Analysis

max time kernel: 150s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-08-2024 13:08
Static task: static1
Behavioral task behavioral1: sample 01_extracted.exe, resource win7-20240708-en
Behavioral task behavioral2: sample 01_extracted.exe, resource win10v2004-20240802-en
General

Target: 01_extracted.exe
Size: 1.3MB
MD5: 02e47dfd1294ce31f13dba280c0a67b5
SHA1: 6abb28614be7035275e5bd3a3f37e0d5a733c083
SHA256: 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e
SHA512: 7653d7e6d15597b39435bc91b722bb01d49775b3cac42e7d48dec8a708fb993587955877045adb799fe7a544b42f22ac6b2af60aef7c56936a5ee93132ee5fa4
SSDEEP: 24576:0qDEvCTbMWu7rQYlBQcBiT6rprG8aR1qE5nfd3oSGnVm+Wf:0TvC/MTQYxsWR7aRVSS+I+
Malware Config

Extracted: remcos
RemoteHost: ocservice.duckdns.org:6622
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: evferf
mouse_option: false
mutex: Rmc-5U6QT9
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious Access or copy of Web Browser Credential store.

Detected Nirsoft tools (6 IoCs)
  Free utilities often used by attackers which can steal passwords, product keys, etc.
  resource | yara_rule
    behavioral2/memory/1760-65-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
    behavioral2/memory/3496-64-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
    behavioral2/memory/636-63-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
    behavioral2/memory/3496-58-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
    behavioral2/memory/1760-59-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
    behavioral2/memory/3496-76-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft

NirSoft MailPassView (2 IoCs)
  Password recovery tool for various email clients
  resource | yara_rule
    behavioral2/memory/1760-65-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView
    behavioral2/memory/1760-59-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView

NirSoft WebBrowserPassView (3 IoCs)
  Password recovery tool for various web browsers
  resource | yara_rule
    behavioral2/memory/3496-64-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
    behavioral2/memory/3496-58-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
    behavioral2/memory/3496-76-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView

Drops startup file (1 IoCs)
  description | ioc | Process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | name.exe

Executes dropped EXE (6 IoCs)
  pid | Process
    3508 | name.exe
    3860 | name.exe
    3496 | name.exe
    848 | name.exe
    1760 | name.exe
    636 | name.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  description | ioc | Process
    Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | name.exe

AutoIT Executable (1 IoCs)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
    behavioral2/files/0x0006000000016844-14.dat | autoit_exe

Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
    PID 3508 set thread context of 3496 | 3508 | name.exe | 101
    PID 3508 set thread context of 1760 | 3508 | name.exe | 103
    PID 3508 set thread context of 636 | 3508 | name.exe | 104
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 01_extracted.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | name.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | name.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | name.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | name.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
    3496 | name.exe
    3496 | name.exe
    636 | name.exe
    636 | name.exe
    3496 | name.exe
    3496 | name.exe

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid | Process
    3508 | name.exe
    3508 | name.exe
    3508 | name.exe
    3508 | name.exe
    3508 | name.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
    Token: SeDebugPrivilege | 636 | name.exe

Suspicious use of FindShellTrayWindow (5 IoCs)
  pid | Process
    1300 | 01_extracted.exe
    1300 | 01_extracted.exe
    3508 | name.exe
    3508 | name.exe
    3508 | name.exe

Suspicious use of SendNotifyMessage (5 IoCs)
  pid | Process
    1300 | 01_extracted.exe
    1300 | 01_extracted.exe
    3508 | name.exe
    3508 | name.exe
    3508 | name.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
    PID 1300 wrote to memory of 3508 | 1300 | 01_extracted.exe | 94
    PID 1300 wrote to memory of 3508 | 1300 | 01_extracted.exe | 94
    PID 1300 wrote to memory of 3508 | 1300 | 01_extracted.exe | 94
    PID 3508 wrote to memory of 3860 | 3508 | name.exe | 100
    PID 3508 wrote to memory of 3860 | 3508 | name.exe | 100
    PID 3508 wrote to memory of 3860 | 3508 | name.exe | 100
    PID 3508 wrote to memory of 3496 | 3508 | name.exe | 101
    PID 3508 wrote to memory of 3496 | 3508 | name.exe | 101
    PID 3508 wrote to memory of 3496 | 3508 | name.exe | 101
    PID 3508 wrote to memory of 3496 | 3508 | name.exe | 101
    PID 3508 wrote to memory of 848 | 3508 | name.exe | 102
    PID 3508 wrote to memory of 848 | 3508 | name.exe | 102
    PID 3508 wrote to memory of 848 | 3508 | name.exe | 102
    PID 3508 wrote to memory of 1760 | 3508 | name.exe | 103
    PID 3508 wrote to memory of 1760 | 3508 | name.exe | 103
    PID 3508 wrote to memory of 1760 | 3508 | name.exe | 103
    PID 3508 wrote to memory of 1760 | 3508 | name.exe | 103
    PID 3508 wrote to memory of 636 | 3508 | name.exe | 104
    PID 3508 wrote to memory of 636 | 3508 | name.exe | 104
    PID 3508 wrote to memory of 636 | 3508 | name.exe | 104
    PID 3508 wrote to memory of 636 | 3508 | name.exe | 104
Processes

C:\Users\Admin\AppData\Local\Temp\01_extracted.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\01_extracted.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1300

  C:\Users\Admin\AppData\Local\directory\name.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\01_extracted.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 3508

    C:\Users\Admin\AppData\Local\directory\name.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\olarcmblioimczgsvoinedqtmdivmxdfe"
      - Executes dropped EXE
      PID: 3860

    C:\Users\Admin\AppData\Local\directory\name.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\olarcmblioimczgsvoinedqtmdivmxdfe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 3496

    C:\Users\Admin\AppData\Local\directory\name.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\znfjd"
      - Executes dropped EXE
      PID: 848

    C:\Users\Admin\AppData\Local\directory\name.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\znfjd"
      - Executes dropped EXE
      - Accesses Microsoft Outlook accounts
      - System Location Discovery: System Language Discovery
      PID: 1760

    C:\Users\Admin\AppData\Local\directory\name.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\bhkcexwhs"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
  PID: 1896
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 208B
MD5: 03b607a9984666fd0f49017906df7500
SHA1: 890f4c35b2d8f044d6a778e75c68a22699eed998
SHA256: 565b253b46d4e13a7787444b15857960b5164a6a9a451df8ee704c1838a46089
SHA512: 3f9f78b559584a3b4bdd0fa79a46e41091b97f339060b8e4a7495a8225eb853bd63114dfa14b6cc0884ad84cd49fa36fa96d232e190fe64f3858d18f02252cda

Filesize: 4KB
MD5: cda83eba5a004554ccdc061fd3df499c
SHA1: 58ff2ecb9d47be10335e104896c87c62dc328523
SHA256: e384f4d46587646c6e0f9d2ee90b7bc57b49cea936b37cf8ab81ef3c4ce468ac
SHA512: f55ce20f0cf8b603fad765b889607f967c22d377fa4ac417ba1309d0aced9231e197bb4107d1c92bb99f51c04cc68ce26148727a8b694886710100c01f3de597

Filesize: 28KB
MD5: 2db633ef207ce985b162d92227536918
SHA1: b53e198fb389c983a7e0b837fa99536ddac13646
SHA256: 7bca6a34219cc289b128c4174ffb785418e39b6551195992ae417a26ec1cc0bc
SHA512: 7000468102c0a1aaee4c31eddfbb6dcd91fd184d731d37603f2e866890ae643ea97e616c25cafdfd0b40a46f3eb47a279878cf72e70d982d90d4b954b7064476

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Filesize: 1.3MB
MD5: 02e47dfd1294ce31f13dba280c0a67b5
SHA1: 6abb28614be7035275e5bd3a3f37e0d5a733c083
SHA256: 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e
SHA512: 7653d7e6d15597b39435bc91b722bb01d49775b3cac42e7d48dec8a708fb993587955877045adb799fe7a544b42f22ac6b2af60aef7c56936a5ee93132ee5fa4