Analysis
- max time kernel: 149s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-08-2024 13:12
Static task: static1
Behavioral task: behavioral1
- Sample: 01_extracted.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 01_extracted.exe
- Resource: win10v2004-20240802-en
General
- Target: 01_extracted.exe
- Size: 1.3MB
- MD5: 02e47dfd1294ce31f13dba280c0a67b5
- SHA1: 6abb28614be7035275e5bd3a3f37e0d5a733c083
- SHA256: 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e
- SHA512: 7653d7e6d15597b39435bc91b722bb01d49775b3cac42e7d48dec8a708fb993587955877045adb799fe7a544b42f22ac6b2af60aef7c56936a5ee93132ee5fa4
- SSDEEP: 24576:0qDEvCTbMWu7rQYlBQcBiT6rprG8aR1qE5nfd3oSGnVm+Wf:0TvC/MTQYxsWR7aRVSS+I+
Malware Config
Extracted family: remcos
- RemoteHost: ocservice.duckdns.org:6622
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: evferf
- mouse_option: false
- mutex: Rmc-5U6QT9
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to, or copying of, the web browser credential store.
- Detected Nirsoft tools (3 IoCs)
  Free utilities often used by attackers, which can steal passwords, product keys, etc.
  Processes (resource / yara_rule):
    behavioral2/memory/4108-88-0x0000000000400000-0x0000000000424000-memory.dmp  Nirsoft
    behavioral2/memory/1156-83-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft
    behavioral2/memory/1136-84-0x0000000000400000-0x0000000000462000-memory.dmp  Nirsoft
- NirSoft MailPassView (1 IoCs)
  Password recovery tool for various email clients.
  Processes (resource / yara_rule):
    behavioral2/memory/1136-84-0x0000000000400000-0x0000000000462000-memory.dmp  MailPassView
- NirSoft WebBrowserPassView (1 IoCs)
  Password recovery tool for various web browsers.
  Processes (resource / yara_rule):
    behavioral2/memory/1156-83-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView
- Drops startup file (1 IoCs)
  Processes (description / ioc / Process):
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs  name.exe
- Executes dropped EXE (7 IoCs)
  Processes (pid / Process):
    2968  name.exe
    2484  name.exe
    4016  name.exe
    1156  name.exe
    2384  name.exe
    1136  name.exe
    4108  name.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  Processes (description / ioc / Process):
    Key opened  \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  name.exe
- AutoIT Executable (1 IoCs)
  AutoIT scripts compiled to PE executables.
  Processes (resource / yara_rule):
    behavioral2/files/0x000c000000023463-14.dat  autoit_exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description / pid / Process / procid_target):
    PID 4016 set thread context of 1156  4016  name.exe  96
    PID 4016 set thread context of 1136  4016  name.exe  98
    PID 4016 set thread context of 4108  4016  name.exe  99
- System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description / ioc / Process):
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  01_extracted.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  name.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  name.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  name.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  name.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  name.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  name.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / Process):
    1156  name.exe
    1156  name.exe
    4108  name.exe
    4108  name.exe
    1156  name.exe
    1156  name.exe
- Suspicious behavior: MapViewOfSection (4 IoCs)
  Processes (pid / Process):
    4016  name.exe
    4016  name.exe
    4016  name.exe
    4016  name.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / Process):
    Token: SeDebugPrivilege  4108  name.exe
- Suspicious use of FindShellTrayWindow (9 IoCs)
  Processes (pid / Process):
    4216  01_extracted.exe
    4216  01_extracted.exe
    2968  name.exe
    2968  name.exe
    2484  name.exe
    2484  name.exe
    4016  name.exe
    4016  name.exe
    4016  name.exe
- Suspicious use of SendNotifyMessage (9 IoCs)
  Processes (pid / Process):
    4216  01_extracted.exe
    4216  01_extracted.exe
    2968  name.exe
    2968  name.exe
    2484  name.exe
    2484  name.exe
    4016  name.exe
    4016  name.exe
    4016  name.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description / pid / Process / procid_target):
    PID 4216 wrote to memory of 2968  4216  01_extracted.exe  87
    PID 4216 wrote to memory of 2968  4216  01_extracted.exe  87
    PID 4216 wrote to memory of 2968  4216  01_extracted.exe  87
    PID 2968 wrote to memory of 2484  2968  name.exe  88
    PID 2968 wrote to memory of 2484  2968  name.exe  88
    PID 2968 wrote to memory of 2484  2968  name.exe  88
    PID 2484 wrote to memory of 4016  2484  name.exe  89
    PID 2484 wrote to memory of 4016  2484  name.exe  89
    PID 2484 wrote to memory of 4016  2484  name.exe  89
    PID 4016 wrote to memory of 1156  4016  name.exe  96
    PID 4016 wrote to memory of 1156  4016  name.exe  96
    PID 4016 wrote to memory of 1156  4016  name.exe  96
    PID 4016 wrote to memory of 1156  4016  name.exe  96
    PID 4016 wrote to memory of 2384  4016  name.exe  97
    PID 4016 wrote to memory of 2384  4016  name.exe  97
    PID 4016 wrote to memory of 2384  4016  name.exe  97
    PID 4016 wrote to memory of 1136  4016  name.exe  98
    PID 4016 wrote to memory of 1136  4016  name.exe  98
    PID 4016 wrote to memory of 1136  4016  name.exe  98
    PID 4016 wrote to memory of 1136  4016  name.exe  98
    PID 4016 wrote to memory of 4108  4016  name.exe  99
    PID 4016 wrote to memory of 4108  4016  name.exe  99
    PID 4016 wrote to memory of 4108  4016  name.exe  99
    PID 4016 wrote to memory of 4108  4016  name.exe  99
Processes (tree; the number is the depth in the process tree)
1. C:\Users\Admin\AppData\Local\Temp\01_extracted.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\01_extracted.exe"
   PID: 4216
   - System Location Discovery: System Language Discovery
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\directory\name.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\01_extracted.exe"
      PID: 2968
      - Drops startup file
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\directory\name.exe
         Command line: "C:\Users\Admin\AppData\Local\directory\name.exe"
         PID: 2484
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\directory\name.exe
            Command line: "C:\Users\Admin\AppData\Local\directory\name.exe"
            PID: 4016
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\directory\name.exe
               Command line: C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\wkpkxhgtapodolbhpemjjvpfnerm"
               PID: 1156
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious behavior: EnumeratesProcesses
            5. C:\Users\Admin\AppData\Local\directory\name.exe
               Command line: C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\gmvvyaqnoxgqqzxlzpyklakwwsjvnym"
               PID: 2384
               - Executes dropped EXE
            5. C:\Users\Admin\AppData\Local\directory\name.exe
               Command line: C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\gmvvyaqnoxgqqzxlzpyklakwwsjvnym"
               PID: 1136
               - Executes dropped EXE
               - Accesses Microsoft Outlook accounts
               - System Location Discovery: System Language Discovery
            5. C:\Users\Admin\AppData\Local\directory\name.exe
               Command line: C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\iginzsjocfyvaflxqalewnfffzsegjdmxe"
               PID: 4108
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads