51dca601a7f7c08ca8a600f52addec6706019ee48f89a6429e46df3f926e08ad

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63af2fcab6d053d213720b8817cc87c8.exe
Size

17.8MB
MD5

63af2fcab6d053d213720b8817cc87c8
SHA1

c3a97a3923b6fc9ba8839a6a9ab9d47c2155356d
SHA256

51dca601a7f7c08ca8a600f52addec6706019ee48f89a6429e46df3f926e08ad
SHA512

702da0934c771e3b246b5a73f51ebfda2cfb00a837e8a084ce98052bc62d99a3a4f00a05684a79d480b97a5f5c263b541cfa52619bf4b65df0579614d6043165
SSDEEP

393216:l+c50Fa7K39n0LHOz3tcA/YFspJfUXvakYHQFSdbhALSVQtikwtW3Jigc:hot3uLuz3tM6rfUXCkYgU/VQti/W35

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2256	remcos_a.exe
2616	slinkyloader.exe
2468	remcos.exe

Loads dropped DLL 4 IoCs

pid	Process
2868	63af2fcab6d053d213720b8817cc87c8.exe
2632	Process not Found
2624	cmd.exe
2624	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos_a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos_a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe
2616	slinkyloader.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2468	remcos.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2468	remcos.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2256	2868	63af2fcab6d053d213720b8817cc87c8.exe	28
PID 2868 wrote to memory of 2256	2868	63af2fcab6d053d213720b8817cc87c8.exe	28
PID 2868 wrote to memory of 2256	2868	63af2fcab6d053d213720b8817cc87c8.exe	28
PID 2868 wrote to memory of 2256	2868	63af2fcab6d053d213720b8817cc87c8.exe	28
PID 2868 wrote to memory of 2616	2868	63af2fcab6d053d213720b8817cc87c8.exe	29
PID 2868 wrote to memory of 2616	2868	63af2fcab6d053d213720b8817cc87c8.exe	29
PID 2868 wrote to memory of 2616	2868	63af2fcab6d053d213720b8817cc87c8.exe	29
PID 2256 wrote to memory of 2364	2256	remcos_a.exe	31
PID 2256 wrote to memory of 2364	2256	remcos_a.exe	31
PID 2256 wrote to memory of 2364	2256	remcos_a.exe	31
PID 2256 wrote to memory of 2364	2256	remcos_a.exe	31
PID 2364 wrote to memory of 2624	2364	WScript.exe	32
PID 2364 wrote to memory of 2624	2364	WScript.exe	32
PID 2364 wrote to memory of 2624	2364	WScript.exe	32
PID 2364 wrote to memory of 2624	2364	WScript.exe	32
PID 2624 wrote to memory of 2468	2624	cmd.exe	34
PID 2624 wrote to memory of 2468	2624	cmd.exe	34
PID 2624 wrote to memory of 2468	2624	cmd.exe	34
PID 2624 wrote to memory of 2468	2624	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\63af2fcab6d053d213720b8817cc87c8.exe
"C:\Users\Admin\AppData\Local\Temp\63af2fcab6d053d213720b8817cc87c8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\remcos_a.exe
  "C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2468
- C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
  "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
386B

MD5
1ec6289c6fd4c2ded6b2836ed28cbeb5

SHA1
c4e08195e6c640eb8860acc03fda1d649b4fe070

SHA256
6efdc40f9eb217f879607614e928b65bff759e424f3efb31faceb2a043c32dc2

SHA512
20bc46f4dee22f75f15c402c7c2eaee60fff7dd92548050585571dcbefd59485cc249c06bc3f1aac7a138e5ae67c0c3918b46ffa24c8b0f1b092e2f6b6e21288

Download Submit
C:\Users\Admin\AppData\Local\Temp\remcos_a.exe

Filesize
469KB

MD5
6e0648ca2b27ea71ba71a0e712fd200a

SHA1
c785a48d1ff8b2b4e8c3fa157b04e2ba1e01885e

SHA256
ed93f5353803ad45a0905ce9fa8a0cbcb1c1168a2a48c04e6b5c7d56870c5948

SHA512
991651afe96edeb78fdfd57fee997f2f342e67e002ac19c31e171ad5e3f6bb83d710495ca22caf021273be2dbdeb1492c26371b1a3737a55b13fd24de517a6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe

Filesize
2.9MB

MD5
619872c192056bb8a54721bc2a018435

SHA1
31f1159d36a15d5698457fa66a58b725c8a255f6

SHA256
79331fe61150d3c09a65ccbd718d6705747d4e691f85a5758adfb7e01c7027ae

SHA512
a884f98f3466c94f29cb4c28e61e00c68f9b801f08687e8b564a854bb9bf7f72e0f85425c3f43c8d7e54cacc6686eed2a31be596f73f57541a5e65376a5907f7

Download Submit
\Users\Admin\AppData\Local\Temp\slinkyloader.exe

Filesize
1.2MB

MD5
42629cc8d5dcb92601914eff3f64a3e6

SHA1
89fa05dbd4ce6aa73384cb3b7975931459d57d8c

SHA256
061197b7c5af9070073b04433803370d3623461df7bcf9aa4cf90e1a15f06b56

SHA512
dc908f8eb9e2a1ffedff9c4f2f8fe4d0a1253f4f1dcddc0caa220d997a3b35872c84e1550e1dbb4a25fee5aadcb05b1dd662d476117f00d57d79cfb3dec2bd33

Download Submit
\Users\Admin\AppData\Local\Temp\slinkyloader.exe

Filesize
2.5MB

MD5
b3d14cea90e4c6fffe41913fe9b4378f

SHA1
5ec9934888f9c858c3b267f3936b66eb50aae9f9

SHA256
1c9b7e58b6540beeca298720fe223aa9bcef97c84ab277d1602e94a3454528c1

SHA512
fd441b51a4636bd1e1cec52ace7cc28e647c25dab86d75b22c5775b07a036b692d12b3f4f382b7efd44483602ecbcd5eb4added8a931006b243cdbae5172ace6

Download Submit
memory/2868-0-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/2868-1-0x00000000010B0000-0x0000000002278000-memory.dmp

Filesize
17.8MB

Download
memory/2868-2-0x000000001BEA0000-0x000000001BF20000-memory.dmp

Filesize
512KB

Download
memory/2868-19-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download