Analysis
max time kernel: 148s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-04-2024 13:27

Static task: static1

Behavioral task: behavioral1
Sample: SecuriteInfo.com.Win32.PWSX-gen.22684.exe
Resource: win7-20240215-en

Behavioral task: behavioral2
Sample: SecuriteInfo.com.Win32.PWSX-gen.22684.exe
Resource: win10v2004-20240226-en
General
Target: SecuriteInfo.com.Win32.PWSX-gen.22684.exe
Size: 892KB
MD5: 636a54861ddd167065f294cc76fca7ba
SHA1: 7e3eba28bc4b89801c91de5450aa28da5c6ff941
SHA256: 8f02ecb26530c0a13b7f00020ebca144fc271fe36a5caaba1f4b3270e8e0023c
SHA512: cde7be19fc7fa841d22521a6c5ad01129ff604b2f91c1c16e0da7d91434cd962af25a39c8ab43c14915536b47d652eb2e55cf0fab5178a9553ab0f8f74833fc4
SSDEEP: 24576:GgkHhAVqHxUrlWy05hMud6hHERSIhO0RDP+dB8:I2V+Ur6MIMHERSIQ0RDr
Malware Config
Extracted: remcos
RemoteHost: paygateme.net:2286
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-WTDTSU
screenshot_crypt: true
screenshot_flag: true
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 1
take_screenshot_option: false
take_screenshot_time: 5
Signatures

NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients
Processes:
resource | yara_rule
behavioral2/memory/432-92-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView
behavioral2/memory/432-98-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
Processes:
resource | yara_rule
behavioral2/memory/2460-91-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
behavioral2/memory/2460-103-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView

Nirsoft (6 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/432-92-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
behavioral2/memory/2460-91-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral2/memory/432-98-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
behavioral2/memory/2916-100-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/2916-101-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/2460-103-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | SecuriteInfo.com.Win32.PWSX-gen.22684.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
Processes:
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | SecuriteInfo.com.Win32.PWSX-gen.22684.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes:
description | pid | Process | procid_target
PID 3632 set thread context of 5000 | 3632 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe | 100
PID 5000 set thread context of 2460 | 5000 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe | 101
PID 5000 set thread context of 432 | 5000 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe | 102
PID 5000 set thread context of 2916 | 5000 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe | 103

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
pid | Process
3632 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe
5052 | powershell.exe
3632 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe
5052 | powershell.exe
2460 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe
2460 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe
2916 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe
2916 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe
2460 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe
2460 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
Processes:
pid | Process
5000 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe
5000 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe
5000 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | Process
Token: SeDebugPrivilege | 3632 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe
Token: SeDebugPrivilege | 5052 | powershell.exe
Token: SeDebugPrivilege | 2916 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid | Process
5000 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe

Suspicious use of WriteProcessMemory (30 IoCs; identical entries grouped with their count)
Processes:
description | pid | Process | procid_target | entries
PID 3632 wrote to memory of 5052 | 3632 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe | 96 | 3
PID 3632 wrote to memory of 1716 | 3632 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe | 98 | 3
PID 3632 wrote to memory of 5000 | 3632 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe | 100 | 12
PID 5000 wrote to memory of 2460 | 5000 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe | 101 | 4
PID 5000 wrote to memory of 432 | 5000 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe | 102 | 4
PID 5000 wrote to memory of 2916 | 5000 | SecuriteInfo.com.Win32.PWSX-gen.22684.exe | 103 | 4
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe"
    PID: 3632
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tzRVJJzEigd.exe"
        PID: 5052
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tzRVJJzEigd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp635D.tmp"
        PID: 1716
        - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe"
        PID: 5000
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe /stext "C:\Users\Admin\AppData\Local\Temp\agzmcpnsxw"
            PID: 2460
            - Suspicious behavior: EnumeratesProcesses

        C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe /stext "C:\Users\Admin\AppData\Local\Temp\cjefcixtlecew"
            PID: 432
            - Accesses Microsoft Outlook accounts

        C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.22684.exe /stext "C:\Users\Admin\AppData\Local\Temp\ndkpdainhmujghgt"
            PID: 2916
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 144B
MD5: 914941031d78aacb68642c8525691e08
SHA1: 867a3a0114180935912f600c65a4f4991399afa4
SHA256: 714294417ed1d67d0e8e213f73f4cc1e76868fc078ad2d279acc53ca116c3974
SHA512: fd20c0df49263a3fd754584c288ec2d5a6d33d809a0f3d570b308414b8e3ff324e34f653eb89e792af0d8f08a0f67d35ad2acc9719fcff33671bc1cb4f474b7f

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 4KB
MD5: ec0cf9ff722f9a9259c3338972c40886
SHA1: 31bad5285affb58c5ebe0569bbdb9bd1deab245c
SHA256: 30190665467845aed54732c31c7e385368c10acb595cffdd7ca9523fff051a19
SHA512: bdfaf9576db431d3c4d14e0ea5deafce661fceda6d5123a6f4b84d50a576dd1ccf4202091dc0b55bed665dd45b4e30d2a797bda6015b06f5771064f9bab32d1a

Filesize: 1KB
MD5: c567c7dd1a597624134396b135b65f51
SHA1: 78e50c84fedeac86247852b6cd008d4c3dc76d87
SHA256: 25067e1ee2b6184ab7b4d8c36bf4bd860ea34e51ae3ba6e8c76284b028590837
SHA512: a28d7ee19734f67ae4726e9545aa08ae23da6bf7c1735a2c181b46106294434fc96e3a7c478405b2db9c40d2d4b5f9d6badbf6ea858af8a19b835bc0ac0c9b21