Analysis
-
max time kernel
1322s -
max time network
1328s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
10/04/2024, 13:58
Static task
static1
Behavioral task
behavioral1
Sample
New Purchase Order-030220- SMART SOURCING INC.exe
Resource
win10v2004-20240226-en
General
-
Target
New Purchase Order-030220- SMART SOURCING INC.exe
-
Size
678KB
-
MD5
3207acb14184189a3800a8e20a82b023
-
SHA1
65d2ad175339e0dc644b301c85e7f02f098bbb63
-
SHA256
1f3358783cef07f7a60b0530c0de90be8a1131715faaf9d841ce830d9116434b
-
SHA512
71ccfda46c9c98944153398afebe09708d9c071da3e821f238b865fb77551734e94fbf6e39445c45da926efac9a7b6f9fcc6fe0d93ba8a2274d0fdc25c569bd0
-
SSDEEP
12288:qMu7vJgCfeUA94QAyS3ewHXsnn38zVzMfpNemioprHlJ:q5mZ2emcnn38pzE4In
Malware Config
Extracted
remcos
SOLOMON
grantadistciaret.com:3212
grantadistciaret.com:3223
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%Temp%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
RmcxeJ-GSQVVR
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4216 set thread context of 1300 4216 New Purchase Order-030220- SMART SOURCING INC.exe 89 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4216 New Purchase Order-030220- SMART SOURCING INC.exe 4216 New Purchase Order-030220- SMART SOURCING INC.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4216 New Purchase Order-030220- SMART SOURCING INC.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1300 Caspol.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 4216 wrote to memory of 2360 4216 New Purchase Order-030220- SMART SOURCING INC.exe 88 PID 4216 wrote to memory of 2360 4216 New Purchase Order-030220- SMART SOURCING INC.exe 88 PID 4216 wrote to memory of 2360 4216 New Purchase Order-030220- SMART SOURCING INC.exe 88 PID 4216 wrote to memory of 1300 4216 New Purchase Order-030220- SMART SOURCING INC.exe 89 PID 4216 wrote to memory of 1300 4216 New Purchase Order-030220- SMART SOURCING INC.exe 89 PID 4216 wrote to memory of 1300 4216 New Purchase Order-030220- SMART SOURCING INC.exe 89 PID 4216 wrote to memory of 1300 4216 New Purchase Order-030220- SMART SOURCING INC.exe 89 PID 4216 wrote to memory of 1300 4216 New Purchase Order-030220- SMART SOURCING INC.exe 89 PID 4216 wrote to memory of 1300 4216 New Purchase Order-030220- SMART SOURCING INC.exe 89 PID 4216 wrote to memory of 1300 4216 New Purchase Order-030220- SMART SOURCING INC.exe 89 PID 4216 wrote to memory of 1300 4216 New Purchase Order-030220- SMART SOURCING INC.exe 89 PID 4216 wrote to memory of 1300 4216 New Purchase Order-030220- SMART SOURCING INC.exe 89 PID 4216 wrote to memory of 1300 4216 New Purchase Order-030220- SMART SOURCING INC.exe 89 PID 4216 wrote to memory of 1300 4216 New Purchase Order-030220- SMART SOURCING INC.exe 89 PID 4216 wrote to memory of 1300 4216 New Purchase Order-030220- SMART SOURCING INC.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe"C:\Users\Admin\AppData\Local\Temp\New Purchase Order-030220- SMART SOURCING INC.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"2⤵PID:2360
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"2⤵
- Suspicious use of SetWindowsHookEx
PID:1300
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD59b75b0bbc861b238e9f3def6cbc4c8cf
SHA183b4f45842997c94bd6efbdee5c50728342439f0
SHA2568a6330a191ed148e67a69b4c92997333a03dc32e277a48baa59a5333b254ba44
SHA51272c9820df1f93c0ece15b84a720c53e2bbe95d2402cc96b7426abb2060cf5844602d0c86dc67edf2521ba9c077ffca2f693833360dc1e668eb2124d49f40bbc0