Analysis
max time kernel: 58s
max time network: 38s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-07-2024 06:56
Static task: static1
Behavioral task: behavioral1
Sample: Purchase _Order_0000089.exe
Resource: win10v2004-20240709-en
General
Target: Purchase _Order_0000089.exe
Size: 2.4MB
MD5: 9ce741958a80db120217ebad36bd9652
SHA1: 2fbe96d1026784335b854dd5d8e0ecd8d49efade
SHA256: b598665f15c6c098ecfc2c5185cb43946c0dfecd9e2f13f8f3d59b185eb73f02
SHA512: 868c872e076a9c33dec96c12ede32c051efcc45647b6b005a7668d0699dff724951381cc666e38838046d8c618e9c2f995b989dbc00ba26f16db11b70c92ebbd
SSDEEP: 24576:8IfaFn//NKZDqt+WgUGMXxRfTTcGL0n7ZhZv86hV6:T2oDqGMXxRfTTcD7ZhZUi6
Malware Config
Extracted
remcos
2560
107.173.4.16:2560
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-L6F79W
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Detected Nirsoft tools (7 IoCs)
Free utilities often used by attackers which can steal passwords, product keys, etc.
Processes:
resource | yara_rule
behavioral1/memory/3460-34-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
behavioral1/memory/2436-33-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral1/memory/4596-32-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral1/memory/4596-30-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral1/memory/2436-28-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral1/memory/3460-31-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
behavioral1/memory/4596-39-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients
Processes:
resource | yara_rule
behavioral1/memory/3460-34-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView
behavioral1/memory/3460-31-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView
NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
Processes:
resource | yara_rule
behavioral1/memory/4596-32-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
behavioral1/memory/4596-30-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
behavioral1/memory/4596-39-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
Processes: csc.exe
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | csc.exe
Suspicious use of SetThreadContext (4 IoCs)
Processes: Purchase _Order_0000089.exe, csc.exe
description | pid | Process | procid_target
PID 756 set thread context of 2920 | 756 | Purchase _Order_0000089.exe | 94
PID 2920 set thread context of 4596 | 2920 | csc.exe | 101
PID 2920 set thread context of 3460 | 2920 | csc.exe | 102
PID 2920 set thread context of 2436 | 2920 | csc.exe | 103
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: csc.exe, csc.exe
pid | Process
4596 | csc.exe
4596 | csc.exe
2436 | csc.exe
2436 | csc.exe
4596 | csc.exe
4596 | csc.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: csc.exe
pid | Process
2920 | csc.exe
Suspicious behavior: MapViewOfSection (3 IoCs)
Processes: csc.exe
pid | Process
2920 | csc.exe
2920 | csc.exe
2920 | csc.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Purchase _Order_0000089.exe, csc.exe
description | pid | Process
Token: SeDebugPrivilege | 756 | Purchase _Order_0000089.exe
Token: SeDebugPrivilege | 2436 | csc.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: csc.exe
pid | Process
2920 | csc.exe
Suspicious use of WriteProcessMemory (43 IoCs)
Processes: Purchase _Order_0000089.exe, csc.exe
description | pid | Process | procid_target
PID 756 wrote to memory of 3024 | 756 | Purchase _Order_0000089.exe | 88
PID 756 wrote to memory of 3024 | 756 | Purchase _Order_0000089.exe | 88
PID 756 wrote to memory of 3024 | 756 | Purchase _Order_0000089.exe | 88
PID 756 wrote to memory of 868 | 756 | Purchase _Order_0000089.exe | 89
PID 756 wrote to memory of 868 | 756 | Purchase _Order_0000089.exe | 89
PID 756 wrote to memory of 868 | 756 | Purchase _Order_0000089.exe | 89
PID 756 wrote to memory of 5004 | 756 | Purchase _Order_0000089.exe | 93
PID 756 wrote to memory of 5004 | 756 | Purchase _Order_0000089.exe | 93
PID 756 wrote to memory of 5004 | 756 | Purchase _Order_0000089.exe | 93
PID 756 wrote to memory of 5004 | 756 | Purchase _Order_0000089.exe | 93
PID 756 wrote to memory of 5004 | 756 | Purchase _Order_0000089.exe | 93
PID 756 wrote to memory of 5004 | 756 | Purchase _Order_0000089.exe | 93
PID 756 wrote to memory of 5004 | 756 | Purchase _Order_0000089.exe | 93
PID 756 wrote to memory of 5004 | 756 | Purchase _Order_0000089.exe | 93
PID 756 wrote to memory of 5004 | 756 | Purchase _Order_0000089.exe | 93
PID 756 wrote to memory of 5004 | 756 | Purchase _Order_0000089.exe | 93
PID 756 wrote to memory of 2920 | 756 | Purchase _Order_0000089.exe | 94
PID 756 wrote to memory of 2920 | 756 | Purchase _Order_0000089.exe | 94
PID 756 wrote to memory of 2920 | 756 | Purchase _Order_0000089.exe | 94
PID 756 wrote to memory of 2920 | 756 | Purchase _Order_0000089.exe | 94
PID 756 wrote to memory of 2920 | 756 | Purchase _Order_0000089.exe | 94
PID 756 wrote to memory of 2920 | 756 | Purchase _Order_0000089.exe | 94
PID 756 wrote to memory of 2920 | 756 | Purchase _Order_0000089.exe | 94
PID 756 wrote to memory of 2920 | 756 | Purchase _Order_0000089.exe | 94
PID 756 wrote to memory of 2920 | 756 | Purchase _Order_0000089.exe | 94
PID 756 wrote to memory of 2920 | 756 | Purchase _Order_0000089.exe | 94
PID 756 wrote to memory of 2920 | 756 | Purchase _Order_0000089.exe | 94
PID 756 wrote to memory of 2920 | 756 | Purchase _Order_0000089.exe | 94
PID 756 wrote to memory of 1348 | 756 | Purchase _Order_0000089.exe | 95
PID 756 wrote to memory of 1348 | 756 | Purchase _Order_0000089.exe | 95
PID 756 wrote to memory of 1348 | 756 | Purchase _Order_0000089.exe | 95
PID 2920 wrote to memory of 4596 | 2920 | csc.exe | 101
PID 2920 wrote to memory of 4596 | 2920 | csc.exe | 101
PID 2920 wrote to memory of 4596 | 2920 | csc.exe | 101
PID 2920 wrote to memory of 4596 | 2920 | csc.exe | 101
PID 2920 wrote to memory of 3460 | 2920 | csc.exe | 102
PID 2920 wrote to memory of 3460 | 2920 | csc.exe | 102
PID 2920 wrote to memory of 3460 | 2920 | csc.exe | 102
PID 2920 wrote to memory of 3460 | 2920 | csc.exe | 102
PID 2920 wrote to memory of 2436 | 2920 | csc.exe | 103
PID 2920 wrote to memory of 2436 | 2920 | csc.exe | 103
PID 2920 wrote to memory of 2436 | 2920 | csc.exe | 103
PID 2920 wrote to memory of 2436 | 2920 | csc.exe | 103
Processes
(indentation reflects the process-tree depth reported by the sandbox: level 1 is the submitted sample, level 2 its children, level 3 their children)

[1] C:\Users\Admin\AppData\Local\Temp\Purchase _Order_0000089.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase _Order_0000089.exe"
    PID: 756
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
        PID: 3024

    [2] C:\Program Files (x86)\Windows Mail\wab.exe
        Command line: "C:\Program Files (x86)\Windows Mail\wab.exe"
        PID: 868

    [2] C:\Windows\System32\svchost.exe
        Command line: "C:\Windows\System32\svchost.exe"
        PID: 5004

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
        PID: 2920
        - Suspicious use of SetThreadContext
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\rvxapizbbhvecakbginhbfpymzu"
            PID: 4596
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\bxckiakdppnjmpgnytaimskpvneysr"
            PID: 3460
            - Accesses Microsoft Outlook accounts

        [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\drhdjtvwlyfwpvurhencpxwgduvglcofhc"
            PID: 2436
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
        PID: 1348
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 144B
MD5: 5d684acd522be8be840b07586a4a3d63
SHA1: bc3da7423ca20cd080cbc1a2c452ae685a4a11f2
SHA256: 8c935581b61b6bdeb5e487473de8ba42613b7d469cc1a8de26d53965fcaba167
SHA512: 0d667d1e1bf8b6476236518c02e745d0550fe05378c36e0767c107beee4a46bf022d56e768112604ad4312feeed3a1da3cdface8e30cc814690328782d6cb158

Filesize: 4KB
MD5: 982ebb238759653970e22ee9fad24470
SHA1: 15fca6be8cc4a276c9f70a73f28c52c3b0eead15
SHA256: c8b9cad5602932ea51b923f39f4b2d9aedf1f4915880d89032ab6636acaf9bea
SHA512: c8777edf0dd3e72e0cf3bb89db2bc7856fed0eeca7199806fec341e9168899e3b700c73a6b2e7cb0e8ccc5523116d6ecfde5c9ebcc83288a162dd1b0ea78201b