Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system -
submitted
12-07-2024 13:45
Static task
static1
Behavioral task
behavioral1
Sample
Quotation-15-02-2021_PDF.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
Quotation-15-02-2021_PDF.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240705-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral5
Sample
0jxlr2n3sx9a9r.dll
Resource
win7-20240705-en
Behavioral task
behavioral6
Sample
0jxlr2n3sx9a9r.dll
Resource
win10v2004-20240709-en
General
-
Target
Quotation-15-02-2021_PDF.exe
-
Size
234KB
-
MD5
2021fec8feb356edbcea0588a270cb6b
-
SHA1
2e1ff93fe5da8c89508ff5f1aa44d641e25b6823
-
SHA256
918dede163276d652ee3fc92b2ec93733850b27a31339e6e972536d168990506
-
SHA512
2598edb08e125bea4016c44385b29c244f24914fdcdc07546c599e3caf68346bd511853ca1422d4ba9019c21c16ccc33201f6495b9c4a22769df1ff33d4d82c2
-
SSDEEP
3072:yBkfJpRXATwMdFCcM6FbyDiEDlL1UPhrXiTWddkDdvXIYCZ9gn/TOnG7kUeOp+L2:yqjIGQyDid5ryTWdAIRrgrlk++LbH9Et
Malware Config
Extracted
Family
remcos
-
Version
2.7.2 Pro
-
Botnet
Excel-logs
-
C2
103.114.106.35:20987
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
Excel.exe
-
copy_folder
Excel
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
Excel
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Excel-KW0C5C
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Excel
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid process
2624 Excel.exe
344 Excel.exe
-
Loads dropped DLL 6 IoCs
Processes:
pid process
672 Quotation-15-02-2021_PDF.exe (2 IoCs)
2556 cmd.exe
2624 Excel.exe (3 IoCs)
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Excel = "\"C:\\Users\\Admin\\AppData\\Roaming\\Excel\\Excel.exe\"" (by Quotation-15-02-2021_PDF.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Excel = "\"C:\\Users\\Admin\\AppData\\Roaming\\Excel\\Excel.exe\"" (by Excel.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\name = "C:\\Users\\Admin\\AppData\\Roaming\\folder\\file.exe" (by Quotation-15-02-2021_PDF.exe)
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
pid process -> target pid target process
672 Quotation-15-02-2021_PDF.exe set thread context of 2972 Quotation-15-02-2021_PDF.exe
2624 Excel.exe set thread context of 344 Excel.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
Processes:
resource yara_rule
\Users\Admin\AppData\Roaming\Excel\Excel.exe nsis_installer_1
\Users\Admin\AppData\Roaming\Excel\Excel.exe nsis_installer_2
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid process
672 Quotation-15-02-2021_PDF.exe (4 IoCs)
2624 Excel.exe (4 IoCs)
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid process
672 Quotation-15-02-2021_PDF.exe
2624 Excel.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid process
344 Excel.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
pid process -> target pid target process
672 Quotation-15-02-2021_PDF.exe wrote to memory of 2972 Quotation-15-02-2021_PDF.exe (5 IoCs)
2972 Quotation-15-02-2021_PDF.exe wrote to memory of 2736 WScript.exe (4 IoCs)
2736 WScript.exe wrote to memory of 2556 cmd.exe (4 IoCs)
2556 cmd.exe wrote to memory of 2624 Excel.exe (4 IoCs)
2624 Excel.exe wrote to memory of 344 Excel.exe (5 IoCs)
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:672
  Level 2: C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation-15-02-2021_PDF.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2972
    Level 3: C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      - Suspicious use of WriteProcessMemory
      PID:2736
      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Excel\Excel.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID:2556
        Level 5: C:\Users\Admin\AppData\Roaming\Excel\Excel.exe
          Command line: C:\Users\Admin\AppData\Roaming\Excel\Excel.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
          PID:2624
          Level 6: C:\Users\Admin\AppData\Roaming\Excel\Excel.exe
            Command line: C:\Users\Admin\AppData\Roaming\Excel\Excel.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetWindowsHookEx
            PID:344
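Added example, not part of the Triage report or of the Remcos sample: a small Python helper that reads the WriteProcessMemory, SetThreadContext and Run-key IoCs printed in the Signatures section (copied verbatim as the sample input), rebuilds the writer-to-target chain from them, flags every pair where a process writes into and then sets the thread context of a target running its own image, and checks each Run value against the extracted config's startup_value, copy_folder and copy_file. Reading that write-then-SetThreadContext pair as process hollowing / self-injection is an analyst inference, not something the report states. The function and constant names are mine.

```python
"""Added example (not part of the Triage report): turn the WriteProcessMemory,
SetThreadContext and Run-key IoCs above into a process chain, flag the
self-injection pairs, and check each Run value against the extracted config."""
import re
from collections import Counter

# IoC lines copied from the signatures above; duplicates are kept as reported.
WPM_IOCS = (
    ["PID 672 wrote to memory of 2972 672 Quotation-15-02-2021_PDF.exe Quotation-15-02-2021_PDF.exe"] * 5
    + ["PID 2972 wrote to memory of 2736 2972 Quotation-15-02-2021_PDF.exe WScript.exe"] * 4
    + ["PID 2736 wrote to memory of 2556 2736 WScript.exe cmd.exe"] * 4
    + ["PID 2556 wrote to memory of 2624 2556 cmd.exe Excel.exe"] * 4
    + ["PID 2624 wrote to memory of 344 2624 Excel.exe Excel.exe"] * 5
)
STC_IOCS = [
    "PID 672 set thread context of 2972 672 Quotation-15-02-2021_PDF.exe Quotation-15-02-2021_PDF.exe",
    "PID 2624 set thread context of 344 2624 Excel.exe Excel.exe",
]
RUN_IOCS = [  # quotes and backslashes escaped exactly as the report prints them
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Excel = "\"C:\\Users\\Admin\\AppData\\Roaming\\Excel\\Excel.exe\"" Quotation-15-02-2021_PDF.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Excel = "\"C:\\Users\\Admin\\AppData\\Roaming\\Excel\\Excel.exe\"" Excel.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\name = "C:\\Users\\Admin\\AppData\\Roaming\\folder\\file.exe" Quotation-15-02-2021_PDF.exe',
]

INJECT_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)$")
RUN_RE = re.compile(r'^Set value \(str\) \S+\\Run\\(\S+) = "(.*)" (\S+)$')


def parse_injections(lines):
    """(writer_pid, target_pid, kind, writer_image, target_image) per IoC line."""
    events = []
    for line in lines:
        m = INJECT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised injection IoC: {line!r}")
        src, verb, dst, src_img, dst_img = m.groups()
        kind = "wpm" if verb.startswith("wrote") else "stc"
        events.append((int(src), int(dst), kind, src_img, dst_img))
    return events


def write_counts(events):
    """How many WriteProcessMemory IoCs each (writer, target) pair produced."""
    return Counter((src, dst) for src, dst, kind, _, _ in events if kind == "wpm")


def hollowing_candidates(events):
    """Writer wrote into a target, then set its thread context, and both run the
    same image: the pattern an analyst reads as process hollowing / self-injection."""
    wrote = {(src, dst) for src, dst, kind, _, _ in events if kind == "wpm"}
    return sorted(
        (src, dst, src_img)
        for src, dst, kind, src_img, dst_img in events
        if kind == "stc" and (src, dst) in wrote and src_img == dst_img
    )


def process_chain(events, root_pid):
    """Depth-first walk over writer->target edges. In this report every write
    pairs a parent with its freshly created child, so the walk is the process tree."""
    image, children = {}, {}
    for src, dst, kind, src_img, dst_img in events:
        if kind == "wpm":
            image[src], image[dst] = src_img, dst_img
            children.setdefault(src, set()).add(dst)
    chain, stack, seen = [], [root_pid], set()
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        chain.append((pid, image.get(pid, "?")))
        stack.extend(sorted(children.get(pid, ()), reverse=True))
    return chain


def _unescape(value):
    # The report escapes '"' as '\"' and '\' as '\\'; undo that, then drop the outer quotes.
    return value.replace('\\"', '"').replace("\\\\", "\\").strip('"')


def check_run_keys(lines, startup_value, copy_folder, copy_file):
    """Does each Run value point at the install path the extracted config describes?
    A Run entry that does not match deserves a second look."""
    expected_tail = f"\\{copy_folder}\\{copy_file}".lower()
    results = []
    for line in lines:
        m = RUN_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised Run-key IoC: {line!r}")
        name, value, writer = m.groups()
        command = _unescape(value)
        results.append({
            "name": name,
            "command": command,
            "writer": writer,
            "matches_config": name == startup_value and command.lower().endswith(expected_tail),
        })
    return results


if __name__ == "__main__":
    ev = parse_injections(WPM_IOCS + STC_IOCS)
    for pid, img in process_chain(ev, 672):
        print(pid, img)
    print("hollowing candidates:", hollowing_candidates(ev))
    for r in check_run_keys(RUN_IOCS, "Excel", "Excel", "Excel.exe"):
        print(r)
```

Run against the lines above, the chain comes out as 672 -> 2972 -> 2736 -> 2556 -> 2624 -> 344, both SetThreadContext pairs (672/2972 and 2624/344) are flagged, and the third Run value (`name` pointing at `...\Roaming\folder\file.exe`) is reported with `matches_config` false because it matches neither the config's startup_value nor its copy_folder/copy_file. Note also that WScript.exe and cmd.exe resolve to C:\Windows\SysWOW64 even though the command lines say System32: the parent is a 32-bit process, so WoW64 file-system redirection applies.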
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
414B
MD5
53c0ff348853d6380df0b8c16a03d762
SHA1
eda6327849c2c83520e527241156fad9fa634b4a
SHA256
358585a15d72ce0478be92c97b940accf7f7717bf77c29967d4a6fa853f879b2
SHA512
925c2286fd0a370afa3d91d94b503ed01f77467fd2a13edca2e940ee4e8f9420193c9a70a3af0a8b26e62e6c2bd7cf1911059c273f16dc4bf261d54b0f840737
-
Filesize
128KB
MD5
ee820258379f0db08160ef97b38096c3
SHA1
faba7ae96beb0df20306e19498ed9b86dd60f17a
SHA256
66974e8127fd27bfeefc3d23b8534f394fb9e9b3a7c1d1e1db9081445ff10c6c
SHA512
023a6a3420ec43088c692c9d45c7a788560db74c794e869994155761f4c8b6b7ed9f0c1b775eaff7bea17941b11fe251f0d458418e05fe43fb787d782768ea75
-
Filesize
74B
MD5
6f723ee8e9a2a775772dc395c18742e7
SHA1
7493aef74cfd13434f36c0545e20f0117ee6fd15
SHA256
01d8938d4fc536a152371e07eb6c4ae5e00958460920bca192526f2856c1e53c
SHA512
d1df252b7b93d68d3db6a2ec58fbe18e958faa3b9d62c1c354ded44c008ad307c790b6cbf75e0a06c0a5474e6dd32b60c866262e359e3240213ab9db85d59744
-
Filesize
13KB
MD5
9ec36c1f7989533c81de064104ea35ab
SHA1
9a9f608e7bf4e4f06e4804f7b132939d3ee5654d
SHA256
238727a5364853abf73decbd56c4c1e3f3906060e802352b547a296e34dd3646
SHA512
bfb31fd814d2069cf529297c9c4ec4b8d6480012ccbc8f0ea013ce750705d953e47f00f6fa625b95c94c1bcde6763612a6055f91a35428eed0f1e16c6b1bb2e7
-
Filesize
11KB
MD5
fccff8cb7a1067e23fd2e2b63971a8e1
SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
-
Filesize
234KB (same hashes as the submitted sample)
MD5
2021fec8feb356edbcea0588a270cb6b
SHA1
2e1ff93fe5da8c89508ff5f1aa44d641e25b6823
SHA256
918dede163276d652ee3fc92b2ec93733850b27a31339e6e972536d168990506
SHA512
2598edb08e125bea4016c44385b29c244f24914fdcdc07546c599e3caf68346bd511853ca1422d4ba9019c21c16ccc33201f6495b9c4a22769df1ff33d4d82c2