Analysis
-
max time kernel
149s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
02/09/2024, 07:57 UTC
Static task
static1
Behavioral task
behavioral1
Sample
5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe
Resource
win10v2004-20240802-en
General
-
Target
5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe
-
Size
1017KB
-
MD5
b61864f46e2dd1aa7a629eb85f08be33
-
SHA1
99048df6b97319f0d6293309b71d1ffafc8bf269
-
SHA256
5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef
-
SHA512
5a6607351724208aed4bbcd38d0114723131e331c1d50c4b43cb749628e836634d9c7d4b5e82d1261e6518723236d6bf91ddf32ab49af606b2d43878e55b4e8e
-
SSDEEP
24576:U4OR7Cs7VTj7e9pb1icG+hiNT4TrAgPdiRFcpFUQ:471yb1IxsA4d0yFp
Malware Config
Extracted
remcos
RemoteHost
127.0.0.1:2404
67.207.161.204:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-ZA03K9
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 6 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral2/memory/3144-37-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/4980-36-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/4980-42-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/3144-35-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/4980-38-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/3144-50-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft -
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/4980-36-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView behavioral2/memory/4980-42-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView behavioral2/memory/4980-38-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/memory/3144-37-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral2/memory/3144-35-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral2/memory/3144-50-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2440 set thread context of 5108 2440 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 101 PID 5108 set thread context of 3144 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 104 PID 5108 set thread context of 4980 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 105 PID 5108 set thread context of 840 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 106 -
Program crash 1 IoCs
pid pid_target Process procid_target 2848 840 WerFault.exe 106 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3144 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 3144 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 3144 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 3144 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 840 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 2440 wrote to memory of 5108 2440 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 101 PID 2440 wrote to memory of 5108 2440 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 101 PID 2440 wrote to memory of 5108 2440 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 101 PID 2440 wrote to memory of 5108 2440 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 101 PID 2440 wrote to memory of 5108 2440 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 101 PID 2440 wrote to memory of 5108 2440 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 101 PID 2440 wrote to memory of 5108 2440 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 101 PID 2440 wrote to memory of 5108 2440 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 101 PID 2440 wrote to memory of 5108 2440 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 101 PID 2440 wrote to memory of 5108 2440 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 101 PID 2440 wrote to memory of 5108 2440 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 101 PID 2440 wrote to memory of 5108 2440 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 101 PID 5108 wrote to memory of 4292 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 102 PID 5108 wrote to memory of 4292 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 102 PID 5108 wrote to memory of 4292 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 102 PID 5108 wrote to memory of 5016 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 103 PID 5108 wrote to memory of 5016 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 103 PID 5108 wrote to memory of 5016 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 103 PID 5108 wrote to memory of 3144 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 104 PID 5108 wrote to memory of 3144 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 104 PID 5108 wrote to memory of 3144 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 104 PID 5108 wrote to memory of 3144 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 104 PID 5108 wrote to memory of 4980 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 105 PID 5108 wrote to memory of 4980 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 105 PID 5108 wrote to memory of 4980 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 105 PID 5108 wrote to memory of 4980 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 105 PID 5108 wrote to memory of 840 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 106 PID 5108 wrote to memory of 840 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 106 PID 5108 wrote to memory of 840 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 106 PID 5108 wrote to memory of 840 5108 5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe"C:\Users\Admin\AppData\Local\Temp\5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Users\Admin\AppData\Local\Temp\5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe"C:\Users\Admin\AppData\Local\Temp\5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Users\Admin\AppData\Local\Temp\5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exeC:\Users\Admin\AppData\Local\Temp\5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe /stext "C:\Users\Admin\AppData\Local\Temp\tufvyxfxq"3⤵PID:4292
-
-
C:\Users\Admin\AppData\Local\Temp\5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exeC:\Users\Admin\AppData\Local\Temp\5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe /stext "C:\Users\Admin\AppData\Local\Temp\tufvyxfxq"3⤵PID:5016
-
-
C:\Users\Admin\AppData\Local\Temp\5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exeC:\Users\Admin\AppData\Local\Temp\5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe /stext "C:\Users\Admin\AppData\Local\Temp\tufvyxfxq"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3144
-
-
C:\Users\Admin\AppData\Local\Temp\5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exeC:\Users\Admin\AppData\Local\Temp\5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe /stext "C:\Users\Admin\AppData\Local\Temp\wplnyqqrmpel"3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:4980
-
-
C:\Users\Admin\AppData\Local\Temp\5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exeC:\Users\Admin\AppData\Local\Temp\5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe /stext "C:\Users\Admin\AppData\Local\Temp\gjygzibsaxwyitj"3⤵
- Suspicious use of UnmapMainImage
PID:840 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 124⤵
- Program crash
PID:2848
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2820,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=3760 /prefetch:81⤵PID:2732
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 840 -ip 8401⤵PID:1136
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request96.136.73.23.in-addr.arpaIN PTRResponse96.136.73.23.in-addr.arpaIN PTRa23-73-136-96deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request73.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request232.168.11.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestgeoplugin.netIN AResponsegeoplugin.netIN A178.237.33.50
-
GEThttp://geoplugin.net/json.gp5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exeRemote address:178.237.33.50:80RequestGET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
server: Apache
content-length: 955
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
-
Remote address:8.8.8.8:53Request204.161.207.67.in-addr.arpaIN PTRResponse204.161.207.67.in-addr.arpaIN PTR67207161204rdnsColocationAmericacom
-
Remote address:8.8.8.8:53Request204.161.207.67.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request204.161.207.67.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request50.33.237.178.in-addr.arpaIN PTRResponse50.33.237.178.in-addr.arpaIN CNAME50.32/27.178.237.178.in-addr.arpa
-
Remote address:8.8.8.8:53Request50.33.237.178.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request183.59.114.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request23.236.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request209.143.182.52.in-addr.arpaIN PTRResponse
-
-
4.5kB 1.7kB 15 17
-
36.0kB 519.2kB 235 386
-
178.237.33.50:80http://geoplugin.net/json.gphttp5868bd786a53297dfb2265f5f00d55cdc21ab25aa803acd288a39d59507d25ef.exe439 B 1.4kB 8 6
HTTP Request
GET http://geoplugin.net/json.gpHTTP Response
200
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
96.136.73.23.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
73.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
232.168.11.51.in-addr.arpa
-
59 B 75 B 1 1
DNS Request
geoplugin.net
DNS Response
178.237.33.50
-
219 B 128 B 3 1
DNS Request
204.161.207.67.in-addr.arpa
DNS Request
204.161.207.67.in-addr.arpa
DNS Request
204.161.207.67.in-addr.arpa
-
144 B 155 B 2 1
DNS Request
50.33.237.178.in-addr.arpa
DNS Request
50.33.237.178.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
183.59.114.20.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
23.236.111.52.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
209.143.182.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5cda83eba5a004554ccdc061fd3df499c
SHA158ff2ecb9d47be10335e104896c87c62dc328523
SHA256e384f4d46587646c6e0f9d2ee90b7bc57b49cea936b37cf8ab81ef3c4ce468ac
SHA512f55ce20f0cf8b603fad765b889607f967c22d377fa4ac417ba1309d0aced9231e197bb4107d1c92bb99f51c04cc68ce26148727a8b694886710100c01f3de597