Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/04/2024, 07:25
Static task: static1

Behavioral tasks (task | Sample | Resource):
behavioral1 | 31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe | win7-20240221-en
behavioral2 | 31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe | win10v2004-20231215-en
behavioral3 | $TEMP/55.opends60.dll | win7-20240215-en
behavioral4 | $TEMP/55.opends60.dll | win10v2004-20240226-en
behavioral5 | $TEMP/CMAccept.exe | win7-20240221-en
behavioral6 | $TEMP/CMAccept.exe | win10v2004-20240226-en
behavioral7 | $TEMP/DevCfgUI.dll | win7-20240221-en
behavioral8 | $TEMP/DevCfgUI.dll | win10v2004-20240226-en
behavioral9 | $TEMP/SampDBInstall.exe | win7-20240221-en
behavioral10 | $TEMP/SampDBInstall.exe | win10v2004-20240226-en
behavioral11 | $TEMP/Umbellule.dll | win7-20240221-en
behavioral12 | $TEMP/Umbellule.dll | win10v2004-20231215-en
behavioral13 | $TEMP/VJUpgradePackageUI.dll | win7-20240221-en
behavioral14 | $TEMP/VJUpgradePackageUI.dll | win10v2004-20240226-en
behavioral15 | $TEMP/WebClientProgressForm.js | win7-20240215-en
behavioral16 | $TEMP/WebClientProgressForm.js | win10v2004-20240226-en
behavioral17 | $TEMP/WizardFrameworkVS.dll | win7-20240221-en
behavioral18 | $TEMP/WizardFrameworkVS.dll | win10v2004-20240226-en
behavioral19 | $TEMP/aspnetcompiler.exe | win7-20240319-en
behavioral20 | $TEMP/aspnetcompiler.exe | win10v2004-20240226-en
behavioral21 | $TEMP/libutil-tdb.so.0 | ubuntu1804-amd64-20240226-en
behavioral22 | $TEMP/pdfgeom.cpython-36.pyc | win7-20240221-en
behavioral23 | $TEMP/pdfgeom.cpython-36.pyc | win10v2004-20231215-en
behavioral24 | $TEMP/plier.exe | win7-20240220-en
General

Target: $TEMP/plier.exe
Size: 4KB
MD5: 11c8f037f0e1a68ff1c74cbcac6e3c6e
SHA1: bb50ac196dfd3a194b7b7161947a012a0d49886c
SHA256: aed09c9a90b38e324fa49b4b8b5b6e263413b49768d5b38f921c2ee4245a6b34
SHA512: 05da2d9cd1ce41a11d4ba0f82512790357139c815894f1be4468df137680ecd577660807c368d9c9c6e95aad10e2caa0f00cf1c5739b36644c75a2e8eeae6c2b
Malware Config

Extracted family: remcos
Botnet: Ene20
C2: amsdkjeduejfhdgerop.duckdns.org:2223

Attributes:
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: AdminShell
keylog_path: %AppData%
mouse_option: false
mutex: NQUjfd3E3e5dje-JHD8X5
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: wikipedia;solitaire;
Signatures

Blocklisted process makes network request (64 IoCs)
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\win.ini | plier.exe
File created | C:\Windows\Tasks\diskshadow.job | cmd.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid | Process
1092 | plier.exe
1092 | plier.exe
10184 | powershell.exe
10184 | powershell.exe
10184 | powershell.exe
Suspicious behavior: MapViewOfSection (1 IoCs)
pid | Process
1092 | plier.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 10184 | powershell.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
11376 | cmd.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

- C:\Users\Admin\AppData\Local\Temp\$TEMP\plier.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\$TEMP\plier.exe"
  PID: 1092
  Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    PID: 11376
    Signatures: Blocklisted process makes network request; Drops file in Windows directory; Suspicious use of SetWindowsHookEx

- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  PID: 3892

- C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c "powershell.exe -command "Set-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\"""
  PID: 7188
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -command "Set-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\""
    PID: 10184
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 74B
MD5: 61624923bea01c8ac9c3f81b39572c07
SHA1: b1907634afc55a9c1a3525ba9c80a802a6cb5f40
SHA256: 0a5611f99aae2cce0338b746638eeae7e90813ad000f69e396e9a61ee7f13dc4
SHA512: f949923652968b88fdc99bd8c90f5a59b05198cca0204cccd0999ef80bb9fbf023847dfb17f79fb1a2013b532ef36a22fc5a501e1038c1881b69afef3d74c542

Filesize: 131B
MD5: 9848e4efb0abd437d65e6d3d1d973adb
SHA1: f427ac7c50b19f66658ae7f92cbaf21110b49a47
SHA256: c8b84add37da849977a84fe62badb6cb908be99769edb70d60bcd04c0aec2a3f
SHA512: f90f1f65b6b824a526469b8d739f733a54a7f485d8b5f680de7a35fac90786bf6ba5a0b1d62e139663c5ee73b8d687cf32d4ccf188e18c53084ec12d8c216b17