Analysis

max time kernel: 148s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-08-2024 01:07

Static task: static1

Behavioral task: behavioral1
  Sample: 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe
  Resource: win10v2004-20240802-en
General

Target: 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe
Size: 1.3MB
MD5: 02e47dfd1294ce31f13dba280c0a67b5
SHA1: 6abb28614be7035275e5bd3a3f37e0d5a733c083
SHA256: 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e
SHA512: 7653d7e6d15597b39435bc91b722bb01d49775b3cac42e7d48dec8a708fb993587955877045adb799fe7a544b42f22ac6b2af60aef7c56936a5ee93132ee5fa4
SSDEEP: 24576:0qDEvCTbMWu7rQYlBQcBiT6rprG8aR1qE5nfd3oSGnVm+Wf:0TvC/MTQYxsWR7aRVSS+I+
Malware Config

Extracted: remcos

RemoteHost: ocservice.duckdns.org:6622
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: evferf
mouse_option: false
mutex: Rmc-5U6QT9
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access or copy of web browser credential store.

Detected Nirsoft tools (6 IoCs)
  Free utilities often used by attackers which can steal passwords, product keys, etc.
  Processes:
    resource | yara_rule
    behavioral2/memory/1092-78-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
    behavioral2/memory/4872-73-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
    behavioral2/memory/4872-72-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
    behavioral2/memory/400-71-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
    behavioral2/memory/400-69-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
    behavioral2/memory/4872-83-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
NirSoft MailPassView (2 IoCs)
  Password recovery tool for various email clients
  Processes:
    resource | yara_rule
    behavioral2/memory/400-71-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView
    behavioral2/memory/400-69-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView

NirSoft WebBrowserPassView (3 IoCs)
  Password recovery tool for various web browsers
  Processes:
    resource | yara_rule
    behavioral2/memory/4872-73-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
    behavioral2/memory/4872-72-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
    behavioral2/memory/4872-83-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
Drops startup file (1 IoCs)
  Processes:
    description | ioc | Process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | name.exe

Executes dropped EXE (6 IoCs)
  Processes:
    pid | Process
    4912 | name.exe
    1080 | name.exe
    4872 | name.exe
    400 | name.exe
    3044 | name.exe
    1092 | name.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  Processes:
    description | ioc | Process
    Key opened | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | name.exe

AutoIT Executable (1 IoCs)
  AutoIT scripts compiled to PE executables.
  Processes:
    resource | yara_rule
    behavioral2/files/0x0007000000023486-14.dat | autoit_exe
Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    description | pid | Process | procid_target
    PID 1080 set thread context of 4872 | 1080 | name.exe | 94
    PID 1080 set thread context of 400 | 1080 | name.exe | 95
    PID 1080 set thread context of 1092 | 1080 | name.exe | 97

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description | ioc | Process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | name.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | name.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | name.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | name.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | name.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid | Process
    4872 | name.exe
    4872 | name.exe
    1092 | name.exe
    1092 | name.exe
    4872 | name.exe
    4872 | name.exe

Suspicious behavior: MapViewOfSection (4 IoCs)
  Processes:
    pid | Process
    1080 | name.exe
    1080 | name.exe
    1080 | name.exe
    1080 | name.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | Process
    Token: SeDebugPrivilege | 1092 | name.exe
Suspicious use of FindShellTrayWindow (7 IoCs)
  Processes:
    pid | Process
    4792 | 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe
    4792 | 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe
    4912 | name.exe
    4912 | name.exe
    1080 | name.exe
    1080 | name.exe
    1080 | name.exe

Suspicious use of SendNotifyMessage (7 IoCs)
  Processes:
    pid | Process
    4792 | 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe
    4792 | 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe
    4912 | name.exe
    4912 | name.exe
    1080 | name.exe
    1080 | name.exe
    1080 | name.exe
Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
    description | pid | Process | procid_target
    PID 4792 wrote to memory of 4912 | 4792 | 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe | 87
    PID 4792 wrote to memory of 4912 | 4792 | 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe | 87
    PID 4792 wrote to memory of 4912 | 4792 | 248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe | 87
    PID 4912 wrote to memory of 1080 | 4912 | name.exe | 88
    PID 4912 wrote to memory of 1080 | 4912 | name.exe | 88
    PID 4912 wrote to memory of 1080 | 4912 | name.exe | 88
    PID 1080 wrote to memory of 4872 | 1080 | name.exe | 94
    PID 1080 wrote to memory of 4872 | 1080 | name.exe | 94
    PID 1080 wrote to memory of 4872 | 1080 | name.exe | 94
    PID 1080 wrote to memory of 4872 | 1080 | name.exe | 94
    PID 1080 wrote to memory of 400 | 1080 | name.exe | 95
    PID 1080 wrote to memory of 400 | 1080 | name.exe | 95
    PID 1080 wrote to memory of 400 | 1080 | name.exe | 95
    PID 1080 wrote to memory of 400 | 1080 | name.exe | 95
    PID 1080 wrote to memory of 3044 | 1080 | name.exe | 96
    PID 1080 wrote to memory of 3044 | 1080 | name.exe | 96
    PID 1080 wrote to memory of 3044 | 1080 | name.exe | 96
    PID 1080 wrote to memory of 1092 | 1080 | name.exe | 97
    PID 1080 wrote to memory of 1092 | 1080 | name.exe | 97
    PID 1080 wrote to memory of 1092 | 1080 | name.exe | 97
    PID 1080 wrote to memory of 1092 | 1080 | name.exe | 97
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe"
  PID: 4792
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\directory\name.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\248653074d88fac18a59e758a14fac1c0dcb8af24f32b17a43a15222cf93576e.exe"
    PID: 4912
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Local\directory\name.exe
      Command line: "C:\Users\Admin\AppData\Local\directory\name.exe"
      PID: 1080
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Users\Admin\AppData\Local\directory\name.exe
        Command line: C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\ngkbhierdlsttypgljcxsciqzy"
        PID: 4872
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

      [depth 4] C:\Users\Admin\AppData\Local\directory\name.exe
        Command line: C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\qapuitokrtkgwmdsctxyvhdhifvox"
        PID: 400
        - Executes dropped EXE
        - Accesses Microsoft Outlook accounts
        - System Location Discovery: System Language Discovery

      [depth 4] C:\Users\Admin\AppData\Local\directory\name.exe
        Command line: C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\advmjlzmnbclgtrwleksguyqqtfprvkr"
        PID: 3044
        - Executes dropped EXE

      [depth 4] C:\Users\Admin\AppData\Local\directory\name.exe
        Command line: C:\Users\Admin\AppData\Local\directory\name.exe /stext "C:\Users\Admin\AppData\Local\Temp\advmjlzmnbclgtrwleksguyqqtfprvkr"
        PID: 1092
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads