Analysis

max time kernel: 151s
max time network: 152s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 13-07-2024 04:31

Static task: static1
Behavioral task: behavioral1
Sample: Factura037277283695777055236096556001416634813574290050475660034226497919.exe
Resource: win7-20240705-en
General

Target: Factura037277283695777055236096556001416634813574290050475660034226497919.exe
Size: 235.0MB
MD5: 5fbcdbcc0bb08f6e1741cbdde72d73d8
SHA1: 44efce93b75de925ae0be0a73011dabef724f5ea
SHA256: 15a4367f675522dceb487e74a5c58e6ccf608484899b8f70f43c19b791e47a70
SHA512: ec4c2f58df3ce5bbb8b62e8bc9368ff06c6cbf7f1d00b73844117add1e1982e08c1032377340e71c9d0ed39f4fbea9c57b12983057655aa3fcd2797c89117eca
SSDEEP: 12288:uJZh698faB+XA6T/xSpaBjmZmIq0t6E940To:c/6qfYOpSpOmbjP4u
Malware Config

Extracted family: remcos

Start: 185.196.9.78:24041
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: log.dat
keylog_flag: false
keylog_folder: System01
mouse_option: false
mutex: Rmcxyz1-AEDW2I
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2808  AdobeSg.exe
    568   AdobeSg.exe
    1400  AdobeSg.exe

Uses the VBS compiler for execution (1 TTPs)

Suspicious use of SetThreadContext (4 IoCs)
  Processes (description; process -> target process):
    PID 1616 set thread context of 1504; Factura037277283695777055236096556001416634813574290050475660034226497919.exe -> vbc.exe
    PID 2808 set thread context of 2580; AdobeSg.exe -> vbc.exe
    PID 568 set thread context of 1464; AdobeSg.exe -> vbc.exe
    PID 1400 set thread context of 1740; AdobeSg.exe -> vbc.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 4 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid, process):
    2804  schtasks.exe
    1052  schtasks.exe
    1208  schtasks.exe
    1408  schtasks.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid, process):
    1504  vbc.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description; process -> target process; number of identical entries):
    PID 1616 wrote to memory of 1504; Factura037277283695777055236096556001416634813574290050475660034226497919.exe -> vbc.exe; x13
    PID 1616 wrote to memory of 1912; Factura037277283695777055236096556001416634813574290050475660034226497919.exe -> cmd.exe; x4
    PID 1616 wrote to memory of 2740; Factura037277283695777055236096556001416634813574290050475660034226497919.exe -> cmd.exe; x4
    PID 2740 wrote to memory of 2804; cmd.exe -> schtasks.exe; x4
    PID 1616 wrote to memory of 2728; Factura037277283695777055236096556001416634813574290050475660034226497919.exe -> cmd.exe; x4
    PID 2160 wrote to memory of 2808; taskeng.exe -> AdobeSg.exe; x4
    PID 2808 wrote to memory of 2580; AdobeSg.exe -> vbc.exe; x13
    PID 2808 wrote to memory of 2568; AdobeSg.exe -> cmd.exe; x4
    PID 2808 wrote to memory of 2756; AdobeSg.exe -> cmd.exe; x4
    PID 2756 wrote to memory of 1052; cmd.exe -> schtasks.exe; x4
    PID 2808 wrote to memory of 2828; AdobeSg.exe -> cmd.exe; x4
    PID 2160 wrote to memory of 568; taskeng.exe -> AdobeSg.exe; x2
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\Factura037277283695777055236096556001416634813574290050475660034226497919.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\Factura037277283695777055236096556001416634813574290050475660034226497919.exe"
  PID: 1616
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 1504
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe
      Command: "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AdobeSg"
      PID: 1912

    C:\Windows\SysWOW64\cmd.exe
      Command: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
      PID: 2740
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          Command: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
          PID: 2804
          - Scheduled Task/Job: Scheduled Task

    C:\Windows\SysWOW64\cmd.exe
      Command: "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Factura037277283695777055236096556001416634813574290050475660034226497919.exe" "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe"
      PID: 2728

C:\Windows\system32\taskeng.exe
  Command: taskeng.exe {5CA6BDA4-BDDB-4399-945A-241D81DF93D8} S-1-5-21-2172136094-3310281978-782691160-1000:EXCFTDUU\Admin:Interactive:[1]
  PID: 2160
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
      Command: C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
      PID: 2808
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          PID: 2580

        C:\Windows\SysWOW64\cmd.exe
          Command: "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AdobeSg"
          PID: 2568

        C:\Windows\SysWOW64\cmd.exe
          Command: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
          PID: 2756
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe
              Command: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
              PID: 1052
              - Scheduled Task/Job: Scheduled Task

        C:\Windows\SysWOW64\cmd.exe
          Command: "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe" "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe"
          PID: 2828

    C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
      Command: C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
      PID: 568
      - Executes dropped EXE
      - Suspicious use of SetThreadContext

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          PID: 1464

        C:\Windows\SysWOW64\cmd.exe
          Command: "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AdobeSg"
          PID: 2440

        C:\Windows\SysWOW64\cmd.exe
          Command: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
          PID: 2372

            C:\Windows\SysWOW64\schtasks.exe
              Command: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
              PID: 1208
              - Scheduled Task/Job: Scheduled Task

        C:\Windows\SysWOW64\cmd.exe
          Command: "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe" "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe"
          PID: 1440

    C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
      Command: C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
      PID: 1400
      - Executes dropped EXE
      - Suspicious use of SetThreadContext

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          PID: 1740

        C:\Windows\SysWOW64\cmd.exe
          Command: "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AdobeSg"
          PID: 2964

        C:\Windows\SysWOW64\cmd.exe
          Command: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
          PID: 2412

            C:\Windows\SysWOW64\schtasks.exe
              Command: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
              PID: 1408
              - Scheduled Task/Job: Scheduled Task

        C:\Windows\SysWOW64\cmd.exe
          Command: "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe" "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe"
          PID: 1032
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 144B
MD5: d4da3093d126c39d40202dcc449b449b
SHA1: dcdff5864a3c81c6dd96e725988522778b5497f7
SHA256: c99c7a8578006b80618e1952547d39f30cce4403858590de491c429349f2d612
SHA512: c029ed02653a621b3f1aca414b10d9d4ab0594b09fdb61f758ca013843be71d1e60de7ca8182ea8bb431437fb14b7387dca72146f5dd03f707c144a0c5814484