Overview
overview
10Static
static
10240802-n97...ed.zip
windows7-x64
1240802-n97...ed.zip
windows10-2004-x64
1bfc092b384...af.zip
windows7-x64
1bfc092b384...af.zip
windows10-2004-x64
11/0178b79b...bd.exe
windows7-x64
101/0178b79b...bd.exe
windows10-2004-x64
101/0280cde4...60.exe
windows7-x64
101/0280cde4...60.exe
windows10-2004-x64
101/08b76206...65.exe
windows7-x64
101/08b76206...65.exe
windows10-2004-x64
101/0e4fc438...91.exe
windows7-x64
31/0e4fc438...91.exe
windows10-2004-x64
101/0fb86a8b...05.exe
windows7-x64
101/0fb86a8b...05.exe
windows10-2004-x64
101/25898c73...8f.exe
windows7-x64
101/25898c73...8f.exe
windows10-2004-x64
101/2c2e9491...3c.exe
windows7-x64
31/2c2e9491...3c.exe
windows10-2004-x64
101/2ef0f582...2e.exe
windows7-x64
31/2ef0f582...2e.exe
windows10-2004-x64
101/39884fc0...82.exe
windows7-x64
101/39884fc0...82.exe
windows10-2004-x64
101/3a72ecec...8a.exe
windows7-x64
101/3a72ecec...8a.exe
windows10-2004-x64
101/3bfcb4f7...71.exe
windows7-x64
101/3bfcb4f7...71.exe
windows10-2004-x64
101/4103411f...f5.exe
windows7-x64
101/4103411f...f5.exe
windows10-2004-x64
101/4e0fdb84...95.exe
windows7-x64
31/4e0fdb84...95.exe
windows10-2004-x64
71/5297372f...33.exe
windows7-x64
51/5297372f...33.exe
windows10-2004-x64
5Analysis
-
max time kernel
93s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240730-en -
resource tags
arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system -
submitted
02-08-2024 12:27
Behavioral task
behavioral1
Sample
240802-n97ays1dpa_pw_infected.zip
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
240802-n97ays1dpa_pw_infected.zip
Resource
win10v2004-20240730-en
Behavioral task
behavioral3
Sample
bfc092b384976e97153bae0e29359461bfd65fce5ad8188d6460de57bc680eaf.zip
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
bfc092b384976e97153bae0e29359461bfd65fce5ad8188d6460de57bc680eaf.zip
Resource
win10v2004-20240730-en
Behavioral task
behavioral5
Sample
1/0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd.exe
Resource
win7-20240704-en
Behavioral task
behavioral6
Sample
1/0178b79bd084c2597b2de4e62e61a88bb8359e4fcac2fe672bb887e0e52e5dbd.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral7
Sample
1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral9
Sample
1/08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe
Resource
win7-20240705-en
Behavioral task
behavioral10
Sample
1/08b7620610fc30c54e5cc095a54ae6d2949f68b0f224c285283e1612c254ef65.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral11
Sample
1/0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
1/0e4fc438decc9723b89bd0e71b9ee30c1a8390e697d790b2d5ce96e94accd791.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral13
Sample
1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral15
Sample
1/25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f.exe
Resource
win7-20240705-en
Behavioral task
behavioral16
Sample
1/25898c73a877d87ba289bb4ab9585eb36eba9d27d47af678a86befdbf9aa938f.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral17
Sample
1/2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe
Resource
win7-20240704-en
Behavioral task
behavioral18
Sample
1/2c2e949171d86da9b5c58901de2e4a99c4fe86fe92c47556f53b833ce77c503c.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral19
Sample
1/2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe
Resource
win7-20240729-en
Behavioral task
behavioral20
Sample
1/2ef0f582367a7674aef245acb06977bf646419f1f8d05c7fb07881a6102f982e.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral21
Sample
1/39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82.exe
Resource
win7-20240705-en
Behavioral task
behavioral22
Sample
1/39884fc02ed9a51ffcc9b298916be79307f15f1518b6ae2021dd07af0aeecb82.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral23
Sample
1/3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe
Resource
win7-20240704-en
Behavioral task
behavioral24
Sample
1/3a72ecec34a29f53a1d73677a0e6f4c2e19087a32f1808f8f4ff643f62128d8a.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral25
Sample
1/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
Resource
win7-20240705-en
Behavioral task
behavioral26
Sample
1/3bfcb4f798ba63a1d18887cb67c90e083d5561a58136a892bd9944528c707671.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral27
Sample
1/4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5.exe
Resource
win7-20240708-en
Behavioral task
behavioral28
Sample
1/4103411f7bb66a033f9f5ce35839ba08b2a27d169e188a911185790f3b78bbf5.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral29
Sample
1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
Resource
win7-20240704-en
Behavioral task
behavioral30
Sample
1/4e0fdb84649ad15a0722789512aaef15c7bfbc4cab82b2a7b0ea52ac9594bb95.exe
Resource
win10v2004-20240730-en
Behavioral task
behavioral31
Sample
1/5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33.exe
Resource
win7-20240729-en
Behavioral task
behavioral32
Sample
1/5297372fe85eea3ecc0d271b5567f2c7ee75bd3a04e745debddb04c9b05dae33.exe
Resource
win10v2004-20240730-en
General
-
Target
1/0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe
-
Size
1.3MB
-
MD5
73d006e33d8eda033e684c07b15c53ad
-
SHA1
e3e0a09b37beee1e19d5a6b9fd5322f906f4493d
-
SHA256
0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160
-
SHA512
1b2822a9f568783a6064194c21e4147ffb10c1a0c3ca00f586f3306cf7b5d0bee39af5dad5a78f720d75c09b0b71d44c75d05d9b432b1159915977006e9252db
-
SSDEEP
24576:KAHnh+eWsN3skA4RV1Hom2KXMmHaKi4Tivd32MUMh9ZzU2Fk1gn5:dh+ZkldoPK8YaKi4mrUUZbk1I
Malware Config
Extracted
remcos
RemoteHost
192.3.64.149:2888
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-7Q1GRN
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2772 set thread context of 2812 2772 0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe 86 PID 2812 set thread context of 312 2812 svchost.exe 87 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2812 svchost.exe 2812 svchost.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 2772 0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe 2812 svchost.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2772 wrote to memory of 2812 2772 0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe 86 PID 2772 wrote to memory of 2812 2772 0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe 86 PID 2772 wrote to memory of 2812 2772 0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe 86 PID 2772 wrote to memory of 2812 2772 0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe 86 PID 2812 wrote to memory of 312 2812 svchost.exe 87 PID 2812 wrote to memory of 312 2812 svchost.exe 87 PID 2812 wrote to memory of 312 2812 svchost.exe 87 PID 2812 wrote to memory of 312 2812 svchost.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\1\0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe"C:\Users\Admin\AppData\Local\Temp\1\0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\Temp\1\0280cde4a65664a05361129dc1cfa10bc17b3fa9567103ce6eb9d07b06f8f160.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2812 -
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"3⤵PID:312
-
-
Network
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.dual-a-0034.a-msedge.netg-bing-com.dual-a-0034.a-msedge.netIN CNAMEdual-a-0034.a-msedge.netdual-a-0034.a-msedge.netIN A13.107.21.237dual-a-0034.a-msedge.netIN A204.79.197.237
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=679a7632935e469f8d8172a63957489e&localId=w:AC2B58A5-1A3B-8F5D-5E56-3F401D899D6C&deviceId=6966569283164616&anid=Remote address:13.107.21.237:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=679a7632935e469f8d8172a63957489e&localId=w:AC2B58A5-1A3B-8F5D-5E56-3F401D899D6C&deviceId=6966569283164616&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2E7397424B3D63CB1341838D4ADD62AF; domain=.bing.com; expires=Wed, 27-Aug-2025 12:28:17 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FBD3354634464568B8C7363916F9C99D Ref B: LON04EDGE1021 Ref C: 2024-08-02T12:28:17Z
date: Fri, 02 Aug 2024 12:28:16 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=679a7632935e469f8d8172a63957489e&localId=w:AC2B58A5-1A3B-8F5D-5E56-3F401D899D6C&deviceId=6966569283164616&anid=Remote address:13.107.21.237:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=679a7632935e469f8d8172a63957489e&localId=w:AC2B58A5-1A3B-8F5D-5E56-3F401D899D6C&deviceId=6966569283164616&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2E7397424B3D63CB1341838D4ADD62AF
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=m73DVUcFJM93n1seCWmh-JuqFjuRGk759r6Qo7t18BY; domain=.bing.com; expires=Wed, 27-Aug-2025 12:28:17 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0777D8AA6F66472F9A5B13405A4E15EF Ref B: LON04EDGE1021 Ref C: 2024-08-02T12:28:17Z
date: Fri, 02 Aug 2024 12:28:16 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=679a7632935e469f8d8172a63957489e&localId=w:AC2B58A5-1A3B-8F5D-5E56-3F401D899D6C&deviceId=6966569283164616&anid=Remote address:13.107.21.237:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=679a7632935e469f8d8172a63957489e&localId=w:AC2B58A5-1A3B-8F5D-5E56-3F401D899D6C&deviceId=6966569283164616&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2E7397424B3D63CB1341838D4ADD62AF; MSPTC=m73DVUcFJM93n1seCWmh-JuqFjuRGk759r6Qo7t18BY
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E9627BF9472C472C87EE8F1D5CFBCAD3 Ref B: LON04EDGE1021 Ref C: 2024-08-02T12:28:17Z
date: Fri, 02 Aug 2024 12:28:16 GMT
-
Remote address:8.8.8.8:53Request140.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request237.21.107.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request203.142.123.92.in-addr.arpaIN PTRResponse203.142.123.92.in-addr.arpaIN PTRa92-123-142-203deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request26.35.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request233.143.123.92.in-addr.arpaIN PTRResponse233.143.123.92.in-addr.arpaIN PTRa92-123-143-233deploystaticakamaitechnologiescom
-
13.107.21.237:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=679a7632935e469f8d8172a63957489e&localId=w:AC2B58A5-1A3B-8F5D-5E56-3F401D899D6C&deviceId=6966569283164616&anid=tls, http22.0kB 9.3kB 22 19
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=679a7632935e469f8d8172a63957489e&localId=w:AC2B58A5-1A3B-8F5D-5E56-3F401D899D6C&deviceId=6966569283164616&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=679a7632935e469f8d8172a63957489e&localId=w:AC2B58A5-1A3B-8F5D-5E56-3F401D899D6C&deviceId=6966569283164616&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=679a7632935e469f8d8172a63957489e&localId=w:AC2B58A5-1A3B-8F5D-5E56-3F401D899D6C&deviceId=6966569283164616&anid=HTTP Response
204
-
56 B 151 B 1 1
DNS Request
g.bing.com
DNS Response
13.107.21.237204.79.197.237
-
72 B 158 B 1 1
DNS Request
140.32.126.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
237.21.107.13.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
203.142.123.92.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
26.35.223.20.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
233.143.123.92.in-addr.arpa