Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
07-04-2024 01:27
General
-
Target
Purchase Order Specifications 2024.exe
-
Size
891KB
-
MD5
365611c6c550f6b4d41e017b7f658975
-
SHA1
b31644d9fb613abfcb0bf7a801db77b4d7fd7ec9
-
SHA256
f486a970c3228b346008eb169500d373560ea047084818b77357ba68bfa960af
-
SHA512
6393bd06d1ea7faaccc85469f6b87aaab102064c8871f6ea8c33ea5434d822ddbd59157e50def89219ee0d3ebe09d34423dfc5d23f337b42a134422d71c3f721
-
SSDEEP
24576:Ig5HJmx9NoiP7+J7v8Dlco1AtasmkDu13xXD7:1Jmx/7zYv8BJ4a1kq1R7
Malware Config
Extracted
remcos
RemoteHost
paygateme.net:2286
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-WTDTSU
-
screenshot_crypt
true
-
screenshot_flag
true
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
1
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 25 IoCs
-
Detects executables built or packed with MPress PE compressor 18 IoCs
-
Detects executables packed with SmartAssembly 2 IoCs
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
-
Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
-
Nirsoft 7 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe"C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FCsxaE.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FCsxaE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp94AE.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe"C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe"C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\dlmpqwrhd"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe"C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\dlmpqwrhd"3⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe"C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ofrijpbbrjztq"3⤵
- Accesses Microsoft Outlook accounts
-
-
C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe"C:\Users\Admin\AppData\Local\Temp\Purchase Order Specifications 2024.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qhwbjhmcnrryspjd"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD53fd6e9c55eaa81a0352da8b3608abc41
SHA17d6ac4fdb94439ef9c2ff340aba972064d6c27e0
SHA256fb884531e01a6c51d24c343835f1e1b63bfae84fbfc7a9d28d1e3c90b36dc5a5
SHA51238444bb867197678ce926cda85dee51d5e22af519a1e04b81b6092bc94261f8593a371d241abb04044e2e5fae3b945eebd6c7b51a9fd19d544ca902c30336e3d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5ec0cf9ff722f9a9259c3338972c40886
SHA131bad5285affb58c5ebe0569bbdb9bd1deab245c
SHA25630190665467845aed54732c31c7e385368c10acb595cffdd7ca9523fff051a19
SHA512bdfaf9576db431d3c4d14e0ea5deafce661fceda6d5123a6f4b84d50a576dd1ccf4202091dc0b55bed665dd45b4e30d2a797bda6015b06f5771064f9bab32d1a
-
Filesize
1KB
MD575a635ca0f5f8a12278ed1dec6a97941
SHA1b6360ba82ac1f2cda14dfb35ee24311009a59196
SHA256f8c03d26ee0ccb763886aed197a865259fd2b964c5c7743f89fbf00d1e92ccf5
SHA51248089800edbb999bb58230709ae0174bd46cf473154a5991f43310417e6075a4186a3e8318d53a51a0dd97955563075c4341ffc943fa7152efadbe8cd855642b
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
768KB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
920KB
-
Filesize
7.7MB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
520KB
-
Filesize
100KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
100KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
100KB
-
Filesize
520KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
520KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
80KB
-
Filesize
652KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
6.5MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
104KB
-
Filesize
200KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
68KB
-
Filesize
3.3MB
-
Filesize
56KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB