Analysis
max time kernel: 150s
max time network: 144s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27-03-2024 03:14
Static task: static1
Behavioral task: behavioral1
  Sample: 5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
  Resource: win10v2004-20240226-en
General
Target: 5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
Size: 998KB
MD5: 9a942028f55f59560c38677923c7ce6a
SHA1: 069cf2b7306f61ac65a4598f519a83dd535325c9
SHA256: 5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb
SHA512: e3f0f2d9d97cfa7178d3fd1e12cd35c9b1a5b08e92767389bcf998e428e08e4527fa7b9204941e849a6f28c240c52c57b653777e7620210c5d024dbce0a22eda
SSDEEP: 24576:yxWTl+NDnZjbBxcxyGFKjL8kFzzjBh3HrYMY:lpknZHEyGw3t3cz
Malware Config
Extracted: remcos
RemoteHost: 194.147.140.180:1987
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-FRNTO2
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Suspicious use of SetThreadContext (1 IoC)
  description | pid Process | procid_target
  PID 2932 set thread context of 2384 | 2932 5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe | 34

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid Process
  2516 schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid Process
  2932 5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
  2488 powershell.exe
  2748 powershell.exe
  2932 5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid Process
  Token: SeDebugPrivilege | 2932 5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe
  Token: SeDebugPrivilege | 2488 powershell.exe
  Token: SeDebugPrivilege | 2748 powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid Process
  2384 5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe

Suspicious use of WriteProcessMemory (25 IoCs)
  description | pid Process | procid_target | entries
  PID 2932 wrote to memory of 2488 | 2932 5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe | 28 | 4
  PID 2932 wrote to memory of 2748 | 2932 5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe | 30 | 4
  PID 2932 wrote to memory of 2516 | 2932 5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe | 31 | 4
  PID 2932 wrote to memory of 2384 | 2932 5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe | 34 | 13
Processes

C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2932

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2488

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XPTpFDOlta.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2748

  C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XPTpFDOlta" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4C4C.tmp"
    - Creates scheduled task(s)
    PID: 2516

  C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5755305654c07b239c370661598bc698f8113b41fe5785e0e13098a66cdbd4eb.exe"
    - Suspicious use of SetWindowsHookEx
    PID: 2384
Network
MITRE ATT&CK Enterprise v15
Downloads

- (path not recorded)
  Filesize: 144B
  MD5: 1c97e8356bb3f321842ddebf11a510a6
  SHA1: 7263e5e8c61c49e4eca7e68ddcac5afd9ba99353
  SHA256: ebea6181f8033730a83acbb4eeabbe6bbb1168a2423364ce2b333afef8599d38
  SHA512: 0abc971c05027e62e67b0b32558e8dc86bc19a47e0f1138592519ee9bc194765c8ee1d7c6b71170cda057ccf2e85115d507b25939ec3ca113e22d0c1c10b3922

- (path not recorded)
  Filesize: 1KB
  MD5: d0a7da08184f0947765e4c26ba1ed753
  SHA1: 3bf5b5dba5ea845ae8c94390762a37ecb14f7a55
  SHA256: f6b6bb9747f19b492dfe046f8dc5d90d6683c29ec157f76939cd4be02bd89e1b
  SHA512: 96d292b9f35cb9e18b165452cc950e25a278e11fdb1e9431e7254b670796bbab4533f7e5cfa908fa193117a031b59b7ba7352c9874affb312221df2f7b02143b

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: c1f4951e91a624b2995afd3263bbee01
  SHA1: 4df480c50390530e74b75b996fa0a9c3de9ffda3
  SHA256: 3c678fba1369240db8c9be7cfaa285ac40cfdbc4b926bf57be4c57fcb3423821
  SHA512: 06f5e23d2fdc6cd7805071cc65dd47e2d4bde9b03e0e16b31db2737b3024f51ab1389bc43061054a745f05eb9b3f7b8eda8f2641e64596a706b03ca6767377d9