Analysis
-
max time kernel
147s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-08-2024 15:46
Behavioral task
behavioral1
Sample
DN TK 7239 (()DHL#3272524765pdf.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
DN TK 7239 (()DHL#3272524765pdf.exe
Resource
win10v2004-20240802-en
General
-
Target
DN TK 7239 (()DHL#3272524765pdf.exe
-
Size
853KB
-
MD5
72fa44e3e13d946e188485a4115c67f4
-
SHA1
36571ccce2ae7f092c8bff4fe80b7b4cd37eee66
-
SHA256
2c98d193201137a3e33b34934fa866c2c66f346ed6878562e8191f4314bc5dc9
-
SHA512
c1a97252b5b0048e861f2c2409b517ce86db911bae64606bbdfb482abb7d94877826265f7ef47c59c134c734054edbcb55b6e0a7317f43ddd35eabcc67717d7c
-
SSDEEP
24576:mBXu9HGaVHoB42WGiRjocxGJo3ToETGMCjm:mw9VHM4YSjoaw8oEqMC
Malware Config
Extracted
remcos
RemoteHost
194.169.175.190:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-LBZ2BK
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral2/memory/4896-60-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/3092-64-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/3384-62-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/3384-62-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/memory/4896-60-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
resource yara_rule behavioral2/memory/2976-0-0x0000000000CC0000-0x0000000000E97000-memory.dmp upx behavioral2/memory/2976-14-0x0000000000CC0000-0x0000000000E97000-memory.dmp upx behavioral2/memory/4296-29-0x0000000000CC0000-0x0000000000E97000-memory.dmp upx behavioral2/memory/3044-46-0x0000000000CC0000-0x0000000000E97000-memory.dmp upx -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts svchost.exe -
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/2976-14-0x0000000000CC0000-0x0000000000E97000-memory.dmp autoit_exe behavioral2/memory/4296-29-0x0000000000CC0000-0x0000000000E97000-memory.dmp autoit_exe behavioral2/memory/3044-46-0x0000000000CC0000-0x0000000000E97000-memory.dmp autoit_exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 3044 set thread context of 2908 3044 DN TK 7239 (()DHL#3272524765pdf.exe 94 PID 2908 set thread context of 4896 2908 svchost.exe 100 PID 2908 set thread context of 3384 2908 svchost.exe 103 PID 2908 set thread context of 3092 2908 svchost.exe 104 -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DN TK 7239 (()DHL#3272524765pdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DN TK 7239 (()DHL#3272524765pdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DN TK 7239 (()DHL#3272524765pdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4896 svchost.exe 4896 svchost.exe 3092 svchost.exe 3092 svchost.exe 4896 svchost.exe 4896 svchost.exe -
Suspicious behavior: MapViewOfSection 9 IoCs
pid Process 2976 DN TK 7239 (()DHL#3272524765pdf.exe 4296 DN TK 7239 (()DHL#3272524765pdf.exe 3044 DN TK 7239 (()DHL#3272524765pdf.exe 2908 svchost.exe 2908 svchost.exe 2908 svchost.exe 2908 svchost.exe 2908 svchost.exe 2908 svchost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3092 svchost.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 2976 DN TK 7239 (()DHL#3272524765pdf.exe 2976 DN TK 7239 (()DHL#3272524765pdf.exe 4296 DN TK 7239 (()DHL#3272524765pdf.exe 4296 DN TK 7239 (()DHL#3272524765pdf.exe 3044 DN TK 7239 (()DHL#3272524765pdf.exe 3044 DN TK 7239 (()DHL#3272524765pdf.exe -
Suspicious use of SendNotifyMessage 6 IoCs
pid Process 2976 DN TK 7239 (()DHL#3272524765pdf.exe 2976 DN TK 7239 (()DHL#3272524765pdf.exe 4296 DN TK 7239 (()DHL#3272524765pdf.exe 4296 DN TK 7239 (()DHL#3272524765pdf.exe 3044 DN TK 7239 (()DHL#3272524765pdf.exe 3044 DN TK 7239 (()DHL#3272524765pdf.exe -
Suspicious use of WriteProcessMemory 37 IoCs
description pid Process procid_target PID 2976 wrote to memory of 3548 2976 DN TK 7239 (()DHL#3272524765pdf.exe 89 PID 2976 wrote to memory of 3548 2976 DN TK 7239 (()DHL#3272524765pdf.exe 89 PID 2976 wrote to memory of 3548 2976 DN TK 7239 (()DHL#3272524765pdf.exe 89 PID 2976 wrote to memory of 4296 2976 DN TK 7239 (()DHL#3272524765pdf.exe 90 PID 2976 wrote to memory of 4296 2976 DN TK 7239 (()DHL#3272524765pdf.exe 90 PID 2976 wrote to memory of 4296 2976 DN TK 7239 (()DHL#3272524765pdf.exe 90 PID 4296 wrote to memory of 5008 4296 DN TK 7239 (()DHL#3272524765pdf.exe 91 PID 4296 wrote to memory of 5008 4296 DN TK 7239 (()DHL#3272524765pdf.exe 91 PID 4296 wrote to memory of 5008 4296 DN TK 7239 (()DHL#3272524765pdf.exe 91 PID 4296 wrote to memory of 3044 4296 DN TK 7239 (()DHL#3272524765pdf.exe 92 PID 4296 wrote to memory of 3044 4296 DN TK 7239 (()DHL#3272524765pdf.exe 92 PID 4296 wrote to memory of 3044 4296 DN TK 7239 (()DHL#3272524765pdf.exe 92 PID 3044 wrote to memory of 2908 3044 DN TK 7239 (()DHL#3272524765pdf.exe 94 PID 3044 wrote to memory of 2908 3044 DN TK 7239 (()DHL#3272524765pdf.exe 94 PID 3044 wrote to memory of 2908 3044 DN TK 7239 (()DHL#3272524765pdf.exe 94 PID 3044 wrote to memory of 2908 3044 DN TK 7239 (()DHL#3272524765pdf.exe 94 PID 2908 wrote to memory of 4332 2908 svchost.exe 99 PID 2908 wrote to memory of 4332 2908 svchost.exe 99 PID 2908 wrote to memory of 4332 2908 svchost.exe 99 PID 2908 wrote to memory of 4896 2908 svchost.exe 100 PID 2908 wrote to memory of 4896 2908 svchost.exe 100 PID 2908 wrote to memory of 4896 2908 svchost.exe 100 PID 2908 wrote to memory of 4896 2908 svchost.exe 100 PID 2908 wrote to memory of 4860 2908 svchost.exe 101 PID 2908 wrote to memory of 4860 2908 svchost.exe 101 PID 2908 wrote to memory of 4860 2908 svchost.exe 101 PID 2908 wrote to memory of 916 2908 svchost.exe 102 PID 2908 wrote to memory of 916 2908 svchost.exe 102 PID 2908 wrote to memory of 916 2908 svchost.exe 102 PID 2908 wrote to memory of 3384 2908 svchost.exe 103 PID 2908 wrote to memory of 3384 2908 svchost.exe 103 PID 2908 wrote to memory of 3384 2908 svchost.exe 103 PID 2908 wrote to memory of 3384 2908 svchost.exe 103 PID 2908 wrote to memory of 3092 2908 svchost.exe 104 PID 2908 wrote to memory of 3092 2908 svchost.exe 104 PID 2908 wrote to memory of 3092 2908 svchost.exe 104 PID 2908 wrote to memory of 3092 2908 svchost.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe"C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe"2⤵PID:3548
-
-
C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe"C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe"3⤵PID:5008
-
-
C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe"C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe"3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\Temp\DN TK 7239 (()DHL#3272524765pdf.exe"4⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\tzrgncqgophmknlhmwmkyaziazn"5⤵PID:4332
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\tzrgncqgophmknlhmwmkyaziazn"5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4896
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\vbxronahkyzznbhtwgylbemzbfwjwu"5⤵PID:4860
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\vbxronahkyzznbhtwgylbemzbfwjwu"5⤵PID:916
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\vbxronahkyzznbhtwgylbemzbfwjwu"5⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:3384
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\gvcjoflbygsexhwxnrtfmrgpjmosxfmhm"5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3092
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
400KB
MD52d70bfd1c9ec172c998df713249aa082
SHA1776b7f2acd1878719e590a4536b512eef2ba413f
SHA25601ea48aef9caf96211f378b35d5cee12e898c5337f07101588e567809e3034ff
SHA512b46815b83f8df40ce560aba3e5e500081dd719184f92050cb3bbb2cf199c3540d1baa2d2fcb5ad62b35c130ad0d382b29d0a806fad45a8e840049f570a121a02
-
Filesize
9KB
MD5929f6966ac8cca0cfe2a0afd9c63d33e
SHA185ed454c656cd4b4c1c1780e1d4fcd1c18d0c26e
SHA256b5819d69322a25044dcce4d8ab0c70f8d091847188db7c19db4c6b10e6360293
SHA51259034aa4e932d9789d08446a29df6e116422007e61d918772868288183b9a0776dcfc68729c6d1638168ef01d50ab33b1f9ee6a852364727458fb2f660896c5f
-
Filesize
28KB
MD50a2635be16a8198ce853e4903f314c39
SHA18d0d9b0554ac1a1a0476e3bf4fb91fc32293f5bd
SHA256d3ce45201555b0954ced374ea84306e5b74a3ee6384f541725346ddf9a927dea
SHA5127db087df47628d79c5c5b11ae24e3dce7f498fc93398170d31b030f1e1a2f1a5d2f4ee4f9a45e657311c4ceb9f5e399e14c31d4990dc7c3b730e8fae7762eed4
-
Filesize
483KB
MD50525d45a79ebb31866ce270c9789d639
SHA10cca3162c9fe026aaf6fd0023c095c2e94381978
SHA25609a1985d77a84c7b11e79bf18055d15a321a1def9fc7dab1938ac6c33816e3f5
SHA512e5b2ec4ee75867274407c0c53982192e2824e918ce93e0bc46d1c9e8393ffc5fd7e331ab37e66507398ddc9fd3875541258af8b65a4d145284db7e27a18be031
-
Filesize
4KB
MD518db1829b27eaeed163c211f5d179d72
SHA14442332494cba1e012f8876ecac42126ba995bc6
SHA256610c5ee3f0e63441521d26bc477c9618a4c5f86e93d31b31890680c69e3ecc3d
SHA512123d68b2c84f7a52d15faa212c06f33b04a55585e2aeb16bb14df95b18c0bcf31933e5bf0c736c90bc054b9527fccb046540d3302a0f149ebeed7c6bcca0b986