Overview

Score  Target                    Platform
10     (static analysis)         static
3      31c0d26c2e...29.exe       windows7-x64
10     31c0d26c2e...29.exe       windows10-2004-x64
10     $TEMP/55.opends60.dll     windows7-x64
1      $TEMP/55.opends60.dll     windows10-2004-x64
1      $TEMP/CMAccept.exe        windows7-x64
-      $TEMP/CMAccept.exe        windows10-2004-x64
-      $TEMP/DevCfgUI.dll        windows7-x64
1      $TEMP/DevCfgUI.dll        windows10-2004-x64
1      $TEMP/Samp...ll.exe       windows7-x64
1      $TEMP/Samp...ll.exe       windows10-2004-x64
1      $TEMP/Umbellule.dll       windows7-x64
1      $TEMP/Umbellule.dll       windows10-2004-x64
1      $TEMP/VJUp...UI.dll       windows7-x64
1      $TEMP/VJUp...UI.dll       windows10-2004-x64
1      $TEMP/WebC...orm.js       windows7-x64
1      $TEMP/WebC...orm.js       windows10-2004-x64
1      $TEMP/Wiza...VS.dll       windows7-x64
1      $TEMP/Wiza...VS.dll       windows10-2004-x64
1      $TEMP/aspn...er.exe       windows7-x64
1      $TEMP/aspn...er.exe       windows10-2004-x64
1      $TEMP/libu...b.so.0       ubuntu-18.04-amd64
1      $TEMP/pdfg...36.pyc       windows7-x64
3      $TEMP/pdfg...36.pyc       windows10-2004-x64
3      $TEMP/plier.exe           windows7-x64
4      $TEMP/plier.exe           windows10-2004-x64
Analysis

max time kernel: 149s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10/04/2024, 07:25
Tasks

Task          Sample                                                                  Resource
static1       (static analysis)                                                       -
behavioral1   31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe   win7-20240221-en
behavioral2   31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe   win10v2004-20231215-en
behavioral3   $TEMP/55.opends60.dll                                                   win7-20240215-en
behavioral4   $TEMP/55.opends60.dll                                                   win10v2004-20240226-en
behavioral5   $TEMP/CMAccept.exe                                                      win7-20240221-en
behavioral6   $TEMP/CMAccept.exe                                                      win10v2004-20240226-en
behavioral7   $TEMP/DevCfgUI.dll                                                      win7-20240221-en
behavioral8   $TEMP/DevCfgUI.dll                                                      win10v2004-20240226-en
behavioral9   $TEMP/SampDBInstall.exe                                                 win7-20240221-en
behavioral10  $TEMP/SampDBInstall.exe                                                 win10v2004-20240226-en
behavioral11  $TEMP/Umbellule.dll                                                     win7-20240221-en
behavioral12  $TEMP/Umbellule.dll                                                     win10v2004-20231215-en
behavioral13  $TEMP/VJUpgradePackageUI.dll                                            win7-20240221-en
behavioral14  $TEMP/VJUpgradePackageUI.dll                                            win10v2004-20240226-en
behavioral15  $TEMP/WebClientProgressForm.js                                          win7-20240215-en
behavioral16  $TEMP/WebClientProgressForm.js                                          win10v2004-20240226-en
behavioral17  $TEMP/WizardFrameworkVS.dll                                             win7-20240221-en
behavioral18  $TEMP/WizardFrameworkVS.dll                                             win10v2004-20240226-en
behavioral19  $TEMP/aspnetcompiler.exe                                                win7-20240319-en
behavioral20  $TEMP/aspnetcompiler.exe                                                win10v2004-20240226-en
behavioral21  $TEMP/libutil-tdb.so.0                                                  ubuntu1804-amd64-20240226-en
behavioral22  $TEMP/pdfgeom.cpython-36.pyc                                            win7-20240221-en
behavioral23  $TEMP/pdfgeom.cpython-36.pyc                                            win10v2004-20231215-en
behavioral24  $TEMP/plier.exe                                                         win7-20240220-en
General

Target: 31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe
Size: 1.6MB
MD5: 983199bbc9855444da45fd3470542c93
SHA1: 6358b2bf1dc6e8aff646ad6ab919be865fa19870
SHA256: 31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729
SHA512: 9d48594222420487bc7a8d0e888806edbd5bac819669504d2a854912d403b22fb761f0e4e0a220412e2a18165ee8d20afe4fa21bea6f73a908428a2116557684
SSDEEP: 49152:IEnnpprnZS5N5KF+PBoW0Pc2pjzUNjLfy:7nptn+N5KIPBoWnQwJy
Malware Config

Extracted
Family: remcos
Botnet: Ene20
C2: amsdkjeduejfhdgerop.duckdns.org:2223

Attributes:
  audio_folder: MicRecords
  audio_path: %AppData%
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: remcos.exe
  copy_folder: remcos
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: false
  install_path: %AppData%
  keylog_crypt: true
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: AdminShell
  keylog_path: %AppData%
  mouse_option: false
  mutex: NQUjfd3E3e5dje-JHD8X5
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  startup_value: remcos
  take_screenshot_option: false
  take_screenshot_time: 5
  take_screenshot_title: wikipedia;solitaire;
Signatures

Blocklisted process makes network request (64 IoCs)
  flow         pid   Process
  3-41, 43-67  3204  cmd.exe   (64 flows, every one from pid 3204 cmd.exe)

Executes dropped EXE (1 IoCs)
  pid   Process
  2768  plier.exe

Loads dropped DLL (3 IoCs)
  pid   Process
  1744  31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe
  1744  31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe
  2768  plier.exe

Drops file in Windows directory (2 IoCs)
  description                   ioc                              Process
  File opened for modification  C:\Windows\win.ini               plier.exe
  File created                  C:\Windows\Tasks\diskshadow.job  cmd.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2768  plier.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid   Process
  2768  plier.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  3204  cmd.exe

Suspicious use of WriteProcessMemory (51 IoCs)
  description                       pid   Process                                                                 procid_target  entries
  PID 1744 wrote to memory of 2768  1744  31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe  28             4
  PID 2768 wrote to memory of 3204  2768  plier.exe                                                               29             39
  PID 1092 wrote to memory of 4140  1092  DllHost.exe                                                             32             4
  PID 4140 wrote to memory of 3644  4140  cmd.exe                                                                 34             4
Processes

C:\Users\Admin\AppData\Local\Temp\31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe"
  PID: 1744
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\plier.exe
    command line: C:\Users\Admin\AppData\Local\Temp\plier.exe
    PID: 2768
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe"
      PID: 3204
      - Blocklisted process makes network request
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\DllHost.exe
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  PID: 1092
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /c "reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat" /t REG_DWORD /d 0"
    PID: 4140
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      command line: reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat" /t REG_DWORD /d 0
      PID: 3644
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.5MB
MD5: 32604f4797fafd34895f707137146e3a
SHA1: 86bb7be89f74c85a1f77e52879ab1354af5b00be
SHA256: f4e553e609fd70e9e21f5ea68adaa120bd93df0ad5befb3d2889db38bdb2211a
SHA512: e391f0f16b668d5b07a53e13178f105f35f517fa189764eef811a521d292e16a6f738efe0f1992f98f393ec463f486719f80777dd4967fd1787e561005e62721

Filesize: 17KB
MD5: 6000783aeacd1836db8f8d7c10330a3b
SHA1: ba0176243cc0568dd0d10a1762ab69498e1dcb44
SHA256: 573eca694d4fde714b97227d2a71950021fa8bb038f35ba998a448a5c8264f65
SHA512: 954da3704d60acb61ff3bf0949141f2ec95858906b1bca792d98075a9841bb77372de168ba44972e6b53e103ef4bfc3d166e791390981e32db808dfce12bc248

Filesize: 74B
MD5: d4efae098a46095c49ddfe77b608cd6b
SHA1: 7151a5d93149c5189a75d8487a62ba8c8a772a46
SHA256: 44412ebb6748adcff1d5adf06b42c8d28845194f85d4201e456f6188860506ad
SHA512: 2b7d7adab5ae4bea31a56df05b3e218b1694381a5715ead80b44031ef332e29439473aa5e6f7e60171202f636283cf3e0803ef88f90ab90a3e31fb5410e6d363

Filesize: 517B
MD5: 893cae59ab5945a94a7da007d47a1255
SHA1: d4cfd81c6647ca64022bd307c08a7fb4bbbd4c06
SHA256: edfa0f2d3bea9f737e0315971c6f81d3d8e7d460b60a19351ada0316a093c938
SHA512: d66e454781f54f45df814ad32d687b0f100578c2a4ffca62de81add04281fb881a550702bd2d058933d3736d14e88624af268a86ce24b0c3935242b206ffdcc9

Filesize: 4KB
MD5: 11c8f037f0e1a68ff1c74cbcac6e3c6e
SHA1: bb50ac196dfd3a194b7b7161947a012a0d49886c
SHA256: aed09c9a90b38e324fa49b4b8b5b6e263413b49768d5b38f921c2ee4245a6b34
SHA512: 05da2d9cd1ce41a11d4ba0f82512790357139c815894f1be4468df137680ecd577660807c368d9c9c6e95aad10e2caa0f00cf1c5739b36644c75a2e8eeae6c2b