Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
05-04-2024 13:25
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe
Resource
win10v2004-20240226-en
General
-
Target
SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe
-
Size
891KB
-
MD5
365611c6c550f6b4d41e017b7f658975
-
SHA1
b31644d9fb613abfcb0bf7a801db77b4d7fd7ec9
-
SHA256
f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af
-
SHA512
6393bd06d1ea7faaccc85469f6b87aaab102064c8871f6ea8c33ea5434d822ddbd59157e50def89219ee0d3ebe09d34423dfc5d23f337b42a134422d71c3f721
-
SSDEEP
24576:Ig5HJmx9NoiP7+J7v8Dlco1AtasmkDu13xXD7:1Jmx/7zYv8BJ4a1kq1R7
Malware Config
Extracted
remcos
RemoteHost
paygateme.net:2286
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-WTDTSU
-
screenshot_crypt
true
-
screenshot_flag
true
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
1
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/1016-93-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView behavioral2/memory/1016-98-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/2012-91-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral2/memory/2012-103-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Nirsoft 6 IoCs
Processes:
resource yara_rule behavioral2/memory/2012-91-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/1016-93-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/1016-98-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/4492-100-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/4492-101-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/2012-103-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exeSecuriteInfo.com.Win32.PWSX-gen.19953.22926.exedescription pid Process procid_target PID 2992 set thread context of 4444 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 99 PID 4444 set thread context of 2012 4444 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 101 PID 4444 set thread context of 1016 4444 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 102 PID 4444 set thread context of 4492 4444 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 103 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exepowershell.exeSecuriteInfo.com.Win32.PWSX-gen.19953.22926.exeSecuriteInfo.com.Win32.PWSX-gen.19953.22926.exepid Process 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 944 powershell.exe 944 powershell.exe 2012 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 2012 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 4492 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 4492 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 2012 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 2012 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exepid Process 4444 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 4444 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 4444 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exepowershell.exeSecuriteInfo.com.Win32.PWSX-gen.19953.22926.exedescription pid Process Token: SeDebugPrivilege 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe Token: SeDebugPrivilege 944 powershell.exe Token: SeDebugPrivilege 4492 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exepid Process 4444 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe -
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exeSecuriteInfo.com.Win32.PWSX-gen.19953.22926.exedescription pid Process procid_target PID 2992 wrote to memory of 944 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 95 PID 2992 wrote to memory of 944 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 95 PID 2992 wrote to memory of 944 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 95 PID 2992 wrote to memory of 4016 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 97 PID 2992 wrote to memory of 4016 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 97 PID 2992 wrote to memory of 4016 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 97 PID 2992 wrote to memory of 4444 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 99 PID 2992 wrote to memory of 4444 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 99 PID 2992 wrote to memory of 4444 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 99 PID 2992 wrote to memory of 4444 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 99 PID 2992 wrote to memory of 4444 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 99 PID 2992 wrote to memory of 4444 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 99 PID 2992 wrote to memory of 4444 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 99 PID 2992 wrote to memory of 4444 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 99 PID 2992 wrote to memory of 4444 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 99 PID 2992 wrote to memory of 4444 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 99 PID 2992 wrote to memory of 4444 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 99 PID 2992 wrote to memory of 4444 2992 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 99 PID 4444 wrote to memory of 2012 4444 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 101 PID 4444 wrote to memory of 2012 4444 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 101 PID 4444 wrote to memory of 2012 4444 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 101 PID 4444 wrote to memory of 2012 4444 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 101 PID 4444 wrote to memory of 1016 4444 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 102 PID 4444 wrote to memory of 1016 4444 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 102 PID 4444 wrote to memory of 1016 4444 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 102 PID 4444 wrote to memory of 1016 4444 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 102 PID 4444 wrote to memory of 4492 4444 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 103 PID 4444 wrote to memory of 4492 4444 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 103 PID 4444 wrote to memory of 4492 4444 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 103 PID 4444 wrote to memory of 4492 4444 SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FCsxaE.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCsxaE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB3BF.tmp"2⤵
- Creates scheduled task(s)
PID:4016
-
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exeC:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe /stext "C:\Users\Admin\AppData\Local\Temp\rtxkepkvbqiutem"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2012
-
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exeC:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe /stext "C:\Users\Admin\AppData\Local\Temp\bwcvfavxpyazvkaroh"3⤵
- Accesses Microsoft Outlook accounts
PID:1016
-
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exeC:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.19953.22926.exe /stext "C:\Users\Admin\AppData\Local\Temp\lqinfsgqlgsmgqwvgraqp"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4492
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD53964ec839fb1752d17b4035c5b017418
SHA1fcb2b69a78419dd32084ecaa8a386355cf46f84d
SHA256ff83f7d7c8b92594b1ee95ad68a38bcabfc3de2f5c727bd3992010cc9453fd38
SHA512891313af562d2f61577ffdf57403b497cf668ae7ef64538b3e24cdafb6c5e775163b32df9dca7720c4fb94d6c93457af2f5223dde48f19e394db777c658d6b46
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5789c726863f720a7ba5d255e7a000734
SHA10427bac5473ae472d38f2f03e8de82d2dfb1a302
SHA2562dbc369b0667f9cd7459735e998c13ffb3a06b91024e8d483f7776b292a9b627
SHA512e469fd47e55e9c0548bb63868d57ec66f3c50ad69686cfaabd4a0e1e160ef56dc74caabc3643622b2c1769b026ea6a5651e0cc18f1d64e8454feb4fa529e1ce8
-
Filesize
1KB
MD5a3750212525a386b7bcca5f6b666dfe2
SHA106ec18422c179c65eeb868d04674ef6a1c60393b
SHA256c1a4b59cdc01f446528da123d2de983174a7cfc1a5159043e729c86fdb722d42
SHA5129de6cde48f7a62c2c7e6eea81c6898dace9b66c892f573570bc95818c241942bac786f62db640bd67ef3813815d81b5fc9eb31d8a6193bad9bf160b041b6234a