Analysis
  max time kernel: 149s
  max time network: 146s
  platform: windows10-2004_x64
  resource: win10v2004-20240709-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 23-07-2024 06:40

Static task: static1
Behavioral task: behavioral1
  Sample: DHL Shipment Document Waybill .exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: DHL Shipment Document Waybill .exe
  Resource: win10v2004-20240709-en
General
  Target: DHL Shipment Document Waybill .exe
  Size: 1.7MB
  MD5: 658e8867a46096faafb9939ba1faeb1a
  SHA1: bfe077b029a1a6d4beeda154fa706f4ff0cfff82
  SHA256: 589b172cac7eb931e013d04820f31d1e7f6b7d710d1155dbb64ebb6c2fa2826a
  SHA512: ead89fa50f5c499e04fccf187257ca634d6168de6a662fa139282e871447a361ca33fd94a96b152a9324af2bc532c9fa2045af945dd0a86a11909aeac770689b
  SSDEEP: 24576:WR3njD6TaOQ5KJh7WXePuq5LktSbm5ktGn:qjD65Q5Kz7WXJq5Lkt6m/n
Malware Config
Extracted
  Family: remcos
  Botnet: Dollar Man
  C2: 178.23.190.118:52499
  audio_folder: MicRecords
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: remcos.exe
  copy_folder: Remcos
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: false
  keylog_crypt: false
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: remcos
  mouse_option: false
  mutex: Rmc-SJ9MVF
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  take_screenshot_option: false
  take_screenshot_time: 5
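The extracted config above is what an analyst hunts from, but the flags matter as much as the paths: with install_flag, keylog_flag and the screenshot options all false, this build leaves no copy, no autorun and no log files on disk, so the durable host indicator is the mutex and the network indicator is the C2. The following Python is an added example written for this report (not tria.ge code and not part of the sample); CONFIG reproduces the extracted values, the flag semantics follow the Remcos builder options, and the base directory for copy_folder/keylog_folder, which is not in the extracted config, is a parameter defaulting to %AppData% as an assumption.

```python
"""Turn an extracted Remcos config into concrete hunting artifacts.

Added example for this report; not tria.ge code and not part of the sample.
CONFIG reproduces the values extracted above. Assumption: the install base
directory for copy_folder/keylog_folder is %AppData% (that setting was not
part of the extracted config).
"""
import ntpath
from dataclasses import dataclass, field

CONFIG = {  # transcribed from the Malware Config section above
    "family": "remcos",
    "botnet": "Dollar Man",
    "c2": ["178.23.190.118:52499"],
    "mutex": "Rmc-SJ9MVF",
    "install_flag": False,
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_flag": False,
    "keylog_crypt": False,
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_flag": False,
    "take_screenshot_option": False,
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
    "audio_folder": "MicRecords",
}


@dataclass
class Artifacts:
    c2: list = field(default_factory=list)       # (host, port) tuples
    mutexes: list = field(default_factory=list)
    files: list = field(default_factory=list)    # paths expected on disk
    notes: list = field(default_factory=list)    # why something is NOT expected


def parse_c2(entry):
    """'host:port' -> (host, port); reject entries with no usable port
    instead of silently hunting a bare host."""
    host, sep, port = entry.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"C2 entry without a valid port: {entry!r}")
    return host, int(port)


def expected_artifacts(cfg, install_base="%AppData%"):
    """Derive what should (and should not) exist on a host running this build."""
    a = Artifacts()
    a.c2 = [parse_c2(e) for e in cfg["c2"]]
    a.mutexes.append(cfg["mutex"])  # created at start-up regardless of flags

    if cfg["install_flag"]:
        a.files.append(ntpath.join(install_base, cfg["copy_folder"], cfg["copy_file"]))
    else:
        a.notes.append("install_flag=false: no on-disk copy or autorun; the implant "
                       "lives only in the hollowed host, so hunt the mutex and the C2")

    if cfg["keylog_flag"]:
        path = ntpath.join(install_base, cfg["keylog_folder"], cfg["keylog_file"])
        a.files.append(path + (" (encrypted)" if cfg["keylog_crypt"] else " (plaintext)"))
    else:
        a.notes.append("keylog_flag=false: no offline keylog file expected on disk")

    if cfg["screenshot_flag"] or cfg["take_screenshot_option"]:
        a.files.append(ntpath.join(cfg["screenshot_path"], cfg["screenshot_folder"]))
    else:
        a.notes.append("screenshot options false: no Screenshots folder expected")
    return a


if __name__ == "__main__":
    art = expected_artifacts(CONFIG)
    print("C2:", art.c2)
    print("mutex:", art.mutexes)
    print("files:", art.files or "(none)")
    for n in art.notes:
        print("note:", n)
```

Running it against this report's config yields an empty file list and three notes; flipping install_flag to true adds %AppData%\Remcos\remcos.exe, which is the path a disk-based hunt would otherwise look for in vain.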
Signatures

Detected Nirsoft tools (9 IoCs)
Free utilities often used by attackers which can steal passwords, product keys, etc.
  resource                                                                     yara_rule
  behavioral2/memory/4992-30-0x0000000000400000-0x0000000000462000-memory.dmp  Nirsoft
  behavioral2/memory/3232-34-0x0000000000400000-0x0000000000424000-memory.dmp  Nirsoft
  behavioral2/memory/3232-38-0x0000000000400000-0x0000000000424000-memory.dmp  Nirsoft
  behavioral2/memory/4992-39-0x0000000000400000-0x0000000000462000-memory.dmp  Nirsoft
  behavioral2/memory/4992-33-0x0000000000400000-0x0000000000462000-memory.dmp  Nirsoft
  behavioral2/memory/2416-32-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft
  behavioral2/memory/3232-31-0x0000000000400000-0x0000000000424000-memory.dmp  Nirsoft
  behavioral2/memory/2416-29-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft
  behavioral2/memory/2416-41-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft

NirSoft MailPassView (3 IoCs)
Password recovery tool for various email clients
  resource                                                                     yara_rule
  behavioral2/memory/4992-30-0x0000000000400000-0x0000000000462000-memory.dmp  MailPassView
  behavioral2/memory/4992-39-0x0000000000400000-0x0000000000462000-memory.dmp  MailPassView
  behavioral2/memory/4992-33-0x0000000000400000-0x0000000000462000-memory.dmp  MailPassView

NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
  resource                                                                     yara_rule
  behavioral2/memory/2416-32-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView
  behavioral2/memory/2416-29-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView
  behavioral2/memory/2416-41-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
  Process: wmplayer.exe

Suspicious use of SetThreadContext (4 IoCs)
  source PID  source process                      target PID  procid_target
  4164        DHL Shipment Document Waybill .exe  4300        91
  4300        wmplayer.exe                        2416        98
  4300        wmplayer.exe                        4992        99
  4300        wmplayer.exe                        3232        100

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID   Process       count
  2416  wmplayer.exe  4
  3232  wmplayer.exe  2

Suspicious behavior: MapViewOfSection (3 IoCs)
  PID   Process       count
  4300  wmplayer.exe  3

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              PID   Process
  Token: SeDebugPrivilege  4164  DHL Shipment Document Waybill .exe
  Token: SeDebugPrivilege  3232  wmplayer.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  PID   Process
  4300  wmplayer.exe

Suspicious use of WriteProcessMemory (57 IoCs; identical entries collapsed, count per row)
  source PID  source process                      target PID  procid_target  count
  4164        DHL Shipment Document Waybill .exe  3004        86             10
  4164        DHL Shipment Document Waybill .exe  2308        89             10
  4164        DHL Shipment Document Waybill .exe  552         90             10
  4164        DHL Shipment Document Waybill .exe  4300        91             12
  4164        DHL Shipment Document Waybill .exe  5080        92             3
  4300        wmplayer.exe                        2416        98             4
  4300        wmplayer.exe                        4992        99             4
  4300        wmplayer.exe                        3232        100            4
Processes

[1] C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe  (PID 4164)
    command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Document Waybill .exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\cmd.exe  (PID 3004)
        command line: "C:\Windows\System32\cmd.exe"

    [2] C:\Windows\System32\notepad.exe  (PID 2308)
        command line: "C:\Windows\System32\notepad.exe"

    [2] C:\Windows\System32\svchost.exe  (PID 552)
        command line: "C:\Windows\System32\svchost.exe"

    [2] C:\Program Files (x86)\Windows Media Player\wmplayer.exe  (PID 4300)
        command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files (x86)\Windows Media Player\wmplayer.exe  (PID 2416)
            command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fwriddtlwcimvrtujlvawlkbze"
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Program Files (x86)\Windows Media Player\wmplayer.exe  (PID 4992)
            command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\Admin\AppData\Local\Temp\pqwbevefkkarxxhyavqbhyxkhkpscy"
            - Accesses Microsoft Outlook accounts

        [3] C:\Program Files (x86)\Windows Media Player\wmplayer.exe  (PID 3232)
            command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /stext "C:\Users\Admin\AppData\Local\Temp\asjufophyssehlvckgdvklrbqrhbvjdfk"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Program Files (x86)\Windows Media Player\wmplayer.exe  (PID 5080)
        command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
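Read together, the SetThreadContext and WriteProcessMemory tables and the process tree describe a two-stage hollowing chain: the dropper (4164) writes to several spawned system binaries but only completes the thread-context swap into wmplayer.exe (4300); that hollowed instance then hollows three further wmplayer.exe children, each started with NirSoft's "/stext <file>" switch, which matches the MailPassView and WebBrowserPassView YARA hits on PIDs 4992 and 2416. The Python below is an added example written for this report (not tria.ge code and not part of the sample) that reconstructs that chain from the report's own IoCs. EVENTS and PROCESSES are transcribed from the sections above; the two heuristics (a target counts as hollowed only when it received both a memory write and a thread-context change from the same source; a hollowed host with a /stext command line is a credential-recovery run) are the editor's own.

```python
"""Reconstruct the process-hollowing chain from sandbox injection IoCs.

Added example for this report; not tria.ge code and not part of the sample.
EVENTS and PROCESSES are transcribed from the Signatures and Processes
sections above. Heuristics (editor's own):
  * hollowed = same source both wrote to the target AND set its thread
    context; a bare WriteProcessMemory (cmd.exe, notepad.exe, svchost.exe,
    PID 5080 here) is not enough;
  * a hollowed host whose command line carries NirSoft's /stext switch is
    reported as a credential-recovery run.
"""
import ntpath
import re
from collections import defaultdict

# (api, source pid, target pid): one entry per distinct pair in the report
EVENTS = [
    ("SetThreadContext", 4164, 4300),
    ("SetThreadContext", 4300, 2416),
    ("SetThreadContext", 4300, 4992),
    ("SetThreadContext", 4300, 3232),
    ("WriteProcessMemory", 4164, 3004),
    ("WriteProcessMemory", 4164, 2308),
    ("WriteProcessMemory", 4164, 552),
    ("WriteProcessMemory", 4164, 4300),
    ("WriteProcessMemory", 4164, 5080),
    ("WriteProcessMemory", 4300, 2416),
    ("WriteProcessMemory", 4300, 4992),
    ("WriteProcessMemory", 4300, 3232),
]

WMP = r"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TMP + r"\DHL Shipment Document Waybill .exe"

# pid -> (image, command line), from the Processes section
PROCESSES = {
    4164: (DROPPER, '"' + DROPPER + '"'),
    3004: (r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    2308: (r"C:\Windows\System32\notepad.exe", r'"C:\Windows\System32\notepad.exe"'),
    552: (r"C:\Windows\System32\svchost.exe", r'"C:\Windows\System32\svchost.exe"'),
    4300: (WMP, '"' + WMP + '"'),
    2416: (WMP, '"' + WMP + '" /stext "' + TMP + r'\fwriddtlwcimvrtujlvawlkbze"'),
    4992: (WMP, '"' + WMP + '" /stext "' + TMP + r'\pqwbevefkkarxxhyavqbhyxkhkpscy"'),
    3232: (WMP, '"' + WMP + '" /stext "' + TMP + r'\asjufophyssehlvckgdvklrbqrhbvjdfk"'),
    5080: (WMP, '"' + WMP + '"'),
}

STEXT = re.compile(r'/stext\s+"([^"]+)"', re.IGNORECASE)


def hollowed_edges(events):
    """{source pid: {target pids}} for targets that got BOTH a memory write
    and a thread-context change from that source."""
    wrote, ctx = defaultdict(set), defaultdict(set)
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            wrote[src].add(dst)
        elif api == "SetThreadContext":
            ctx[src].add(dst)
    return {src: wrote[src] & ctx[src] for src in wrote if wrote[src] & ctx[src]}


def hollowed_pids(events):
    """Every PID that was hollowed by anyone."""
    return set().union(*hollowed_edges(events).values())


def hollowing_chains(events, root):
    """Depth-first walk of the hollowing edges from `root`; returns each
    root-to-leaf chain as a list of PIDs (none if root hollowed nothing)."""
    edges = hollowed_edges(events)
    chains = []

    def walk(path):
        extended = False
        for dst in sorted(edges.get(path[-1], ())):
            if dst not in path:  # cyclic IoC data: stop instead of looping
                extended = True
                walk(path + [dst])
        if not extended and len(path) > 1:
            chains.append(path)

    walk([root])
    return chains


def stext_runs(processes, events):
    """{pid: (image, output file)} for hollowed processes whose command line
    carries NirSoft's /stext switch: a signed image running a recovery tool."""
    hollowed = hollowed_pids(events)
    out = {}
    for pid, (image, cmdline) in processes.items():
        m = STEXT.search(cmdline)
        if m and pid in hollowed:
            out[pid] = (image, m.group(1))
    return out


if __name__ == "__main__":
    for chain in hollowing_chains(EVENTS, 4164):
        print(" -> ".join(f"{pid} {ntpath.basename(PROCESSES[pid][0])}" for pid in chain))
    for pid, (image, outfile) in sorted(stext_runs(PROCESSES, EVENTS).items()):
        print(f"PID {pid}: hollowed {ntpath.basename(image)}, /stext output -> {outfile}")
```

On this report the chains are 4164 -> 4300 -> {2416, 3232, 4992}, and the three leaves are the /stext runs; 5080, which received writes but no thread-context change, is correctly left out, as are cmd.exe, notepad.exe and svchost.exe.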
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped file 1
  Filesize: 144B
  MD5: 04512e6b2ee2ac7468968beefa67d16d
  SHA1: b3a5f5437d3da35ee96ee91431337f202116c42c
  SHA256: 70079e76d2db0e3f389bbba98fbc9e06fefacb75f2a7041f3779b7cf65eb79ff
  SHA512: e9d122d7dde1367652803d7187f3f22a0cbe6e98407dbb68e4173c00f6d6e60bb05fbe2271349209b23ee140a611e620935a4548428985c8afda789cd4e15f25

Dropped file 2
  Filesize: 4KB
  MD5: 982ebb238759653970e22ee9fad24470
  SHA1: 15fca6be8cc4a276c9f70a73f28c52c3b0eead15
  SHA256: c8b9cad5602932ea51b923f39f4b2d9aedf1f4915880d89032ab6636acaf9bea
  SHA512: c8777edf0dd3e72e0cf3bb89db2bc7856fed0eeca7199806fec341e9168899e3b700c73a6b2e7cb0e8ccc5523116d6ecfde5c9ebcc83288a162dd1b0ea78201b