Analysis

max time kernel: 148s
max time network: 146s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 25-03-2024 19:10

Static task: static1

Behavioral task: behavioral1
  Sample: HUD34EDRFQ253.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: HUD34EDRFQ253.exe
  Resource: win10v2004-20240226-en
General

Target: HUD34EDRFQ253.exe
Size: 998KB
MD5: 9a942028f55f59560c38677923c7ce6a
SHA1: 069cf2b7306f61ac65a4598f519a83dd535325c9
SHA256: 5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb
SHA512: e3f0f2d9d97cfa7178d3fd1e12cd35c9b1a5b08e92767389bcf998e428e08e4527fa7b9204941e849a6f28c240c52c57b653777e7620210c5d024dbce0a22eda
SSDEEP: 24576:yxWTl+NDnZjbBxcxyGFKjL8kFzzjBh3HrYMY:lpknZHEyGw3t3cz
Malware Config

Extracted: remcos

RemoteHost: 194.147.140.180:1987
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-FRNTO2
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
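The configuration above maps onto host observables only once the feature flags are honoured: with install_flag, keylog_flag and screenshot_flag all false, the copy_folder, keylog and screenshot paths are not expected on disk, and the mutex and the C2 endpoint are the artifacts worth checking first (the %AppData%\Roaming\XPTpFDOlta.exe path seen in the process tree is tied to the scheduled task and Defender exclusion created by the first-stage process, not to any field of this config). The following Python is an added example, not part of the sandbox report or of any Remcos tooling: it parses the flattened key/value listing in the form printed above (a constructed subset is embedded) and derives the expected observables. The flag semantics it assumes are the usual reading of those field names, and because the report does not state the base directory of the install copy, that path is kept relative.

```python
import re

# Constructed input: a subset of the report's config block, in the
# "key / value / -" layout the sandbox printed it in.
SAMPLE_CONFIG = """\
RemoteHost
194.147.140.180:1987
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
install_flag
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mutex
Rmc-FRNTO2
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
"""


def parse_flat_config(text):
    """Parse the flattened key/value listing into a dict, typing booleans and ints."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and ln != "-"]
    if len(lines) % 2:
        raise ValueError("dangling key without a value")
    cfg = {}
    for key, val in zip(lines[0::2], lines[1::2]):
        if val.lower() in ("true", "false"):
            cfg[key] = val.lower() == "true"
        elif re.fullmatch(r"-?\d+", val):
            cfg[key] = int(val)
        else:
            cfg[key] = val
    return cfg


def _join(*parts):
    """Windows-style join of the non-empty parts (no base directory is added)."""
    return "\\".join(p for p in parts if p)


def expected_observables(cfg):
    """Derive what a responder should look for, honouring the feature flags.

    Assumption: install_flag gates the persistent copy, keylog_flag the keylog
    file and screenshot_flag the screenshot folder. The report does not spell
    this out; it is the usual reading of these field names."""
    obs = {"network": [], "mutex": [], "files": [], "disabled": []}

    host, _, port = str(cfg.get("RemoteHost", "")).rpartition(":")
    if host and port.isdigit():
        obs["network"].append((host, int(port)))

    if cfg.get("mutex"):
        obs["mutex"].append(cfg["mutex"])

    # Each on-disk artifact lands in "files" if its flag is set, else in
    # "disabled" so the analyst knows not to expect it.
    candidates = [
        ("install_copy", cfg.get("install_flag"),
         _join(cfg.get("copy_folder"), cfg.get("copy_file"))),
        ("keylog", cfg.get("keylog_flag"),
         _join(cfg.get("keylog_folder"), cfg.get("keylog_file"))),
        ("screenshots", cfg.get("screenshot_flag"),
         _join(cfg.get("screenshot_path"), cfg.get("screenshot_folder"))),
    ]
    for label, enabled, path in candidates:
        (obs["files"] if enabled else obs["disabled"]).append((label, path))
    return obs


if __name__ == "__main__":
    for section, items in expected_observables(parse_flat_config(SAMPLE_CONFIG)).items():
        print(section, items)
```

Feed the full config block from the report into parse_flat_config to get the complete picture; the derived "disabled" list is as useful as "files" during triage, because it says which of the usual Remcos artifacts a host-side check can skip.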
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description          pid   process            target pid   target process
  set thread context   824   HUD34EDRFQ253.exe  2612         HUD34EDRFQ253.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid    process
  824    HUD34EDRFQ253.exe
  1716   powershell.exe
  2544   powershell.exe
  824    HUD34EDRFQ253.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description              pid    process
  Token: SeDebugPrivilege  824    HUD34EDRFQ253.exe
  Token: SeDebugPrivilege  1716   powershell.exe
  Token: SeDebugPrivilege  2544   powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid    process
  2612   HUD34EDRFQ253.exe

Suspicious use of WriteProcessMemory (25 IoCs)
Processes:
  description        pid   process            target pid   target process      occurrences
  wrote to memory    824   HUD34EDRFQ253.exe  1716         powershell.exe      4
  wrote to memory    824   HUD34EDRFQ253.exe  2544         powershell.exe      4
  wrote to memory    824   HUD34EDRFQ253.exe  2592         schtasks.exe        4
  wrote to memory    824   HUD34EDRFQ253.exe  2612         HUD34EDRFQ253.exe   13
Processes

C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
  "C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"
  PID: 824
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"
    PID: 1716
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XPTpFDOlta.exe"
    PID: 2544
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPTpFDOlta" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3784.tmp"
    PID: 2592
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe
    "C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"
    PID: 2612
    - Suspicious use of SetWindowsHookEx
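The tree above is a recognisable sequence: the first-stage process (PID 824) adds Defender path exclusions through PowerShell, registers a scheduled task from an XML file dropped in the user's Temp directory, then starts a second copy of its own image (PID 2612), writes to that process's memory and calls SetThreadContext on it. The SetWindowsHookEx signature fires only in that child, so the child is the process carrying the injected code and the one to dump. The image paths resolve to SysWOW64 while the command lines name System32, which is what a 32-bit parent looks like under WoW64 file-system redirection. The following Python is an added example, not part of the report or of any sandbox's code: it runs that detection logic over process-creation and injection records constructed from the tree and the signature tables above; the record field names are an assumption, chosen to resemble Sysmon process-creation events.

```python
import ntpath
import re

# Constructed process-creation records, taken from the report's process tree.
# The root has no recorded parent in the report, so its ppid is None.
PROC_EVENTS = [
    {"pid": 824, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"'},
    {"pid": 1716, "ppid": 824,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"'},
    {"pid": 2544, "ppid": 824,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XPTpFDOlta.exe"'},
    {"pid": 2592, "ppid": 824,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPTpFDOlta" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3784.tmp"'},
    {"pid": 2612, "ppid": 824,
     "image": r"C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\HUD34EDRFQ253.exe"'},
]

# Constructed injection records, reduced from the report's WriteProcessMemory
# and SetThreadContext signature rows (one row per distinct source/target pair).
INJECT_EVENTS = [
    {"api": "WriteProcessMemory", "src": 824, "dst": 1716},
    {"api": "WriteProcessMemory", "src": 824, "dst": 2544},
    {"api": "WriteProcessMemory", "src": 824, "dst": 2592},
    {"api": "WriteProcessMemory", "src": 824, "dst": 2612},
    {"api": "SetThreadContext", "src": 824, "dst": 2612},
]

RE_MP_EXCLUSION = re.compile(r"Add-MpPreference\s.*-Exclusion(Path|Process|Extension)", re.I)
RE_SCHTASKS_XML = re.compile(r'/create\b.*?/xml\s+"?([^"\s]+)', re.I)
TEMP_MARKER = "\\appdata\\local\\temp\\"


def _root(pid, table):
    """Walk ppid links to the top of the chain (cycle-safe)."""
    seen = set()
    while table.get(pid, {}).get("ppid") is not None and pid not in seen:
        seen.add(pid)
        pid = table[pid]["ppid"]
    return pid


def analyze(procs, injects):
    """Return findings for Defender exclusions, Temp-sourced task XML and self-injection."""
    table = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        name = ntpath.basename(p["image"]).lower()
        if name == "powershell.exe" and RE_MP_EXCLUSION.search(p["cmd"]):
            findings.append({"rule": "defender_exclusion", "pid": p["pid"],
                             "root": _root(p["pid"], table), "detail": p["cmd"]})
        if name == "schtasks.exe":
            m = RE_SCHTASKS_XML.search(p["cmd"])
            if m and TEMP_MARKER in m.group(1).lower():
                findings.append({"rule": "schtask_from_temp_xml", "pid": p["pid"],
                                 "root": _root(p["pid"], table), "detail": m.group(1)})

    wrote = {(e["src"], e["dst"]) for e in injects if e["api"] == "WriteProcessMemory"}
    for e in injects:
        if e["api"] != "SetThreadContext":
            continue
        src, dst = table.get(e["src"]), table.get(e["dst"])
        if not src or not dst:
            continue
        # Parent sets the thread context of a child running the same image:
        # the injection pattern from the report, with WriteProcessMemory as corroboration.
        if dst["ppid"] == src["pid"] and dst["image"].lower() == src["image"].lower():
            findings.append({"rule": "self_injection", "pid": src["pid"],
                             "root": _root(src["pid"], table), "target_pid": dst["pid"],
                             "memory_written": (src["pid"], dst["pid"]) in wrote,
                             "detail": dst["image"]})
    return findings


def dump_candidates(findings):
    """PIDs whose memory should be dumped: targets of self_injection findings."""
    return sorted({f["target_pid"] for f in findings if f["rule"] == "self_injection"})


if __name__ == "__main__":
    for f in analyze(PROC_EVENTS, INJECT_EVENTS):
        print(f["rule"], f["pid"], f["detail"])
    print("dump:", dump_candidates(analyze(PROC_EVENTS, INJECT_EVENTS)))
```

All findings resolve to the same root PID, which is what lets a responder treat the exclusions, the task and the injected child as one incident rather than four alerts; on a live host the equivalent checks are the Defender exclusion list, the \Updates\ task folder and the memory of the self-spawned child.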
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 144B
MD5: e42dbb9530aea6644e3c8c2dbfecfe37
SHA1: c8bc23becc11d02d3d0137489144661d0cfe73ef
SHA256: 402e564e8680914242226ab69de94c7ae0cf9ff9f359c017cb560d7f0fae545c
SHA512: 07a7e4e9c20188f169304068d4e6942555d17bf2ca7b9e65d0a75672a6d672e2f92c16cab43f1e496ecae06539e5a91c01643df9fbcf2b5d120bc44878e1ae95

Filesize: 1KB
MD5: b4a83abaf40c073fdf0f953a7e795b33
SHA1: bfa918a3923b0d221898e173905e7d8584940006
SHA256: 03c049b5c573060c9f440a6760fca696ad0bc9a2b7042baeb355c692e89a82a7
SHA512: db8358b4de4cf877ce201c7912924af0e70cc160a2fe2757d4e7a184021d2369b400fca534d80b3ff57794a14568b101e0c3c9eb89441f5b1afdba968f160e0e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: d37f6198ecd57e26280a42e8241a04bd
SHA1: e3ea1a4c637d33db7729aed66b686bab4ff822b7
SHA256: c941bf6127df9a21fd91d2936ede35768eda80221addee98be8900b11df27614
SHA512: a45835ac3e45b3342464e457c5fec355c127721fe325abdc8884384981325eaaf55ee8ff785e55e4a7db694f81a91f2efd4f1955c28573452c46f1fd7cb6f558