Analysis
-
max time kernel
148s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
05-04-2024 11:41
Static task
static1
Behavioral task
behavioral1
Sample
TSTS 0005A.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
TSTS 0005A.exe
Resource
win10v2004-20240226-en
General
-
Target
TSTS 0005A.exe
-
Size
922KB
-
MD5
b195643d6d8c3f81c7409533ad14726c
-
SHA1
c09b56928fb1f448ed9b3610a0b930f77e2ebcfe
-
SHA256
f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2
-
SHA512
b843153f581be5a77b8575cf09e25333d5eaf5af3b689441ad0af336c4494a6181d5882dfa8b2ba2d90acb64cd3db9ab26f1cf87e1991f996d26cbb6990c5fb8
-
SSDEEP
24576:JgjHr6DLW5Gaxs00MUVXdtS6seDmw+Op8lCua51:WrpDxclG65mg8lCuo
Malware Config
Extracted
remcos
RemoteHost
sembe.duckdns.org:14645
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
notess
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Rmc-P0AEMX
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
TSTS 0005A.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation TSTS 0005A.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
TSTS 0005A.exedescription pid Process procid_target PID 3168 set thread context of 4196 3168 TSTS 0005A.exe 103 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
TSTS 0005A.exepowershell.exepid Process 3168 TSTS 0005A.exe 3168 TSTS 0005A.exe 3168 TSTS 0005A.exe 3168 TSTS 0005A.exe 3520 powershell.exe 3520 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
TSTS 0005A.exepowershell.exedescription pid Process Token: SeDebugPrivilege 3168 TSTS 0005A.exe Token: SeDebugPrivilege 3520 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
TSTS 0005A.exepid Process 4196 TSTS 0005A.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
TSTS 0005A.exedescription pid Process procid_target PID 3168 wrote to memory of 3520 3168 TSTS 0005A.exe 97 PID 3168 wrote to memory of 3520 3168 TSTS 0005A.exe 97 PID 3168 wrote to memory of 3520 3168 TSTS 0005A.exe 97 PID 3168 wrote to memory of 3068 3168 TSTS 0005A.exe 99 PID 3168 wrote to memory of 3068 3168 TSTS 0005A.exe 99 PID 3168 wrote to memory of 3068 3168 TSTS 0005A.exe 99 PID 3168 wrote to memory of 404 3168 TSTS 0005A.exe 101 PID 3168 wrote to memory of 404 3168 TSTS 0005A.exe 101 PID 3168 wrote to memory of 404 3168 TSTS 0005A.exe 101 PID 3168 wrote to memory of 2432 3168 TSTS 0005A.exe 102 PID 3168 wrote to memory of 2432 3168 TSTS 0005A.exe 102 PID 3168 wrote to memory of 2432 3168 TSTS 0005A.exe 102 PID 3168 wrote to memory of 4196 3168 TSTS 0005A.exe 103 PID 3168 wrote to memory of 4196 3168 TSTS 0005A.exe 103 PID 3168 wrote to memory of 4196 3168 TSTS 0005A.exe 103 PID 3168 wrote to memory of 4196 3168 TSTS 0005A.exe 103 PID 3168 wrote to memory of 4196 3168 TSTS 0005A.exe 103 PID 3168 wrote to memory of 4196 3168 TSTS 0005A.exe 103 PID 3168 wrote to memory of 4196 3168 TSTS 0005A.exe 103 PID 3168 wrote to memory of 4196 3168 TSTS 0005A.exe 103 PID 3168 wrote to memory of 4196 3168 TSTS 0005A.exe 103 PID 3168 wrote to memory of 4196 3168 TSTS 0005A.exe 103 PID 3168 wrote to memory of 4196 3168 TSTS 0005A.exe 103 PID 3168 wrote to memory of 4196 3168 TSTS 0005A.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vcEDbAjawlTHE.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3520
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vcEDbAjawlTHE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6D12.tmp"2⤵
- Creates scheduled task(s)
PID:3068
-
-
C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"2⤵PID:404
-
-
C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"2⤵PID:2432
-
-
C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"C:\Users\Admin\AppData\Local\Temp\TSTS 0005A.exe"2⤵
- Suspicious use of SetWindowsHookEx
PID:4196
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD535bfb4553ad9189205d20be5cc976305
SHA1485c545ce3701f27694fe4df829b2557ed4f0f48
SHA256dfa9b03022019b6b2fb30b73957c1bfdecb4b569345d932cf6fc7549e5aa5a7c
SHA512fb48e2e0fe181865ee5bb481d7825bb6bb1e52feac2dc16f869d8c58458d432b0a4a0b1a62c05effb1a41c2d1d98d68a55771784bb590a8380ff0880082c0e5a
-
Filesize
144B
MD54cbbe1ca599b5a09cecc9bad75c441ff
SHA16fceb677d32c976de9311404b616001a8dfdcef5
SHA25675dec0166b55f5ddc0641dbb14257ee904d33426c5a4f15b8e481c52d3b92d99
SHA512f7f5f27de2c9ded88b091392849df65ad8a7547c47f279c16c77a01ab745c90e13006fe1787304f094b01943900630cee39e22f9df1f3b4c1a987ec72e490081