Analysis
- max time kernel: 62s
- max time network: 63s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 26-07-2024 17:54
- Static task: static1
- Behavioral task: behavioral1
- Sample: ScreenShot.exe
- Resource: win7-20240705-en
General
- Target: ScreenShot.exe
- Size: 1.3MB
- MD5: 6a2cdd8709524999190f4b43a83108c9
- SHA1: 47b472ca518760552d1e0fa2d2321339dd596471
- SHA256: bd0f954149173d3f5766eee5bd78d5f27ea1ea69667da7b3970b0e6154afc85f
- SHA512: 3b9a50892b7b18480380f69f0eb185b663e82da16064b60a262e9f3181f23ee8510b338eb28af7b961ab555082ffc494cc4fa950610d1991e6d1fa12ba497299
- SSDEEP: 24576:ToaZhvL2xgUgoJU72/LV5P3bhIqCl1xlaxqBmdq5:Z6xgUgoJUcaqCDxv
Malware Config
Extracted: remcos
- huma
- 81.19.139.74:4343
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-OMQQOG
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          pid   process         target process
  PID 2616 set thread context of 748   2616  ScreenShot.exe  cmd.exe
- Executes dropped EXE (1 IoC)
  Processes:
  pid   process
  2616  ScreenShot.exe
- Loads dropped DLL (8 IoCs)
  Processes:
  pid   process
  1432  ScreenShot.exe
  2616  ScreenShot.exe
  2616  ScreenShot.exe
  2616  ScreenShot.exe
  2616  ScreenShot.exe
  2616  ScreenShot.exe
  2616  ScreenShot.exe
  748   cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  description   ioc                                                          process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ScreenShot.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ScreenShot.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  explorer.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid   process
  1432  ScreenShot.exe
  2616  ScreenShot.exe
  2616  ScreenShot.exe
  748   cmd.exe
  748   cmd.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
  pid   process
  2616  ScreenShot.exe
  748   cmd.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes:
  description                      pid   process         target process
  PID 1432 wrote to memory of 2616  1432  ScreenShot.exe  ScreenShot.exe
  PID 1432 wrote to memory of 2616  1432  ScreenShot.exe  ScreenShot.exe
  PID 1432 wrote to memory of 2616  1432  ScreenShot.exe  ScreenShot.exe
  PID 1432 wrote to memory of 2616  1432  ScreenShot.exe  ScreenShot.exe
  PID 2616 wrote to memory of 748   2616  ScreenShot.exe  cmd.exe
  PID 2616 wrote to memory of 748   2616  ScreenShot.exe  cmd.exe
  PID 2616 wrote to memory of 748   2616  ScreenShot.exe  cmd.exe
  PID 2616 wrote to memory of 748   2616  ScreenShot.exe  cmd.exe
  PID 2616 wrote to memory of 748   2616  ScreenShot.exe  cmd.exe
  PID 748 wrote to memory of 1920   748   cmd.exe         explorer.exe
  PID 748 wrote to memory of 1920   748   cmd.exe         explorer.exe
  PID 748 wrote to memory of 1920   748   cmd.exe         explorer.exe
  PID 748 wrote to memory of 1920   748   cmd.exe         explorer.exe
  PID 748 wrote to memory of 1920   748   cmd.exe         explorer.exe
  PID 748 wrote to memory of 1920   748   cmd.exe         explorer.exe
  PID 1920 wrote to memory of 1660  1920  explorer.exe    WScript.exe
  PID 1920 wrote to memory of 1660  1920  explorer.exe    WScript.exe
  PID 1920 wrote to memory of 1660  1920  explorer.exe    WScript.exe
  PID 1920 wrote to memory of 1660  1920  explorer.exe    WScript.exe
Processes (process tree, nested by depth)
1. C:\Users\Admin\AppData\Local\Temp\ScreenShot.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ScreenShot.exe"
   PID: 1432
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\bj_service_testv4\ScreenShot.exe
      Command line: C:\Users\Admin\AppData\Roaming\bj_service_testv4\ScreenShot.exe
      PID: 2616
      - Suspicious use of SetThreadContext
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\SysWOW64\cmd.exe
         PID: 748
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\explorer.exe
            Command line: C:\Windows\SysWOW64\explorer.exe
            PID: 1920
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\WScript.exe
               Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ptrteqjcxxkysxpannpnbrxkicbioco.vbs"
               PID: 1660
               - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads