Overview
Overall score: 10

Tasks and scores (score column as shown on the page; "-" where the page shows none):

Task                        Platform              Score
static                      (static analysis)     3
31c0d26c2e...29.exe         windows7-x64          10
31c0d26c2e...29.exe         windows10-2004-x64    10
$TEMP/55.opends60.dll       windows7-x64          1
$TEMP/55.opends60.dll       windows10-2004-x64    1
$TEMP/CMAccept.exe          windows7-x64          -
$TEMP/CMAccept.exe          windows10-2004-x64    -
$TEMP/DevCfgUI.dll          windows7-x64          1
$TEMP/DevCfgUI.dll          windows10-2004-x64    1
$TEMP/Samp...ll.exe         windows7-x64          1
$TEMP/Samp...ll.exe         windows10-2004-x64    1
$TEMP/Umbellule.dll         windows7-x64          1
$TEMP/Umbellule.dll         windows10-2004-x64    1
$TEMP/VJUp...UI.dll         windows7-x64          1
$TEMP/VJUp...UI.dll         windows10-2004-x64    1
$TEMP/WebC...orm.js         windows7-x64          1
$TEMP/WebC...orm.js         windows10-2004-x64    1
$TEMP/Wiza...VS.dll         windows7-x64          1
$TEMP/Wiza...VS.dll         windows10-2004-x64    1
$TEMP/aspn...er.exe         windows7-x64          1
$TEMP/aspn...er.exe         windows10-2004-x64    1
$TEMP/libu...b.so.0         ubuntu-18.04-amd64    1
$TEMP/pdfg...36.pyc         windows7-x64          3
$TEMP/pdfg...36.pyc         windows10-2004-x64    3
$TEMP/plier.exe             windows7-x64          4
$TEMP/plier.exe             windows10-2004-x64    10

Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/04/2024, 07:25
Static task: static1

Behavioral tasks (sample, resource):
behavioral1:  31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe, win7-20240221-en
behavioral2:  31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe, win10v2004-20231215-en
behavioral3:  $TEMP/55.opends60.dll, win7-20240215-en
behavioral4:  $TEMP/55.opends60.dll, win10v2004-20240226-en
behavioral5:  $TEMP/CMAccept.exe, win7-20240221-en
behavioral6:  $TEMP/CMAccept.exe, win10v2004-20240226-en
behavioral7:  $TEMP/DevCfgUI.dll, win7-20240221-en
behavioral8:  $TEMP/DevCfgUI.dll, win10v2004-20240226-en
behavioral9:  $TEMP/SampDBInstall.exe, win7-20240221-en
behavioral10: $TEMP/SampDBInstall.exe, win10v2004-20240226-en
behavioral11: $TEMP/Umbellule.dll, win7-20240221-en
behavioral12: $TEMP/Umbellule.dll, win10v2004-20231215-en
behavioral13: $TEMP/VJUpgradePackageUI.dll, win7-20240221-en
behavioral14: $TEMP/VJUpgradePackageUI.dll, win10v2004-20240226-en
behavioral15: $TEMP/WebClientProgressForm.js, win7-20240215-en
behavioral16: $TEMP/WebClientProgressForm.js, win10v2004-20240226-en
behavioral17: $TEMP/WizardFrameworkVS.dll, win7-20240221-en
behavioral18: $TEMP/WizardFrameworkVS.dll, win10v2004-20240226-en
behavioral19: $TEMP/aspnetcompiler.exe, win7-20240319-en
behavioral20: $TEMP/aspnetcompiler.exe, win10v2004-20240226-en
behavioral21: $TEMP/libutil-tdb.so.0, ubuntu1804-amd64-20240226-en
behavioral22: $TEMP/pdfgeom.cpython-36.pyc, win7-20240221-en
behavioral23: $TEMP/pdfgeom.cpython-36.pyc, win10v2004-20231215-en
behavioral24: $TEMP/plier.exe, win7-20240220-en
General
Target: 31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe
Size: 1.6MB
MD5: 983199bbc9855444da45fd3470542c93
SHA1: 6358b2bf1dc6e8aff646ad6ab919be865fa19870
SHA256: 31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729
SHA512: 9d48594222420487bc7a8d0e888806edbd5bac819669504d2a854912d403b22fb761f0e4e0a220412e2a18165ee8d20afe4fa21bea6f73a908428a2116557684
SSDEEP: 49152:IEnnpprnZS5N5KF+PBoW0Pc2pjzUNjLfy:7nptn+N5KIPBoWnQwJy
Malware Config
Extracted family: remcos
Ene20
C2 host:port: amsdkjeduejfhdgerop.duckdns.org:2223

audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: AdminShell
keylog_path: %AppData%
mouse_option: false
mutex: NQUjfd3E3e5dje-JHD8X5
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: wikipedia;solitaire;
Signatures

Blocklisted process makes network request (64 IoCs)
flow ids 53, 55, 56, 57, 59, 62-70, 74-89, 92, 94-96, 98, 100-128 (one IoC per flow, 64 in total)
pid 7476, Process cmd.exe (every flow)

Executes dropped EXE (1 IoC)
pid 1868, Process plier.exe

Loads dropped DLL (1 IoC)
pid 1868, Process plier.exe

Drops file in Windows directory (2 IoCs)
File created: C:\Windows\Tasks\diskshadow.job (Process cmd.exe)
File opened for modification: C:\Windows\win.ini (Process plier.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid 1868, Process plier.exe (1 entry)
pid 6748, Process powershell.exe (3 entries)

Suspicious behavior: MapViewOfSection (2 IoCs)
pid 1868, Process plier.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege, pid 6748, Process powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid 7476, Process cmd.exe

Suspicious use of WriteProcessMemory (64 IoCs)
PID 4492 (31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe) wrote to memory of 1868, procid_target 87: 3 entries
PID 1868 (plier.exe) wrote to memory of 7476, procid_target 88: 61 entries
Processes

C:\Users\Admin\AppData\Local\Temp\31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe  (PID 4492)
  command line: "C:\Users\Admin\AppData\Local\Temp\31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe"
  signatures: Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\plier.exe  (PID 1868)
      command line: C:\Users\Admin\AppData\Local\Temp\plier.exe
      signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      └ C:\Windows\SysWOW64\cmd.exe  (PID 7476)
          command line: "C:\Windows\system32\cmd.exe"
          signatures: Blocklisted process makes network request; Drops file in Windows directory; Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\DllHost.exe  (PID 6860)
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  └ C:\Windows\SysWOW64\cmd.exe  (PID 6164)
      command line: "C:\Windows\system32\cmd.exe" /c "powershell.exe -command "Set-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\"""
      └ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 6748)
          command line: powershell.exe -command "Set-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\""
          signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.5MB
MD5: 32604f4797fafd34895f707137146e3a
SHA1: 86bb7be89f74c85a1f77e52879ab1354af5b00be
SHA256: f4e553e609fd70e9e21f5ea68adaa120bd93df0ad5befb3d2889db38bdb2211a
SHA512: e391f0f16b668d5b07a53e13178f105f35f517fa189764eef811a521d292e16a6f738efe0f1992f98f393ec463f486719f80777dd4967fd1787e561005e62721

Filesize: 17KB
MD5: 6000783aeacd1836db8f8d7c10330a3b
SHA1: ba0176243cc0568dd0d10a1762ab69498e1dcb44
SHA256: 573eca694d4fde714b97227d2a71950021fa8bb038f35ba998a448a5c8264f65
SHA512: 954da3704d60acb61ff3bf0949141f2ec95858906b1bca792d98075a9841bb77372de168ba44972e6b53e103ef4bfc3d166e791390981e32db808dfce12bc248

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 4KB
MD5: 11c8f037f0e1a68ff1c74cbcac6e3c6e
SHA1: bb50ac196dfd3a194b7b7161947a012a0d49886c
SHA256: aed09c9a90b38e324fa49b4b8b5b6e263413b49768d5b38f921c2ee4245a6b34
SHA512: 05da2d9cd1ce41a11d4ba0f82512790357139c815894f1be4468df137680ecd577660807c368d9c9c6e95aad10e2caa0f00cf1c5739b36644c75a2e8eeae6c2b

Filesize: 74B
MD5: e1cf98e0941efad1d6f7e3e1db7d38e0
SHA1: da72c520255c8b2851629f8de90cbcfbf016ef33
SHA256: 2d4bc1b51007671cba479dbb3d50b5635e6c27c7f64edf6f3828a55a4f55b23e
SHA512: d9917160c5f883970051728e0c2c4ebd68c300327ad3fe398dde874e586f523a79afaae1a91a35ab4368e17dfb41a17fdffd3864e6b3d5a11160878d46494556

Filesize: 131B
MD5: 9848e4efb0abd437d65e6d3d1d973adb
SHA1: f427ac7c50b19f66658ae7f92cbaf21110b49a47
SHA256: c8b84add37da849977a84fe62badb6cb908be99769edb70d60bcd04c0aec2a3f
SHA512: f90f1f65b6b824a526469b8d739f733a54a7f485d8b5f680de7a35fac90786bf6ba5a0b1d62e139663c5ee73b8d687cf32d4ccf188e18c53084ec12d8c216b17