Analysis
- max time kernel: 114s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2024 07:02
Static task: static1
Behavioral task behavioral1: Sample DHL TAX INVOICES - MARCH 2024.exe, Resource win7-20240221-en
Behavioral task behavioral2: Sample DHL TAX INVOICES - MARCH 2024.exe, Resource win10v2004-20240226-en
Behavioral task behavioral3: Sample $PLUGINSDIR/nsExec.dll, Resource win7-20240221-en
Behavioral task behavioral4: Sample $PLUGINSDIR/nsExec.dll, Resource win10v2004-20240319-en
Behavioral task behavioral5: Sample Handelshindringens.ps1, Resource win7-20240215-en
Behavioral task behavioral6: Sample Handelshindringens.ps1, Resource win10v2004-20240226-en
General
- Target: DHL TAX INVOICES - MARCH 2024.exe
- Size: 850KB
- MD5: 9751f18fb374bf112f867381a68bb3a9
- SHA1: b6690412b3ce7e65d76437b4d6704a3646e62938
- SHA256: d53afbfc333acb95639354fe5eb9cddce8fc0f59190d23dbfa60fec9944a5e27
- SHA512: b42a8071e8234c62fbd8028e9f364a39b0daeb7a62b7ccbc94f3588cdda7be93953834c737ab01b3feebcc51665a0a528ede9f2042af369ad3a1ecee69bd8b6f
- SSDEEP: 12288:agyMCmL5EW2zV3mDinwWxjQKQpUGk06VqbwQX3isAr:YViiwwEKQpUs6swI32
Malware Config
Extracted: remcos
- RemoteHost: 162.251.122.89:2404
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-EEMA4A
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures

- NirSoft MailPassView (2 IoCs)
  Password recovery tool for various email clients
  resource                                                                     yara_rule
  behavioral2/memory/3524-75-0x0000000000400000-0x0000000000462000-memory.dmp  MailPassView
  behavioral2/memory/3524-72-0x0000000000400000-0x0000000000462000-memory.dmp  MailPassView

- NirSoft WebBrowserPassView (2 IoCs)
  Password recovery tool for various web browsers
  resource                                                                     yara_rule
  behavioral2/memory/2076-62-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView
  behavioral2/memory/2076-84-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView

- Nirsoft (6 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/2076-62-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft
  behavioral2/memory/1760-74-0x0000000000400000-0x0000000000424000-memory.dmp  Nirsoft
  behavioral2/memory/3524-75-0x0000000000400000-0x0000000000462000-memory.dmp  Nirsoft
  behavioral2/memory/3524-72-0x0000000000400000-0x0000000000462000-memory.dmp  Nirsoft
  behavioral2/memory/1760-76-0x0000000000400000-0x0000000000424000-memory.dmp  Nirsoft
  behavioral2/memory/2076-84-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft

- Loads dropped DLL (1 IoC)
  pid   Process
  3080  DHL TAX INVOICES - MARCH 2024.exe

- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  description  ioc                                                                                                                   Process
  Key opened   \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  wab.exe

- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid   Process
  1704  wab.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  2096  powershell.exe
  1704  wab.exe

- Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process         procid_target
  PID 2096 set thread context of 1704  2096  powershell.exe  108
  PID 1704 set thread context of 2076  1704  wab.exe         109
  PID 1704 set thread context of 3524  1704  wab.exe         115
  PID 1704 set thread context of 1760  1704  wab.exe         116

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2392  1704        WerFault.exe  108

- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid   Process
  2096  powershell.exe  (10 entries)
  2076  wab.exe         (4 entries)
  1760  wab.exe         (2 entries)

- Suspicious behavior: MapViewOfSection (9 IoCs)
  pid   Process
  2096  powershell.exe  (1 entry)
  1704  wab.exe         (8 entries)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2096  powershell.exe
  Token: SeDebugPrivilege  1760  wab.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1704  wab.exe

- Suspicious use of WriteProcessMemory (38 IoCs)
  description                         pid   Process                            procid_target
  PID 3080 wrote to memory of 2096    3080  DHL TAX INVOICES - MARCH 2024.exe  95
  PID 3080 wrote to memory of 2096    3080  DHL TAX INVOICES - MARCH 2024.exe  95
  PID 3080 wrote to memory of 2096    3080  DHL TAX INVOICES - MARCH 2024.exe  95
  PID 2096 wrote to memory of 2688    2096  powershell.exe                     102
  PID 2096 wrote to memory of 2688    2096  powershell.exe                     102
  PID 2096 wrote to memory of 2688    2096  powershell.exe                     102
  PID 2096 wrote to memory of 1704    2096  powershell.exe                     108
  PID 2096 wrote to memory of 1704    2096  powershell.exe                     108
  PID 2096 wrote to memory of 1704    2096  powershell.exe                     108
  PID 2096 wrote to memory of 1704    2096  powershell.exe                     108
  PID 2096 wrote to memory of 1704    2096  powershell.exe                     108
  PID 1704 wrote to memory of 2076    1704  wab.exe                            109
  PID 1704 wrote to memory of 2076    1704  wab.exe                            109
  PID 1704 wrote to memory of 2076    1704  wab.exe                            109
  PID 1704 wrote to memory of 2076    1704  wab.exe                            109
  PID 1704 wrote to memory of 1680    1704  wab.exe                            110
  PID 1704 wrote to memory of 1680    1704  wab.exe                            110
  PID 1704 wrote to memory of 1680    1704  wab.exe                            110
  PID 1704 wrote to memory of 3616    1704  wab.exe                            111
  PID 1704 wrote to memory of 3616    1704  wab.exe                            111
  PID 1704 wrote to memory of 3616    1704  wab.exe                            111
  PID 1704 wrote to memory of 2084    1704  wab.exe                            112
  PID 1704 wrote to memory of 2084    1704  wab.exe                            112
  PID 1704 wrote to memory of 2084    1704  wab.exe                            112
  PID 1704 wrote to memory of 672     1704  wab.exe                            113
  PID 1704 wrote to memory of 672     1704  wab.exe                            113
  PID 1704 wrote to memory of 672     1704  wab.exe                            113
  PID 1704 wrote to memory of 4540    1704  wab.exe                            114
  PID 1704 wrote to memory of 4540    1704  wab.exe                            114
  PID 1704 wrote to memory of 4540    1704  wab.exe                            114
  PID 1704 wrote to memory of 3524    1704  wab.exe                            115
  PID 1704 wrote to memory of 3524    1704  wab.exe                            115
  PID 1704 wrote to memory of 3524    1704  wab.exe                            115
  PID 1704 wrote to memory of 3524    1704  wab.exe                            115
  PID 1704 wrote to memory of 1760    1704  wab.exe                            116
  PID 1704 wrote to memory of 1760    1704  wab.exe                            116
  PID 1704 wrote to memory of 1760    1704  wab.exe                            116
Processes

- C:\Users\Admin\AppData\Local\Temp\DHL TAX INVOICES - MARCH 2024.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL TAX INVOICES - MARCH 2024.exe"
  PID: 3080
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Panoramic=Get-Content 'C:\Users\Admin\AppData\Local\releve\Handelshindringens.Dec';$Voldtgtsforbryders=$Panoramic.SubString(51097,3);.$Voldtgtsforbryders($Panoramic)"
    PID: 2096
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      PID: 2688

    - C:\Program Files (x86)\windows mail\wab.exe
      Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      PID: 1704
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      - C:\Program Files (x86)\windows mail\wab.exe
        Command line: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mpjvgwdqyrydxhpu"
        PID: 2076
        - Suspicious behavior: EnumeratesProcesses

      - C:\Program Files (x86)\windows mail\wab.exe
        Command line: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xjpfhgosmaqiavdyaqm"
        PID: 1680

      - C:\Program Files (x86)\windows mail\wab.exe
        Command line: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xjpfhgosmaqiavdyaqm"
        PID: 3616

      - C:\Program Files (x86)\windows mail\wab.exe
        Command line: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xjpfhgosmaqiavdyaqm"
        PID: 2084

      - C:\Program Files (x86)\windows mail\wab.exe
        Command line: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xjpfhgosmaqiavdyaqm"
        PID: 672

      - C:\Program Files (x86)\windows mail\wab.exe
        Command line: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xjpfhgosmaqiavdyaqm"
        PID: 4540

      - C:\Program Files (x86)\windows mail\wab.exe
        Command line: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xjpfhgosmaqiavdyaqm"
        PID: 3524
        - Accesses Microsoft Outlook accounts

      - C:\Program Files (x86)\windows mail\wab.exe
        Command line: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\hmcyizzlziinkczkjbzeao"
        PID: 1760
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1512
        PID: 2392
        - Program crash

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2496,i,15897292497548307209,13920214570023230813,262144 --variations-seed-version /prefetch:8
  PID: 2688

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1704 -ip 1704
  PID: 4420
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 4KB
  MD5: 32100ea472bc470ba10f60a11c782c0e
  SHA1: 078aa6214b8ca1c3562774453abca6c8806a13c3
  SHA256: d6132e01d239dbbe0f686e1a18cd57d7cf272e34ab03b7f483f5147c00d374ad
  SHA512: df7aaa762f5546a9e783b5a15a9cd5a3e66ec43b5502b025d621f106e63008095461a96d5f1f06791cac6322e0c418eb6de476b6856338e2f5fc2d038ca10d6b

- Filesize: 6KB
  MD5: 01e76fe9d2033606a48d4816bd9c2d9d
  SHA1: e46d8a9ed4d5da220c81baf5f1fdb94708e9aba2
  SHA256: ee052fd5141bf769b841846170aabf0d7c2bb922c74c623c3f109344534f7a70
  SHA512: 62ef7095d1bf53354c20329c2ce8546c277aa0e791839c8a24108a01f9483a953979259e0ad04dbcab966444ee7cdd340f8c9557bc8f98e9400794f2751dc7e0

- Filesize: 353KB
  MD5: 213296c17d11adf994b3d8eea2f44497
  SHA1: 48cb90d8d8063ef5ca129084ced6f9279cdf31b0
  SHA256: 7603126a3e7f1258479357e5df46bcdf769004b536f678f4bff0bd72fe1ab816
  SHA512: 77c4a3cc051ed8eeaaea917e077170e413c1bd80ed119acdd40b699025bd72c26907ce108f4cbe1396f38737fab73fa92ac55153dde4323661c78dda62151bd4

- Filesize: 49KB
  MD5: 26ac3d358904de47313a08e6e95b9ef8
  SHA1: d8cb62fa3f065244d37862489962401a3c829a9a
  SHA256: a87dc179ea36df155f5d8b7a8a5963ef1de61fa7032db510a8a1f64033182ff2
  SHA512: efc8932a6e6cb055fd76603cade1ce298c2d19f250d9e3234255f55b2ec28b6c34345f35a017816b35400a4258eb0cca8fdf885a1c8b5f0c08f50731d17bae71