Analysis
-
max time kernel
151s
-
max time network
152s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240709-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
13-07-2024 04:31
Static task
static1
Behavioral task
behavioral1
Sample
Factura037277283695777055236096556001416634813574290050475660034226497919.exe
Resource
win7-20240705-en
General
-
Target
Factura037277283695777055236096556001416634813574290050475660034226497919.exe
-
Size
235.0MB
-
MD5
5fbcdbcc0bb08f6e1741cbdde72d73d8
-
SHA1
44efce93b75de925ae0be0a73011dabef724f5ea
-
SHA256
15a4367f675522dceb487e74a5c58e6ccf608484899b8f70f43c19b791e47a70
-
SHA512
ec4c2f58df3ce5bbb8b62e8bc9368ff06c6cbf7f1d00b73844117add1e1982e08c1032377340e71c9d0ed39f4fbea9c57b12983057655aa3fcd2797c89117eca
-
SSDEEP
12288:uJZh698faB+XA6T/xSpaBjmZmIq0t6E940To:c/6qfYOpSpOmbjP4u
Malware Config
Extracted
remcos
Start
185.196.9.78:24041
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
log.dat
-
keylog_flag
false
-
keylog_folder
System01
-
mouse_option
false
-
mutex
Rmcxyz1-AEDW2I
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
5812  AdobeSg.exe
3204  AdobeSg.exe
6084  AdobeSg.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
Processes (description, pid, process -> target process):
PID 3904 set thread context of 5980 (3904 Factura037277283695777055236096556001416634813574290050475660034226497919.exe -> vbc.exe)
PID 5812 set thread context of 6008 (5812 AdobeSg.exe -> vbc.exe)
PID 3204 set thread context of 1704 (3204 AdobeSg.exe -> vbc.exe)
PID 6084 set thread context of 5784 (6084 AdobeSg.exe -> vbc.exe)
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
5424  schtasks.exe
1632  schtasks.exe
5956  schtasks.exe
1824  schtasks.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
5980  vbc.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (64 entries; identical entries are grouped, with the number of repetitions in front):
12x  PID 3904 Factura037277283695777055236096556001416634813574290050475660034226497919.exe wrote to memory of 5980 vbc.exe
 3x  PID 3904 Factura037277283695777055236096556001416634813574290050475660034226497919.exe wrote to memory of 5904 cmd.exe
 3x  PID 3904 Factura037277283695777055236096556001416634813574290050475660034226497919.exe wrote to memory of 388 cmd.exe
 3x  PID 388 cmd.exe wrote to memory of 1824 schtasks.exe
 3x  PID 3904 Factura037277283695777055236096556001416634813574290050475660034226497919.exe wrote to memory of 4288 cmd.exe
12x  PID 5812 AdobeSg.exe wrote to memory of 6008 vbc.exe
 3x  PID 5812 AdobeSg.exe wrote to memory of 5664 cmd.exe
 3x  PID 5812 AdobeSg.exe wrote to memory of 5628 cmd.exe
 3x  PID 5628 cmd.exe wrote to memory of 5424 schtasks.exe
 3x  PID 5812 AdobeSg.exe wrote to memory of 5372 cmd.exe
12x  PID 3204 AdobeSg.exe wrote to memory of 1704 vbc.exe
 3x  PID 3204 AdobeSg.exe wrote to memory of 4856 cmd.exe
 1x  PID 3204 AdobeSg.exe wrote to memory of 3620 cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Factura037277283695777055236096556001416634813574290050475660034226497919.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Factura037277283695777055236096556001416634813574290050475660034226497919.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 3904
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Suspicious use of SetWindowsHookEx
      PID: 5980
    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AdobeSg"
      PID: 5904
    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
      - Suspicious use of WriteProcessMemory
      PID: 388
        C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
          - Scheduled Task/Job: Scheduled Task
          PID: 1824
    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Factura037277283695777055236096556001416634813574290050475660034226497919.exe" "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe"
      PID: 4288
-
C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
  command line: C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 5812
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 6008
    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AdobeSg"
      PID: 5664
    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
      - Suspicious use of WriteProcessMemory
      PID: 5628
        C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
          - Scheduled Task/Job: Scheduled Task
          PID: 5424
    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe" "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe"
      PID: 5372
-
C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
  command line: C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 3204
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 1704
    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AdobeSg"
      PID: 4856
    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
      PID: 3620
        C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
          - Scheduled Task/Job: Scheduled Task
          PID: 1632
    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe" "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe"
      PID: 780
-
C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
  command line: C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 6084
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 5784
    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AdobeSg"
      PID: 5176
    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
      PID: 3428
        C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe'" /f
          - Scheduled Task/Job: Scheduled Task
          PID: 5956
    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe" "C:\Users\Admin\AppData\Roaming\AdobeSg\AdobeSg.exe"
      PID: 4396
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
144B
MD5
90b77e43bd11c96a07394cfb9546f001
SHA1
afe6ec3016cb193e120af92083413fe86ca6039c
SHA256
4bc51671390c40b9ffda53d61ac551f091c0c37966142140ac43fe1acd1df9d8
SHA512
b79448183f92f1bf1d3d9a7ad5c321a25d57cdd0dcefd03bb4209329289f723a6b7d22336b2dfc58f4e298d291d48511a500190e4e92cc13506da6b0814960e5
-
Filesize
425B
MD5
4eaca4566b22b01cd3bc115b9b0b2196
SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1