Analysis
max time kernel: 149s
max time network: 148s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 25-07-2024 12:23
Static task: static1
Behavioral task: behavioral1
  Sample: New Order/New Order.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: New Order/New Order.exe
  Resource: win10v2004-20240709-en
General
Target: New Order/New Order.exe
Size: 1.2MB
MD5: c0e50e153821fdba68d783254a794c63
SHA1: b99dda8b034c99f4b9b1f3716c12ff6e7b626a85
SHA256: 26bda50a50585e0ed397cdb85e4d5d77094d61110e7646d368e5a3a9c26c1873
SHA512: 5562fdd982eddb7310aea44b70af3a1a17745b0aba209014e662aeed5bb82b36952a3524edcad902f9903a2fe1a3a8938dbcf245c1f79e14edec1f1a266037d3
SSDEEP: 24576:4N/BUBb+tYjBFHTxpZ7pQw6mtgbyi0nKcdDppTs0bydWy2UE43YlLuEwnps:8pUlRhlTlb6mkyDK+llLuEwG
Malware Config
Extracted: remcos
RemoteHost: 91.92.246.111:2404
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-K0K14W
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
- Executes dropped EXE (IoCs: 1)
  Processes:
    pid 2692  bxiemh.mp2
- Loads dropped DLL (IoCs: 1)
  Processes:
    pid 2576  cmd.exe
- Suspicious use of SetThreadContext (IoCs: 1)
  Processes (description / pid / process / target process):
    PID 2692 set thread context of 276  2692  bxiemh.mp2  RegSvcs.exe
- Enumerates physical storage devices (TTPs: 1)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (TTPs: 1, IoCs: 9)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (each opened the key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language):
    RegSvcs.exe
    New Order.exe
    cmd.exe
    ipconfig.exe
    cmd.exe
    WScript.exe
    cmd.exe
    bxiemh.mp2
    ipconfig.exe
- Gathers network information (TTPs: 2, IoCs: 2)
  Uses commandline utility to view network configuration.
  Processes:
    pid 2644  ipconfig.exe
    pid 652   ipconfig.exe
- Suspicious behavior: EnumeratesProcesses (IoCs: 8)
  Processes:
    pid 2692  bxiemh.mp2  (8 events)
- Suspicious use of FindShellTrayWindow (IoCs: 1)
  Processes:
    pid 276  RegSvcs.exe
- Suspicious use of SendNotifyMessage (IoCs: 1)
  Processes:
    pid 276  RegSvcs.exe
- Suspicious use of WriteProcessMemory (IoCs: 37)
  Processes (description / pid / process / target process; repeated identical events collapsed with their count):
    PID 2324 wrote to memory of 2848  2324  New Order.exe  WScript.exe   (4 events)
    PID 2848 wrote to memory of 2616  2848  WScript.exe    cmd.exe       (4 events)
    PID 2848 wrote to memory of 2576  2848  WScript.exe    cmd.exe       (4 events)
    PID 2616 wrote to memory of 2644  2616  cmd.exe        ipconfig.exe  (4 events)
    PID 2576 wrote to memory of 2692  2576  cmd.exe        bxiemh.mp2    (4 events)
    PID 2848 wrote to memory of 1312  2848  WScript.exe    cmd.exe       (4 events)
    PID 1312 wrote to memory of 652   1312  cmd.exe        ipconfig.exe  (4 events)
    PID 2692 wrote to memory of 276   2692  bxiemh.mp2     RegSvcs.exe   (9 events)
Processes (indented by process tree depth)
- C:\Users\Admin\AppData\Local\Temp\New Order\New Order.exe (PID 2324)
  Command line: "C:\Users\Admin\AppData\Local\Temp\New Order\New Order.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 2848)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\dwig.vbe"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2616)
      Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ipconfig.exe (PID 2644)
        Command line: ipconfig /release
        Signatures: System Location Discovery: System Language Discovery; Gathers network information
    - C:\Windows\SysWOW64\cmd.exe (PID 2576)
      Command line: "C:\Windows\System32\cmd.exe" /c bxiemh.mp2 lbovaq.mp3
      Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\RarSFX0\bxiemh.mp2 (PID 2692)
        Command line: bxiemh.mp2 lbovaq.mp3
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 276)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Signatures: System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
    - C:\Windows\SysWOW64\cmd.exe (PID 1312)
      Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ipconfig.exe (PID 652)
        Command line: ipconfig /renew
        Signatures: System Location Discovery: System Language Discovery; Gathers network information
Network
MITRE ATT&CK Enterprise v15
Downloads