Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system -
submitted
26-07-2024 07:13
Static task
static1
Behavioral task
behavioral1
Sample
f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe
Resource
win10v2004-20240709-en
General
-
Target
f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe
-
Size
1012KB
-
MD5
76f0c357433481769888394f7ec8bbf9
-
SHA1
697d38057244b433fc2ffdd8dfd2c086ed5424dc
-
SHA256
f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2
-
SHA512
6134a2b040b0e90da261ac27fc0bea64c8e85ec00f9c9e094b5dffe2b0123361ffe20906ef277bc9fc0df52e43339ea4923e2de9d80eb52b5f2f522f50403499
-
SSDEEP
12288:lb1QnmdWT07TXFQP5jzXuAJjeHxT6exqDa5ciqDBeVPwbjuWbNa6a14xUzxHV+cm:lb1H/Ha53JCFvrePCIbQ6SjdHUII3
Malware Config
Extracted
remcos
RemoteHost
31.43.185.8:2202
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-LTXXML
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description            pid   process         target process
PID 1480 created 1256  1480  Travelling.pif  Explorer.EXE
-
Deletes itself 1 IoCs
Processes:
pid   process
1480  Travelling.pif
-
Drops startup file 2 IoCs
Processes:
description                   ioc                                                                                         process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url  cmd.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url  cmd.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
1480  Travelling.pif
-
Loads dropped DLL 1 IoCs
Processes:
pid   process
2844  cmd.exe
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
pid   process
2252  tasklist.exe
1636  tasklist.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes:
description  ioc                                                          process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Travelling.pif
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  findstr.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
pid   process
1480  Travelling.pif  (12 identical entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2252  tasklist.exe
Token: SeDebugPrivilege  1636  tasklist.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid   process
1480  Travelling.pif  (3 identical entries)
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid   process
1480  Travelling.pif  (3 identical entries)
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes:
description                       pid   process                                                                 target process
PID 860 wrote to memory of 2844   860   f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe  cmd.exe         (4 identical entries)
PID 2844 wrote to memory of 2252  2844  cmd.exe                                                                 tasklist.exe    (4 identical entries)
PID 2844 wrote to memory of 2224  2844  cmd.exe                                                                 findstr.exe     (4 identical entries)
PID 2844 wrote to memory of 1636  2844  cmd.exe                                                                 tasklist.exe    (4 identical entries)
PID 2844 wrote to memory of 2800  2844  cmd.exe                                                                 findstr.exe     (4 identical entries)
PID 2844 wrote to memory of 2772  2844  cmd.exe                                                                 cmd.exe         (4 identical entries)
PID 2844 wrote to memory of 2936  2844  cmd.exe                                                                 cmd.exe         (4 identical entries)
PID 2844 wrote to memory of 2960  2844  cmd.exe                                                                 cmd.exe         (4 identical entries)
PID 2844 wrote to memory of 1480  2844  cmd.exe                                                                 Travelling.pif  (4 identical entries)
PID 2844 wrote to memory of 2812  2844  cmd.exe                                                                 PING.EXE        (4 identical entries)
PID 1480 wrote to memory of 2652  1480  Travelling.pif                                                          cmd.exe         (4 identical entries)
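The "Drops startup file" signature above records a MindSync.url being written into the per-user Startup folder; the process tree further down shows it is an [InternetShortcut] whose URL= value is a quoted local path to a .js file under AppData\Local. The following is an added example (not part of this report and not vendor detection content) that parses .url shortcut contents and flags targets that are local scripts or executables, or that live in user-writable directories. It runs on constructed shortcut contents, the first of which mirrors what the report's echo commands write; the file: URL and UNC cases are assumed extra inputs, not something this sample does.

```python
"""Flag Startup-folder .url shortcuts whose target is a local script/executable.
Added example: parses constructed shortcut text, not a live Startup folder."""
import re
from pathlib import PureWindowsPath
from urllib.parse import unquote, urlparse

# Extensions a Startup .url has no legitimate reason to point at.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".bat",
               ".cmd", ".ps1", ".pif", ".scr", ".com", ".exe", ".dll"}
# Path fragments (lower-case) of locations any standard user can write to.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\",
                 "\\programdata\\", "\\temp\\")


def parse_url_shortcut(text: str):
    """Return the URL= value of the [InternetShortcut] section (quotes stripped), or None."""
    section, target = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "url":
                # The sample writes URL="C:\..." with literal quotes; strip them.
                target = value.strip().strip('"')
    return target


def local_path(target):
    """Map a shortcut target to a Windows path when it is local; None for real web URLs."""
    if not target:
        return None
    parsed = urlparse(target)
    if parsed.scheme.lower() == "file":
        path = unquote(parsed.path)                      # file:///C:/x/y.js -> /C:/x/y.js
        if parsed.netloc:                                # file://server/share/y.js (UNC)
            return "\\\\" + parsed.netloc + path.replace("/", "\\")
        return path.lstrip("/").replace("/", "\\")
    if re.match(r"^[a-zA-Z]:\\", target) or target.startswith("\\\\"):
        return target                                    # bare drive-letter or UNC path
    return None


def assess(text: str) -> dict:
    """Flag a shortcut whose target is a script/executable or sits in a user-writable directory."""
    target = parse_url_shortcut(text)
    path = local_path(target)
    reasons = []
    if path is not None:
        if PureWindowsPath(path).suffix.lower() in SCRIPT_EXTS:
            reasons.append("target is a script or executable")
        if any(frag in path.lower() for frag in USER_WRITABLE):
            reasons.append("target lives in a user-writable directory")
    return {"target": target, "path": path, "suspicious": bool(reasons), "reasons": reasons}


# Constructed contents. MALICIOUS mirrors the two echo commands in this report's
# process tree; BENIGN and FILE_URL are assumed inputs for comparison.
MALICIOUS = ('[InternetShortcut]\r\n'
             'URL="C:\\Users\\Admin\\AppData\\Local\\MindFlow Innovations Co\\MindSync.js"\r\n')
BENIGN = '[InternetShortcut]\r\nURL=https://www.example.com/\r\n'
FILE_URL = '[InternetShortcut]\r\nURL=file:///C:/ProgramData/Updater/run.vbs\r\n'

if __name__ == "__main__":
    for name, content in (("MindSync.url", MALICIOUS), ("benign.url", BENIGN), ("file.url", FILE_URL)):
        print(name, assess(content))
```

On a live host the same check would be run over every *.url in each user's Startup folder and the all-users Startup folder; a target that resolves to a local path at all deserves a look, since a genuine internet shortcut has no reason to be there.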
Processes
-
C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
PID:1256
-
C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\cmd.exe (depth 3)
Command line: "C:\Windows\System32\cmd.exe" /k move Spending Spending.bat & Spending.bat & exit
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\tasklist.exe (depth 4)
Command line: tasklist
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2252 -
C:\Windows\SysWOW64\findstr.exe (depth 4)
Command line: findstr /I "wrsa.exe opssvc.exe"
- System Location Discovery: System Language Discovery
PID:2224 -
C:\Windows\SysWOW64\tasklist.exe (depth 4)
Command line: tasklist
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1636 -
C:\Windows\SysWOW64\findstr.exe (depth 4)
Command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: cmd /c md 4681
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: cmd /c copy /b Nextel + Foot + Carroll + Deviant + Cemetery 4681\Travelling.pif
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: cmd /c copy /b Wiki + Pharmacies + Quilt + Either 4681\E
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Users\Admin\AppData\Local\Temp\4681\Travelling.pif (depth 4)
Command line: 4681\Travelling.pif 4681\E
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\PING.EXE (depth 4)
Command line: ping -n 5 127.0.0.1
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2812 -
C:\Windows\SysWOW64\cmd.exe (depth 2)
Command line: cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url" & echo URL="C:\Users\Admin\AppData\Local\MindFlow Innovations Co\MindSync.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MindSync.url" & exit
- Drops startup file
- System Location Discovery: System Language Discovery
PID:2652
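The process tree above is a complete staging chain: the sample renames an extensionless dropped file to .bat and runs it, the batch checks tasklist output for security-product processes with findstr, reassembles two payload files from named fragments with copy /b, launches the resulting .pif from %TEMP% with the second file as its argument, sleeps with ping to 127.0.0.1, and writes a Startup .url. The following is an added example (not part of this report, not the sandbox's signature logic) of how those command lines can be matched and correlated back to the process that started the chain. The events are constructed from the tree's PIDs and command lines; the rule names, the PASSTHROUGH list and the scoring threshold are this example's own choices. Note the caveat it demonstrates: the report records the .url-writing cmd.exe (PID 2652) under Explorer.EXE, consistent with the NtCreateUserProcessOtherParentProcess signature, so parent-chain correlation attributes that drop to Explorer rather than to the sample.

```python
"""Heuristics for the staged batch-dropper chain in the process tree above,
run over constructed process-creation events. Added example; not sandbox
output and not vendor detection content."""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Process names the sample's findstr commands search for (taken from the report).
AV_NAMES = {"wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
            "nswscsvc.exe", "sophoshealth.exe"}
# LOLBins walked through when attributing a hit to the process that began the chain (assumed list).
PASSTHROUGH = {"cmd.exe", "tasklist.exe", "findstr.exe", "ping.exe"}


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = "f8f72291115d788722cc33cef22e2ef826e221da3ad3c4074debb663281a38b2.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TMP + "\\" + SAMPLE
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed events; PIDs, parents and command lines follow the report's process tree.
EVENTS = [
    Event(1256, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),  # parent not in report
    Event(860, 1256, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    Event(2844, 860, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /k move Spending Spending.bat & Spending.bat & exit'),
    Event(2252, 2844, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    Event(2224, 2844, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    Event(2800, 2844, r"C:\Windows\SysWOW64\findstr.exe",
          'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    Event(2936, 2844, r"C:\Windows\SysWOW64\cmd.exe",
          r"cmd /c copy /b Nextel + Foot + Carroll + Deviant + Cemetery 4681\Travelling.pif"),
    Event(2960, 2844, r"C:\Windows\SysWOW64\cmd.exe",
          r"cmd /c copy /b Wiki + Pharmacies + Quilt + Either 4681\E"),
    Event(1480, 2844, TMP + r"\4681\Travelling.pif", r"4681\Travelling.pif 4681\E"),
    Event(2812, 2844, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 5 127.0.0.1"),
    # Recorded with Explorer.EXE as parent, matching the report's depth-2 placement.
    Event(2652, 1256, r"C:\Windows\SysWOW64\cmd.exe",
          'cmd /k echo [InternetShortcut] > "' + STARTUP + '\\MindSync.url" & exit'),
]

CMDLINE_RULES = {
    # move X X.bat & X.bat: rename an extensionless drop to .bat and run it in one go
    "batch_rename_exec": re.compile(r"\bmove\s+(\S+)\s+\1\.bat\b.*?&\s*\1\.bat\b", re.I),
    # copy /b with three or more fragments, whatever the output name (the payload "E" has no extension)
    "copy_b_concat": re.compile(r"\bcopy\s+/b\s+(?:\S+\s*\+\s*){2,}\S+\s+\S+", re.I),
    # ping -n N 127.0.0.1 is the batch-file idiom for sleep
    "ping_sleep": re.compile(r"\bping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\b", re.I),
    # any .url written into the per-user Startup folder
    "startup_url_drop": re.compile(r"\\Start Menu\\Programs\\Startup\\[^\"<>|]+\.url\b", re.I),
}


def basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def av_probe(ev: Event) -> bool:
    """findstr invoked with a security-product process name in its arguments."""
    if basename(ev.image) != "findstr.exe":
        return False
    return any(tok.strip('"').lower() in AV_NAMES for tok in ev.cmdline.split())


def pif_from_temp(ev: Event) -> bool:
    """A .pif (an executable under a legacy extension) launched out of a Temp directory."""
    low = ev.image.lower()
    return low.endswith(".pif") and "\\appdata\\local\\temp\\" in low


def origin(ev: Event, by_pid: dict) -> int:
    """Nearest ancestor that is not a pass-through LOLBin: the process the hit is charged to."""
    cur = by_pid.get(ev.ppid)
    while cur is not None and basename(cur.image) in PASSTHROUGH and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
    return cur.pid if cur is not None else ev.ppid


def analyze(events):
    """Map origin pid -> list of (rule, pid) hits."""
    by_pid = {e.pid: e for e in events}
    hits = defaultdict(list)
    for ev in events:
        names = [n for n, rx in CMDLINE_RULES.items() if rx.search(ev.cmdline)]
        if av_probe(ev):
            names.append("av_process_probe")
        if pif_from_temp(ev):
            names.append("pif_from_temp")
        for n in names:
            hits[origin(ev, by_pid)].append((n, ev.pid))
    return dict(hits)


def distinct_rules(hit_list):
    return sorted({n for n, _ in hit_list})


def verdict(events, threshold=3):
    """Origins whose descendants trip at least `threshold` distinct rules."""
    return {pid: distinct_rules(h) for pid, h in analyze(events).items()
            if len(distinct_rules(h)) >= threshold}


if __name__ == "__main__":
    for pid, hit_list in analyze(EVENTS).items():
        print(pid, distinct_rules(hit_list))
```

Each rule on its own is noisy (ping to localhost and copy /b both have legitimate uses); the value is in several of them firing under one origin within seconds, which is why the example scores per origin rather than per event. The Startup drop landing under PID 1256 shows why a detector should not rely on the parent chain alone when a process in the chain is known to spoof its parent.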
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
956KB
MD5
58cb40a5a8e893df0b75dbf70ed10162
SHA1
9bc860f702f5b8f6dc2eb437e23ed41362cfceb1
SHA256
4a93e17001bc7b6329e51c9d87661a55194983eb7fd4e856695b39a9dfab2a43
SHA512
3031ee0b19aec56b04e9cfbcf0d4f267f87cdd4ca167b7871607fa58aaa3d68c7dc09a89ffed4c82e982ff3e5b05e1b45e9221fb613eebd9cfcc8e807d6e8fc7
-
Filesize
276KB
MD5
cdf5ce2b2740794fb5638a60c97d6ca7
SHA1
68e967c2267b4631fa8f068bdce84db1f02fe0ed
SHA256
f050298d5a56ae17bececcb622d8115f5f74de3c0c2a261ced812a6b5538d23d
SHA512
3a41ea23b3cc21fe1811ad728addbedf0354052ef134698807c0936113a8c5a403f2220bb76519b5159c4cb90029b49320c71b0f71b89534df0250b9fd3c1d51
-
Filesize
110KB
MD5
47f942807f5dec3c5107788292d0fecd
SHA1
21da1ca4ac2a0dc11c4d30c70f1d7d41025c5116
SHA256
423618830ed07bd79ec3a92b102c504f69942819d126e7538980fcfdd21e254b
SHA512
8622ac215805cfa7766bf0d0e5f25e0b5ebdf1085c34232b2eeb2b4063a4a5abbf7697ce97a26d5a0f4a2abff18c84282fd92ba637dec3911689518d758784de
-
Filesize
170KB
MD5
497d3bd5165a8545a5b4dcf3a842f721
SHA1
41e3dc37a0eb4b0fdd17bc4aa21503022744de08
SHA256
3eb173ae116ea9ae4e6041a352c444ad663a1564767f80061fd50a29c7b7ca85
SHA512
93d8787c5770a93386b4ca12544bf7b5bdbbbf9c1b94f8ba78fa5ec52aa9b53efb1fda4676d2372867cc5f0b78a07bc679dd994a16399b7824dde706de139e48
-
Filesize
206KB
MD5
3ce1f10bafb24d85a3b76ea4d5aa70db
SHA1
37e31294b91bf67cdce1e1d58342f7f97f284e6a
SHA256
c2bd0e0bfd089366a5cd49db1a7f4c9c4b2c6b3c92924319de3a18c7b75a0b32
SHA512
2c0ca237084b3b5e7015a77d7cb3c874e19086ae464ae49a751e4da1c124a243baf6b0d73aee7bfc1f17862fc2f24a9f85f45cac402befd0c7e42a7d68e78f7c
-
Filesize
206KB
MD5
7735d4e2e9fd3e829340f06b7a47e0fc
SHA1
ade0d827c011e03cd3d3a6b4cd544fc4227c5122
SHA256
bc463e36242a65e435fb9894b2803a645df73b7c3e9257065abb5879fcaf204a
SHA512
1dce04c21d60bc459949d8de9bdbb16a75d57f44d92cdef53e00d5c5daa5fc322d3c230b4a99b39e3c044559a90361a6782b7805062ff5feb630c8acc43daed5
-
Filesize
162KB
MD5
fdbd6f9f8d264754709a9a392e5166c2
SHA1
a6026b0a6e26427676a7eba319a0fad436fb5a46
SHA256
9ca8693b734561301b95c2a285578b3559ede64a0fc10fdf85a9ff7ef440e840
SHA512
5c78a6f1ce8526f649e15354973e5f32f2bfa83fd195d934efb403c3c474c3a876b0d732dc0c519c98ab45e2bc25a89c91465b5a99a90ea0cc834c2bde665c83
-
Filesize
248KB
MD5
1bc99d6790ad7980b06e0155053fa85d
SHA1
080584bee5fe0fbe1c0e12ec667dfbd4d11ae11d
SHA256
2f6fc0b13b490c15737b3b284e3275e6762f83e997369cade8478351adf3003d
SHA512
38a13f718f9b048da052cd46344c16ca0c24b4b62f4218c6f18d3abcd3120460c129b5bd1ad4ff77e0b6876cc983cb9a6a67a3bc44c822c4c5734718aabf8f80
-
Filesize
287KB
MD5
55a984e33e1bc5af3daa8243b4fcdf41
SHA1
a32a48801302c293749a478cbdddde2de3fb56e2
SHA256
566df799d543d8a004f050cf673f29d0bc47c70d328b207bc526c335379565d6
SHA512
f6970220400611bd4b58fc13147fe2f7552b96bf48bf2589b37e5fb41bc988f095431ffb35b6c2943ed5a7405a2ca427f2ee5e26795ea3a1071b32c9fb347c7f
-
Filesize
12KB
MD5
5a1321d892070c60f726edc3e3692ab7
SHA1
ecdda384d7aa6e3e0c289fdf44652de169aefde6
SHA256
ca250bb73ec2afb3e14d2f9bf363623cfa528c8c195be5014e578b2b55c20713
SHA512
2986f8ef18d920d31fdd9851302b0e7fea995abe3f00ccc23dcbb0619645537a9b5aad6720991ea68f037085a70f4caca9b4a7777130753a875fb8f2659e982b
-
Filesize
215KB
MD5
9a2a73b89ef29c867db353c905ba26b2
SHA1
202e2c7d9c9b87957ed0e0a6b6398b9356846ae0
SHA256
210c3ce2c7ec2616a45d6ac957325e34d58e01ab16a717cdced47d563d8fba5a
SHA512
29b98bf683710dec760cb945c2322e95afec0d230d15eff251e241837922ca9eb88517d524a9336e7d951cacf4147faff4564981e549fec047b6dd73e909fed7
-
Filesize
924KB
MD5
848164d084384c49937f99d5b894253e
SHA1
3055ef803eeec4f175ebf120f94125717ee12444
SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a