Analysis
-
max time kernel
357s
-
max time network
358s
-
platform
windows7_x64
-
resource
win7-20231129-en
-
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
-
submitted
29-04-2024 11:15
Static task
static1
Behavioral task
behavioral1
Sample
q.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
q.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral3
Sample
Pidginizing/Halvpunkt240/Forblack231/Otiatric/Ergs.ps1
Resource
win7-20240215-en
Behavioral task
behavioral4
Sample
Pidginizing/Halvpunkt240/Forblack231/Otiatric/Ergs.ps1
Resource
win10v2004-20240419-en
General
-
Target
q.exe
-
Size
380KB
-
MD5
c1e9cae3895e47557c49da02e857331d
-
SHA1
cd606c216cdf514fd64b714037a75250007d90b7
-
SHA256
a833220123f1e042399406b33817c857fec4d4471f9332b02abc390e11dae2e4
-
SHA512
f4ede6b4caf0267888fe5cfaacfd808a4ef15c5b87f186211c57a75d77b3d4915e2851662e0528370deec6a4f974dce95ce1bd6df1a62c6675ce0d1bf717a486
-
SSDEEP
6144:HT4DtVpZI3UNm5XuEneTjst4l4hjVKLWWC4OZol37D3XmkL+VHjFz3+vaEfT:HTgUUEeTmzJKaYOGlXnoDdqlT
Malware Config
Extracted
remcos
Top
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
mqerms.dat
-
keylog_flag
false
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
alpwovnb-G3F5OR
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
process: reg.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Mesoderms% -windowstyle minimized $Priorized82=(Get-ItemProperty -Path 'HKCU:\\runos\\').Exsolved;%Mesoderms% ($Priorized82)"
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
Processes:
pid | process
3048 | wab.exe
3048 | wab.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid | process
2820 | powershell.exe
3048 | wab.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2820 set thread context of 3048 | 2820 | powershell.exe | wab.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid | process
2820 | powershell.exe (8 identical entries)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid | process
2820 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2820 | powershell.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
description | pid | process | target process
PID 2884 wrote to memory of 2820 | 2884 | q.exe | powershell.exe (4 identical entries)
PID 2820 wrote to memory of 2736 | 2820 | powershell.exe | cmd.exe (4 identical entries)
PID 2820 wrote to memory of 3048 | 2820 | powershell.exe | wab.exe (6 identical entries)
PID 3048 wrote to memory of 2692 | 3048 | wab.exe | cmd.exe (4 identical entries)
PID 2692 wrote to memory of 2008 | 2692 | cmd.exe | reg.exe (4 identical entries)
Processes (indented by parent/child depth)
-
C:\Users\Admin\AppData\Local\Temp\q.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\q.exe"
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell.exe" -windowstyle hidden "$Pareiasaurus=Get-Content 'C:\Users\Admin\AppData\Local\tjurhane\fasciolidae\stinksvampen\Pidginizing\Halvpunkt240\Forblack231\Otiatric\Ergs.Tha';$Zoneindelingerne=$Pareiasaurus.SubString(56195,3);.$Zoneindelingerne($Pareiasaurus)"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
    -
    C:\Program Files (x86)\windows mail\wab.exe
      command line: "C:\Program Files (x86)\windows mail\wab.exe"
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      -
      C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mesoderms% -windowstyle minimized $Priorized82=(Get-ItemProperty -Path 'HKCU:\runos\').Exsolved;%Mesoderms% ($Priorized82)"
        - Suspicious use of WriteProcessMemory
        -
        C:\Windows\SysWOW64\reg.exe
          command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Mesoderms% -windowstyle minimized $Priorized82=(Get-ItemProperty -Path 'HKCU:\runos\').Exsolved;%Mesoderms% ($Priorized82)"
          - Adds Run key to start application
          - Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB
MD5
29f65ba8e88c063813cc50a4ea544e93
SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB
MD5
a266bb7dcc38a562631361bbf61dd11b
SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
2a76b31fb8fe9b2cadb76780defbe912
SHA1
ef11de80345f42a0f4a849d757f455f6f29e0efb
SHA256
f9f609635c029f7567af2fd2bcda342ad1da68968b580a6920f8a7331c3a1430
SHA512
49aa85fe0417f89cb78ffb450856df2f29c5680865bf8a3b5d06d8feb31d82c52a59b551918605d5552927e0a1a887367dee062d81b75a6a41232c4c44ba4cdd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B
MD5
95b12cff6314807a27021862353b153a
SHA1
071e17488417f5abd6a31559767681938b1b60ba
SHA256
47ad188835043d422b414328144a4f139529003db141249c74565c7013570bf7
SHA512
d8012a1dec8b1bdbb580c49bebee160b7e6abdab06a8ce3aceef9f63ecf158787d3614720f86ae1f4d9793fca7d4ebfff9ecf34b1272b55168386afcf5d1eb6b
-
C:\Users\Admin\AppData\Local\Temp\Tar7303.tmp
Filesize
177KB
MD5
435a9ac180383f9fa094131b173a2f7b
SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Local\tjurhane\fasciolidae\stinksvampen\Bilipurpurin.Sla
Filesize
322KB
MD5
a6b465587a24051a3267f7097e93b1cf
SHA1
74bfbb11eaf146ea85a7fe21371e4810c7539fa3
SHA256
88761c61c887cc09658beef749102a2b17cc1752a10087146899e2ac8cf340c5
SHA512
321d1cc296e456df43e722a1551959ad4aa5be868f88ad7fe4d08c6b35d2cdedb813f7869be130c6b69cd31199c56adc2cc1a2052ee3720197e659c6a39a1be5
-
C:\Users\Admin\AppData\Local\tjurhane\fasciolidae\stinksvampen\Pidginizing\Halvpunkt240\Forblack231\Otiatric\Ergs.Tha
Filesize
54KB
MD5
1c0b0b1677e6a0e8e41383703430a228
SHA1
3226cc511cb4ee3c4d8fc85f8309e769b588c59f
SHA256
056096bc668ccf068617f877b2d960d93fcc3f2bfcf6dc51e3e6ee1a5c83cdb8
SHA512
b8856417ec13d2be0b53d74ec4a3b22784b5fa6ae0b2fd5d3cb21863103d01526ab60de2432e0532fcb27c36bc39d69e8178b1a8cc08f05a95c6bf591b581902
-
memory/2820-14-0x0000000002D10000-0x0000000002D50000-memory.dmp
Filesize
256KB
-
memory/2820-13-0x0000000073B00000-0x00000000740AB000-memory.dmp
Filesize
5.7MB
-
memory/2820-12-0x0000000006620000-0x0000000008575000-memory.dmp
Filesize
31.3MB
-
memory/2820-6-0x0000000073B00000-0x00000000740AB000-memory.dmp
Filesize
5.7MB
-
memory/2820-7-0x0000000073B00000-0x00000000740AB000-memory.dmp
Filesize
5.7MB
-
memory/2820-8-0x0000000002D10000-0x0000000002D50000-memory.dmp
Filesize
256KB
-
memory/3048-120-0x0000000000690000-0x00000000016F2000-memory.dmp
Filesize
16.4MB
-
memory/3048-121-0x0000000001700000-0x0000000003655000-memory.dmp
Filesize
31.3MB