1830277c5beccb9c18bce0517395cf2b2e5fecfa2341c56407c076a7dc9abf
-
Filesize
486KB
MD501d5c290aacdd91ec5831ad57df20305
SHA1e30ae80c637efa2149ecfdd57bd4a40f5a0f8e2f
SHA256d7740c09cc7ae095c6dafba28ac2bf6bbb51137e9bd3a9a4daef215b8be361ee
SHA512f7093fe7c36521e3a5e14e2cf0324c5f8b3403d74b0f9e6c235b8119bdefdfd292a11c0b5d041903067f57707364afb10d0ac238c59f6b602d765e40dd22e1b7
-
Filesize
24KB
MD514fa1e49d8028a60a0e723ed3adeb1b8
SHA1bbf16289f79d44cc0bfb7ad73521ee614b264bd9
SHA256cd6deb4775f768352ff7bd6cb8ce34f54a5739ad8b561fb7526dd22bebbfd71e
SHA512a2644e2d9c8f76e76b1bf670a3faaa66cf638aa4d375cc487f30fb8f988ef87b43382248397386476f93ba90358335a534db72e1c1f28ed0dc08ef4e9fd99cad
-
Filesize
345B
MD5f6b8cce6f131811e2f8742cde37bf894
SHA180b399d2b7b5e30d6762296082f3238dda8bccac
SHA2560cdb33dedab5cb175d5eebaced27c80767e3feae53b22f81e22c0605dfeddc1e
SHA512662b6c2ee00845339d9b9b8169daa0b782d8fec83ee5cd9d3ffa0d3319f79930997d6012692f985c2a8d3b9223c1cc952b1f122a7a35deb08d85a469092911aa
-
Filesize
1KB
MD52587c021c928fd6139eadab57dc5effb
SHA123d34c0f704ceb7e0074e609b0d81520e1f85e92
SHA256e1865f659c15636a113ab6421fb6e6f6041873ab5e2c67a878a87b8da074f69f
SHA51269201524c8a665eb36e35bfedd904f8581573b326fcb01e0b92bd2882620d41981ec7c17b4aa09315f0b02b6dbd699e6b32810942e8bf9b7dda459e8290a56ce
-
Filesize
925B
MD577f0beca6df9bd030915246f7d8f52c1
SHA181a7255ec0f1485965917d38b59116b5ba55c222
SHA2563c4b8df32f7eef80208e6930f72495dcc3eed3a803718149988054678204db5b
SHA512949500efd0fac08e710dc519270c97ec97e41f9337d173a06557c1f25c61252a50a5b855e9f42cd6afca65fe9c09d1eac20932f6ca96e01a8fa5b4892178474c
-
Filesize
1KB
MD5cc34bcc252d8014250b2fbc0a7880ead
SHA189a79425e089c311137adcdcf0a11dfa9d8a4e58
SHA256a6bbfb8ecb911d13581f7713391f8c0ceea1edd41537fdb300bbb4d62dd72e9b
SHA512c6fb4a793870993a9f1310ce59697397e5334dbb92031ab49a3ecc33c55e84737e626e815754c5ddbe7835b15d3817bf07d2b4c80ea5fd956792b4db96c18c2f
-
Filesize
4B
MD537b59afd592725f9305e484a5d7f5168
SHA1a02a05b025b928c039cf1ae7e8ee04e7c190c0db
SHA256054edec1d0211f624fed0cbca9d4f9400b0e491c43742af2c5b0abebf0c990d8
SHA5124ec54b09e2b209ddb9a678522bb451740c513f488cb27a0883630718571745141920036aebdb78c0b4cd783a4a6eecc937a40c6104e427512d709a634b412f60
-
Filesize
187B
MD5a2843f0fc57138e3092164fbe329609e
SHA19e497d2e9f37c87d6b4c102fc93617b80b9f9a24
SHA256436c2361aeabc84c4020747a8633826872b575843c4118d250d5d175f263cda5
SHA512ea1fe3845495768b5a4a09cedb98423ab6f0a791512f461df7d5ef9f7ceb709c2a739578f9ce8bb940697eef34038179a0b33b4ec5cfc51da72e305bbdfbcf93
-
Filesize
19KB
MD5e44b6d7d4ec30e2108c168ff6e25f77b
SHA146c48b23ceb2d4b7a2581b52e39895830631e14c
SHA256f65c71dc2875a4d2da121b1d4bb1023c05708d9953fc91544f54b7579e0076f9
SHA51225fc8f121a202943172de1b5c125e3b9b97a9a8e8a8cedfa0c1c7ad847cf3b17f9fb7eac773e33fb41a764499b2f121ee10d13f61451a1ce9a17bd9b36d49015
-
Filesize
63KB
MD5e0ca371cb1e69e13909bfbd2a7afc60e
SHA1955c31d85770ae78e929161d6b73a54065187f9e
SHA256abb50921ef463263acd7e9be19862089045074ea332421d82e765c5f2163e78a
SHA512dd5a980ba72e4e7be81b927d140e408ad06c7be51b4f509737faee5514e85a42d47518213da1c3e77c25f9bd2eb2109fca173d73d710ff57e6a88a2ff971d0b4
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
120KB
-
Filesize
5.6MB
-
Filesize
544KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
624KB
-
Filesize
652KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
68KB
-
Filesize
80KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
68KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
652KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
216KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
80KB
-
Filesize
68KB
-
Filesize
652KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
64KB
-
Filesize
7.7MB