Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-09-2024 04:17

Static task: static1

Behavioral task: behavioral1
- Sample: NtOl.exe
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: NtOl.exe
- Resource: win10v2004-20240802-en
General
- Target: NtOl.exe
- Size: 1.0MB
- MD5: 6aa8b2797c962a2bfbed78a30afa3f4a
- SHA1: 1c76e253db167d7c6a685282973c1bc80bbe8e5e
- SHA256: cda34c7ddc45a0ac67f0f3745b91686c285bc86f108c5c2deb36c1c3a0fb5a4f
- SHA512: ce9ba1c1282e0d87665bbe27749106de3c42ee7b2bc9e741586ad643129c01f2c7421d1afc98b599568c4fd1e229fcf08d19503426b6507db6f45e222903b145
- SSDEEP: 24576:0HH6h1OoaYANm0loL58KwewFARcqlE3r9HMQKw:k8t0loL58KwLgQ7lMQKw
Malware Config
Extracted
- Family: remcos
- Botnet: Aug 19.2
- C2: method8888.ddns.net:6902

Attributes
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-U6KI2M
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, a web browser credential store.
- Detected Nirsoft tools (2 IoCs)
  Free utilities often used by attackers which can steal passwords, product keys, etc.
  resource | yara_rule
  behavioral2/memory/3040-94-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
  behavioral2/memory/4344-77-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
- NirSoft MailPassView (1 IoC)
  Password recovery tool for various email clients.
  resource | yara_rule
  behavioral2/memory/3040-94-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView
- NirSoft WebBrowserPassView (1 IoC)
  Password recovery tool for various web browsers.
  resource | yara_rule
  behavioral2/memory/4344-77-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid | Process
  4924 | powershell.exe
  2456 | powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | NtOl.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | NtOl.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 2292 set thread context of 4988 | 2292 | NtOl.exe | 103
  PID 4988 set thread context of 4344 | 4988 | NtOl.exe | 104
  PID 4988 set thread context of 3040 | 4988 | NtOl.exe | 105
  PID 4988 set thread context of 2088 | 4988 | NtOl.exe | 106
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  1540 | 2088 | WerFault.exe | 106
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NtOl.exe (×4)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1580 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs; repeated rows collapsed with a count)
  pid | Process
  4924 | powershell.exe
  2456 | powershell.exe
  2292 | NtOl.exe (×4)
  4924 | powershell.exe
  2456 | powershell.exe
  4344 | NtOl.exe (×4)
- Suspicious behavior: MapViewOfSection (3 IoCs)
  pid | Process
  4988 | NtOl.exe (×3)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4924 | powershell.exe
  Token: SeDebugPrivilege | 2456 | powershell.exe
  Token: SeDebugPrivilege | 2292 | NtOl.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  4988 | NtOl.exe
- Suspicious use of UnmapMainImage (1 IoC)
  pid | Process
  2088 | NtOl.exe
- Suspicious use of WriteProcessMemory (39 IoCs; repeated rows collapsed with a count)
  description | pid | Process | procid_target
  PID 2292 wrote to memory of 4924 (×3) | 2292 | NtOl.exe | 95
  PID 2292 wrote to memory of 2456 (×3) | 2292 | NtOl.exe | 97
  PID 2292 wrote to memory of 1580 (×3) | 2292 | NtOl.exe | 99
  PID 2292 wrote to memory of 2420 (×3) | 2292 | NtOl.exe | 101
  PID 2292 wrote to memory of 2468 (×3) | 2292 | NtOl.exe | 102
  PID 2292 wrote to memory of 4988 (×12) | 2292 | NtOl.exe | 103
  PID 4988 wrote to memory of 4344 (×4) | 4988 | NtOl.exe | 104
  PID 4988 wrote to memory of 3040 (×4) | 4988 | NtOl.exe | 105
  PID 4988 wrote to memory of 2088 (×4) | 4988 | NtOl.exe | 106
Processes (indentation shows the parent/child tree)
- C:\Users\Admin\AppData\Local\Temp\NtOl.exe (PID 2292)
  command line: "C:\Users\Admin\AppData\Local\Temp\NtOl.exe"
  signatures: Checks computer location settings; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4924)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\NtOl.exe"
    signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2456)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GIxoePCFR.exe"
    signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 1580)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GIxoePCFR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3FC3.tmp"
    signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\NtOl.exe (PID 2420)
    command line: "C:\Users\Admin\AppData\Local\Temp\NtOl.exe"
  - C:\Users\Admin\AppData\Local\Temp\NtOl.exe (PID 2468)
    command line: "C:\Users\Admin\AppData\Local\Temp\NtOl.exe"
  - C:\Users\Admin\AppData\Local\Temp\NtOl.exe (PID 4988)
    command line: "C:\Users\Admin\AppData\Local\Temp\NtOl.exe"
    signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: MapViewOfSection; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\NtOl.exe (PID 4344)
      command line: C:\Users\Admin\AppData\Local\Temp\NtOl.exe /stext "C:\Users\Admin\AppData\Local\Temp\bzroaqqbrwaxnp"
      signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\NtOl.exe (PID 3040)
      command line: C:\Users\Admin\AppData\Local\Temp\NtOl.exe /stext "C:\Users\Admin\AppData\Local\Temp\lcxhbjjvfeskqwdgh"
      signatures: Accesses Microsoft Outlook accounts; System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\NtOl.exe (PID 2088)
      command line: C:\Users\Admin\AppData\Local\Temp\NtOl.exe /stext "C:\Users\Admin\AppData\Local\Temp\vwkzcbtwbnkpakrsqdsb"
      signatures: Suspicious use of UnmapMainImage
      - C:\Windows\SysWOW64\WerFault.exe (PID 1540)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 12
        signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2408)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2088 -ip 2088
Network
DNS and HTTP transactions (remote address 8.8.8.8:53 unless stated otherwise; "no answer" means the response carried no records):
- Request: 8.8.8.8.in-addr.arpa IN PTR. Response: dns.google
- Request: 232.168.11.51.in-addr.arpa IN PTR. Response: no answer
- Request: 73.144.22.2.in-addr.arpa IN PTR. Response: a2-22-144-73.deploy.static.akamaitechnologies.com
- Request: 140.32.126.40.in-addr.arpa IN PTR. Response: no answer
- Request: 95.221.229.192.in-addr.arpa IN PTR. Response: no answer
- Request: 28.118.140.52.in-addr.arpa IN PTR. Response: no answer
- Request: 157.123.68.40.in-addr.arpa IN PTR. Response: no answer
- Request: 15.164.165.52.in-addr.arpa IN PTR. Response: no answer
- Request: 0.205.248.87.in-addr.arpa IN PTR. Response: https-87-248-205-0.lgw.llnw.net
- Request: method8888.ddns.net IN A. Response: 154.216.20.211
- Request: 211.20.216.154.in-addr.arpa IN PTR. Response: no answer
- Request: geoplugin.net IN A. Response: 178.237.33.50
- Remote address 178.237.33.50:80
  Request:
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
  Response:
    HTTP/1.1 200 OK
    server: Apache
    content-length: 955
    content-type: application/json; charset=utf-8
    cache-control: public, max-age=300
    access-control-allow-origin: *
- Request: 50.33.237.178.in-addr.arpa IN PTR. Response: CNAME 50.32/27.178.237.178.in-addr.arpa

Traffic summary (bytes sent, bytes received, packets sent, packets received; the first two rows are connection totals whose endpoints were not captured in this extract):
Sent | Received | Pkts sent | Pkts received | Request
3.1kB | 1.5kB | 12 | 14 |
37.8kB | 512.3kB | 266 | 382 |
301 B | 1.3kB | 5 | 3 | HTTP: GET http://geoplugin.net/json.gp (response 200)
66 B | 90 B | 1 | 1 | DNS: 8.8.8.8.in-addr.arpa
72 B | 158 B | 1 | 1 | DNS: 232.168.11.51.in-addr.arpa
70 B | 133 B | 1 | 1 | DNS: 73.144.22.2.in-addr.arpa
72 B | 158 B | 1 | 1 | DNS: 140.32.126.40.in-addr.arpa
73 B | 144 B | 1 | 1 | DNS: 95.221.229.192.in-addr.arpa
72 B | 158 B | 1 | 1 | DNS: 28.118.140.52.in-addr.arpa
72 B | 146 B | 1 | 1 | DNS: 157.123.68.40.in-addr.arpa
72 B | 146 B | 1 | 1 | DNS: 15.164.165.52.in-addr.arpa
71 B | 116 B | 1 | 1 | DNS: 0.205.248.87.in-addr.arpa
65 B | 81 B | 1 | 1 | DNS: method8888.ddns.net (response 154.216.20.211)
73 B | 134 B | 1 | 1 | DNS: 211.20.216.154.in-addr.arpa
59 B | 75 B | 1 | 1 | DNS: geoplugin.net (response 178.237.33.50)
72 B | 155 B | 1 | 1 | DNS: 50.33.237.178.in-addr.arpa
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter: PowerShell (1)
  - Scheduled Task/Job: Scheduled Task (1)
- Credential Access
  - Credentials from Password Stores: Credentials from Web Browsers (1)
  - Unsecured Credentials: Credentials In Files (1)